Multiple EVIDs : Catch All : Level 3 (Español - Security)

Event Details

Event Type	Multiple
Event Description	Catch all rule to handle Windows Security Events.
Event ID	Multiple

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log Field	LogRhythm Default	LogRhythm Default v2.0
Provider	N/A	N/A
EventID	<vmid>	<vmid>
Version	N/A	N/A
Level	N/A	<severity>
Task	N/A	<vendorinfo>
Opcode	N/A	N/A
Keywords	<tag1>	<result>, <tag2>
TimeCreated	N/A	N/A
EventRecordID	N/A	N/A
Correlation	N/A	N/A
Execution	N/A	N/A
Channel	N/A	N/A
Computer	<dname>	<dname>
Error Code	N/A	<responsecode>

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID	Rule Name	Rule Type	Common Event	Classification
1006507	Catch All : Level 3	Base Rule	General Audit	Other Audit Success
	EVID 4609 : System Shutdown	Sub Rule	System Shutdown	Startup and Shutdown
	EVID 4610 : Authentication Package Loaded	Sub Rule	Object Initialized	Access Success
	EVID 4611 : Trusted Logon Process Started	Sub Rule	Process/Service Started	Startup and Shutdown
	EVID 4614 : Auth Package Loaded By SAM	Sub Rule	Auth Package Loaded By SAM	Other Audit Success
	EVID 4637 : General Audit	Sub Rule	General Audit	Other Audit Success
	EVID 4638 : General Audit	Sub Rule	General Audit	Other Audit Success
	EVID 4639 : General Audit	Sub Rule	General Audit	Other Audit Success
	EVID 4640 : General Audit Failure	Sub Rule	General Audit Failure	Error
	EVID 4641 : General Audit Failure	Sub Rule	General Audit Failure	Error
	EVID 4642 : General Audit Failure	Sub Rule	General Audit Failure	Error
	EVID 4643 : General Audit Failure	Sub Rule	General Audit Failure	Error
	EVID 4657 : Handle Allocated	Sub Rule	Handle Allocated	Information
	EVID 4658 : Handle Closed	Sub Rule	Handle Closed	Information
	EVID 4660 : Object Deleted	Sub Rule	Object Deleted/Removed	Access Success
	EVID 4690 : Handle Duplicated	Sub Rule	Handle Duplicated	Information
	EVID 4709 : IPSec Policy Agent Started	Sub Rule	Process/Service Started	Startup and Shutdown
	EVID 4710 : IPSec Policy Agent Stopped	Sub Rule	Process/Service Stopped	Startup and Shutdown
	General : Audit Success	Sub Rule	General Audit	Other Audit Success
	General : Audit Failure	Sub Rule	General Audit Failure	Error
	EVID 4931 : Directory Services Access	Sub Rule	Object Accessed	Access Success
	EVID 4932 : Directory Services Access	Sub Rule	Object Accessed	Access Success
	EVID 4933 : Directory Services Access	Sub Rule	Object Accessed	Access Success
	EVID 4616 : System Time Changed	Sub Rule	Configuration Modified : System	Configuration
	EVID 4663 : General Access Attempt	Sub Rule	Object Accessed	Access Success
	EVID 4902 : Per User Audit Policy Refreshed	Sub Rule	Policy Modified : Auditing	Policy
	EVID 4903 : Per User Audit Policy Set	Sub Rule	Policy Enabled : Auditing	Policy
	EVID 4608 : System Started	Sub Rule	System Started	Startup and Shutdown
	EVID 1100 : Logging Service Shut Down	Sub Rule	Process/Service Stopping	Startup and Shutdown
	EVID 1102 : Audit Log Cleared	Sub Rule	Log Cleared	Access Success
	EVID 4671 : App Blocked Ordinal Access Attempt	Sub Rule	Access Object Failure	Access Failure
	EVID 5060 : Verification Operation Failed	Sub Rule	Command Execution Failure	Access Failure
	EVID 6273 : Network Policy Server Denied Access	Sub Rule	Access Object Failure	Access Failure
	EVID 4704 : User Right Assigned	Sub Rule	Privilege Granted	Access Granted
	EVID 4717 : Sys Sec Access Granted	Sub Rule	Access Granted Activity	Access Granted
	EVID 4728 : User Added Glbl Security Grp	Sub Rule	Account Added To Group	Access Granted
	EVID 4732 : User Added To Local Sec Grp	Sub Rule	Account Added To Group	Access Granted
	EVID 4746 : User Added Local Dstr Group	Sub Rule	Account Added To Group	Access Granted
	EVID 4751 : User Added Global Dstr Grp	Sub Rule	Account Added To Group	Access Granted
	EVID 4756 : User Added To Univ Sec Grp	Sub Rule	Account Added To Group	Access Granted
	EVID 4761 : User Added To Univ Dstr Grp	Sub Rule	Account Added To Group	Access Granted
	EVID 4785 : User Added To Basic App Group	Sub Rule	Account Added To Group	Access Granted
	EVID 4787 : Non-Member Added Basic App Group	Sub Rule	Account Added To Group	Access Granted
	EVID 4887 : Cert Svcs Issued Certificate	Sub Rule	Certificate Services Issued Certificate	Information
	EVID 4705 : User Right Removed	Sub Rule	User Account Attribute Modified	Account Modified
	EVID 4718 : Sys Sec Access Removed	Sub Rule	Access Revoked Activity	Access Revoked
	EVID 4729 : User Removed Glbl Security Group	Sub Rule	Account Removed From Group	Access Revoked
	EVID 4733 : User Removed From Local Sec Grp	Sub Rule	Account Removed From Group	Access Revoked
	EVID 4747 : User Removed From Local Dstr Grp	Sub Rule	Account Removed From Group	Access Revoked
	EVID 4752 : User Removed From Global Dstr Grp	Sub Rule	Account Removed From Group	Access Revoked
	EVID 4757 : User Removed From Univ Sec Grp	Sub Rule	Account Removed From Group	Access Revoked
	EVID 4762 : User Removed From Univ Dstr Grp	Sub Rule	Account Removed From Group	Access Revoked
	EVID 4786 : User Removed From Basic App Group	Sub Rule	Account Removed From Group	Access Revoked
	EVID 4788 : Non-Member Removed Basic App Group	Sub Rule	Account Removed From Group	Access Revoked
	EVID 4870 : Cert Svcs Revoked Certificate	Sub Rule	Access Revoked Activity	Access Revoked
	EVID 4656 : Object Opened	Sub Rule	Object Read	Access Success
	EVID 4656 : Object Open Failed	Sub Rule	Access Object Failure	Access Failure
	EVID 4657 : Registry Value Modification Failed	Sub Rule	Modify Object Failure	Access Failure
	EVID 4659 : Object Opened For Delete	Sub Rule	Object Deleted/Removed	Access Success
	EVID 4660 : Object Delete Failed	Sub Rule	Delete/Remove Object Failure	Access Failure
	EVID 4662 : Object Operation	Sub Rule	Object Operation	Other Audit Success
	EVID 4662 : Failed Object Operation	Sub Rule	Failed Object Operation	Error
	EVID 4664 : Hard Link Creation Attempt	Sub Rule	Hard Link Creation Attempt	Other Audit Success
	EVID 4666 : Application Operation	Sub Rule	Application Operation	Other Audit Success
EVID 4666 : Application Operation Failed	Sub Rule	Command Execution Failure	Access Failure
EVID 4668 : Application Initialized	Sub Rule	Object Initialized	Access Success
EVID 4668 : Application Initialization Failed	Sub Rule	Application Initialization Failed	Critical
EVID 4673 : Privileged Service Called	Sub Rule	Object Accessed	Access Success
EVID 4674 : Privileged Object Operation	Sub Rule	Object Accessed	Access Success
EVID 4691 : Indirect Object Access	Sub Rule	Object Accessed	Access Success
EVID 4692 : Data Protection Master Key Backed Up	Sub Rule	Data Protection Master Key Backup Attempt	Other Audit Success
EVID 4693 : Data Protection Master Key Recovered	Sub Rule	Data Protection Master Key Recovered	Other Audit Success
EVID 4694 : Auditable Protected Data Protected	Sub Rule	Auditable Protected Data Protected	Other Audit Success
EVID 4695 : Auditable Protected Data Unprotected	Sub Rule	Auditable Protected Data Unprotected	Other Audit Success
EVID 4782 : Password Hash Accessed	Sub Rule	Object Accessed	Access Success
EVID 5039 : Registry Key Virtualized	Sub Rule	Registry Key Virtualized	Other Audit Success
EVID 5051 : File Virtualized	Sub Rule	File Virtualized	Other Audit Success
EVID 5058 : Key File Operation	Sub Rule	Key File Operation	Other Audit Success
EVID 5059 : Key Migration Operation	Sub Rule	Key Migration Operation	Other Audit Success
EVID 5061 : Cryptographic Operation	Sub Rule	Cryptographic Operation	Other Audit Success
EVID 5136 : Directory Service Object Modified	Sub Rule	Object Modified	Access Success
EVID 5137 : Directory Service Object Created	Sub Rule	Object Created	Access Success
EVID 5138 : Directory Service Object Restored	Sub Rule	Directory Service Object Restored	Other Audit Success
EVID 5139 : Directory Service Object Moved	Sub Rule	Object Moved	Access Success
EVID 5140 : Network Share Object Accessed	Sub Rule	Object Accessed	Access Success
EVID 5141 : Directory Service Object Deleted	Sub Rule	Object Deleted/Removed	Access Success
EVID 5888 : COM+ Object Modified	Sub Rule	Object Modified	Access Success
EVID 5889 : COM+ Object Deleted	Sub Rule	Object Deleted/Removed	Access Success
EVID 5890 : COM+ Object Added	Sub Rule	Object Added	Access Success
EVID 6272 : Network Policy Server Granted Access	Sub Rule	Access Granted Activity	Access Granted
EVID 6277 : Network Policy Server Granted Access	Sub Rule	Access Granted Activity	Access Granted
EVID 6278 : Network Policy Server Granted Access	Sub Rule	Access Granted Activity	Access Granted
EVID 4720 : User Account Created	Sub Rule	User Account Created	Account Created
EVID 4727 : Global Security Group Created	Sub Rule	Group Created	Account Created
EVID 4731 : Local Security Group Created	Sub Rule	Group Created	Account Created
EVID 4741 : Computer Account Created	Sub Rule	Computer Account Created	Account Created
EVID 4744 : Local Dstr Grp Created	Sub Rule	Group Created	Account Created
EVID 4749 : Global Dstr Grp Created	Sub Rule	Group Created	Account Created
EVID 4754 : Universal Sec Grp Created	Sub Rule	Group Created	Account Created
EVID 4759 : Universal Dstr Grp Created	Sub Rule	Group Created	Account Created
EVID 4783 : Basic App Group Created	Sub Rule	Group Created	Account Created
EVID 4790 : LDAP Query Group Created	Sub Rule	Group Created	Account Created
EVID 4726 : User Account Deleted	Sub Rule	User Account Deleted	Account Deleted
EVID 4730 : Global Security Group Deleted	Sub Rule	Group Deleted	Account Deleted
EVID 4734 : Local Security Group Deleted	Sub Rule	Group Deleted	Account Deleted
EVID 4743 : Computer Account Deleted	Sub Rule	Computer Account Deleted	Account Deleted
EVID 4748 : Local Dstr Grp Deleted	Sub Rule	Group Deleted	Account Deleted
EVID 4753 : Global Dstr Grp Deleted	Sub Rule	Group Deleted	Account Deleted
EVID 4758 : Universal Sec Grp Deleted	Sub Rule	Group Deleted	Account Deleted
EVID 4763 : Universal Dstr Grp Deleted	Sub Rule	Group Deleted	Account Deleted
EVID 4789 : Basic App Group Deleted	Sub Rule	Group Deleted	Account Deleted
EVID 4792 : LDAP Query Group Deleted	Sub Rule	Group Deleted	Account Deleted
EVID 4722 : User Account Enabled	Sub Rule	Account Enabled	Access Granted
EVID 4723 : Password Change Attempted	Sub Rule	Password Modified	Account Modified
EVID 4724 : Password Reset	Sub Rule	Password Modified	Account Modified
EVID 4725 : User Account Disabled	Sub Rule	Account Disabled	Access Revoked
EVID 4735 : Local Security Group Changed	Sub Rule	Group Attribute Modified	Account Modified
EVID 4737 : Global Security Group Changed	Sub Rule	Group Attribute Modified	Account Modified
EVID 4738 : User Account Changed	Sub Rule	User Account Attribute Modified	Account Modified
EVID 4740 : User Account Locked Out	Sub Rule	Account Locked	Access Revoked
EVID 4742 : Computer Account Changed	Sub Rule	Computer Account Attribute Modified	Account Modified
EVID 4745 : Local Dstr Grp Changed	Sub Rule	Group Attribute Modified	Account Modified
EVID 4750 : Global Dstr Grp Changed	Sub Rule	Group Attribute Modified	Account Modified
EVID 4755 : Universal Sec Grp Changed	Sub Rule	Group Attribute Modified	Account Modified
EVID 4760 : Universal Dstr Grp Changed	Sub Rule	Group Attribute Modified	Account Modified
EVID 4764 : Group Type Changed	Sub Rule	Group Attribute Modified	Account Modified
EVID 4767 : User Account Unlocked	Sub Rule	Account Unlocked	Access Granted
EVID 4781 : Account Name Change	Sub Rule	User Account Name Modified	Account Modified
EVID 4784 : Basic App Group Changed	Sub Rule	Group Attribute Modified	Account Modified
EVID 4791 : Basic App Group Changed	Sub Rule	Group Attribute Modified	Account Modified
EVID 6279 : User Account Locked Out	Sub Rule	Account Locked	Access Revoked
EVID 6280 : User Account Unlocked	Sub Rule	Account Unlocked	Access Granted
EVID 4649 : Replay Attack	Sub Rule	General Attack Activity	Attack
EVID 4625 : Authentication Failure	Sub Rule	Authentication Failure Activity	Authentication Failure
EVID 4771 : Failed Pre-Authentication	Sub Rule	Authentication Failure Activity	Authentication Failure
EVID 4772 : Kerberos Ticket Request Failed	Sub Rule	Authentication Failure Activity	Authentication Failure
EVID 4773 : Kerberos Service Ticket Request Failed	Sub Rule	Authentication Failure Activity	Authentication Failure
EVID 4624 : Authentication	Sub Rule	User Logon	Authentication Success
EVID 4634 : Logoff	Sub Rule	Authentication Activity	Authentication Success
EVID 4647 : Logoff	Sub Rule	User Logoff	Authentication Success
EVID 4648 : Logon Using Explicit Credentials	Sub Rule	User Logon	Authentication Success
EVID 4622 : Security Package Loaded By SAM	Sub Rule	Configuration Loaded : Security	Configuration
EVID 4665 : Application - Client Context Created	Sub Rule	Configuration Enabled : Application	Configuration
EVID 4667 : Application - Client Context Deleted	Sub Rule	Configuration Deleted : Application	Configuration
EVID 4697 : Service Installed	Sub Rule	Software Installed	Configuration
EVID 4698 : Scheduled Task Created	Sub Rule	Configuration Enabled : System	Configuration
EVID 4699 : Scheduled Task Deleted	Sub Rule	Configuration Deleted : System	Configuration
EVID 4700 : Scheduled Task Enabled	Sub Rule	Configuration Enabled : System	Configuration
EVID 4701 : Scheduled Task Disabled	Sub Rule	Configuration Disabled : System	Configuration
EVID 4702 : Scheduled Task Updated	Sub Rule	Configuration Enabled : System	Configuration
EVID 4794 : DS Restore Mode Admin Password Set	Sub Rule	Configuration Modified : Security	Configuration
EVID 4890 : Cert Svcs Settings Changed	Sub Rule	Configuration Modified : Application	Configuration
EVID 4891 : Cert Svcs Config Entry Changed	Sub Rule	Configuration Modified : Application	Configuration
EVID 4892 : Cert Svcs Property Changed	Sub Rule	Configuration Modified : Application	Configuration
EVID 4904 : Sec Event Source Registered	Sub Rule	Configuration Enabled : Security	Configuration
EVID 4905 : Sec Event Source Un-Registered	Sub Rule	Configuration Disabled : Security	Configuration
EVID 4908 : Special Groups Logon Table Modified	Sub Rule	Configuration Modified : Security	Configuration
EVID 4928 : AD Replica Src Naming Context Estab	Sub Rule	Configuration Loaded : Directory Services	Configuration
EVID 4929 : AD Replica Src Naming Context Removed	Sub Rule	Configuration Deleted : Directory Services	Configuration
EVID 4930 : AD Replica Src Naming Context Modified	Sub Rule	Configuration Modified : Directory Services	Configuration
EVID 4934 : AD Object Attributes Replicated	Sub Rule	AD Object Attributes Replicated	Information
EVID 4937 : Lingering Object Removed From Replica	Sub Rule	Configuration Deleted : System	Configuration
EVID 4946 : Firewall Exception Rule Added	Sub Rule	Configuration Loaded : Network Access	Configuration
EVID 4947 : Firewall Exception Rule Modified	Sub Rule	Configuration Modified : Security	Configuration
EVID 4948 : Firewall Exception Rule Deleted	Sub Rule	Configuration Deleted : Security	Configuration
EVID 4949 : Firewall Settings Restored To Default	Sub Rule	Configuration Modified : Security	Configuration
EVID 4950 : Firewall Settings Changed	Sub Rule	Configuration Modified : Security	Configuration
EVID 4956 : Firewall Changed Active Profile	Sub Rule	Configuration Modified : Security	Configuration
EVID 4979 : IPSEC Security Mode Assoc Established	Sub Rule	Trust Relationship Established	Access Granted
EVID 4980 : IPSEC Security Mode Assoc Established	Sub Rule	Trust Relationship Established	Access Granted
EVID 4981 : IPSEC Security Mode Assoc Established	Sub Rule	Trust Relationship Established	Access Granted
EVID 4982 : IPSEC Security Mode Assoc Established	Sub Rule	Trust Relationship Established	Access Granted
EVID 5040 : IPSEC Authentication Set Added	Sub Rule	Configuration Loaded : Security	Configuration
EVID 5041 : IPSEC Authentication Set Modified	Sub Rule	Configuration Modified : Security	Configuration
EVID 5042 : IPSEC Authentication Set Deleted	Sub Rule	Configuration Deleted : Security	Configuration
EVID 5043 : IPSEC Connection Security Rule Added	Sub Rule	Configuration Loaded : Security	Configuration
EVID 5044 : IPSEC Conn Security Rule Modified	Sub Rule	Configuration Modified : Security	Configuration
EVID 5045 : IPSEC Connection Security Rule Deleted	Sub Rule	Configuration Deleted : Security	Configuration
EVID 5046 : IPSEC Crypto Set Added	Sub Rule	Configuration Loaded : Security	Configuration
EVID 5047 : IPSEC Crypto Set Modified	Sub Rule	Configuration Modified : Security	Configuration
EVID 5048 : IPSEC Crypto Set Deleted	Sub Rule	Configuration Deleted : Security	Configuration
EVID 5049 : IPSEC Security Association Deleted	Sub Rule	Configuration Deleted : Security	Configuration
EVID 5065 : Cryptographic Context Mod Attempted	Sub Rule	Cryptographic Context Modification Attempted	Warning
EVID 5067 : Cryptographic Function Mod Attempted	Sub Rule	Cryptographic Function Modification Attempted	Warning
EVID 5070 : Cryptographic Funct Prop Mod Attempted	Sub Rule	Cryptographic Function Property Mod Attempt	Warning
EVID 5122 : OCSP Responder Configuration Changed	Sub Rule	Configuration Modified : Application	Configuration
EVID 5123 : OCSP Responder Configuration Changed	Sub Rule	Configuration Modified : Application	Configuration
EVID 5124 : OCSP Responder Sec Setting Updated	Sub Rule	Configuration Modified : Security	Configuration
EVID 5126 : OCSP Updated Signing Certificate	Sub Rule	Configuration Modified : Security	Configuration
EVID 5127 : OCSP Revoc Provider Updated Revoc Info	Sub Rule	OCSP Revocation Provider Updated Revocation Info	Information
EVID 5446 : Filtering Platform Callout Changed	Sub Rule	Configuration Modified : Application	Configuration
EVID 5447 : Filtering Platform Filter Changed	Sub Rule	Configuration Modified : Application	Configuration
EVID 5448 : Filtering Platform Provider Changed	Sub Rule	Configuration Modified : Application	Configuration
EVID 5449 : Filtering Platform Prov Context Change	Sub Rule	Configuration Modified : Security	Configuration
EVID 5450 : Filtering Platform Sub-Layer Changed	Sub Rule	Configuration Modified : Application	Configuration
EVID 5029 : Firewall Driver Init Failed	Sub Rule	Firewall Driver Init Failed	Critical
EVID 5030 : Firewall Service Failed To Start	Sub Rule	Firewall Service Failed To Start	Critical
EVID 5035 : Firewall Driver Startup Failed	Sub Rule	Firewall Driver Startup Failed	Critical
EVID 5037 : Firewall Driver Critical Condition	Sub Rule	Firewall Driver Critical Condition	Critical
EVID 5038 : Possible Disk Error	Sub Rule	Computed Hash Match Failure	Error
EVID 5484 : IPSEC Service Error Caused Shutdown	Sub Rule	IPSEC Service Error Caused Shutdown	Critical
EVID 4712 : IPSEC Service Failure	Sub Rule	IPSEC Service Serious Failure	Error
EVID 4816 : RPC Integrity Violation	Sub Rule	RPC Integrity Violation	Error
EVID 4864 : Namespace Collision	Sub Rule	Namespace Collision	Error
EVID 4935 : AD Replication Failure Begins	Sub Rule	AD Replication Failure Begins	Error
EVID 4936 : AD Replication Failure Ends	Sub Rule	AD Replication Failure Ends	Error
EVID 4965 : IPSEC Received Bad Packet	Sub Rule	IPSEC Received Bad Packet	Error
EVID 5050 : Programmatic Firewall Disable Attempt	Sub Rule	Programmatic Firewall Disable Attempted	Error
EVID 5057 : Cryptographic Self Test Failed	Sub Rule	Cryptographic Self Test Failed	Error
EVID 5477 : Failed To Load Quick Mode Filter	Sub Rule	Failed To Load Quick Mode Filter	Error
EVID 5483 : IPSEC Service Failed To Start	Sub Rule	IPSEC Service Failed To Start	Error
EVID 5485 : IPSEC Filter Processing Failed	Sub Rule	IPSEC Filter Processing Failed	Error
EVID 6145 : GPO Security Policy Application Error	Sub Rule	GPO Security Policy Application Error	Error
EVID 4621 : Recovered From Crash On Audit Fail	Sub Rule	Crash On Audit Fail Recovered	Information
EVID 4793 : Password Policy Checker API Called	Sub Rule	Policy Modified : Object	Policy
EVID 4802 : Screen Saver Invoked	Sub Rule	Screen Saver Invoked	Information
EVID 4803 : Screen Saver Dismissed	Sub Rule	Screen Saver Dismissed	Information
EVID 4871 : Cert Svcs Request CRL	Sub Rule	Certificate Svcs Received Request To Publish CRL	Information
EVID 4872 : Cert Svcs Published CRL	Sub Rule	Certificate Services Published CRL	Information
EVID 4873 : Certificate Request Extension Changed	Sub Rule	Certificate Request Extension Changed	Information
EVID 4874 : Certificate Request Attributes Changed	Sub Rule	Certificate Request Attributes Changed	Information
EVID 4876 : Cert Svcs Backup Started	Sub Rule	Certificate Services Backup Started	Information
EVID 4877 : Cert Svcs Backup Complete	Sub Rule	Certificate Services Backup Completed	Information
EVID 4878 : Cert Svcs Restore Started	Sub Rule	Process/Service Started	Startup and Shutdown
EVID 4879 : Cert Svcs Restore Completed	Sub Rule	Certificate Services Restore Completed	Information
EVID 4883 : Cert Svcs Retrieved Archived Key	Sub Rule	Certificate Services Retrieved Archived Key	Information
EVID 4884 : Cert Svcs Imported Certificate	Sub Rule	Certificate Services Imported Certificate	Information
EVID 4889 : Cert Svcs Cert Status To Pending	Sub Rule	Certificate Services Set Cert Status To Pending	Information
EVID 4893 : Cert Svcs Archived A Key	Sub Rule	Certificate Services Archived A Key	Information
EVID 4894 : Cert Svcs Imported & Archived Key	Sub Rule	Certificate Services Imported And Archived Key	Information
EVID 4895 : Cert Svcs Published CA Cert	Sub Rule	Certificate Services Published CA Certificate	Information
EVID 4896 : Cert Svcs DB Rows Deleted	Sub Rule	Certificate Services Database Rows Deleted	Information
EVID 4898 : Cert Svcs Template Loaded	Sub Rule	Certificate Services Loaded Template	Information
EVID 4899 : Cert Svcs Template Updated	Sub Rule	Certificate Services Updated Template	Information
EVID 4900 : Cert Svcs Template Sec Updated	Sub Rule	Certificate Services Template Security Updated	Information
EVID 4944 : Active Firewall Policy On Start	Sub Rule	Active Firewall Policy On Start	Information
EVID 4945 : Rule Listed On Firewall Start	Sub Rule	Rule Listed On Firewall Start	Information
EVID 5056 : Cryptographic Self Test Performed	Sub Rule	Cryptographic Self Test Performed	Information
EVID 5062 : Cryptographic Self Test Performed	Sub Rule	Cryptographic Self Test Performed	Information
EVID 5376 : Credentials Backed Up	Sub Rule	Credentials Backed Up	Information
EVID 5377 : Credentials Restored From Backup	Sub Rule	Credentials Restored From Backup	Information
EVID 5440 : Filtering Platform Startup State	Sub Rule	Filtering Platform Startup State	Information
EVID 5441 : Filtering Platform Startup State	Sub Rule	Filtering Platform Startup State	Information
EVID 5442 : Filtering Platform Startup State	Sub Rule	Filtering Platform Startup State	Information
EVID 5443 : Filtering Platform Startup State	Sub Rule	Filtering Platform Startup State	Information
EVID 5444 : Filtering Platform Startup State	Sub Rule	Filtering Platform Startup State	Information
EVID 4615 : Invalid Use Of LPC Port	Sub Rule	Unauthorized Activity	Misuse
EVID 5154 : Filtering Allowed App To Listen	Sub Rule	Application Allowed To Listen For Connections	Information
EVID 5156 : Filtering Allowed Connection	Sub Rule	Traffic Allowed by Host Firewall	Network Allow
EVID 5158 : Filtering Permitted Port Bind	Sub Rule	Permitted Bind To Local Port	Information
EVID 4960 : IPSEC Dropped Inbound Packet	Sub Rule	Traffic Denied by Host Firewall	Network Deny
EVID 4961 : IPSEC Dropped Inbound Packet	Sub Rule	Traffic Denied by Host Firewall	Network Deny
EVID 4962 : IPSEC Dropped Inbound Packet	Sub Rule	Traffic Denied by Host Firewall	Network Deny
EVID 4963 : IPSEC Dropped Inbound Packet	Sub Rule	Traffic Denied by Host Firewall	Network Deny
EVID 4983 : IPSEC Negotiation Failed	Sub Rule	Traffic Denied by Host Firewall	Network Deny
EVID 4984 : IPSEC Negotiation Failed	Sub Rule	Traffic Denied by Host Firewall	Network Deny
EVID 5031 : Firewall Blocked Connection To App	Sub Rule	Traffic Denied by Host Firewall	Network Deny
EVID 5152 : Filtering Blocked Packet	Sub Rule	Traffic Denied by Host Firewall	Network Deny
EVID 5153 : Filtering Blocked Packet	Sub Rule	Traffic Denied by Host Firewall	Network Deny
EVID 5155 : Filtering Blocked App From Listening	Sub Rule	Application Blocked From Listening For Connections	Warning
EVID 5157 : Filtering Blocked Connection	Sub Rule	Traffic Denied by Host Firewall	Network Deny
EVID 5159 : Filtering Denied Port Bind	Sub Rule	Traffic Denied by Host Firewall	Network Deny
EVID 5453 : IPSEC Negotiation Failed	Sub Rule	Traffic Denied by Host Firewall	Network Deny
EVID 4985 : Transaction State Change	Sub Rule	Transaction State Change	Network Traffic
EVID 5125 : Request Submitted To OCSP Responder	Sub Rule	Request Submitted To OCSP Responder	Network Traffic
EVID 5451 : IPSEC Security Association Established	Sub Rule	IPSEC Security Association Established	Network Traffic
EVID 5452 : IPSEC Security Association Ended	Sub Rule	IPSEC Security Association Ended	Network Traffic
EVID 5712 : RPC Attempted	Sub Rule	Remote Procedure Call Attempt	Network Traffic
EVID 4675 : SIDs Filtered	Sub Rule	SIDs Filtered	Other Audit
EVID 4696 : Primary Token Assigned	Sub Rule	Primary Token Assigned	Information
EVID 4711 : General Audit Message	Sub Rule	General Audit Message	Other Audit
EVID 4800 : Workstation Locked	Sub Rule	Workstation Locked	Other Audit Success
EVID 4801 : Workstation Unlocked	Sub Rule	Workstation Unlocked	Other Audit Success
EVID 4869 : Cert Svcs Rcvd Resubmitted Cert Req	Sub Rule	Certificate Services Rcvd Resubmitted Cert Request	Other Audit
EVID 5063 : Cryptographic Provider Op Attempted	Sub Rule	Cryptographic Provider Operation Attempted	Other Audit
EVID 5064 : Cryptographic Context Op Attempted	Sub Rule	Cryptographic Context Operation Attempted	Other Audit
EVID 5066 : Cryptographic Function Op Attempted	Sub Rule	Cryptographic Function Operation Attempted	Other Audit
EVID 5068 : Cryptographic Funct Provider Op Atmt	Sub Rule	Cryptographic Function Provider Operation Attempt	Other Audit
EVID 5069 : Cryptographic Func Prop Op Attempt	Sub Rule	Cryptographic Function Property Operation Attempt	Other Audit
EVID 5632 : WLAN Authentication Request	Sub Rule	Authentication Activity	Authentication Success
EVID 5633 : Wired Network Authentication Request	Sub Rule	Authentication Activity	Authentication Success
EVID 6274 : Network Policy Svr Discarded Request	Sub Rule	Network Policy Server Discarded Request	Other Audit
EVID 6275 : Network Policy Svr Discarded Request	Sub Rule	Network Policy Server Discarded Request	Other Audit
EVID 6276 : Network Policy Server Quarantined User	Sub Rule	Network Policy Server Quarantined User	Other Audit
EVID 4652 : IPSEC Negotiation Failed	Sub Rule	IPSEC Negotiation Failed	Error
EVID 4653 : IPSEC Negotiation Failed	Sub Rule	IPSEC Negotiation Failed	Error
EVID 4654 : IPSEC Negotiation Failed	Sub Rule	IPSEC Negotiation Failed	Error
EVID 4766 : Add SID History Failed	Sub Rule	General Audit Failure	Error
EVID 4775 : Account Map For Logon Failed	Sub Rule	Account Logon Mapping Failed	Other Audit Failure
EVID 4777 : Credentials Validation Failed	Sub Rule	User Logon Failure : Bad Password	Authentication Failure
EVID 4868 : Cert Man Denied Pending Request	Sub Rule	Certificate Manager Denied Pending Cert Request	Warning
EVID 4888 : Cert Svcs Denied Certificate Request	Sub Rule	Certificate Services Denied Certificate Request	Warning
EVID 5378 : Credential Delegation Disallowed	Sub Rule	Credential Delegation Disallowed	Other Audit Failure
EVID 5458 : IPSEC Policy Application Failed	Sub Rule	IPSEC Policy Application Failed	Other Audit Failure
EVID 5461 : IPSEC Policy Application Failed	Sub Rule	IPSEC Policy Application Failed	Other Audit Failure
EVID 5462 : IPSEC Policy Application Failed	Sub Rule	IPSEC Policy Application Failed	Other Audit Failure
EVID 5472 : IPSEC Policy Application Failed	Sub Rule	IPSEC Policy Application Failed	Other Audit Failure
EVID 5474 : IPSEC Policy Application Failed	Sub Rule	IPSEC Policy Application Failed	Other Audit Failure
EVID 4650 : IPSEC Sec Assoc Established	Sub Rule	Trust Relationship Established	Access Granted
EVID 4651 : IPSEC Sec Assoc Established	Sub Rule	Trust Relationship Established	Access Granted
EVID 4655 : IPSEC Security Assoc Ended	Sub Rule	Authentication Activity	Authentication Success
EVID 4661 : Object Handle Requested	Sub Rule	Object Handle Requested	Other Audit Success
EVID 4672 : Special Privs Assigned To New Logon	Sub Rule	Privilege Granted	Access Granted
EVID 4765 : Add SID History	Sub Rule	Configuration Modified : System	Configuration
EVID 4768 : Kerberos Auth Ticket Requested	Sub Rule	Authentication Activity	Authentication Success
EVID 4769 : Kerberos Svc Ticket Requested	Sub Rule	Authentication Activity	Authentication Success
EVID 4770 : Kerberos Svc Ticket Renewed	Sub Rule	Authentication Activity	Authentication Success
EVID 4774 : Account Mapped For Logon	Sub Rule	Account Mapped For Logon	Other Audit Success
EVID 4776 : Credentials Validation	Sub Rule	Authentication Activity	Authentication Success
EVID 4778 : Win Session Reconnect	Sub Rule	User Logon	Authentication Success
EVID 4779 : Win Session Disconnect	Sub Rule	Session Disconnected	Other Audit Success
EVID 4886 : Cert Svcs Certificate Request	Sub Rule	Certificate Services Received Certificate Request	Other Audit Success
EVID 4964 : Special Groups Assigned To New Logon	Sub Rule	Special Groups Assigned To New Logon	Other Audit Success
EVID 4670 : Object Permissions Changed	Sub Rule	Policy Modified : Object	Policy
EVID 4706 : Trusted Domain Added	Sub Rule	Trust Relationship Established	Access Granted
EVID 4707 : Trusted Domain Removed	Sub Rule	Trust Relationship Revoked	Access Revoked
EVID 4713 : Kerberos Policy Changed	Sub Rule	Policy Modified : System	Policy
EVID 4714 : Encrypted Data Recovery Policy Changed	Sub Rule	Policy Modified : Encryption	Policy
EVID 4715 : Object Audit Policy Changed	Sub Rule	Policy Modified : Object	Policy
EVID 4716 : Trusted Domain Info Modified	Sub Rule	Policy Modified : Domain	Policy
EVID 4719 : Sys Audit Policy Changed	Sub Rule	Policy Modified : Auditing	Policy
EVID 4739 : Domain Policy Changed	Sub Rule	Policy Modified : Domain	Policy
EVID 4780 : Admins Account ACL Set	Sub Rule	Policy Enabled : User/Password	Policy
EVID 4865 : Trusted Forest Entry Added	Sub Rule	Trust Relationship Established	Access Granted
EVID 4866 : Trusted Forest Entry Removed	Sub Rule	Trust Relationship Revoked	Access Revoked
EVID 4867 : Trusted Forest Entry Modified	Sub Rule	Trust Relationship Established	Access Granted
EVID 4882 : Cert Svcs Sec Permissions Changed	Sub Rule	Policy Modified : System	Policy
EVID 4885 : Cert Svcs Audit Filter Changed	Sub Rule	Policy Modified : Auditing	Policy
EVID 4897 : Role Separation Enabled	Sub Rule	Policy Modified : System	Policy
EVID 4906 : CrashOnAuditFail Value Changed	Sub Rule	Policy Modified : Auditing	Policy
EVID 4907 : Audit Settings On Object Changed	Sub Rule	Policy Modified : Auditing	Policy
EVID 4909 : TBS Local Policy Settings Changed	Sub Rule	Policy Modified : System	Policy
EVID 4910 : TBS Group Policy Settings Changed	Sub Rule	Policy Modified : Domain	Policy
EVID 4912 : Per-User Audit Policy Changed	Sub Rule	Policy Modified : Auditing	Policy
EVID 4954 : Firewall Group Policy Settings Changed	Sub Rule	Policy Modified : Domain	Policy
EVID 5456 : IPSEC Policy Applied	Sub Rule	Policy Enabled : Network	Policy
EVID 5457 : IPSEC Policy Applied	Sub Rule	Policy Enabled : Network	Policy
EVID 5459 : IPSEC Policy Applied	Sub Rule	Policy Enabled : Network	Policy
EVID 5460 : IPSEC Policy Applied	Sub Rule	Policy Enabled : Network	Policy
EVID 5463 : Polled For IPSEC Policy Changes	Sub Rule	Polled For IPSEC Policy Changes	Information
EVID 5464 : IPSEC Policy Changes Applied	Sub Rule	Policy Modified : Network	Policy
EVID 5465 : IPSEC Policy Reloaded	Sub Rule	Authentication Activity	Authentication Success
EVID 5466 : IPSEC Policy Changes Applied	Sub Rule	Policy Modified : Network	Policy
EVID 5467 : Polled For IPSEC Policy Changes	Sub Rule	Polled For IPSEC Policy Changes	Information
EVID 5468 : IPSEC Policy Changes Applied	Sub Rule	Policy Modified : Network	Policy
EVID 5471 : IPSEC Policy Applied	Sub Rule	Policy Enabled : Network	Policy
EVID 5473 : IPSEC Policy Applied	Sub Rule	Policy Enabled : Network	Policy
EVID 6144 : GPO Security Policy Applied	Sub Rule	Policy Enabled : Domain	Policy
EVID 4688 : New Process Created	Sub Rule	Process/Service Started	Startup and Shutdown
EVID 4689 : Process Exited	Sub Rule	Process/Service Stopped	Startup and Shutdown
EVID 4875 : Cert Svcs Shutdown Request	Sub Rule	Process/Service Stopping	Startup and Shutdown
EVID 4880 : Certificate Services Started	Sub Rule	Process/Service Started	Startup and Shutdown
EVID 4881 : Certificate Services Stopped	Sub Rule	Process/Service Stopped	Startup and Shutdown
EVID 5024 : Firewall Service Started	Sub Rule	Process/Service Started	Startup and Shutdown
EVID 5025 : Firewall Service Stopped	Sub Rule	Process/Service Stopped	Startup and Shutdown
EVID 5033 : Firewall Driver Started	Sub Rule	Process/Service Started	Startup and Shutdown
EVID 5034 : Firewall Driver Stopped	Sub Rule	Process/Service Stopped	Startup and Shutdown
EVID 5120 : OCSP Responder Service Started	Sub Rule	Process/Service Started	Startup and Shutdown
EVID 5121 : OCSP Responder Service Stopped	Sub Rule	Process/Service Stopped	Startup and Shutdown
EVID 5478 : IPSEC Service Started	Sub Rule	Process/Service Started	Startup and Shutdown
EVID 5479 : IPSEC Service Stopped	Sub Rule	Process/Service Stopped	Startup and Shutdown
EVID 4618 : Monitored Sec Event	Sub Rule	Suspicious Activity	Suspicious
EVID 4976 : IPSEC Received Invalid Negot Packet	Sub Rule	Protocol Anomaly	Attack
EVID 4977 : IPSEC Received Invalid Negot Packet	Sub Rule	Protocol Anomaly	Attack
EVID 4978 : IPSEC Received Invalid Negot Packet	Sub Rule	Protocol Anomaly	Attack
EVID 4612 : Audit Queuing Resources Exh	Sub Rule	Audit Queuing Resources Exhausted	Warning
EVID 4951 : Firewall Rule Ignored	Sub Rule	Firewall Rule Ignored Due To Version	Warning
EVID 4952 : Firewall Rule Ignored	Sub Rule	Firewall Rule Ignored Due To Version	Warning
EVID 4953 : Firewall Rule Ignored	Sub Rule	Firewall Rule Ignored Due To Bad Parsing	Warning
EVID 4957 : Firewall Rule Not Applied	Sub Rule	Firewall Rule Not Applied	Warning
EVID 4958 : Firewall Rule Not Applied	Sub Rule	Firewall Rule Not Applied	Warning
EVID 5027 : Firewall Service Policy Load Failed	Sub Rule	Firewall Service Failed To Load Local Policy	Warning
EVID 5028 : Firewall Service Policy Load Failed	Sub Rule	Firewall Service Failed To Load Local Policy	Warning
EVID 5032 : Firewall Notification Failed	Sub Rule	Firewall Notification Failed	Warning
EVID 5480 : IPSEC Network Interface List Failed	Sub Rule	IPSEC Network Interface List Failed	Warning

LogRhythm Default v2.0

Regex ID	Rule Name	Rule Type	Common Event	Classification
1011079	V 2.0 : Catch All	Base Rule	General Audit Message	Other Audit
	V 2.0 : EVID 4649 : Replay Attack Detected	Sub Rule	Replay Activity	Attack
	V 2.0 : EVID 4675 : SIDs Were Filtered	Sub Rule	SIDs Filtered	Other Audit
	V 2.0 : EVID 4765 : SID History Added To Account	Sub Rule	User Account Attribute Modified	Account Modified
	V 2.0 : EVID 4766 : SID History Add Failed	Sub Rule	Modify Object Attribute Failure	Access Failure
	V 2.0 : EVID 5378 : Credential Delegation Disallow	Sub Rule	Access Object Failure	Access Failure
	V 2.0 : EVID 4709 : IPSEC - Service Started	Sub Rule	Process/Service Started	Startup and Shutdown
	V 2.0 : EVID 4710 : IPSEC - Service Disabled	Sub Rule	Process/Service Stopped	Startup and Shutdown
	V 2.0 : EVID 4711 : PAStore - General Event	Sub Rule	General IPSEC Message	Information
	V 2.0 : EVID 4712 : IPSEC - Fatal Error Encounter	Sub Rule	General IPSec Critical	Critical
	V 2.0 : EVID 5040 : IPSEC - Auth. Set Added	Sub Rule	Configuration Loaded : Security	Configuration
	V 2.0 : EVID 5041 : IPSEC - Auth. Set Modified	Sub Rule	Configuration Modified : Security	Configuration
	V 2.0 : EVID 5042 : IPSEC - Auth. Set Deleted	Sub Rule	Configuration Deleted : Security	Configuration
	V 2.0 : EVID 5043 : IPSEC - Conn. Sec. Rule Added	Sub Rule	Configuration Loaded : Security	Configuration
	V 2.0 : EVID 5044 : IPSEC - Conn Sec Rule Modified	Sub Rule	Configuration Modified : Security	Configuration
	V 2.0 : EVID 5045 : IPSEC - Conn Sec Rule Deleted	Sub Rule	Configuration Deleted : Security	Configuration
	V 2.0 : EVID 5046 : IPSEC - Crypto Set Added	Sub Rule	Configuration Loaded : Security	Configuration
	V 2.0 : EVID 5047 : IPSEC - Crypto Set Modified	Sub Rule	Configuration Modified : Security	Configuration
	V 2.0 : EVID 5048 : IPSEC - Crypto Set Deleted	Sub Rule	Configuration Deleted : Security	Configuration
	V 2.0 : EVID 5440 : WFP - Callout Present At Start	Sub Rule	Filtering Platform Startup State	Information
	V 2.0 : EVID 5441 : WFP - Filter Present At Start	Sub Rule	Filtering Platform Startup State	Information
	V 2.0 : EVID 5442 : WFP - Prov. Present At Start	Sub Rule	Filtering Platform Startup State	Information
	V 2.0 : EVID 5443 : WFP - Prov. Cont Pres At Start	Sub Rule	Filtering Platform Startup State	Information
	V 2.0 : EVID 5444 : WFP - Sub-Layer Pres At Start	Sub Rule	Filtering Platform Startup State	Information
	V 2.0 : EVID 5446 : WFP - Callout Changed	Sub Rule	Configuration Modified : Security	Configuration
	V 2.0 : EVID 5449 : WFP - Prov. Context Changed	Sub Rule	Configuration Modified : Security	Configuration
	V 2.0 : EVID 5448 : WFP - Provider Changed	Sub Rule	Configuration Modified : Security	Configuration
	V 2.0 : EVID 5450 : WFP - Sub-layer Changed	Sub Rule	Configuration Modified : Security	Configuration
	V 2.0 : EVID 5456 : PAStore - AD IPSEC Policy Appl	Sub Rule	General IPSEC Message	Information
	V 2.0 : EVID 5457 : PAStore - AD IPSEC Policy Fail	Sub Rule	IPSEC Policy Application Failed	Other Audit Failure
	V 2.0 : EVID 5458 : PAStore-Cached AD IPSEC Policy	Sub Rule	General IPSEC Message	Information
	V 2.0 : EVID 5459 : PAStore-Cached AD IPSEC Policy	Sub Rule	General IPSec Error	Error
	V 2.0 : EVID 5460 : PAStore -Registry IPSEC Policy	Sub Rule	General IPSEC Message	Information
	V 2.0 : EVID 5461 : PAStore -Registry IPSEC Policy	Sub Rule	General IPSec Error	Error
	V 2.0 : EVID 5462 : PAStore - Fail To Apply IPSEC	Sub Rule	General IPSec Error	Error
	V 2.0 : EVID 5463 : PAStore- Poll For IPSEC Policy	Sub Rule	General IPSEC Message	Information
	V 2.0 : EVID 5464 : PAStore-Poll For IPSEC Policy	Sub Rule	General IPSEC Message	Information
	V 2.0 : EVID 5465 : PAStore-IPSEC Policy Forcibly	Sub Rule	General IPSEC Message	Information
	V 2.0 : EVID 5466 : PAStore-Unabled To Reach AD	Sub Rule	General IPSEC Message	Information
	V 2.0 : EVID 5467 : PAStore -Poll For IPSEC Policy	Sub Rule	General IPSEC Message	Information
	V 2.0 : EVID 5468 : PAStore-Poll For IPSEC Policy	Sub Rule	General IPSEC Message	Information
	V 2.0 : EVID 5471 : PAStore-Local IPSEC Policy Loa	Sub Rule	General IPSEC Message	Information
	V 2.0 : EVID 4772 : Kerberos TGT Request Failed	Sub Rule	Windows Audit Failure Event	Other Audit Failure
	V 2.0 : EVID 4773 : Kerberos TGS Request Failed	Sub Rule	Access Object Failure	Access Failure
	V 2.0 : EVID 4774 : Account Successfully Mapped	Sub Rule	Account Mapped For Logon	Other Audit Success
	V 2.0 : EVID 4774 : Account Failed To Be Mapped	Sub Rule	Account Logon Mapping Failed	Other Audit Failure
	V 2.0 : EVID 4775 : Account Could Not Be Mapped	Sub Rule	Account Logon Mapping Failed	Other Audit Failure
	V 2.0 : EVID 4777 : Domain Contrler Faild To Valid	Sub Rule	Windows Audit Failure Event	Other Audit Failure
	V 2.0 : EVID 4646 : IPSEC -DoS Prevention Mode Str	Sub Rule	General IPSEC Message	Information
	V 2.0 : EVID 4650 : IPSEC - Main Mode Security	Sub Rule	IPSEC Security Association Established	Network Traffic
	V 2.0 : EVID 4651 : IPSEC - Main Mode Security	Sub Rule	IPSEC Security Association Established	Network Traffic
	V 2.0 : EVID 4652 : IPSEC - Main Mode Negotiation	Sub Rule	IPSEC Negotiation Failed	Error
	V 2.0 : EVID 4653 : IPSEC - Main Mode Negotiation	Sub Rule	IPSEC Negotiation Failed	Error
	V 2.0 : EVID 4655 : IPSEC - Main Mode Security	Sub Rule	IPSEC Security Association Ended	Network Traffic
	V 2.0 : EVID 4960 : IPSEC - Inbound Pck Intrgty Fl	Sub Rule	Integrity Check Failed	Error
	V 2.0 : EVID 4961 : IPSEC - Inbound Packet Replay	Sub Rule	Integrity Check Failed	Error
	V 2.0 : EVID 4962 : IPSEC - Inbound Packet Replay	Sub Rule	Integrity Check Failed	Error
	V 2.0 : EVID 4963 : IPSEC - Inbound Packet In Clr	Sub Rule	General IPSec Warning	Warning
	V 2.0 : EVID 4965 : IPSEC Packet Received Invalid	Sub Rule	IPSEC Received Bad Packet	Error
	V 2.0 : EVID 4976 : IPSEC - Main Mode Invld Negt	Sub Rule	IPSEC Received Bad Packet	Error
	V 2.0 : EVID 4977 : IPSEC - Quick Mode Invld Negot	Sub Rule	IPSEC Received Bad Packet	Error
	V 2.0 : EVID 4978 : IPSEC - Extended Mode Invalid	Sub Rule	IPSEC Received Bad Packet	Error
	V 2.0 : EVID 4979 : IPSEC - Main And Extended Mode	Sub Rule	IPSEC Security Association Established	Network Traffic
	V 2.0 : EVID 4980 : IPSEC - Main And Extended Mode	Sub Rule	IPSEC Security Association Established	Network Traffic
V 2.0 : EVID 4981 : IPSEC - Main And Extended Mode	Sub Rule	IPSEC Security Association Established	Network Traffic
V 2.0 : EVID 5024 : Firewall - Service Started	Sub Rule	Process/Service Started	Startup and Shutdown
V 2.0 : EVID 5025 : Firewall - Service Stopped	Sub Rule	Process/Service Stopped	Startup and Shutdown
V 2.0 : EVID 5027 : Firewall-ServiceUnableToRetrie	Sub Rule	Firewall Service Failed To Load Local Policy	Warning
V 2.0 : EVID 5028 : Firewall-Service FailedToParse	Sub Rule	Firewall Service Failed To Load Local Policy	Warning
V 2.0 : EVID 5029 : Firewall-ServiceFailedToLoadDr	Sub Rule	Driver Failed To Load	Warning
V 2.0 : EVID 4982 : IPSEC - Main And Extended Mode	Sub Rule	IPSEC Security Association Established	Network Traffic
V 2.0 : EVID 5030 : Firewall-Service FailedToStart	Sub Rule	Firewall Service Failed To Start	Critical
V 2.0 : EVID 4983 : IPSEC - Extended Mode Negotion	Sub Rule	IPSEC Negotiation Failed	Error
V 2.0 : EVID 5032 : Firewall - Unable ToNotifyUser	Sub Rule	Firewall Notification Failed	Warning
V 2.0 : EVID 4984 : IPSEC - Extended Mode NegotFai	Sub Rule	IPSEC Negotiation Failed	Error
V 2.0 : EVID 5049 : IPSEC - Security Assoc Deleted	Sub Rule	Configuration Deleted : Security	Configuration
V 2.0 : EVID 5033 : Firewall - Driver StartedSucs	Sub Rule	Process/Service Started	Startup and Shutdown
V 2.0 : EVID 5451 : IPSEC - Quick Mode Security As	Sub Rule	IPSEC Security Association Established	Network Traffic
V 2.0 : EVID 5034 : Firewall - Driver Stopped	Sub Rule	Process/Service Stopped	Startup and Shutdown
V 2.0 : EVID 5452 : IPSEC - Quick Mode Security As	Sub Rule	IPSEC Security Association Ended	Network Traffic
V 2.0 : EVID 5035 : Firewall - DriverFailedToStart	Sub Rule	Firewall Driver Startup Failed	Critical
V 2.0 : EVID 5453 : IPSEC - Negotiation Failed Due	Sub Rule	IPSEC Negotiation Failed	Error
V 2.0 : EVID 5478 : IPSEC - Service Started	Sub Rule	Process/Service Started	Startup and Shutdown
V 2.0 : EVID 5037 : Firewall-DriverCriticalRuntime	Sub Rule	Firewall Driver Critical Condition	Critical
V 2.0 : EVID 5479 : IPSEC - Service Stopped	Sub Rule	Process/Service Stopped	Startup and Shutdown
V 2.0 : EVID 5480 : IPSEC - Failed To Obtain Netw	Sub Rule	IPSEC Network Interface List Failed	Warning
V 2.0 : EVID 5483 : IPSEC - Failed To Intlize RPC	Sub Rule	IPSEC Service Failed To Start	Error
V 2.0 : EVID 5484 : IPSEC - Critical Service Failu	Sub Rule	IPSEC Service Error Caused Shutdown	Critical
V 2.0 : EVID 5485 : IPSEC - Failed To Prcss Filter	Sub Rule	IPSEC Filter Processing Failed	Error
V 2.0 : EVID 6400 : BranchCache-IncorrectlyFrmated	Sub Rule	General Audit Message	Other Audit
V 2.0 : EVID 6401 : BranchCache-InvalidPeerDataRec	Sub Rule	General Audit Message	Other Audit
V 2.0 : EVID 6402 : BranchCache - IncorectlyFrmatd	Sub Rule	General Audit Message	Other Audit
V 2.0 : EVID 6403 : BranchCache - IncorectlyFrmatd	Sub Rule	General Audit Message	Other Audit
V 2.0 : EVID 6404 : BranchCache - UnablToAuth	Sub Rule	General Audit Message	Other Audit
V 2.0 : EVID 6405 : BranchCache - Mult EventsRecv	Sub Rule	General Audit Message	Other Audit
V 2.0 : EVID 6406 : BranchCache - Registration	Sub Rule	General Audit Message	Other Audit
V 2.0 : EVID 6407 : BranchCache - General Event	Sub Rule	General Audit Message	Other Audit
V 2.0 : EVID 6408 : BranchCache - Regt Wind Firewa	Sub Rule	General Audit Message	Other Audit
V 2.0 : EVID 6409 : BranchCache - Service Conn	Sub Rule	General Audit Message	Other Audit
V 2.0 : EVID 6145 : Sec Policy GPOs Fail To Apply	Sub Rule	Policy Failed	Error
V 2.0 : EVID 6144 : Security Policy GPOs Applied	Sub Rule	Policy Enabled : System	Policy
V 2.0 : EVID 5447 : WFP - Filter Changed	Sub Rule	Configuration Modified : Security	Configuration
V 2.0 : EVID 4906 : CrashOnAuditFail Value Changed	Sub Rule	Configuration Modified : System	Configuration
V 2.0 : EVID 4908 : Special Groups Logon Table Mod	Sub Rule	Configuration Modified : System	Configuration
V 2.0 : EVID 4909 : Local TBS Policy Settings Mod.	Sub Rule	Policy Modified : System	Policy
V 2.0 : EVID 4910 : Group TBS Policy Settings Modi	Sub Rule	Policy Modified : System	Policy
V 2.0 : EVID 4902 : Per-User Policy Table Created	Sub Rule	Policy Created : System	Policy
V 2.0 : EVID 4826 : Boot Configuration Data Loaded	Sub Rule	Configuration Loaded : System	Configuration
V 2.0 : EVID 4864 : Namespace Collision Detected	Sub Rule	Namespace Collision	Error
V 2.0 : EVID 4714 : Encrypted Data Rec Policy Mod	Sub Rule	Policy Modified : System	Policy
V 2.0 : EVID 4671 : Application Attempted Access	Sub Rule	Access Object Failure	Access Failure
V 2.0 : EVID 5148 : WFP - DoS Attack Detected	Sub Rule	Failed Network Denial Of Service	Failed Denial of Service
V 2.0 : EVID 5149 : WFP - DoS Attack Ended	Sub Rule	General Security	Other Security
V 2.0 : EVID 4608 : Windows Starting Up	Sub Rule	System Started	Startup and Shutdown
V 2.0 : EVID 4612 : Audit Queuing Resources Exhaus	Sub Rule	Audit Queuing Resources Exhausted	Warning
V 2.0 : EVID 4615 : Invalid LPC Port Use	Sub Rule	Unauthorized Activity	Misuse
V 2.0 : EVID 4618 : User-Defined Security Event	Sub Rule	General Event Log Information	Information
V 2.0 : EVID 4621 : Admin Recovrd Frm CrashOnAudi	Sub Rule	Crash On Audit Fail Recovered	Information
V 2.0 : EVID 4816 : RPC Message Integrity Violatio	Sub Rule	RPC Integrity Violation	Error
V 2.0 : EVID 5038 : Invalid Image Hash	Sub Rule	Integrity Check Failed	Error
V 2.0 : EVID 5056 : CNG - Crypto Self-Check Perf	Sub Rule	Cryptographic Self Test Performed	Information
V 2.0 : EVID 5062 : CNG - Kernel Crypto Self-Check	Sub Rule	Cryptographic Self Test Performed	Information
V 2.0 : EVID 5057 : CNG - Primitive Crypto Op Fail	Sub Rule	Cryptographic Failure	Error
V 2.0 : EVID 5060 : CNG - Crypto Verification Fail	Sub Rule	Cryptographic Failure	Error
V 2.0 : EVID 6281 : Invalid Page Hash In Image Fil	Sub Rule	Integrity Check Failed	Error
V 2.0 : EVID 6410 : File Failed Security Check	Sub Rule	Failed Suspicious Activity	Failed Suspicious
V 2.0 : EVID 5712 : RPC Attempted	Sub Rule	General Audit Message	Other Audit
V 2.0 : EVID 4944 : WFP - Policy Active And Window	Sub Rule	Active Firewall Policy On Start	Information
V 2.0 : EVID 4949 : WFP Settings Restored Default	Sub Rule	Configuration Modified : Security	Configuration
V 2.0 : EVID 4954 : WFP - Group Policy Settings	Sub Rule	Configuration Modified : Security	Configuration
V 2.0 : EVID 4783 : Basic Application Group Create	Sub Rule	Group Created	Account Created
V 2.0 : EVID 4784 : Basic Application Group Change	Sub Rule	Group Attribute Modified	Account Modified
V 2.0 : EVID 4785 : Member Add To Basic App Group	Sub Rule	Account Added To Group	Access Granted
V 2.0 : EVID 4786 : Member Remove From Basic App	Sub Rule	Account Removed From Group	Access Revoked
V 2.0 : EVID 4787 : Non-Member Add To Basic App	Sub Rule	Account Added To Group	Access Granted
V 2.0 : EVID 4788 : Non-Memb Remove From Basic App	Sub Rule	Account Removed From Group	Access Revoked
V 2.0 : EVID 4789 : Basic Application Group Delete	Sub Rule	Group Deleted	Account Deleted
V 2.0 : EVID 4790 : LDAP Query Group Created	Sub Rule	Group Created	Account Created
V 2.0 : EVID 4791 : LDAP Query Group Changed	Sub Rule	Group Attribute Modified	Account Modified
V 2.0 : EVID 4934 : AD Object Attributes Replicate	Sub Rule	AD Object Attributes Replicated	Information
V 2.0 : EVID 4935 : Replication Failure Begins	Sub Rule	AD Replication Failure Begins	Error
V 2.0 : EVID 4936 : Replication Failure Ends	Sub Rule	AD Replication Failure Ends	Error
V 2.0 : EVID 4937 : Lingering Obj Removed Frm ADRe	Sub Rule	Object Deleted/Removed	Access Success
V 2.0 : EVID 4792 : LDAP Query Group Deleted	Sub Rule	Group Deleted	Account Deleted
V 2.0 : EVID 4664 : File Hard Link Created	Sub Rule	Object Created	Access Success
V 2.0 : EVID 4690 : Object Handle Duplicated	Sub Rule	Object Created	Access Success
V 2.0 : EVID 5039 : Registry Key Virtualized	Sub Rule	Registry Key Virtualized	Other Audit Success
V 2.0 : EVID 5051 : File Virtualized	Sub Rule	File Virtualized	Other Audit Success
V 2.0 : EVID 5168 : SPN Check For SMB Failed	Sub Rule	Access Object Failure	Access Failure
V 2.0 : EVID 6275 : NPS - Accounting Request Disca	Sub Rule	Bad Request	Warning
V 2.0 : EVID 6276 : NPS - User Quarantined	Sub Rule	Network Policy Server Quarantined User	Other Audit
V 2.0 : EVID 6277 : NPS - Access Granted User	Sub Rule	Access Granted Activity	Access Granted
V 2.0 : EVID 6279 : NPS - User Account Locked	Sub Rule	Account Locked	Access Revoked
V 2.0 : EVID 6280 : NPS - User Account Unlocked	Sub Rule	Account Unlocked	Access Granted
V 2.0 : EVID 4626 : User/Device Claims Information	Sub Rule	User Information	Information
V 2.0 : EVID 4666 : AM - App Attempted Operation	Sub Rule	General Application Information	Information
V 2.0 : EVID 4665 : AM - App Client Context Create	Sub Rule	General Application Information	Information
V 2.0 : EVID 4667 : AM - App Client Context Delete	Sub Rule	General Application Information	Information
V 2.0 : EVID 4668 : AM - Application Initialized	Sub Rule	General Application Information	Information
V 2.0 : EVID 4985 : Transaction State Change	Sub Rule	General Transaction Information	Information
V 2.0 : EVID 1101 : Audit Events Dropped	Sub Rule	Message Dropped	Error
V 2.0 : EVID 4609 : Windows Shutting Down	Sub Rule	System Shutting Down	Startup and Shutdown
V 2.0 : EVID 4654 : Quick Mode Negotiation Failed	Sub Rule	IPSEC Negotiation Failed	Error
V 2.0 : EVID 4797 : Blank Passwords Queried	Sub Rule	General Audit Message	Other Audit
V 2.0 : EVID 4820 : TGT Denied - ACL	Sub Rule	User Logon Failure	Authentication Failure
V 2.0 : EVID 4821 : TGS Denied - ACL	Sub Rule	Access Object Failure	Access Failure
V 2.0 : EVID 4822 : NTLM Auth Denied	Sub Rule	User Logon Failure	Authentication Failure
V 2.0 : EVID 4823 : NTLM Auth Denied	Sub Rule	User Logon Failure	Authentication Failure
V 2.0 : EVID 4824 : Kerberos Pre-Auth Failed	Sub Rule	User Logon Failure	Authentication Failure
V 2.0 : EVID 4825 : RDP Access Denied	Sub Rule	User Logon Failure	Authentication Failure
V 2.0 : EVID 4830 : SID History Removed From Accou	Sub Rule	User Account Attribute Modified	Account Modified
V 2.0 : EVID 4899 : Certificate Template Updated	Sub Rule	Object Modified	Access Success
V 2.0 : EVID 4900 : Certificate Template Sec Updat	Sub Rule	Object Attribute Modified	Access Success
V 2.0 : EVID 5150 : Firewall - Disable Attempt	Sub Rule	Suspicious Activity	Suspicious
V 2.0 : EVID 5071 : Key Access Denied	Sub Rule	Access Object Failure	Access Failure
V 2.0 : EVID 5146 : WFP - Packed Blocked	Sub Rule	Traffic Denied by Host Firewall	Network Deny
V 2.0 : EVID 5147 : WFP - Packed Blocked	Sub Rule	Traffic Denied by Host Firewall	Network Deny
V 2.0 : EVID 5151 : File Virtualized	Sub Rule	File Virtualized	Other Audit Success
V 2.0 : EVID 5170 : AD Object Modified	Sub Rule	Object Modified	Access Success
V 2.0 : EVID 5472 : PAStore - Local IPSEC Policy F	Sub Rule	General IPSec Error	Error
V 2.0 : EVID 5473 : PAStore - Directory Storage IP	Sub Rule	General IPSEC Message	Information
V 2.0 : EVID 5477 : PAStore - Failed To Add Quick	Sub Rule	General IPSEC Message	Information
V 2.0 : EVID 6278 : NPS - Full Access Granted To U	Sub Rule	Access Granted Activity	Access Granted
V 2.0 : EVID 6417 : FIPS Selftest Passed	Sub Rule	Cryptographic Self Test Performed	Information
V 2.0 : EVID 6418 : FIPS Selftest Failed	Sub Rule	Cryptographic Failure	Error
V 2.0 : EVID 4868 : CS - Certificate Manager Denie	Sub Rule	Certificate Manager Denied Pending Cert Request	Warning
V 2.0 : EVID 4869 : CS - Received Resubmitted Cert	Sub Rule	Certificate Services Rcvd Resubmitted Cert Request	Other Audit
V 2.0 : EVID 4870 : CS - Certificate Revoked	Sub Rule	Certificate Services Rcvd Resubmitted Cert Request	Other Audit
V 2.0 : EVID 4871 : CS - CRL Publication Request R	Sub Rule	Certificate Svcs Received Request To Publish CRL	Information
V 2.0 : EVID 4872 : CS - CRL Published	Sub Rule	Certificate Services Published CRL	Information
V 2.0 : EVID 4873 : CS - Certificate Request Extn	Sub Rule	Certificate Request Extension Changed	Information
V 2.0 : EVID 4874 : CS - Certificate Request Chang	Sub Rule	Certificate Request Attributes Changed	Information
V 2.0 : EVID 4875 : CS - Shutdown Request Received	Sub Rule	Process/Service Startup Or Shutdown Activity	Startup and Shutdown
V 2.0 : EVID 4876 : CS - Backup Started	Sub Rule	Backup Active	Information
V 2.0 : EVID 4877 : CS - Backup Complete	Sub Rule	Backup Completed	Information
V 2.0 : EVID 4878 : CS - Restore Started	Sub Rule	Backup Restored	Information
V 2.0 : EVID 4879 : CS - Restore Completed	Sub Rule	Backup Restored	Information
V 2.0 : EVID 4880 : CS - Services Started	Sub Rule	Process/Service Started	Startup and Shutdown
V 2.0 : EVID 4881 : CS - Services Stopped	Sub Rule	Process/Service Stopped	Startup and Shutdown
V 2.0 : EVID 4882 : CS -Security Permissions Modif	Sub Rule	Configuration Modified : Application	Configuration
V 2.0 : EVID 4883 : CS - Archived Key Retrieved	Sub Rule	Certificate Services Retrieved Archived Key	Information
V 2.0 : EVID 4884 : CS - Certificate Imported	Sub Rule	Certificate Services Imported Certificate	Information
V 2.0 : EVID 4885 : CS - Audit Filter Modified	Sub Rule	Configuration Modified : Application	Configuration
V 2.0 : EVID 4886 : CS - Certificate Request Rcvd	Sub Rule	Certificate Services Received Certificate Request	Other Audit Success
V 2.0 : EVID 4887 : CS - Certificate Issued	Sub Rule	Certificate Services Issued Certificate	Information
V 2.0 : EVID 4888 : CS - Certificate Request Denie	Sub Rule	Certificate Services Denied Certificate Request	Warning
V 2.0 : EVID 4889 : CS - Certificate Request Statu	Sub Rule	Certificate Services Set Cert Status To Pending	Information
V 2.0 : EVID 4890 : CS - Certificate Manager Setti	Sub Rule	Configuration Modified : Application	Configuration
V 2.0 : EVID 4891 : CS - Configuration Entry Modif	Sub Rule	Configuration Modified : Application	Configuration
V 2.0 : EVID 4892 : CS - Property Modified	Sub Rule	Configuration Modified : Application	Configuration
V 2.0 : EVID 4893 : CS - Key Archived	Sub Rule	Certificate Services Archived A Key	Information
V 2.0 : EVID 4894 : CS - Key Imported And Archived	Sub Rule	Certificate Services Imported And Archived Key	Information
V 2.0 : EVID 4895 : CS -ADDS CA Certificate Publis	Sub Rule	Certificate Services Published CA Certificate	Information
V 2.0 : EVID 4896 : CS - Rows Deleted From Databas	Sub Rule	Certificate Services Database Rows Deleted	Information
V 2.0 : EVID 4897 : CS - Role Separation Enabled	Sub Rule	Configuration Modified : Application	Configuration
V 2.0 : EVID 4898 : CS - Template Loaded	Sub Rule	Certificate Services Loaded Template	Information
V 2.0 : EVID 5120 : CS - OCSP Responder Started	Sub Rule	Process/Service Started	Startup and Shutdown
V 2.0 : EVID 5121 : CS - OCSP Responder Stopped	Sub Rule	Process/Service Stopped	Startup and Shutdown
V 2.0 : EVID 5122 : CS - OCSP Config Changed	Sub Rule	Configuration Modified : Application	Configuration
V 2.0 : EVID 4649 : Replay Attack Detected	Sub Rule	Replay Activity	Attack
V 2.0 : EVID 5123 : CS - OCSP Config Changed	Sub Rule	Configuration Modified : Application	Configuration
V 2.0 : EVID 5124 : CS - OCSP Security Changed	Sub Rule	Configuration Modified : Application	Configuration
V 2.0 : EVID 5125 : CS - OCSP Request	Sub Rule	Request Received	Other Audit Success
V 2.0 : EVID 5126 : CS - OCSP Signer Updated	Sub Rule	Configuration Modified : Application	Configuration
V 2.0 : EVID 5127 : CS - OCSP Provider Updated	Sub Rule	Configuration Modified : Application	Configuration