Event Details
|
Event Type |
Multiple |
|---|---|
|
Event Description |
Catch all rule to handle Windows Security Events. |
|
Event ID |
Multiple |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|
|---|---|---|---|
|
Provider |
N/A |
N/A |
|
|
EventID |
<vmid> |
<vmid> |
|
|
Version |
N/A |
N/A |
|
|
Level |
N/A |
<severity> |
|
|
Task |
N/A |
<vendorinfo> |
|
|
Opcode |
N/A |
N/A |
|
|
Keywords |
<tag1> |
<result>, <tag2> |
|
|
TimeCreated |
N/A |
N/A |
|
|
EventRecordID |
N/A |
N/A |
|
|
Correlation |
N/A |
N/A |
|
|
Execution |
N/A |
N/A |
|
|
Channel |
N/A |
N/A |
|
|
Computer |
<dname> |
<dname> |
|
|
Error Code |
N/A |
<responsecode> |
|
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1006507 |
Catch All : Level 3 |
Base Rule |
General Audit |
Other Audit Success |
|
EVID 4609 : System Shutdown |
Sub Rule |
System Shutdown |
Startup and Shutdown |
|
|
EVID 4610 : Authentication Package Loaded |
Sub Rule |
Object Initialized |
Access Success |
|
|
EVID 4611 : Trusted Logon Process Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
EVID 4614 : Auth Package Loaded By SAM |
Sub Rule |
Auth Package Loaded By SAM |
Other Audit Success |
|
|
EVID 4637 : General Audit |
Sub Rule |
General Audit |
Other Audit Success |
|
|
EVID 4638 : General Audit |
Sub Rule |
General Audit |
Other Audit Success |
|
|
EVID 4639 : General Audit |
Sub Rule |
General Audit |
Other Audit Success |
|
|
EVID 4640 : General Audit Failure |
Sub Rule |
General Audit Failure |
Error |
|
|
EVID 4641 : General Audit Failure |
Sub Rule |
General Audit Failure |
Error |
|
|
EVID 4642 : General Audit Failure |
Sub Rule |
General Audit Failure |
Error |
|
|
EVID 4643 : General Audit Failure |
Sub Rule |
General Audit Failure |
Error |
|
|
EVID 4657 : Handle Allocated |
Sub Rule |
Handle Allocated |
Information |
|
|
EVID 4658 : Handle Closed |
Sub Rule |
Handle Closed |
Information |
|
|
EVID 4660 : Object Deleted |
Sub Rule |
Object Deleted/Removed |
Access Success |
|
|
EVID 4690 : Handle Duplicated |
Sub Rule |
Handle Duplicated |
Information |
|
|
EVID 4709 : IPSec Policy Agent Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
EVID 4710 : IPSec Policy Agent Stopped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
General : Audit Success |
Sub Rule |
General Audit |
Other Audit Success |
|
|
General : Audit Failure |
Sub Rule |
General Audit Failure |
Error |
|
|
EVID 4931 : Directory Services Access |
Sub Rule |
Object Accessed |
Access Success |
|
|
EVID 4932 : Directory Services Access |
Sub Rule |
Object Accessed |
Access Success |
|
|
EVID 4933 : Directory Services Access |
Sub Rule |
Object Accessed |
Access Success |
|
|
EVID 4616 : System Time Changed |
Sub Rule |
Configuration Modified : System |
Configuration |
|
|
EVID 4663 : General Access Attempt |
Sub Rule |
Object Accessed |
Access Success |
|
|
EVID 4902 : Per User Audit Policy Refreshed |
Sub Rule |
Policy Modified : Auditing |
Policy |
|
|
EVID 4903 : Per User Audit Policy Set |
Sub Rule |
Policy Enabled : Auditing |
Policy |
|
|
EVID 4608 : System Started |
Sub Rule |
System Started |
Startup and Shutdown |
|
|
EVID 1100 : Logging Service Shut Down |
Sub Rule |
Process/Service Stopping |
Startup and Shutdown |
|
|
EVID 1102 : Audit Log Cleared |
Sub Rule |
Log Cleared |
Access Success |
|
|
EVID 4671 : App Blocked Ordinal Access Attempt |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
EVID 5060 : Verification Operation Failed |
Sub Rule |
Command Execution Failure |
Access Failure |
|
|
EVID 6273 : Network Policy Server Denied Access |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
EVID 4704 : User Right Assigned |
Sub Rule |
Privilege Granted |
Access Granted |
|
|
EVID 4717 : Sys Sec Access Granted |
Sub Rule |
Access Granted Activity |
Access Granted |
|
|
EVID 4728 : User Added Glbl Security Grp |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
EVID 4732 : User Added To Local Sec Grp |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
EVID 4746 : User Added Local Dstr Group |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
EVID 4751 : User Added Global Dstr Grp |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
EVID 4756 : User Added To Univ Sec Grp |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
EVID 4761 : User Added To Univ Dstr Grp |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
EVID 4785 : User Added To Basic App Group |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
EVID 4787 : Non-Member Added Basic App Group |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
EVID 4887 : Cert Svcs Issued Certificate |
Sub Rule |
Certificate Services Issued Certificate |
Information |
|
|
EVID 4705 : User Right Removed |
Sub Rule |
User Account Attribute Modified |
Account Modified |
|
|
EVID 4718 : Sys Sec Access Removed |
Sub Rule |
Access Revoked Activity |
Access Revoked |
|
|
EVID 4729 : User Removed Glbl Security Group |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
EVID 4733 : User Removed From Local Sec Grp |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
EVID 4747 : User Removed From Local Dstr Grp |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
EVID 4752 : User Removed From Global Dstr Grp |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
EVID 4757 : User Removed From Univ Sec Grp |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
EVID 4762 : User Removed From Univ Dstr Grp |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
EVID 4786 : User Removed From Basic App Group |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
EVID 4788 : Non-Member Removed Basic App Group |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
EVID 4870 : Cert Svcs Revoked Certificate |
Sub Rule |
Access Revoked Activity |
Access Revoked |
|
|
EVID 4656 : Object Opened |
Sub Rule |
Object Read |
Access Success |
|
|
EVID 4656 : Object Open Failed |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
EVID 4657 : Registry Value Modification Failed |
Sub Rule |
Modify Object Failure |
Access Failure |
|
|
EVID 4659 : Object Opened For Delete |
Sub Rule |
Object Deleted/Removed |
Access Success |
|
|
EVID 4660 : Object Delete Failed |
Sub Rule |
Delete/Remove Object Failure |
Access Failure |
|
|
EVID 4662 : Object Operation |
Sub Rule |
Object Operation |
Other Audit Success |
|
|
EVID 4662 : Failed Object Operation |
Sub Rule |
Failed Object Operation |
Error |
|
|
EVID 4664 : Hard Link Creation Attempt |
Sub Rule |
Hard Link Creation Attempt |
Other Audit Success |
|
|
EVID 4666 : Application Operation |
Sub Rule |
Application Operation |
Other Audit Success |
|
|
EVID 4666 : Application Operation Failed |
Sub Rule |
Command Execution Failure |
Access Failure |
|
|
EVID 4668 : Application Initialized |
Sub Rule |
Object Initialized |
Access Success |
|
|
EVID 4668 : Application Initialization Failed |
Sub Rule |
Application Initialization Failed |
Critical |
|
|
EVID 4673 : Privileged Service Called |
Sub Rule |
Object Accessed |
Access Success |
|
|
EVID 4674 : Privileged Object Operation |
Sub Rule |
Object Accessed |
Access Success |
|
|
EVID 4691 : Indirect Object Access |
Sub Rule |
Object Accessed |
Access Success |
|
|
EVID 4692 : Data Protection Master Key Backed Up |
Sub Rule |
Data Protection Master Key Backup Attempt |
Other Audit Success |
|
|
EVID 4693 : Data Protection Master Key Recovered |
Sub Rule |
Data Protection Master Key Recovered |
Other Audit Success |
|
|
EVID 4694 : Auditable Protected Data Protected |
Sub Rule |
Auditable Protected Data Protected |
Other Audit Success |
|
|
EVID 4695 : Auditable Protected Data Unprotected |
Sub Rule |
Auditable Protected Data Unprotected |
Other Audit Success |
|
|
EVID 4782 : Password Hash Accessed |
Sub Rule |
Object Accessed |
Access Success |
|
|
EVID 5039 : Registry Key Virtualized |
Sub Rule |
Registry Key Virtualized |
Other Audit Success |
|
|
EVID 5051 : File Virtualized |
Sub Rule |
File Virtualized |
Other Audit Success |
|
|
EVID 5058 : Key File Operation |
Sub Rule |
Key File Operation |
Other Audit Success |
|
|
EVID 5059 : Key Migration Operation |
Sub Rule |
Key Migration Operation |
Other Audit Success |
|
|
EVID 5061 : Cryptographic Operation |
Sub Rule |
Cryptographic Operation |
Other Audit Success |
|
|
EVID 5136 : Directory Service Object Modified |
Sub Rule |
Object Modified |
Access Success |
|
|
EVID 5137 : Directory Service Object Created |
Sub Rule |
Object Created |
Access Success |
|
|
EVID 5138 : Directory Service Object Restored |
Sub Rule |
Directory Service Object Restored |
Other Audit Success |
|
|
EVID 5139 : Directory Service Object Moved |
Sub Rule |
Object Moved |
Access Success |
|
|
EVID 5140 : Network Share Object Accessed |
Sub Rule |
Object Accessed |
Access Success |
|
|
EVID 5141 : Directory Service Object Deleted |
Sub Rule |
Object Deleted/Removed |
Access Success |
|
|
EVID 5888 : COM+ Object Modified |
Sub Rule |
Object Modified |
Access Success |
|
|
EVID 5889 : COM+ Object Deleted |
Sub Rule |
Object Deleted/Removed |
Access Success |
|
|
EVID 5890 : COM+ Object Added |
Sub Rule |
Object Added |
Access Success |
|
|
EVID 6272 : Network Policy Server Granted Access |
Sub Rule |
Access Granted Activity |
Access Granted |
|
|
EVID 6277 : Network Policy Server Granted Access |
Sub Rule |
Access Granted Activity |
Access Granted |
|
|
EVID 6278 : Network Policy Server Granted Access |
Sub Rule |
Access Granted Activity |
Access Granted |
|
|
EVID 4720 : User Account Created |
Sub Rule |
User Account Created |
Account Created |
|
|
EVID 4727 : Global Security Group Created |
Sub Rule |
Group Created |
Account Created |
|
|
EVID 4731 : Local Security Group Created |
Sub Rule |
Group Created |
Account Created |
|
|
EVID 4741 : Computer Account Created |
Sub Rule |
Computer Account Created |
Account Created |
|
|
EVID 4744 : Local Dstr Grp Created |
Sub Rule |
Group Created |
Account Created |
|
|
EVID 4749 : Global Dstr Grp Created |
Sub Rule |
Group Created |
Account Created |
|
|
EVID 4754 : Universal Sec Grp Created |
Sub Rule |
Group Created |
Account Created |
|
|
EVID 4759 : Universal Dstr Grp Created |
Sub Rule |
Group Created |
Account Created |
|
|
EVID 4783 : Basic App Group Created |
Sub Rule |
Group Created |
Account Created |
|
|
EVID 4790 : LDAP Query Group Created |
Sub Rule |
Group Created |
Account Created |
|
|
EVID 4726 : User Account Deleted |
Sub Rule |
User Account Deleted |
Account Deleted |
|
|
EVID 4730 : Global Security Group Deleted |
Sub Rule |
Group Deleted |
Account Deleted |
|
|
EVID 4734 : Local Security Group Deleted |
Sub Rule |
Group Deleted |
Account Deleted |
|
|
EVID 4743 : Computer Account Deleted |
Sub Rule |
Computer Account Deleted |
Account Deleted |
|
|
EVID 4748 : Local Dstr Grp Deleted |
Sub Rule |
Group Deleted |
Account Deleted |
|
|
EVID 4753 : Global Dstr Grp Deleted |
Sub Rule |
Group Deleted |
Account Deleted |
|
|
EVID 4758 : Universal Sec Grp Deleted |
Sub Rule |
Group Deleted |
Account Deleted |
|
|
EVID 4763 : Universal Dstr Grp Deleted |
Sub Rule |
Group Deleted |
Account Deleted |
|
|
EVID 4789 : Basic App Group Deleted |
Sub Rule |
Group Deleted |
Account Deleted |
|
|
EVID 4792 : LDAP Query Group Deleted |
Sub Rule |
Group Deleted |
Account Deleted |
|
|
EVID 4722 : User Account Enabled |
Sub Rule |
Account Enabled |
Access Granted |
|
|
EVID 4723 : Password Change Attempted |
Sub Rule |
Password Modified |
Account Modified |
|
|
EVID 4724 : Password Reset |
Sub Rule |
Password Modified |
Account Modified |
|
|
EVID 4725 : User Account Disabled |
Sub Rule |
Account Disabled |
Access Revoked |
|
|
EVID 4735 : Local Security Group Changed |
Sub Rule |
Group Attribute Modified |
Account Modified |
|
|
EVID 4737 : Global Security Group Changed |
Sub Rule |
Group Attribute Modified |
Account Modified |
|
|
EVID 4738 : User Account Changed |
Sub Rule |
User Account Attribute Modified |
Account Modified |
|
|
EVID 4740 : User Account Locked Out |
Sub Rule |
Account Locked |
Access Revoked |
|
|
EVID 4742 : Computer Account Changed |
Sub Rule |
Computer Account Attribute Modified |
Account Modified |
|
|
EVID 4745 : Local Dstr Grp Changed |
Sub Rule |
Group Attribute Modified |
Account Modified |
|
|
EVID 4750 : Global Dstr Grp Changed |
Sub Rule |
Group Attribute Modified |
Account Modified |
|
|
EVID 4755 : Universal Sec Grp Changed |
Sub Rule |
Group Attribute Modified |
Account Modified |
|
|
EVID 4760 : Universal Dstr Grp Changed |
Sub Rule |
Group Attribute Modified |
Account Modified |
|
|
EVID 4764 : Group Type Changed |
Sub Rule |
Group Attribute Modified |
Account Modified |
|
|
EVID 4767 : User Account Unlocked |
Sub Rule |
Account Unlocked |
Access Granted |
|
|
EVID 4781 : Account Name Change |
Sub Rule |
User Account Name Modified |
Account Modified |
|
|
EVID 4784 : Basic App Group Changed |
Sub Rule |
Group Attribute Modified |
Account Modified |
|
|
EVID 4791 : Basic App Group Changed |
Sub Rule |
Group Attribute Modified |
Account Modified |
|
|
EVID 6279 : User Account Locked Out |
Sub Rule |
Account Locked |
Access Revoked |
|
|
EVID 6280 : User Account Unlocked |
Sub Rule |
Account Unlocked |
Access Granted |
|
|
EVID 4649 : Replay Attack |
Sub Rule |
General Attack Activity |
Attack |
|
|
EVID 4625 : Authentication Failure |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 4771 : Failed Pre-Authentication |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 4772 : Kerberos Ticket Request Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 4773 : Kerberos Service Ticket Request Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 4624 : Authentication |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4634 : Logoff |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 4647 : Logoff |
Sub Rule |
User Logoff |
Authentication Success |
|
|
EVID 4648 : Logon Using Explicit Credentials |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4622 : Security Package Loaded By SAM |
Sub Rule |
Configuration Loaded : Security |
Configuration |
|
|
EVID 4665 : Application - Client Context Created |
Sub Rule |
Configuration Enabled : Application |
Configuration |
|
|
EVID 4667 : Application - Client Context Deleted |
Sub Rule |
Configuration Deleted : Application |
Configuration |
|
|
EVID 4697 : Service Installed |
Sub Rule |
Software Installed |
Configuration |
|
|
EVID 4698 : Scheduled Task Created |
Sub Rule |
Configuration Enabled : System |
Configuration |
|
|
EVID 4699 : Scheduled Task Deleted |
Sub Rule |
Configuration Deleted : System |
Configuration |
|
|
EVID 4700 : Scheduled Task Enabled |
Sub Rule |
Configuration Enabled : System |
Configuration |
|
|
EVID 4701 : Scheduled Task Disabled |
Sub Rule |
Configuration Disabled : System |
Configuration |
|
|
EVID 4702 : Scheduled Task Updated |
Sub Rule |
Configuration Enabled : System |
Configuration |
|
|
EVID 4794 : DS Restore Mode Admin Password Set |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
EVID 4890 : Cert Svcs Settings Changed |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
EVID 4891 : Cert Svcs Config Entry Changed |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
EVID 4892 : Cert Svcs Property Changed |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
EVID 4904 : Sec Event Source Registered |
Sub Rule |
Configuration Enabled : Security |
Configuration |
|
|
EVID 4905 : Sec Event Source Un-Registered |
Sub Rule |
Configuration Disabled : Security |
Configuration |
|
|
EVID 4908 : Special Groups Logon Table Modified |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
EVID 4928 : AD Replica Src Naming Context Estab |
Sub Rule |
Configuration Loaded : Directory Services |
Configuration |
|
|
EVID 4929 : AD Replica Src Naming Context Removed |
Sub Rule |
Configuration Deleted : Directory Services |
Configuration |
|
|
EVID 4930 : AD Replica Src Naming Context Modified |
Sub Rule |
Configuration Modified : Directory Services |
Configuration |
|
|
EVID 4934 : AD Object Attributes Replicated |
Sub Rule |
AD Object Attributes Replicated |
Information |
|
|
EVID 4937 : Lingering Object Removed From Replica |
Sub Rule |
Configuration Deleted : System |
Configuration |
|
|
EVID 4946 : Firewall Exception Rule Added |
Sub Rule |
Configuration Loaded : Network Access |
Configuration |
|
|
EVID 4947 : Firewall Exception Rule Modified |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
EVID 4948 : Firewall Exception Rule Deleted |
Sub Rule |
Configuration Deleted : Security |
Configuration |
|
|
EVID 4949 : Firewall Settings Restored To Default |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
EVID 4950 : Firewall Settings Changed |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
EVID 4956 : Firewall Changed Active Profile |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
EVID 4979 : IPSEC Security Mode Assoc Established |
Sub Rule |
Trust Relationship Established |
Access Granted |
|
|
EVID 4980 : IPSEC Security Mode Assoc Established |
Sub Rule |
Trust Relationship Established |
Access Granted |
|
|
EVID 4981 : IPSEC Security Mode Assoc Established |
Sub Rule |
Trust Relationship Established |
Access Granted |
|
|
EVID 4982 : IPSEC Security Mode Assoc Established |
Sub Rule |
Trust Relationship Established |
Access Granted |
|
|
EVID 5040 : IPSEC Authentication Set Added |
Sub Rule |
Configuration Loaded : Security |
Configuration |
|
|
EVID 5041 : IPSEC Authentication Set Modified |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
EVID 5042 : IPSEC Authentication Set Deleted |
Sub Rule |
Configuration Deleted : Security |
Configuration |
|
|
EVID 5043 : IPSEC Connection Security Rule Added |
Sub Rule |
Configuration Loaded : Security |
Configuration |
|
|
EVID 5044 : IPSEC Conn Security Rule Modified |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
EVID 5045 : IPSEC Connection Security Rule Deleted |
Sub Rule |
Configuration Deleted : Security |
Configuration |
|
|
EVID 5046 : IPSEC Crypto Set Added |
Sub Rule |
Configuration Loaded : Security |
Configuration |
|
|
EVID 5047 : IPSEC Crypto Set Modified |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
EVID 5048 : IPSEC Crypto Set Deleted |
Sub Rule |
Configuration Deleted : Security |
Configuration |
|
|
EVID 5049 : IPSEC Security Association Deleted |
Sub Rule |
Configuration Deleted : Security |
Configuration |
|
|
EVID 5065 : Cryptographic Context Mod Attempted |
Sub Rule |
Cryptographic Context Modification Attempted |
Warning |
|
|
EVID 5067 : Cryptographic Function Mod Attempted |
Sub Rule |
Cryptographic Function Modification Attempted |
Warning |
|
|
EVID 5070 : Cryptographic Funct Prop Mod Attempted |
Sub Rule |
Cryptographic Function Property Mod Attempt |
Warning |
|
|
EVID 5122 : OCSP Responder Configuration Changed |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
EVID 5123 : OCSP Responder Configuration Changed |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
EVID 5124 : OCSP Responder Sec Setting Updated |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
EVID 5126 : OCSP Updated Signing Certificate |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
EVID 5127 : OCSP Revoc Provider Updated Revoc Info |
Sub Rule |
OCSP Revocation Provider Updated Revocation Info |
Information |
|
|
EVID 5446 : Filtering Platform Callout Changed |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
EVID 5447 : Filtering Platform Filter Changed |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
EVID 5448 : Filtering Platform Provider Changed |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
EVID 5449 : Filtering Platform Prov Context Change |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
EVID 5450 : Filtering Platform Sub-Layer Changed |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
EVID 5029 : Firewall Driver Init Failed |
Sub Rule |
Firewall Driver Init Failed |
Critical |
|
|
EVID 5030 : Firewall Service Failed To Start |
Sub Rule |
Firewall Service Failed To Start |
Critical |
|
|
EVID 5035 : Firewall Driver Startup Failed |
Sub Rule |
Firewall Driver Startup Failed |
Critical |
|
|
EVID 5037 : Firewall Driver Critical Condition |
Sub Rule |
Firewall Driver Critical Condition |
Critical |
|
|
EVID 5038 : Possible Disk Error |
Sub Rule |
Computed Hash Match Failure |
Error |
|
|
EVID 5484 : IPSEC Service Error Caused Shutdown |
Sub Rule |
IPSEC Service Error Caused Shutdown |
Critical |
|
|
EVID 4712 : IPSEC Service Failure |
Sub Rule |
IPSEC Service Serious Failure |
Error |
|
|
EVID 4816 : RPC Integrity Violation |
Sub Rule |
RPC Integrity Violation |
Error |
|
|
EVID 4864 : Namespace Collision |
Sub Rule |
Namespace Collision |
Error |
|
|
EVID 4935 : AD Replication Failure Begins |
Sub Rule |
AD Replication Failure Begins |
Error |
|
|
EVID 4936 : AD Replication Failure Ends |
Sub Rule |
AD Replication Failure Ends |
Error |
|
|
EVID 4965 : IPSEC Received Bad Packet |
Sub Rule |
IPSEC Received Bad Packet |
Error |
|
|
EVID 5050 : Programmatic Firewall Disable Attempt |
Sub Rule |
Programmatic Firewall Disable Attempted |
Error |
|
|
EVID 5057 : Cryptographic Self Test Failed |
Sub Rule |
Cryptographic Self Test Failed |
Error |
|
|
EVID 5477 : Failed To Load Quick Mode Filter |
Sub Rule |
Failed To Load Quick Mode Filter |
Error |
|
|
EVID 5483 : IPSEC Service Failed To Start |
Sub Rule |
IPSEC Service Failed To Start |
Error |
|
|
EVID 5485 : IPSEC Filter Processing Failed |
Sub Rule |
IPSEC Filter Processing Failed |
Error |
|
|
EVID 6145 : GPO Security Policy Application Error |
Sub Rule |
GPO Security Policy Application Error |
Error |
|
|
EVID 4621 : Recovered From Crash On Audit Fail |
Sub Rule |
Crash On Audit Fail Recovered |
Information |
|
|
EVID 4793 : Password Policy Checker API Called |
Sub Rule |
Policy Modified : Object |
Policy |
|
|
EVID 4802 : Screen Saver Invoked |
Sub Rule |
Screen Saver Invoked |
Information |
|
|
EVID 4803 : Screen Saver Dismissed |
Sub Rule |
Screen Saver Dismissed |
Information |
|
|
EVID 4871 : Cert Svcs Request CRL |
Sub Rule |
Certificate Svcs Received Request To Publish CRL |
Information |
|
|
EVID 4872 : Cert Svcs Published CRL |
Sub Rule |
Certificate Services Published CRL |
Information |
|
|
EVID 4873 : Certificate Request Extension Changed |
Sub Rule |
Certificate Request Extension Changed |
Information |
|
|
EVID 4874 : Certificate Request Attributes Changed |
Sub Rule |
Certificate Request Attributes Changed |
Information |
|
|
EVID 4876 : Cert Svcs Backup Started |
Sub Rule |
Certificate Services Backup Started |
Information |
|
|
EVID 4877 : Cert Svcs Backup Complete |
Sub Rule |
Certificate Services Backup Completed |
Information |
|
|
EVID 4878 : Cert Svcs Restore Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
EVID 4879 : Cert Svcs Restore Completed |
Sub Rule |
Certificate Services Restore Completed |
Information |
|
|
EVID 4883 : Cert Svcs Retrieved Archived Key |
Sub Rule |
Certificate Services Retrieved Archived Key |
Information |
|
|
EVID 4884 : Cert Svcs Imported Certificate |
Sub Rule |
Certificate Services Imported Certificate |
Information |
|
|
EVID 4889 : Cert Svcs Cert Status To Pending |
Sub Rule |
Certificate Services Set Cert Status To Pending |
Information |
|
|
EVID 4893 : Cert Svcs Archived A Key |
Sub Rule |
Certificate Services Archived A Key |
Information |
|
|
EVID 4894 : Cert Svcs Imported & Archived Key |
Sub Rule |
Certificate Services Imported And Archived Key |
Information |
|
|
EVID 4895 : Cert Svcs Published CA Cert |
Sub Rule |
Certificate Services Published CA Certificate |
Information |
|
|
EVID 4896 : Cert Svcs DB Rows Deleted |
Sub Rule |
Certificate Services Database Rows Deleted |
Information |
|
|
EVID 4898 : Cert Svcs Template Loaded |
Sub Rule |
Certificate Services Loaded Template |
Information |
|
|
EVID 4899 : Cert Svcs Template Updated |
Sub Rule |
Certificate Services Updated Template |
Information |
|
|
EVID 4900 : Cert Svcs Template Sec Updated |
Sub Rule |
Certificate Services Template Security Updated |
Information |
|
|
EVID 4944 : Active Firewall Policy On Start |
Sub Rule |
Active Firewall Policy On Start |
Information |
|
|
EVID 4945 : Rule Listed On Firewall Start |
Sub Rule |
Rule Listed On Firewall Start |
Information |
|
|
EVID 5056 : Cryptographic Self Test Performed |
Sub Rule |
Cryptographic Self Test Performed |
Information |
|
|
EVID 5062 : Cryptographic Self Test Performed |
Sub Rule |
Cryptographic Self Test Performed |
Information |
|
|
EVID 5376 : Credentials Backed Up |
Sub Rule |
Credentials Backed Up |
Information |
|
|
EVID 5377 : Credentials Restored From Backup |
Sub Rule |
Credentials Restored From Backup |
Information |
|
|
EVID 5440 : Filtering Platform Startup State |
Sub Rule |
Filtering Platform Startup State |
Information |
|
|
EVID 5441 : Filtering Platform Startup State |
Sub Rule |
Filtering Platform Startup State |
Information |
|
|
EVID 5442 : Filtering Platform Startup State |
Sub Rule |
Filtering Platform Startup State |
Information |
|
|
EVID 5443 : Filtering Platform Startup State |
Sub Rule |
Filtering Platform Startup State |
Information |
|
|
EVID 5444 : Filtering Platform Startup State |
Sub Rule |
Filtering Platform Startup State |
Information |
|
|
EVID 4615 : Invalid Use Of LPC Port |
Sub Rule |
Unauthorized Activity |
Misuse |
|
|
EVID 5154 : Filtering Allowed App To Listen |
Sub Rule |
Application Allowed To Listen For Connections |
Information |
|
|
EVID 5156 : Filtering Allowed Connection |
Sub Rule |
Traffic Allowed by Host Firewall |
Network Allow |
|
|
EVID 5158 : Filtering Permitted Port Bind |
Sub Rule |
Permitted Bind To Local Port |
Information |
|
|
EVID 4960 : IPSEC Dropped Inbound Packet |
Sub Rule |
Traffic Denied by Host Firewall |
Network Deny |
|
|
EVID 4961 : IPSEC Dropped Inbound Packet |
Sub Rule |
Traffic Denied by Host Firewall |
Network Deny |
|
|
EVID 4962 : IPSEC Dropped Inbound Packet |
Sub Rule |
Traffic Denied by Host Firewall |
Network Deny |
|
|
EVID 4963 : IPSEC Dropped Inbound Packet |
Sub Rule |
Traffic Denied by Host Firewall |
Network Deny |
|
|
EVID 4983 : IPSEC Negotiation Failed |
Sub Rule |
Traffic Denied by Host Firewall |
Network Deny |
|
|
EVID 4984 : IPSEC Negotiation Failed |
Sub Rule |
Traffic Denied by Host Firewall |
Network Deny |
|
|
EVID 5031 : Firewall Blocked Connection To App |
Sub Rule |
Traffic Denied by Host Firewall |
Network Deny |
|
|
EVID 5152 : Filtering Blocked Packet |
Sub Rule |
Traffic Denied by Host Firewall |
Network Deny |
|
|
EVID 5153 : Filtering Blocked Packet |
Sub Rule |
Traffic Denied by Host Firewall |
Network Deny |
|
|
EVID 5155 : Filtering Blocked App From Listening |
Sub Rule |
Application Blocked From Listening For Connections |
Warning |
|
|
EVID 5157 : Filtering Blocked Connection |
Sub Rule |
Traffic Denied by Host Firewall |
Network Deny |
|
|
EVID 5159 : Filtering Denied Port Bind |
Sub Rule |
Traffic Denied by Host Firewall |
Network Deny |
|
|
EVID 5453 : IPSEC Negotiation Failed |
Sub Rule |
Traffic Denied by Host Firewall |
Network Deny |
|
|
EVID 4985 : Transaction State Change |
Sub Rule |
Transaction State Change |
Network Traffic |
|
|
EVID 5125 : Request Submitted To OCSP Responder |
Sub Rule |
Request Submitted To OCSP Responder |
Network Traffic |
|
|
EVID 5451 : IPSEC Security Association Established |
Sub Rule |
IPSEC Security Association Established |
Network Traffic |
|
|
EVID 5452 : IPSEC Security Association Ended |
Sub Rule |
IPSEC Security Association Ended |
Network Traffic |
|
|
EVID 5712 : RPC Attempted |
Sub Rule |
Remote Procedure Call Attempt |
Network Traffic |
|
|
EVID 4675 : SIDs Filtered |
Sub Rule |
SIDs Filtered |
Other Audit |
|
|
EVID 4696 : Primary Token Assigned |
Sub Rule |
Primary Token Assigned |
Information |
|
|
EVID 4711 : General Audit Message |
Sub Rule |
General Audit Message |
Other Audit |
|
|
EVID 4800 : Workstation Locked |
Sub Rule |
Workstation Locked |
Other Audit Success |
|
|
EVID 4801 : Workstation Unlocked |
Sub Rule |
Workstation Unlocked |
Other Audit Success |
|
|
EVID 4869 : Cert Svcs Rcvd Resubmitted Cert Req |
Sub Rule |
Certificate Services Rcvd Resubmitted Cert Request |
Other Audit |
|
|
EVID 5063 : Cryptographic Provider Op Attempted |
Sub Rule |
Cryptographic Provider Operation Attempted |
Other Audit |
|
|
EVID 5064 : Cryptographic Context Op Attempted |
Sub Rule |
Cryptographic Context Operation Attempted |
Other Audit |
|
|
EVID 5066 : Cryptographic Function Op Attempted |
Sub Rule |
Cryptographic Function Operation Attempted |
Other Audit |
|
|
EVID 5068 : Cryptographic Funct Provider Op Atmt |
Sub Rule |
Cryptographic Function Provider Operation Attempt |
Other Audit |
|
|
EVID 5069 : Cryptographic Func Prop Op Attempt |
Sub Rule |
Cryptographic Function Property Operation Attempt |
Other Audit |
|
|
EVID 5632 : WLAN Authentication Request |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 5633 : Wired Network Authentication Request |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 6274 : Network Policy Svr Discarded Request |
Sub Rule |
Network Policy Server Discarded Request |
Other Audit |
|
|
EVID 6275 : Network Policy Svr Discarded Request |
Sub Rule |
Network Policy Server Discarded Request |
Other Audit |
|
|
EVID 6276 : Network Policy Server Quarantined User |
Sub Rule |
Network Policy Server Quarantined User |
Other Audit |
|
|
EVID 4652 : IPSEC Negotiation Failed |
Sub Rule |
IPSEC Negotiation Failed |
Error |
|
|
EVID 4653 : IPSEC Negotiation Failed |
Sub Rule |
IPSEC Negotiation Failed |
Error |
|
|
EVID 4654 : IPSEC Negotiation Failed |
Sub Rule |
IPSEC Negotiation Failed |
Error |
|
|
EVID 4766 : Add SID History Failed |
Sub Rule |
General Audit Failure |
Error |
|
|
EVID 4775 : Account Map For Logon Failed |
Sub Rule |
Account Logon Mapping Failed |
Other Audit Failure |
|
|
EVID 4777 : Credentials Validation Failed |
Sub Rule |
User Logon Failure : Bad Password |
Authentication Failure |
|
|
EVID 4868 : Cert Man Denied Pending Request |
Sub Rule |
Certificate Manager Denied Pending Cert Request |
Warning |
|
|
EVID 4888 : Cert Svcs Denied Certificate Request |
Sub Rule |
Certificate Services Denied Certificate Request |
Warning |
|
|
EVID 5378 : Credential Delegation Disallowed |
Sub Rule |
Credential Delegation Disallowed |
Other Audit Failure |
|
|
EVID 5458 : IPSEC Policy Application Failed |
Sub Rule |
IPSEC Policy Application Failed |
Other Audit Failure |
|
|
EVID 5461 : IPSEC Policy Application Failed |
Sub Rule |
IPSEC Policy Application Failed |
Other Audit Failure |
|
|
EVID 5462 : IPSEC Policy Application Failed |
Sub Rule |
IPSEC Policy Application Failed |
Other Audit Failure |
|
|
EVID 5472 : IPSEC Policy Application Failed |
Sub Rule |
IPSEC Policy Application Failed |
Other Audit Failure |
|
|
EVID 5474 : IPSEC Policy Application Failed |
Sub Rule |
IPSEC Policy Application Failed |
Other Audit Failure |
|
|
EVID 4650 : IPSEC Sec Assoc Established |
Sub Rule |
Trust Relationship Established |
Access Granted |
|
|
EVID 4651 : IPSEC Sec Assoc Established |
Sub Rule |
Trust Relationship Established |
Access Granted |
|
|
EVID 4655 : IPSEC Security Assoc Ended |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 4661 : Object Handle Requested |
Sub Rule |
Object Handle Requested |
Other Audit Success |
|
|
EVID 4672 : Special Privs Assigned To New Logon |
Sub Rule |
Privilege Granted |
Access Granted |
|
|
EVID 4765 : Add SID History |
Sub Rule |
Configuration Modified : System |
Configuration |
|
|
EVID 4768 : Kerberos Auth Ticket Requested |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 4769 : Kerberos Svc Ticket Requested |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 4770 : Kerberos Svc Ticket Renewed |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 4774 : Account Mapped For Logon |
Sub Rule |
Account Mapped For Logon |
Other Audit Success |
|
|
EVID 4776 : Credentials Validation |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 4778 : Win Session Reconnect |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4779 : Win Session Disconnect |
Sub Rule |
Session Disconnected |
Other Audit Success |
|
|
EVID 4886 : Cert Svcs Certificate Request |
Sub Rule |
Certificate Services Received Certificate Request |
Other Audit Success |
|
|
EVID 4964 : Special Groups Assigned To New Logon |
Sub Rule |
Special Groups Assigned To New Logon |
Other Audit Success |
|
|
EVID 4670 : Object Permissions Changed |
Sub Rule |
Policy Modified : Object |
Policy |
|
|
EVID 4706 : Trusted Domain Added |
Sub Rule |
Trust Relationship Established |
Access Granted |
|
|
EVID 4707 : Trusted Domain Removed |
Sub Rule |
Trust Relationship Revoked |
Access Revoked |
|
|
EVID 4713 : Kerberos Policy Changed |
Sub Rule |
Policy Modified : System |
Policy |
|
|
EVID 4714 : Encrypted Data Recovery Policy Changed |
Sub Rule |
Policy Modified : Encryption |
Policy |
|
|
EVID 4715 : Object Audit Policy Changed |
Sub Rule |
Policy Modified : Object |
Policy |
|
|
EVID 4716 : Trusted Domain Info Modified |
Sub Rule |
Policy Modified : Domain |
Policy |
|
|
EVID 4719 : Sys Audit Policy Changed |
Sub Rule |
Policy Modified : Auditing |
Policy |
|
|
EVID 4739 : Domain Policy Changed |
Sub Rule |
Policy Modified : Domain |
Policy |
|
|
EVID 4780 : Admins Account ACL Set |
Sub Rule |
Policy Enabled : User/Password |
Policy |
|
|
EVID 4865 : Trusted Forest Entry Added |
Sub Rule |
Trust Relationship Established |
Access Granted |
|
|
EVID 4866 : Trusted Forest Entry Removed |
Sub Rule |
Trust Relationship Revoked |
Access Revoked |
|
|
EVID 4867 : Trusted Forest Entry Modified |
Sub Rule |
Trust Relationship Established |
Access Granted |
|
|
EVID 4882 : Cert Svcs Sec Permissions Changed |
Sub Rule |
Policy Modified : System |
Policy |
|
|
EVID 4885 : Cert Svcs Audit Filter Changed |
Sub Rule |
Policy Modified : Auditing |
Policy |
|
|
EVID 4897 : Role Separation Enabled |
Sub Rule |
Policy Modified : System |
Policy |
|
|
EVID 4906 : CrashOnAuditFail Value Changed |
Sub Rule |
Policy Modified : Auditing |
Policy |
|
|
EVID 4907 : Audit Settings On Object Changed |
Sub Rule |
Policy Modified : Auditing |
Policy |
|
|
EVID 4909 : TBS Local Policy Settings Changed |
Sub Rule |
Policy Modified : System |
Policy |
|
|
EVID 4910 : TBS Group Policy Settings Changed |
Sub Rule |
Policy Modified : Domain |
Policy |
|
|
EVID 4912 : Per-User Audit Policy Changed |
Sub Rule |
Policy Modified : Auditing |
Policy |
|
|
EVID 4954 : Firewall Group Policy Settings Changed |
Sub Rule |
Policy Modified : Domain |
Policy |
|
|
EVID 5456 : IPSEC Policy Applied |
Sub Rule |
Policy Enabled : Network |
Policy |
|
|
EVID 5457 : IPSEC Policy Applied |
Sub Rule |
Policy Enabled : Network |
Policy |
|
|
EVID 5459 : IPSEC Policy Applied |
Sub Rule |
Policy Enabled : Network |
Policy |
|
|
EVID 5460 : IPSEC Policy Applied |
Sub Rule |
Policy Enabled : Network |
Policy |
|
|
EVID 5463 : Polled For IPSEC Policy Changes |
Sub Rule |
Polled For IPSEC Policy Changes |
Information |
|
|
EVID 5464 : IPSEC Policy Changes Applied |
Sub Rule |
Policy Modified : Network |
Policy |
|
|
EVID 5465 : IPSEC Policy Reloaded |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 5466 : IPSEC Policy Changes Applied |
Sub Rule |
Policy Modified : Network |
Policy |
|
|
EVID 5467 : Polled For IPSEC Policy Changes |
Sub Rule |
Polled For IPSEC Policy Changes |
Information |
|
|
EVID 5468 : IPSEC Policy Changes Applied |
Sub Rule |
Policy Modified : Network |
Policy |
|
|
EVID 5471 : IPSEC Policy Applied |
Sub Rule |
Policy Enabled : Network |
Policy |
|
|
EVID 5473 : IPSEC Policy Applied |
Sub Rule |
Policy Enabled : Network |
Policy |
|
|
EVID 6144 : GPO Security Policy Applied |
Sub Rule |
Policy Enabled : Domain |
Policy |
|
|
EVID 4688 : New Process Created |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
EVID 4689 : Process Exited |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
EVID 4875 : Cert Svcs Shutdown Request |
Sub Rule |
Process/Service Stopping |
Startup and Shutdown |
|
|
EVID 4880 : Certificate Services Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
EVID 4881 : Certificate Services Stopped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
EVID 5024 : Firewall Service Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
EVID 5025 : Firewall Service Stopped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
EVID 5033 : Firewall Driver Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
EVID 5034 : Firewall Driver Stopped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
EVID 5120 : OCSP Responder Service Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
EVID 5121 : OCSP Responder Service Stopped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
EVID 5478 : IPSEC Service Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
EVID 5479 : IPSEC Service Stopped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
EVID 4618 : Monitored Sec Event |
Sub Rule |
Suspicious Activity |
Suspicious |
|
|
EVID 4976 : IPSEC Received Invalid Negot Packet |
Sub Rule |
Protocol Anomaly |
Attack |
|
|
EVID 4977 : IPSEC Received Invalid Negot Packet |
Sub Rule |
Protocol Anomaly |
Attack |
|
|
EVID 4978 : IPSEC Received Invalid Negot Packet |
Sub Rule |
Protocol Anomaly |
Attack |
|
|
EVID 4612 : Audit Queuing Resources Exh |
Sub Rule |
Audit Queuing Resources Exhausted |
Warning |
|
|
EVID 4951 : Firewall Rule Ignored |
Sub Rule |
Firewall Rule Ignored Due To Version |
Warning |
|
|
EVID 4952 : Firewall Rule Ignored |
Sub Rule |
Firewall Rule Ignored Due To Version |
Warning |
|
|
EVID 4953 : Firewall Rule Ignored |
Sub Rule |
Firewall Rule Ignored Due To Bad Parsing |
Warning |
|
|
EVID 4957 : Firewall Rule Not Applied |
Sub Rule |
Firewall Rule Not Applied |
Warning |
|
|
EVID 4958 : Firewall Rule Not Applied |
Sub Rule |
Firewall Rule Not Applied |
Warning |
|
|
EVID 5027 : Firewall Service Policy Load Failed |
Sub Rule |
Firewall Service Failed To Load Local Policy |
Warning |
|
|
EVID 5028 : Firewall Service Policy Load Failed |
Sub Rule |
Firewall Service Failed To Load Local Policy |
Warning |
|
|
EVID 5032 : Firewall Notification Failed |
Sub Rule |
Firewall Notification Failed |
Warning |
|
|
EVID 5480 : IPSEC Network Interface List Failed |
Sub Rule |
IPSEC Network Interface List Failed |
Warning |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|
1011079
|
V 2.0 : Catch All |
Base Rule |
General Audit Message |
Other Audit |
|
V 2.0 : EVID 4649 : Replay Attack Detected |
Sub Rule |
Replay Activity |
Attack |
|
|
V 2.0 : EVID 4675 : SIDs Were Filtered |
Sub Rule |
SIDs Filtered |
Other Audit |
|
|
V 2.0 : EVID 4765 : SID History Added To Account |
Sub Rule |
User Account Attribute Modified |
Account Modified |
|
|
V 2.0 : EVID 4766 : SID History Add Failed |
Sub Rule |
Modify Object Attribute Failure |
Access Failure |
|
|
V 2.0 : EVID 5378 : Credential Delegation Disallow |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
V 2.0 : EVID 4709 : IPSEC - Service Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
V 2.0 : EVID 4710 : IPSEC - Service Disabled |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
V 2.0 : EVID 4711 : PAStore - General Event |
Sub Rule |
General IPSEC Message |
Information |
|
|
V 2.0 : EVID 4712 : IPSEC - Fatal Error Encounter |
Sub Rule |
General IPSec Critical |
Critical |
|
|
V 2.0 : EVID 5040 : IPSEC - Auth. Set Added |
Sub Rule |
Configuration Loaded : Security |
Configuration |
|
|
V 2.0 : EVID 5041 : IPSEC - Auth. Set Modified |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
V 2.0 : EVID 5042 : IPSEC - Auth. Set Deleted |
Sub Rule |
Configuration Deleted : Security |
Configuration |
|
|
V 2.0 : EVID 5043 : IPSEC - Conn. Sec. Rule Added |
Sub Rule |
Configuration Loaded : Security |
Configuration |
|
|
V 2.0 : EVID 5044 : IPSEC - Conn Sec Rule Modified |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
V 2.0 : EVID 5045 : IPSEC - Conn Sec Rule Deleted |
Sub Rule |
Configuration Deleted : Security |
Configuration |
|
|
V 2.0 : EVID 5046 : IPSEC - Crypto Set Added |
Sub Rule |
Configuration Loaded : Security |
Configuration |
|
|
V 2.0 : EVID 5047 : IPSEC - Crypto Set Modified |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
V 2.0 : EVID 5048 : IPSEC - Crypto Set Deleted |
Sub Rule |
Configuration Deleted : Security |
Configuration |
|
|
V 2.0 : EVID 5440 : WFP - Callout Present At Start |
Sub Rule |
Filtering Platform Startup State |
Information |
|
|
V 2.0 : EVID 5441 : WFP - Filter Present At Start |
Sub Rule |
Filtering Platform Startup State |
Information |
|
|
V 2.0 : EVID 5442 : WFP - Prov. Present At Start |
Sub Rule |
Filtering Platform Startup State |
Information |
|
|
V 2.0 : EVID 5443 : WFP - Prov. Cont Pres At Start |
Sub Rule |
Filtering Platform Startup State |
Information |
|
|
V 2.0 : EVID 5444 : WFP - Sub-Layer Pres At Start |
Sub Rule |
Filtering Platform Startup State |
Information |
|
|
V 2.0 : EVID 5446 : WFP - Callout Changed |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
V 2.0 : EVID 5449 : WFP - Prov. Context Changed |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
V 2.0 : EVID 5448 : WFP - Provider Changed |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
V 2.0 : EVID 5450 : WFP - Sub-layer Changed |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
V 2.0 : EVID 5456 : PAStore - AD IPSEC Policy Appl |
Sub Rule |
General IPSEC Message |
Information |
|
|
V 2.0 : EVID 5457 : PAStore - AD IPSEC Policy Fail |
Sub Rule |
IPSEC Policy Application Failed |
Other Audit Failure |
|
|
V 2.0 : EVID 5458 : PAStore-Cached AD IPSEC Policy |
Sub Rule |
General IPSEC Message |
Information |
|
|
V 2.0 : EVID 5459 : PAStore-Cached AD IPSEC Policy |
Sub Rule |
General IPSec Error |
Error |
|
|
V 2.0 : EVID 5460 : PAStore -Registry IPSEC Policy |
Sub Rule |
General IPSEC Message |
Information |
|
|
V 2.0 : EVID 5461 : PAStore -Registry IPSEC Policy |
Sub Rule |
General IPSec Error |
Error |
|
|
V 2.0 : EVID 5462 : PAStore - Fail To Apply IPSEC |
Sub Rule |
General IPSec Error |
Error |
|
|
V 2.0 : EVID 5463 : PAStore- Poll For IPSEC Policy |
Sub Rule |
General IPSEC Message |
Information |
|
|
V 2.0 : EVID 5464 : PAStore-Poll For IPSEC Policy |
Sub Rule |
General IPSEC Message |
Information |
|
|
V 2.0 : EVID 5465 : PAStore-IPSEC Policy Forcibly |
Sub Rule |
General IPSEC Message |
Information |
|
|
V 2.0 : EVID 5466 : PAStore-Unabled To Reach AD |
Sub Rule |
General IPSEC Message |
Information |
|
|
V 2.0 : EVID 5467 : PAStore -Poll For IPSEC Policy |
Sub Rule |
General IPSEC Message |
Information |
|
|
V 2.0 : EVID 5468 : PAStore-Poll For IPSEC Policy |
Sub Rule |
General IPSEC Message |
Information |
|
|
V 2.0 : EVID 5471 : PAStore-Local IPSEC Policy Loa |
Sub Rule |
General IPSEC Message |
Information |
|
|
V 2.0 : EVID 4772 : Kerberos TGT Request Failed |
Sub Rule |
Windows Audit Failure Event |
Other Audit Failure |
|
|
V 2.0 : EVID 4773 : Kerberos TGS Request Failed |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
V 2.0 : EVID 4774 : Account Successfully Mapped |
Sub Rule |
Account Mapped For Logon |
Other Audit Success |
|
|
V 2.0 : EVID 4774 : Account Failed To Be Mapped |
Sub Rule |
Account Logon Mapping Failed |
Other Audit Failure |
|
|
V 2.0 : EVID 4775 : Account Could Not Be Mapped |
Sub Rule |
Account Logon Mapping Failed |
Other Audit Failure |
|
|
V 2.0 : EVID 4777 : Domain Contrler Faild To Valid |
Sub Rule |
Windows Audit Failure Event |
Other Audit Failure |
|
|
V 2.0 : EVID 4646 : IPSEC -DoS Prevention Mode Str |
Sub Rule |
General IPSEC Message |
Information |
|
|
V 2.0 : EVID 4650 : IPSEC - Main Mode Security |
Sub Rule |
IPSEC Security Association Established |
Network Traffic |
|
|
V 2.0 : EVID 4651 : IPSEC - Main Mode Security |
Sub Rule |
IPSEC Security Association Established |
Network Traffic |
|
|
V 2.0 : EVID 4652 : IPSEC - Main Mode Negotiation |
Sub Rule |
IPSEC Negotiation Failed |
Error |
|
|
V 2.0 : EVID 4653 : IPSEC - Main Mode Negotiation |
Sub Rule |
IPSEC Negotiation Failed |
Error |
|
|
V 2.0 : EVID 4655 : IPSEC - Main Mode Security |
Sub Rule |
IPSEC Security Association Ended |
Network Traffic |
|
|
V 2.0 : EVID 4960 : IPSEC - Inbound Pck Intrgty Fl |
Sub Rule |
Integrity Check Failed |
Error |
|
|
V 2.0 : EVID 4961 : IPSEC - Inbound Packet Replay |
Sub Rule |
Integrity Check Failed |
Error |
|
|
V 2.0 : EVID 4962 : IPSEC - Inbound Packet Replay |
Sub Rule |
Integrity Check Failed |
Error |
|
|
V 2.0 : EVID 4963 : IPSEC - Inbound Packet In Clr |
Sub Rule |
General IPSec Warning |
Warning |
|
|
V 2.0 : EVID 4965 : IPSEC Packet Received Invalid |
Sub Rule |
IPSEC Received Bad Packet |
Error |
|
|
V 2.0 : EVID 4976 : IPSEC - Main Mode Invld Negt |
Sub Rule |
IPSEC Received Bad Packet |
Error |
|
|
V 2.0 : EVID 4977 : IPSEC - Quick Mode Invld Negot |
Sub Rule |
IPSEC Received Bad Packet |
Error |
|
|
V 2.0 : EVID 4978 : IPSEC - Extended Mode Invalid |
Sub Rule |
IPSEC Received Bad Packet |
Error |
|
|
V 2.0 : EVID 4979 : IPSEC - Main And Extended Mode |
Sub Rule |
IPSEC Security Association Established |
Network Traffic |
|
|
V 2.0 : EVID 4980 : IPSEC - Main And Extended Mode |
Sub Rule |
IPSEC Security Association Established |
Network Traffic |
|
|
V 2.0 : EVID 4981 : IPSEC - Main And Extended Mode |
Sub Rule |
IPSEC Security Association Established |
Network Traffic |
|
|
V 2.0 : EVID 5024 : Firewall - Service Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
V 2.0 : EVID 5025 : Firewall - Service Stopped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
V 2.0 : EVID 5027 : Firewall-ServiceUnableToRetrie |
Sub Rule |
Firewall Service Failed To Load Local Policy |
Warning |
|
|
V 2.0 : EVID 5028 : Firewall-Service FailedToParse |
Sub Rule |
Firewall Service Failed To Load Local Policy |
Warning |
|
|
V 2.0 : EVID 5029 : Firewall-ServiceFailedToLoadDr |
Sub Rule |
Driver Failed To Load |
Warning |
|
|
V 2.0 : EVID 4982 : IPSEC - Main And Extended Mode |
Sub Rule |
IPSEC Security Association Established |
Network Traffic |
|
|
V 2.0 : EVID 5030 : Firewall-Service FailedToStart |
Sub Rule |
Firewall Service Failed To Start |
Critical |
|
|
V 2.0 : EVID 4983 : IPSEC - Extended Mode Negotion |
Sub Rule |
IPSEC Negotiation Failed |
Error |
|
|
V 2.0 : EVID 5032 : Firewall - Unable ToNotifyUser |
Sub Rule |
Firewall Notification Failed |
Warning |
|
|
V 2.0 : EVID 4984 : IPSEC - Extended Mode NegotFai |
Sub Rule |
IPSEC Negotiation Failed |
Error |
|
|
V 2.0 : EVID 5049 : IPSEC - Security Assoc Deleted |
Sub Rule |
Configuration Deleted : Security |
Configuration |
|
|
V 2.0 : EVID 5033 : Firewall - Driver StartedSucs |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
V 2.0 : EVID 5451 : IPSEC - Quick Mode Security As |
Sub Rule |
IPSEC Security Association Established |
Network Traffic |
|
|
V 2.0 : EVID 5034 : Firewall - Driver Stopped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
V 2.0 : EVID 5452 : IPSEC - Quick Mode Security As |
Sub Rule |
IPSEC Security Association Ended |
Network Traffic |
|
|
V 2.0 : EVID 5035 : Firewall - DriverFailedToStart |
Sub Rule |
Firewall Driver Startup Failed |
Critical |
|
|
V 2.0 : EVID 5453 : IPSEC - Negotiation Failed Due |
Sub Rule |
IPSEC Negotiation Failed |
Error |
|
|
V 2.0 : EVID 5478 : IPSEC - Service Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
V 2.0 : EVID 5037 : Firewall-DriverCriticalRuntime |
Sub Rule |
Firewall Driver Critical Condition |
Critical |
|
|
V 2.0 : EVID 5479 : IPSEC - Service Stopped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
V 2.0 : EVID 5480 : IPSEC - Failed To Obtain Netw |
Sub Rule |
IPSEC Network Interface List Failed |
Warning |
|
|
V 2.0 : EVID 5483 : IPSEC - Failed To Intlize RPC |
Sub Rule |
IPSEC Service Failed To Start |
Error |
|
|
V 2.0 : EVID 5484 : IPSEC - Critical Service Failu |
Sub Rule |
IPSEC Service Error Caused Shutdown |
Critical |
|
|
V 2.0 : EVID 5485 : IPSEC - Failed To Prcss Filter |
Sub Rule |
IPSEC Filter Processing Failed |
Error |
|
|
V 2.0 : EVID 6400 : BranchCache-IncorrectlyFrmated |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 : EVID 6401 : BranchCache-InvalidPeerDataRec |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 : EVID 6402 : BranchCache - IncorectlyFrmatd |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 : EVID 6403 : BranchCache - IncorectlyFrmatd |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 : EVID 6404 : BranchCache - UnablToAuth |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 : EVID 6405 : BranchCache - Mult EventsRecv |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 : EVID 6406 : BranchCache - Registration |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 : EVID 6407 : BranchCache - General Event |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 : EVID 6408 : BranchCache - Regt Wind Firewa |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 : EVID 6409 : BranchCache - Service Conn |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 : EVID 6145 : Sec Policy GPOs Fail To Apply |
Sub Rule |
Policy Failed |
Error |
|
|
V 2.0 : EVID 6144 : Security Policy GPOs Applied |
Sub Rule |
Policy Enabled : System |
Policy |
|
|
V 2.0 : EVID 5447 : WFP - Filter Changed |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
V 2.0 : EVID 4906 : CrashOnAuditFail Value Changed |
Sub Rule |
Configuration Modified : System |
Configuration |
|
|
V 2.0 : EVID 4908 : Special Groups Logon Table Mod |
Sub Rule |
Configuration Modified : System |
Configuration |
|
|
V 2.0 : EVID 4909 : Local TBS Policy Settings Mod. |
Sub Rule |
Policy Modified : System |
Policy |
|
|
V 2.0 : EVID 4910 : Group TBS Policy Settings Modi |
Sub Rule |
Policy Modified : System |
Policy |
|
|
V 2.0 : EVID 4902 : Per-User Policy Table Created |
Sub Rule |
Policy Created : System |
Policy |
|
|
V 2.0 : EVID 4826 : Boot Configuration Data Loaded |
Sub Rule |
Configuration Loaded : System |
Configuration |
|
|
V 2.0 : EVID 4864 : Namespace Collision Detected |
Sub Rule |
Namespace Collision |
Error |
|
|
V 2.0 : EVID 4714 : Encrypted Data Rec Policy Mod |
Sub Rule |
Policy Modified : System |
Policy |
|
|
V 2.0 : EVID 4671 : Application Attempted Access |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
V 2.0 : EVID 5148 : WFP - DoS Attack Detected |
Sub Rule |
Failed Network Denial Of Service |
Failed Denial of Service |
|
|
V 2.0 : EVID 5149 : WFP - DoS Attack Ended |
Sub Rule |
General Security |
Other Security |
|
|
V 2.0 : EVID 4608 : Windows Starting Up |
Sub Rule |
System Started |
Startup and Shutdown |
|
|
V 2.0 : EVID 4612 : Audit Queuing Resources Exhaus |
Sub Rule |
Audit Queuing Resources Exhausted |
Warning |
|
|
V 2.0 : EVID 4615 : Invalid LPC Port Use |
Sub Rule |
Unauthorized Activity |
Misuse |
|
|
V 2.0 : EVID 4618 : User-Defined Security Event |
Sub Rule |
General Event Log Information |
Information |
|
|
V 2.0 : EVID 4621 : Admin Recovrd Frm CrashOnAudi |
Sub Rule |
Crash On Audit Fail Recovered |
Information |
|
|
V 2.0 : EVID 4816 : RPC Message Integrity Violatio |
Sub Rule |
RPC Integrity Violation |
Error |
|
|
V 2.0 : EVID 5038 : Invalid Image Hash |
Sub Rule |
Integrity Check Failed |
Error |
|
|
V 2.0 : EVID 5056 : CNG - Crypto Self-Check Perf |
Sub Rule |
Cryptographic Self Test Performed |
Information |
|
|
V 2.0 : EVID 5062 : CNG - Kernel Crypto Self-Check |
Sub Rule |
Cryptographic Self Test Performed |
Information |
|
|
V 2.0 : EVID 5057 : CNG - Primitive Crypto Op Fail |
Sub Rule |
Cryptographic Failure |
Error |
|
|
V 2.0 : EVID 5060 : CNG - Crypto Verification Fail |
Sub Rule |
Cryptographic Failure |
Error |
|
|
V 2.0 : EVID 6281 : Invalid Page Hash In Image Fil |
Sub Rule |
Integrity Check Failed |
Error |
|
|
V 2.0 : EVID 6410 : File Failed Security Check |
Sub Rule |
Failed Suspicious Activity |
Failed Suspicious |
|
|
V 2.0 : EVID 5712 : RPC Attempted |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 : EVID 4944 : WFP - Policy Active And Window |
Sub Rule |
Active Firewall Policy On Start |
Information |
|
|
V 2.0 : EVID 4949 : WFP Settings Restored Default |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
V 2.0 : EVID 4954 : WFP - Group Policy Settings |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
V 2.0 : EVID 4783 : Basic Application Group Create |
Sub Rule |
Group Created |
Account Created |
|
|
V 2.0 : EVID 4784 : Basic Application Group Change |
Sub Rule |
Group Attribute Modified |
Account Modified |
|
|
V 2.0 : EVID 4785 : Member Add To Basic App Group |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
V 2.0 : EVID 4786 : Member Remove From Basic App |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
V 2.0 : EVID 4787 : Non-Member Add To Basic App |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
V 2.0 : EVID 4788 : Non-Memb Remove From Basic App |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
V 2.0 : EVID 4789 : Basic Application Group Delete |
Sub Rule |
Group Deleted |
Account Deleted |
|
|
V 2.0 : EVID 4790 : LDAP Query Group Created |
Sub Rule |
Group Created |
Account Created |
|
|
V 2.0 : EVID 4791 : LDAP Query Group Changed |
Sub Rule |
Group Attribute Modified |
Account Modified |
|
|
V 2.0 : EVID 4934 : AD Object Attributes Replicate |
Sub Rule |
AD Object Attributes Replicated |
Information |
|
|
V 2.0 : EVID 4935 : Replication Failure Begins |
Sub Rule |
AD Replication Failure Begins |
Error |
|
|
V 2.0 : EVID 4936 : Replication Failure Ends |
Sub Rule |
AD Replication Failure Ends |
Error |
|
|
V 2.0 : EVID 4937 : Lingering Obj Removed Frm ADRe |
Sub Rule |
Object Deleted/Removed |
Access Success |
|
|
V 2.0 : EVID 4792 : LDAP Query Group Deleted |
Sub Rule |
Group Deleted |
Account Deleted |
|
|
V 2.0 : EVID 4664 : File Hard Link Created |
Sub Rule |
Object Created |
Access Success |
|
|
V 2.0 : EVID 4690 : Object Handle Duplicated |
Sub Rule |
Object Created |
Access Success |
|
|
V 2.0 : EVID 5039 : Registry Key Virtualized |
Sub Rule |
Registry Key Virtualized |
Other Audit Success |
|
|
V 2.0 : EVID 5051 : File Virtualized |
Sub Rule |
File Virtualized |
Other Audit Success |
|
|
V 2.0 : EVID 5168 : SPN Check For SMB Failed |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
V 2.0 : EVID 6275 : NPS - Accounting Request Disca |
Sub Rule |
Bad Request |
Warning |
|
|
V 2.0 : EVID 6276 : NPS - User Quarantined |
Sub Rule |
Network Policy Server Quarantined User |
Other Audit |
|
|
V 2.0 : EVID 6277 : NPS - Access Granted User |
Sub Rule |
Access Granted Activity |
Access Granted |
|
|
V 2.0 : EVID 6279 : NPS - User Account Locked |
Sub Rule |
Account Locked |
Access Revoked |
|
|
V 2.0 : EVID 6280 : NPS - User Account Unlocked |
Sub Rule |
Account Unlocked |
Access Granted |
|
|
V 2.0 : EVID 4626 : User/Device Claims Information |
Sub Rule |
User Information |
Information |
|
|
V 2.0 : EVID 4666 : AM - App Attempted Operation |
Sub Rule |
General Application Information |
Information |
|
|
V 2.0 : EVID 4665 : AM - App Client Context Create |
Sub Rule |
General Application Information |
Information |
|
|
V 2.0 : EVID 4667 : AM - App Client Context Delete |
Sub Rule |
General Application Information |
Information |
|
|
V 2.0 : EVID 4668 : AM - Application Initialized |
Sub Rule |
General Application Information |
Information |
|
|
V 2.0 : EVID 4985 : Transaction State Change |
Sub Rule |
General Transaction Information |
Information |
|
|
V 2.0 : EVID 1101 : Audit Events Dropped |
Sub Rule |
Message Dropped |
Error |
|
|
V 2.0 : EVID 4609 : Windows Shutting Down |
Sub Rule |
System Shutting Down |
Startup and Shutdown |
|
|
V 2.0 : EVID 4654 : Quick Mode Negotiation Failed |
Sub Rule |
IPSEC Negotiation Failed |
Error |
|
|
V 2.0 : EVID 4797 : Blank Passwords Queried |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 : EVID 4820 : TGT Denied - ACL |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4821 : TGS Denied - ACL |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
V 2.0 : EVID 4822 : NTLM Auth Denied |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4823 : NTLM Auth Denied |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4824 : Kerberos Pre-Auth Failed |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4825 : RDP Access Denied |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4830 : SID History Removed From Accou |
Sub Rule |
User Account Attribute Modified |
Account Modified |
|
|
V 2.0 : EVID 4899 : Certificate Template Updated |
Sub Rule |
Object Modified |
Access Success |
|
|
V 2.0 : EVID 4900 : Certificate Template Sec Updat |
Sub Rule |
Object Attribute Modified |
Access Success |
|
|
V 2.0 : EVID 5150 : Firewall - Disable Attempt |
Sub Rule |
Suspicious Activity |
Suspicious |
|
|
V 2.0 : EVID 5071 : Key Access Denied |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
V 2.0 : EVID 5146 : WFP - Packed Blocked |
Sub Rule |
Traffic Denied by Host Firewall |
Network Deny |
|
|
V 2.0 : EVID 5147 : WFP - Packed Blocked |
Sub Rule |
Traffic Denied by Host Firewall |
Network Deny |
|
|
V 2.0 : EVID 5151 : File Virtualized |
Sub Rule |
File Virtualized |
Other Audit Success |
|
|
V 2.0 : EVID 5170 : AD Object Modified |
Sub Rule |
Object Modified |
Access Success |
|
|
V 2.0 : EVID 5472 : PAStore - Local IPSEC Policy F |
Sub Rule |
General IPSec Error |
Error |
|
|
V 2.0 : EVID 5473 : PAStore - Directory Storage IP |
Sub Rule |
General IPSEC Message |
Information |
|
|
V 2.0 : EVID 5477 : PAStore - Failed To Add Quick |
Sub Rule |
General IPSEC Message |
Information |
|
|
V 2.0 : EVID 6278 : NPS - Full Access Granted To U |
Sub Rule |
Access Granted Activity |
Access Granted |
|
|
V 2.0 : EVID 6417 : FIPS Selftest Passed |
Sub Rule |
Cryptographic Self Test Performed |
Information |
|
|
V 2.0 : EVID 6418 : FIPS Selftest Failed |
Sub Rule |
Cryptographic Failure |
Error |
|
|
V 2.0 : EVID 4868 : CS - Certificate Manager Denie |
Sub Rule |
Certificate Manager Denied Pending Cert Request |
Warning |
|
|
V 2.0 : EVID 4869 : CS - Received Resubmitted Cert |
Sub Rule |
Certificate Services Rcvd Resubmitted Cert Request |
Other Audit |
|
|
V 2.0 : EVID 4870 : CS - Certificate Revoked |
Sub Rule |
Certificate Services Rcvd Resubmitted Cert Request |
Other Audit |
|
|
V 2.0 : EVID 4871 : CS - CRL Publication Request R |
Sub Rule |
Certificate Svcs Received Request To Publish CRL |
Information |
|
|
V 2.0 : EVID 4872 : CS - CRL Published |
Sub Rule |
Certificate Services Published CRL |
Information |
|
|
V 2.0 : EVID 4873 : CS - Certificate Request Extn |
Sub Rule |
Certificate Request Extension Changed |
Information |
|
|
V 2.0 : EVID 4874 : CS - Certificate Request Chang |
Sub Rule |
Certificate Request Attributes Changed |
Information |
|
|
V 2.0 : EVID 4875 : CS - Shutdown Request Received |
Sub Rule |
Process/Service Startup Or Shutdown Activity |
Startup and Shutdown |
|
|
V 2.0 : EVID 4876 : CS - Backup Started |
Sub Rule |
Backup Active |
Information |
|
|
V 2.0 : EVID 4877 : CS - Backup Complete |
Sub Rule |
Backup Completed |
Information |
|
|
V 2.0 : EVID 4878 : CS - Restore Started |
Sub Rule |
Backup Restored |
Information |
|
|
V 2.0 : EVID 4879 : CS - Restore Completed |
Sub Rule |
Backup Restored |
Information |
|
|
V 2.0 : EVID 4880 : CS - Services Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
V 2.0 : EVID 4881 : CS - Services Stopped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
V 2.0 : EVID 4882 : CS -Security Permissions Modif |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
V 2.0 : EVID 4883 : CS - Archived Key Retrieved |
Sub Rule |
Certificate Services Retrieved Archived Key |
Information |
|
|
V 2.0 : EVID 4884 : CS - Certificate Imported |
Sub Rule |
Certificate Services Imported Certificate |
Information |
|
|
V 2.0 : EVID 4885 : CS - Audit Filter Modified |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
V 2.0 : EVID 4886 : CS - Certificate Request Rcvd |
Sub Rule |
Certificate Services Received Certificate Request |
Other Audit Success |
|
|
V 2.0 : EVID 4887 : CS - Certificate Issued |
Sub Rule |
Certificate Services Issued Certificate |
Information |
|
|
V 2.0 : EVID 4888 : CS - Certificate Request Denie |
Sub Rule |
Certificate Services Denied Certificate Request |
Warning |
|
|
V 2.0 : EVID 4889 : CS - Certificate Request Statu |
Sub Rule |
Certificate Services Set Cert Status To Pending |
Information |
|
|
V 2.0 : EVID 4890 : CS - Certificate Manager Setti |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
V 2.0 : EVID 4891 : CS - Configuration Entry Modif |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
V 2.0 : EVID 4892 : CS - Property Modified |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
V 2.0 : EVID 4893 : CS - Key Archived |
Sub Rule |
Certificate Services Archived A Key |
Information |
|
|
V 2.0 : EVID 4894 : CS - Key Imported And Archived |
Sub Rule |
Certificate Services Imported And Archived Key |
Information |
|
|
V 2.0 : EVID 4895 : CS -ADDS CA Certificate Publis |
Sub Rule |
Certificate Services Published CA Certificate |
Information |
|
|
V 2.0 : EVID 4896 : CS - Rows Deleted From Databas |
Sub Rule |
Certificate Services Database Rows Deleted |
Information |
|
|
V 2.0 : EVID 4897 : CS - Role Separation Enabled |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
V 2.0 : EVID 4898 : CS - Template Loaded |
Sub Rule |
Certificate Services Loaded Template |
Information |
|
|
V 2.0 : EVID 5120 : CS - OCSP Responder Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
V 2.0 : EVID 5121 : CS - OCSP Responder Stopped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
V 2.0 : EVID 5122 : CS - OCSP Config Changed |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
V 2.0 : EVID 4649 : Replay Attack Detected |
Sub Rule |
Replay Activity |
Attack |
|
|
V 2.0 : EVID 5123 : CS - OCSP Config Changed |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
V 2.0 : EVID 5124 : CS - OCSP Security Changed |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
V 2.0 : EVID 5125 : CS - OCSP Request |
Sub Rule |
Request Received |
Other Audit Success |
|
|
V 2.0 : EVID 5126 : CS - OCSP Signer Updated |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
|
V 2.0 : EVID 5127 : CS - OCSP Provider Updated |
Sub Rule |
Configuration Modified : Application |
Configuration |