Multiple EVIDs : Catch All : Level 3 (Security)
Event Details
| Event Type | Multiple |
|---|---|
| Event Description | Catch all rule to handle other Windows Security Events. |
| Event IDs | Multiple |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 | |
|---|---|---|---|
| Provider | <subject> | N/A | |
| EventID | <vmid> | N/A | |
| Version | N/A | N/A | |
| Level | <severity> | N/A | |
| Task | <vendorinfo> | N/A | |
| Opcode | N/A | N/A | |
| Keywords | <tag1> | N/A | |
| TimeCreated | N/A | N/A | |
| EventRecordID | N/A | N/A | |
| Correlation | N/A | N/A | |
| Execution | N/A | N/A | |
| Processid | N/A | N/A | |
| Channel | N/A | N/A | |
| Computer | <dname> | N/A | |
| EventData | N/A | N/A | |
| Security Id | <login>, <domain> | N/A | |
| Logon Id | <session> | N/A | |
| Object | N/A | N/A | |
| Objectname | <objectname> | N/A | |
| Objecttype | <objecttype> | N/A | |
| FileName | <object> | N/A | |
| Creator Process Id | <parentprocessid> | N/A | |
| Group Name | <group> | N/A | |
| Task Name | <object> | N/A | |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1000291 | EVID 4608 : System Started | Sub Rule | System Started | Startup and Shutdown |
| EVID 4903 : Per User Audit Policy Set | Sub Rule | Policy Enabled : Auditing | Policy | |
| EVID 4902 : Per User Audit Policy Refreshed | Sub Rule | Policy Modified : Auditing | Policy | |
| EVID 4663 : General Access Attempt | Sub Rule | Object Accessed | Access Success | |
| EVID 4616 : System Time Changed | Sub Rule | Configuration Modified : System | Configuration | |
| EVID 4933 : Directory Services Access | Sub Rule | Object Accessed | Access Success | |
| EVID 4932 : Directory Services Access | Sub Rule | Object Accessed | Access Success | |
| EVID 4931 : Directory Services Access | Sub Rule | Object Accessed | Access Success | |
| General : Audit Failure | Sub Rule | General Audit Failure | Error | |
| General : Audit Success | Sub Rule | General Audit | Other Audit Success | |
| EVID 4710 : IPSec Policy Agent Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| EVID 4709 : IPSec Policy Agent Started | Sub Rule | Process/Service Started | Startup and Shutdown | |
| EVID 4690 : Handle Duplicated | Sub Rule | Handle Duplicated | Information | |
| EVID 4660 : Object Deleted | Sub Rule | Object Deleted/Removed | Access Success | |
| EVID 4658 : Handle Closed | Sub Rule | Handle Closed | Information | |
| EVID 4657 : Handle Allocated | Sub Rule | Handle Allocated | Information | |
| EVID 4643 : General Audit Failure | Sub Rule | General Audit Failure | Error | |
| EVID 4642 : General Audit Failure | Sub Rule | General Audit Failure | Error | |
| EVID 4641 : General Audit Failure | Sub Rule | General Audit Failure | Error | |
| EVID 4640 : General Audit Failure | Sub Rule | General Audit Failure | Error | |
| EVID 4639 : General Audit | Sub Rule | General Audit | Other Audit Success | |
| EVID 4638 : General Audit | Sub Rule | General Audit | Other Audit Success | |
| EVID 4637 : General Audit | Sub Rule | General Audit | Other Audit Success | |
| EVID 4614 : Auth Package Loaded By SAM | Sub Rule | Auth Package Loaded By SAM | Other Audit Success | |
| EVID 4611 : Trusted Logon Process Started | Sub Rule | Process/Service Started | Startup and Shutdown | |
| EVID 4610 : Authentication Package Loaded | Sub Rule | Object Initialized | Access Success | |
| EVID 4609 : System Shutdown | Sub Rule | System Shutdown | Startup and Shutdown | |
| Catch All : Level 3 | Base Rule | General Audit | Other Audit Success | |
| EVID 5480 : IPSEC Network Interface List Failed | Sub Rule | IPSEC Network Interface List Failed | Warning | |
| EVID 5032 : Firewall Notification Failed | Sub Rule | Firewall Notification Failed | Warning | |
| EVID 5028 : Firewall Service Policy Load Failed | Sub Rule | Firewall Service Failed To Load Local Policy | Warning | |
| EVID 5027 : Firewall Service Policy Load Failed | Sub Rule | Firewall Service Failed To Load Local Policy | Warning | |
| EVID 4958 : Firewall Rule Not Applied | Sub Rule | Firewall Rule Not Applied | Warning | |
| EVID 4957 : Firewall Rule Not Applied | Sub Rule | Firewall Rule Not Applied | Warning | |
| EVID 4953 : Firewall Rule Ignored | Sub Rule | Firewall Rule Ignored Due To Bad Parsing | Warning | |
| EVID 4952 : Firewall Rule Ignored | Sub Rule | Firewall Rule Ignored Due To Version | Warning | |
| EVID 4951 : Firewall Rule Ignored | Sub Rule | Firewall Rule Ignored Due To Version | Warning | |
| EVID 4612 : Audit Queuing Resources Exh | Sub Rule | Audit Queuing Resources Exhausted | Warning | |
| EVID 4978 : IPSEC Received Invalid Negot Packet | Sub Rule | Protocol Anomaly | Attack | |
| EVID 4977 : IPSEC Received Invalid Negot Packet | Sub Rule | Protocol Anomaly | Attack | |
| EVID 4976 : IPSEC Received Invalid Negot Packet | Sub Rule | Protocol Anomaly | Attack | |
| EVID 4618 : Monitored Sec Event | Sub Rule | Suspicious Activity | Suspicious | |
| EVID 5479 : IPSEC Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| EVID 5478 : IPSEC Service Started | Sub Rule | Process/Service Started | Startup and Shutdown | |
| EVID 5121 : OCSP Responder Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| EVID 5120 : OCSP Responder Service Started | Sub Rule | Process/Service Started | Startup and Shutdown | |
| EVID 5034 : Firewall Driver Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| EVID 5033 : Firewall Driver Started | Sub Rule | Process/Service Started | Startup and Shutdown | |
| EVID 5025 : Firewall Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| EVID 5024 : Firewall Service Started | Sub Rule | Process/Service Started | Startup and Shutdown | |
| EVID 4881 : Certificate Services Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| EVID 4880 : Certificate Services Started | Sub Rule | Process/Service Started | Startup and Shutdown | |
| EVID 4875 : Cert Svcs Shutdown Request | Sub Rule | Process/Service Stopping | Startup and Shutdown | |
| EVID 4689 : Process Exited | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| EVID 4688 : New Process Created | Sub Rule | Process/Service Started | Startup and Shutdown | |
| EVID 6144 : GPO Security Policy Applied | Sub Rule | Policy Enabled : Domain | Policy | |
| EVID 5473 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy | |
| EVID 5471 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy | |
| EVID 5468 : IPSEC Policy Changes Applied | Sub Rule | Policy Modified : Network | Policy | |
| EVID 5467 : Polled For IPSEC Policy Changes | Sub Rule | Polled For IPSEC Policy Changes | Information | |
| EVID 5466 : IPSEC Policy Changes Applied | Sub Rule | Policy Modified : Network | Policy | |
| EVID 5465 : IPSEC Policy Reloaded | Sub Rule | Authentication Activity | Authentication Success | |
| EVID 5464 : IPSEC Policy Changes Applied | Sub Rule | Policy Modified : Network | Policy | |
| EVID 5463 : Polled For IPSEC Policy Changes | Sub Rule | Polled For IPSEC Policy Changes | Information | |
| EVID 5460 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy | |
| EVID 5459 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy | |
| EVID 5457 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy | |
| EVID 5456 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy | |
| EVID 4954 : Firewall Group Policy Settings Changed | Sub Rule | Policy Modified : Domain | Policy | |
| EVID 4912 : Per-User Audit Policy Changed | Sub Rule | Policy Modified : Auditing | Policy | |
| EVID 4910 : TBS Group Policy Settings Changed | Sub Rule | Policy Modified : Domain | Policy | |
| EVID 4909 : TBS Local Policy Settings Changed | Sub Rule | Policy Modified : System | Policy | |
| EVID 4907 : Audit Settings On Object Changed | Sub Rule | Policy Modified : Auditing | Policy | |
| EVID 4906 : CrashOnAuditFail Value Changed | Sub Rule | Policy Modified : Auditing | Policy | |
| EVID 4897 : Role Separation Enabled | Sub Rule | Policy Modified : System | Policy | |
| EVID 4885 : Cert Svcs Audit Filter Changed | Sub Rule | Policy Modified : Auditing | Policy | |
| EVID 4882 : Cert Svcs Sec Permissions Changed | Sub Rule | Policy Modified : System | Policy | |
| EVID 4867 : Trusted Forest Entry Modified | Sub Rule | Trust Relationship Established | Access Granted | |
| EVID 4866 : Trusted Forest Entry Removed | Sub Rule | Trust Relationship Revoked | Access Revoked | |
| EVID 4865 : Trusted Forest Entry Added | Sub Rule | Trust Relationship Established | Access Granted | |
| EVID 4780 : Admins Account ACL Set | Sub Rule | Policy Enabled : User/Password | Policy | |
| EVID 4739 : Domain Policy Changed | Sub Rule | Policy Modified : Domain | Policy | |
| EVID 4719 : Sys Audit Policy Changed | Sub Rule | Policy Modified : Auditing | Policy | |
| EVID 4716 : Trusted Domain Info Modified | Sub Rule | Policy Modified : Domain | Policy | |
| EVID 4715 : Object Audit Policy Changed | Sub Rule | Policy Modified : Object | Policy | |
| EVID 4714 : Encrypted Data Recovery Policy Changed | Sub Rule | Policy Modified : Encryption | Policy | |
| EVID 4713 : Kerberos Policy Changed | Sub Rule | Policy Modified : System | Policy | |
| EVID 4707 : Trusted Domain Removed | Sub Rule | Trust Relationship Revoked | Access Revoked | |
| EVID 4706 : Trusted Domain Added | Sub Rule | Trust Relationship Established | Access Granted | |
| EVID 4670 : Object Permissions Changed | Sub Rule | Policy Modified : Object | Policy | |
| EVID 4964 : Special Groups Assigned To New Logon | Sub Rule | Special Groups Assigned To New Logon | Other Audit Success | |
| EVID 4886 : Cert Svcs Certificate Request | Sub Rule | Certificate Services Received Certificate Request | Other Audit Success | |
| EVID 4779 : Win Session Disconnect | Sub Rule | Session Disconnected | Other Audit Success | |
| EVID 4778 : Win Session Reconnect | Sub Rule | User Logon | Authentication Success | |
| EVID 4776 : Credentials Validation | Sub Rule | Authentication Activity | Authentication Success | |
| EVID 4774 : Account Mapped For Logon | Sub Rule | Account Mapped For Logon | Other Audit Success | |
| EVID 4770 : Kerberos Svc Ticket Renewed | Sub Rule | Authentication Activity | Authentication Success | |
| EVID 4769 : Kerberos Svc Ticket Requested | Sub Rule | Authentication Activity | Authentication Success | |
| EVID 4768 : Kerberos Auth Ticket Requested | Sub Rule | Authentication Activity | Authentication Success | |
| EVID 4765 : Add SID History | Sub Rule | Configuration Modified : System | Configuration | |
| EVID 4672 : Special Privs Assigned To New Logon | Sub Rule | Privilege Granted | Access Granted | |
| EVID 4661 : Object Handle Requested | Sub Rule | Object Handle Requested | Other Audit Success | |
| EVID 4655 : IPSEC Security Assoc Ended | Sub Rule | Authentication Activity | Authentication Success | |
| EVID 4651 : IPSEC Sec Assoc Established | Sub Rule | Trust Relationship Established | Access Granted | |
| EVID 4650 : IPSEC Sec Assoc Established | Sub Rule | Trust Relationship Established | Access Granted | |
| EVID 5474 : IPSEC Policy Application Failed | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure | |
| EVID 5472 : IPSEC Policy Application Failed | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure | |
| EVID 5462 : IPSEC Policy Application Failed | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure | |
| EVID 5461 : IPSEC Policy Application Failed | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure | |
| EVID 5458 : IPSEC Policy Application Failed | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure | |
| EVID 5378 : Credential Delegation Disallowed | Sub Rule | Credential Delegation Disallowed | Other Audit Failure | |
| EVID 4888 : Cert Svcs Denied Certificate Request | Sub Rule | Certificate Services Denied Certificate Request | Warning | |
| EVID 4868 : Cert Man Denied Pending Request | Sub Rule | Certificate Manager Denied Pending Cert Request | Warning | |
| EVID 4777 : Credentials Validation Failed | Sub Rule | User Logon Failure : Bad Password | Authentication Failure | |
| EVID 4775 : Account Map For Logon Failed | Sub Rule | Account Logon Mapping Failed | Other Audit Failure | |
| EVID 4766 : Add SID History Failed | Sub Rule | General Audit Failure | Error | |
| EVID 4654 : IPSEC Negotiation Failed | Sub Rule | IPSEC Negotiation Failed | Error | |
| EVID 4653 : IPSEC Negotiation Failed | Sub Rule | IPSEC Negotiation Failed | Error | |
| EVID 4652 : IPSEC Negotiation Failed | Sub Rule | IPSEC Negotiation Failed | Error | |
| EVID 6276 : Network Policy Server Quarantined User | Sub Rule | Network Policy Server Quarantined User | Other Audit | |
| EVID 6275 : Network Policy Svr Discarded Request | Sub Rule | Network Policy Server Discarded Request | Other Audit | |
| EVID 6274 : Network Policy Svr Discarded Request | Sub Rule | Network Policy Server Discarded Request | Other Audit | |
| EVID 5633 : Wired Network Authentication Request | Sub Rule | Authentication Activity | Authentication Success | |
| EVID 5632 : WLAN Authentication Request | Sub Rule | Authentication Activity | Authentication Success | |
| EVID 5069 : Cryptographic Func Prop Op Attempt | Sub Rule | Cryptographic Function Property Operation Attempt | Other Audit | |
| EVID 5068 : Cryptographic Funct Provider Op Atmt | Sub Rule | Cryptographic Function Provider Operation Attempt | Other Audit | |
| EVID 5066 : Cryptographic Function Op Attempted | Sub Rule | Cryptographic Function Operation Attempted | Other Audit | |
| EVID 5064 : Cryptographic Context Op Attempted | Sub Rule | Cryptographic Context Operation Attempted | Other Audit | |
| EVID 5063 : Cryptographic Provider Op Attempted | Sub Rule | Cryptographic Provider Operation Attempted | Other Audit | |
| EVID 4869 : Cert Svcs Rcvd Resubmitted Cert Req | Sub Rule | Certificate Services Rcvd Resubmitted Cert Request | Other Audit | |
| EVID 4801 : Workstation Unlocked | Sub Rule | Workstation Unlocked | Other Audit Success | |
| EVID 4800 : Workstation Locked | Sub Rule | Workstation Locked | Other Audit Success | |
| EVID 4711 : General Audit Message | Sub Rule | General Audit Message | Other Audit | |
| EVID 4696 : Primary Token Assigned | Sub Rule | Primary Token Assigned | Information | |
| EVID 4675 : SIDs Filtered | Sub Rule | SIDs Filtered | Other Audit | |
| EVID 5712 : RPC Attempted | Sub Rule | Remote Procedure Call Attempt | Network Traffic | |
| EVID 5452 : IPSEC Security Association Ended | Sub Rule | IPSEC Security Association Ended | Network Traffic | |
| EVID 5451 : IPSEC Security Association Established | Sub Rule | IPSEC Security Association Established | Network Traffic | |
| EVID 5125 : Request Submitted To OCSP Responder | Sub Rule | Request Submitted To OCSP Responder | Network Traffic | |
| EVID 4985 : Transaction State Change | Sub Rule | Transaction State Change | Network Traffic | |
| EVID 5453 : IPSEC Negotiation Failed | Sub Rule | Traffic Denied by Host Firewall | Network Deny | |
| EVID 5159 : Filtering Denied Port Bind | Sub Rule | Traffic Denied by Host Firewall | Network Deny | |
| EVID 5157 : Filtering Blocked Connection | Sub Rule | Traffic Denied by Host Firewall | Network Deny | |
| EVID 5155 : Filtering Blocked App From Listening | Sub Rule | Application Blocked From Listening For Connections | Warning | |
| EVID 5153 : Filtering Blocked Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny | |
| EVID 5152 : Filtering Blocked Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny | |
| EVID 5031 : Firewall Blocked Connection To App | Sub Rule | Traffic Denied by Host Firewall | Network Deny | |
| EVID 4984 : IPSEC Negotiation Failed | Sub Rule | Traffic Denied by Host Firewall | Network Deny | |
| EVID 4983 : IPSEC Negotiation Failed | Sub Rule | Traffic Denied by Host Firewall | Network Deny | |
| EVID 4963 : IPSEC Dropped Inbound Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny | |
| EVID 4962 : IPSEC Dropped Inbound Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny | |
| EVID 4961 : IPSEC Dropped Inbound Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny | |
| EVID 4960 : IPSEC Dropped Inbound Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny | |
| EVID 5158 : Filtering Permitted Port Bind | Sub Rule | Permitted Bind To Local Port | Information | |
| EVID 5156 : Filtering Allowed Connection | Sub Rule | Traffic Allowed by Host Firewall | Network Allow | |
| EVID 5154 : Filtering Allowed App To Listen | Sub Rule | Application Allowed To Listen For Connections | Information | |
| EVID 4615 : Invalid Use Of LPC Port | Sub Rule | Unauthorized Activity | Misuse | |
| EVID 5444 : Filtering Platform Startup State | Sub Rule | Filtering Platform Startup State | Information | |
| EVID 5443 : Filtering Platform Startup State | Sub Rule | Filtering Platform Startup State | Information | |
| EVID 5442 : Filtering Platform Startup State | Sub Rule | Filtering Platform Startup State | Information | |
| EVID 5441 : Filtering Platform Startup State | Sub Rule | Filtering Platform Startup State | Information | |
| EVID 5440 : Filtering Platform Startup State | Sub Rule | Filtering Platform Startup State | Information | |
| EVID 5377 : Credentials Restored From Backup | Sub Rule | Credentials Restored From Backup | Information | |
| EVID 5376 : Credentials Backed Up | Sub Rule | Credentials Backed Up | Information | |
| EVID 5062 : Cryptographic Self Test Performed | Sub Rule | Cryptographic Self Test Performed | Information | |
| EVID 5056 : Cryptographic Self Test Performed | Sub Rule | Cryptographic Self Test Performed | Information | |
| EVID 4945 : Rule Listed On Firewall Start | Sub Rule | Rule Listed On Firewall Start | Information | |
| EVID 4944 : Active Firewall Policy On Start | Sub Rule | Active Firewall Policy On Start | Information | |
| EVID 4900 : Cert Svcs Template Sec Updated | Sub Rule | Certificate Services Template Security Updated | Information | |
| EVID 4899 : Cert Svcs Template Updated | Sub Rule | Certificate Services Updated Template | Information | |
| EVID 4898 : Cert Svcs Template Loaded | Sub Rule | Certificate Services Loaded Template | Information | |
| EVID 4896 : Cert Svcs DB Rows Deleted | Sub Rule | Certificate Services Database Rows Deleted | Information | |
| EVID 4895 : Cert Svcs Published CA Cert | Sub Rule | Certificate Services Published CA Certificate | Information | |
| EVID 4894 : Cert Svcs Imported & Archived Key | Sub Rule | Certificate Services Imported And Archived Key | Information | |
| EVID 4893 : Cert Svcs Archived A Key | Sub Rule | Certificate Services Archived A Key | Information | |
| EVID 4889 : Cert Svcs Cert Status To Pending | Sub Rule | Certificate Services Set Cert Status To Pending | Information | |
| EVID 4884 : Cert Svcs Imported Certificate | Sub Rule | Certificate Services Imported Certificate | Information | |
| EVID 4883 : Cert Svcs Retrieved Archived Key | Sub Rule | Certificate Services Retrieved Archived Key | Information | |
| EVID 4879 : Cert Svcs Restore Completed | Sub Rule | Certificate Services Restore Completed | Information | |
| EVID 4878 : Cert Svcs Restore Started | Sub Rule | Process/Service Started | Startup and Shutdown | |
| EVID 4877 : Cert Svcs Backup Complete | Sub Rule | Certificate Services Backup Completed | Information | |
| EVID 4876 : Cert Svcs Backup Started | Sub Rule | Certificate Services Backup Started | Information | |
| EVID 4874 : Certificate Request Attributes Changed | Sub Rule | Certificate Request Attributes Changed | Information | |
| EVID 4873 : Certificate Request Extension Changed | Sub Rule | Certificate Request Extension Changed | Information | |
| EVID 4872 : Cert Svcs Published CRL | Sub Rule | Certificate Services Published CRL | Information | |
| EVID 4871 : Cert Svcs Request CRL | Sub Rule | Certificate Svcs Received Request To Publish CRL | Information | |
| EVID 4803 : Screen Saver Dismissed | Sub Rule | Screen Saver Dismissed | Information | |
| EVID 4802 : Screen Saver Invoked | Sub Rule | Screen Saver Invoked | Information | |
| EVID 4793 : Password Policy Checker API Called | Sub Rule | Policy Modified : Object | Policy | |
| EVID 4621 : Recovered From Crash On Audit Fail | Sub Rule | Crash On Audit Fail Recovered | Information | |
| EVID 6145 : GPO Security Policy Application Error | Sub Rule | GPO Security Policy Application Error | Error | |
| EVID 5485 : IPSEC Filter Processing Failed | Sub Rule | IPSEC Filter Processing Failed | Error | |
| EVID 5483 : IPSEC Service Failed To Start | Sub Rule | IPSEC Service Failed To Start | Error | |
| EVID 5477 : Failed To Load Quick Mode Filter | Sub Rule | Failed To Load Quick Mode Filter | Error | |
| EVID 5057 : Cryptographic Self Test Failed | Sub Rule | Cryptographic Self Test Failed | Error | |
| EVID 5050 : Programmatic Firewall Disable Attempt | Sub Rule | Programmatic Firewall Disable Attempted | Error | |
| EVID 4965 : IPSEC Received Bad Packet | Sub Rule | IPSEC Received Bad Packet | Error | |
| EVID 4936 : AD Replication Failure Ends | Sub Rule | AD Replication Failure Ends | Error | |
| EVID 4935 : AD Replication Failure Begins | Sub Rule | AD Replication Failure Begins | Error | |
| EVID 4864 : Namespace Collision | Sub Rule | Namespace Collision | Error | |
| EVID 4816 : RPC Integrity Violation | Sub Rule | RPC Integrity Violation | Error | |
| EVID 4712 : IPSEC Service Failure | Sub Rule | IPSEC Service Serious Failure | Error | |
| EVID 5484 : IPSEC Service Error Caused Shutdown | Sub Rule | IPSEC Service Error Caused Shutdown | Critical | |
| EVID 5038 : Possible Disk Error | Sub Rule | Computed Hash Match Failure | Error | |
| EVID 5037 : Firewall Driver Critical Condition | Sub Rule | Firewall Driver Critical Condition | Critical | |
| EVID 5035 : Firewall Driver Startup Failed | Sub Rule | Firewall Driver Startup Failed | Critical | |
| EVID 5030 : Firewall Service Failed To Start | Sub Rule | Firewall Service Failed To Start | Critical | |
| EVID 5029 : Firewall Driver Init Failed | Sub Rule | Firewall Driver Init Failed | Critical | |
| EVID 5450 : Filtering Platform Sub-Layer Changed | Sub Rule | Configuration Modified : Application | Configuration | |
| EVID 5449 : Filtering Platform Prov Context Chng | Sub Rule | Configuration Modified : Security | Configuration | |
| EVID 5448 : Filtering Platform Provider Changed | Sub Rule | Configuration Modified : Application | Configuration | |
| EVID 5447 : Filtering Platform Filter Changed | Sub Rule | Configuration Modified : Application | Configuration | |
| EVID 5446 : Filtering Platform Callout Changed | Sub Rule | Configuration Modified : Application | Configuration | |
| EVID 5127 : OCSP Revoc Provider Updated Revoc Info | Sub Rule | OCSP Revocation Provider Updated Revocation Info | Information | |
| EVID 5126 : OCSP Updated Signing Certificate | Sub Rule | Configuration Modified : Security | Configuration | |
| EVID 5124 : OCSP Responder Sec Setting Updated | Sub Rule | Configuration Modified : Security | Configuration | |
| EVID 5123 : OCSP Responder Configuration Changed | Sub Rule | Configuration Modified : Application | Configuration | |
| EVID 5122 : OCSP Responder Configuration Changed | Sub Rule | Configuration Modified : Application | Configuration | |
| EVID 5070 : Cryptographic Funct Prop Mod Attempted | Sub Rule | Cryptographic Function Property Mod Attempt | Warning | |
| EVID 5067 : Cryptographic Function Mod Attempted | Sub Rule | Cryptographic Function Modification Attempted | Warning | |
| EVID 5065 : Cryptographic Context Mod Attempted | Sub Rule | Cryptographic Context Modification Attempted | Warning | |
| EVID 5049 : IPSEC Security Association Deleted | Sub Rule | Configuration Deleted : Security | Configuration | |
| EVID 5048 : IPSEC Crypto Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration | |
| EVID 5047 : IPSEC Crypto Set Modified | Sub Rule | Configuration Modified : Security | Configuration | |
| EVID 5046 : IPSEC Crypto Set Added | Sub Rule | Configuration Loaded : Security | Configuration | |
| EVID 5045 : IPSEC Connection Security Rule Deleted | Sub Rule | Configuration Deleted : Security | Configuration | |
| EVID 5044 : IPSEC Conn Security Rule Modified | Sub Rule | Configuration Modified : Security | Configuration | |
| EVID 5043 : IPSEC Connection Security Rule Added | Sub Rule | Configuration Loaded : Security | Configuration | |
| EVID 5042 : IPSEC Authentication Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration | |
| EVID 5041 : IPSEC Authentication Set Modified | Sub Rule | Configuration Modified : Security | Configuration | |
| EVID 5040 : IPSEC Authentication Set Added | Sub Rule | Configuration Loaded : Security | Configuration | |
| EVID 4982 : IPSEC Security Mode Assoc Established | Sub Rule | Trust Relationship Established | Access Granted | |
| EVID 4981 : IPSEC Security Mode Assoc Established | Sub Rule | Trust Relationship Established | Access Granted | |
| EVID 4980 : IPSEC Security Mode Assoc Established | Sub Rule | Trust Relationship Established | Access Granted | |
| EVID 4979 : IPSEC Security Mode Assoc Established | Sub Rule | Trust Relationship Established | Access Granted | |
| EVID 4956 : Firewall Changed Active Profile | Sub Rule | Configuration Modified : Security | Configuration | |
| EVID 4950 : Firewall Settings Changed | Sub Rule | Configuration Modified : Security | Configuration | |
| EVID 4949 : Firewall Settings Restored To Default | Sub Rule | Configuration Modified : Security | Configuration | |
| EVID 4948 : Firewall Exception Rule Deleted | Sub Rule | Configuration Deleted : Security | Configuration | |
| EVID 4947 : Firewall Exception Rule Modified | Sub Rule | Configuration Modified : Security | Configuration | |
| EVID 4946 : Firewall Exception Rule Added | Sub Rule | Configuration Loaded : Network Access | Configuration | |
| EVID 4937 : Lingering Object Removed From Replica | Sub Rule | Configuration Deleted : System | Configuration | |
| EVID 4934 : AD Object Attributes Replicated | Sub Rule | AD Object Attributes Replicated | Information | |
| EVID 4930 : AD Replica Src Naming Context Modified | Sub Rule | Configuration Modified : Directory Services | Configuration | |
| EVID 4929 : AD Replica Src Naming Context Removed | Sub Rule | Configuration Deleted : Directory Services | Configuration | |
| EVID 4928 : AD Replica Src Naming Context Estab | Sub Rule | Configuration Loaded : Directory Services | Configuration | |
| EVID 4908 : Special Groups Logon Table Modified | Sub Rule | Configuration Modified : Security | Configuration | |
| EVID 4905 : Sec Event Source Un-Registered | Sub Rule | Configuration Disabled : Security | Configuration | |
| EVID 4904 : Sec Event Source Registered | Sub Rule | Configuration Enabled : Security | Configuration | |
| EVID 4892 : Cert Svcs Property Changed | Sub Rule | Configuration Modified : Application | Configuration | |
| EVID 4891 : Cert Svcs Config Entry Changed | Sub Rule | Configuration Modified : Application | Configuration | |
| EVID 4890 : Cert Svcs Settings Changed | Sub Rule | Configuration Modified : Application | Configuration | |
| EVID 4794 : DS Restore Mode Admin Password Set | Sub Rule | Configuration Modified : Security | Configuration | |
| EVID 4702 : Scheduled Task Updated | Sub Rule | Configuration Enabled : System | Configuration | |
| EVID 4701 : Scheduled Task Disabled | Sub Rule | Configuration Disabled : System | Configuration | |
| EVID 4700 : Scheduled Task Enabled | Sub Rule | Configuration Enabled : System | Configuration | |
| EVID 4699 : Scheduled Task Deleted | Sub Rule | Configuration Deleted : System | Configuration | |
| EVID 4698 : Scheduled Task Created | Sub Rule | Configuration Enabled : System | Configuration | |
| EVID 4697 : Service Installed | Sub Rule | Software Installed | Configuration | |
| EVID 4667 : Application - Client Context Deleted | Sub Rule | Configuration Deleted : Application | Configuration | |
| EVID 4665 : Application - Client Context Created | Sub Rule | Configuration Enabled : Application | Configuration | |
| EVID 4622 : Security Package Loaded By SAM | Sub Rule | Configuration Loaded : Security | Configuration | |
| EVID 4648 : Logon Using Explicit Credentials | Sub Rule | User Logon | Authentication Success | |
| EVID 4647 : Logoff | Sub Rule | User Logoff | Authentication Success | |
| EVID 4634 : Logoff | Sub Rule | Authentication Activity | Authentication Success | |
| EVID 4624 : Authentication | Sub Rule | User Logon | Authentication Success | |
| EVID 4773 : Kerberos Service Ticket Request Failed | Sub Rule | Authentication Failure Activity | Authentication Failure | |
| EVID 4772 : Kerberos Ticket Request Failed | Sub Rule | Authentication Failure Activity | Authentication Failure | |
| EVID 4771 : Failed Pre-Authentication | Sub Rule | Authentication Failure Activity | Authentication Failure | |
| EVID 4625 : Authentication Failure | Sub Rule | Authentication Failure Activity | Authentication Failure | |
| EVID 4649 : Replay Attack | Sub Rule | General Attack Activity | Attack | |
| EVID 6280 : User Account Unlocked | Sub Rule | Account Unlocked | Access Granted | |
| EVID 6279 : User Account Locked Out | Sub Rule | Account Locked | Access Revoked | |
| EVID 4791 : Basic App Group Changed | Sub Rule | Group Attribute Modified | Account Modified | |
| EVID 4784 : Basic App Group Changed | Sub Rule | Group Attribute Modified | Account Modified | |
| EVID 4781 : Account Name Change | Sub Rule | User Account Name Modified | Account Modified | |
| EVID 4767 : User Account Unlocked | Sub Rule | Account Unlocked | Access Granted | |
| EVID 4764 : Group Type Changed | Sub Rule | Group Attribute Modified | Account Modified | |
| EVID 4760 : Universal Dstr Grp Changed | Sub Rule | Group Attribute Modified | Account Modified | |
| EVID 4755 : Universal Sec Grp Changed | Sub Rule | Group Attribute Modified | Account Modified | |
| EVID 4750 : Global Dstr Grp Changed | Sub Rule | Group Attribute Modified | Account Modified | |
| EVID 4745 : Local Dstr Grp Changed | Sub Rule | Group Attribute Modified | Account Modified | |
| EVID 4742 : Computer Account Changed | Sub Rule | Computer Account Attribute Modified | Account Modified | |
| EVID 4740 : User Account Locked Out | Sub Rule | Account Locked | Access Revoked | |
| EVID 4738 : User Account Changed | Sub Rule | User Account Attribute Modified | Account Modified | |
| EVID 4737 : Global Security Group Changed | Sub Rule | Group Attribute Modified | Account Modified | |
| EVID 4735 : Local Security Group Changed | Sub Rule | Group Attribute Modified | Account Modified | |
| EVID 4725 : User Account Disabled | Sub Rule | Account Disabled | Access Revoked | |
| EVID 4724 : Password Reset | Sub Rule | Password Modified | Account Modified | |
| EVID 4723 : Password Change Attempted | Sub Rule | Password Modified | Account Modified | |
| EVID 4722 : User Account Enabled | Sub Rule | Account Enabled | Access Granted | |
| EVID 4792 : LDAP Query Group Deleted | Sub Rule | Group Deleted | Account Deleted | |
| EVID 4789 : Basic App Group Deleted | Sub Rule | Group Deleted | Account Deleted | |
| EVID 4763 : Universal Dstr Grp Deleted | Sub Rule | Group Deleted | Account Deleted | |
| EVID 4758 : Universal Sec Grp Deleted | Sub Rule | Group Deleted | Account Deleted | |
| EVID 4753 : Global Dstr Grp Deleted | Sub Rule | Group Deleted | Account Deleted | |
| EVID 4748 : Local Dstr Grp Deleted | Sub Rule | Group Deleted | Account Deleted | |
| EVID 4743 : Computer Account Deleted | Sub Rule | Computer Account Deleted | Account Deleted | |
| EVID 4734 : Local Security Group Deleted | Sub Rule | Group Deleted | Account Deleted | |
| EVID 4730 : Global Security Group Deleted | Sub Rule | Group Deleted | Account Deleted | |
| EVID 4726 : User Account Deleted | Sub Rule | User Account Deleted | Account Deleted | |
| EVID 4790 : LDAP Query Group Created | Sub Rule | Group Created | Account Created | |
| EVID 4783 : Basic App Group Created | Sub Rule | Group Created | Account Created | |
| EVID 4759 : Universal Dstr Grp Created | Sub Rule | Group Created | Account Created | |
| EVID 4754 : Universal Sec Grp Created | Sub Rule | Group Created | Account Created | |
| EVID 4749 : Global Dstr Grp Created | Sub Rule | Group Created | Account Created | |
| EVID 4744 : Local Dstr Grp Created | Sub Rule | Group Created | Account Created | |
| EVID 4741 : Computer Account Created | Sub Rule | Computer Account Created | Account Created | |
| EVID 4731 : Local Security Group Created | Sub Rule | Group Created | Account Created | |
| EVID 4727 : Global Security Group Created | Sub Rule | Group Created | Account Created | |
| EVID 4720 : User Account Created | Sub Rule | User Account Created | Account Created | |
| EVID 6278 : Network Policy Server Granted Access | Sub Rule | Access Granted Activity | Access Granted | |
| EVID 6277 : Network Policy Server Granted Access | Sub Rule | Access Granted Activity | Access Granted | |
| EVID 6272 : Network Policy Server Granted Access | Sub Rule | Access Granted Activity | Access Granted | |
| EVID 5890 : COM+ Object Added | Sub Rule | Object Added | Access Success | |
| EVID 5889 : COM+ Object Deleted | Sub Rule | Object Deleted/Removed | Access Success | |
| EVID 5888 : COM+ Object Modified | Sub Rule | Object Modified | Access Success | |
| EVID 5141 : Directory Service Object Deleted | Sub Rule | Object Deleted/Removed | Access Success | |
| EVID 5140 : Network Share Object Accessed | Sub Rule | Object Accessed | Access Success | |
| EVID 5139 : Directory Service Object Moved | Sub Rule | Object Moved | Access Success | |
| EVID 5138 : Directory Service Object Restored | Sub Rule | Directory Service Object Restored | Other Audit Success | |
| EVID 5137 : Directory Service Object Created | Sub Rule | Object Created | Access Success | |
| EVID 5136 : Directory Service Object Modified | Sub Rule | Object Modified | Access Success | |
| EVID 5061 : Cryptographic Operation | Sub Rule | Cryptographic Operation | Other Audit Success | |
| EVID 5059 : Key Migration Operation | Sub Rule | Key Migration Operation | Other Audit Success | |
| EVID 5058 : Key File Operation | Sub Rule | Key File Operation | Other Audit Success | |
| EVID 5051 : File Virtualized | Sub Rule | File Virtualized | Other Audit Success | |
| EVID 5039 : Registry Key Virtualized | Sub Rule | Registry Key Virtualized | Other Audit Success | |
| EVID 4782 : Password Hash Accessed | Sub Rule | Object Accessed | Access Success | |
| EVID 4695 : Auditable Protected Data Unprotected | Sub Rule | Auditable Protected Data Unprotected | Other Audit Success | |
| EVID 4694 : Auditable Protected Data Protected | Sub Rule | Auditable Protected Data Protected | Other Audit Success | |
| EVID 4693 : Data Protection Master Key Recovered | Sub Rule | Data Protection Master Key Recovered | Other Audit Success | |
| EVID 4692 : Data Protection Master Key Backed Up | Sub Rule | Data Protection Master Key Backup Attempt | Other Audit Success | |
| EVID 4691 : Indirect Object Access | Sub Rule | Object Accessed | Access Success | |
| EVID 4674 : Privileged Object Operation | Sub Rule | Object Accessed | Access Success | |
| EVID 4673 : Privileged Service Called | Sub Rule | Object Accessed | Access Success | |
| EVID 4668 : Application Initialization Failed | Sub Rule | Application Initialization Failed | Critical | |
| EVID 4668 : Application Initialized | Sub Rule | Object Initialized | Access Success | |
| EVID 4666 : Application Operation Failed | Sub Rule | Command Execution Failure | Access Failure | |
| EVID 4666 : Application Operation | Sub Rule | Application Operation | Other Audit Success | |
| EVID 4664 : Hard Link Creation Attempt | Sub Rule | Hard Link Creation Attempt | Other Audit Success | |
| EVID 4662 : Failed Object Operation | Sub Rule | Failed Object Operation | Error | |
| EVID 4662 : Object Operation | Sub Rule | Object Operation | Other Audit Success | |
| EVID 4660 : Object Delete Failed | Sub Rule | Delete/Remove Object Failure | Access Failure | |
| EVID 4659 : Object Opened For Delete | Sub Rule | Object Deleted/Removed | Access Success | |
| EVID 4657 : Registry Value Modification Failed | Sub Rule | Modify Object Failure | Access Failure | |
| EVID 4656 : Object Open Failed | Sub Rule | Access Object Failure | Access Failure | |
| EVID 4656 : Object Opened | Sub Rule | Object Read | Access Success | |
| EVID 4870 : Cert Svcs Revoked Certificate | Sub Rule | Access Revoked Activity | Access Revoked | |
| EVID 4788 : Non-Member Removed Basic App Group | Sub Rule | Account Removed From Group | Access Revoked | |
| EVID 4786 : Usr Removed From Basic App Group | Sub Rule | Account Removed From Group | Access Revoked | |
| EVID 4762 : User Rmvd From Univ Dstr Grp | Sub Rule | Account Removed From Group | Access Revoked | |
| EVID 4757 : Usr Rmvd From Univ Sec Grp | Sub Rule | Account Removed From Group | Access Revoked | |
| EVID 4752 : Usr Rmvd From Global Dstr Grp | Sub Rule | Account Removed From Group | Access Revoked | |
| EVID 4747 : User Rmvd From Local Dstr Grp | Sub Rule | Account Removed From Group | Access Revoked | |
| EVID 4733 : Usr Rmvd From Local Sec Grp | Sub Rule | Account Removed From Group | Access Revoked | |
| EVID 4729 : User Removed Glbl Security Group | Sub Rule | Account Removed From Group | Access Revoked | |
| EVID 4718 : Sys Sec Access Removed | Sub Rule | Access Revoked Activity | Access Revoked | |
| EVID 4705 : User Right Removed | Sub Rule | User Account Attribute Modified | Account Modified | |
| EVID 4887 : Cert Svcs Issued Certificate | Sub Rule | Certificate Services Issued Certificate | Information | |
| EVID 4787 : Non-Member Added Basic App Group | Sub Rule | Account Added To Group | Access Granted | |
| EVID 4785 : Usr Added To Basic App Group | Sub Rule | Account Added To Group | Access Granted | |
| EVID 4761 : Usr Added To Univ Dstr Grp | Sub Rule | Account Added To Group | Access Granted | |
| EVID 4756 : Usr Added To Univ Sec Grp | Sub Rule | Account Added To Group | Access Granted | |
| EVID 4751 : Usr Added Global Dstr Grp | Sub Rule | Account Added To Group | Access Granted | |
| EVID 4746 : User Added Local Dstr Group | Sub Rule | Account Added To Group | Access Granted | |
| EVID 4732 : Usr Added To Local Sec Grp | Sub Rule | Account Added To Group | Access Granted | |
| EVID 4728 : User Added Glbl Security Grp | Sub Rule | Account Added To Group | Access Granted | |
| EVID 4717 : Sys Sec Access Granted | Sub Rule | Access Granted Activity | Access Granted | |
| EVID 4704 : User Right Assigned | Sub Rule | Privilege Granted | Access Granted | |
| EVID 6273 : Network Policy Server Denied Access | Sub Rule | Access Object Failure | Access Failure | |
| EVID 5060 : Verification Operation Failed | Sub Rule | Command Execution Failure | Access Failure | |
| EVID 4671 : App Blocked Ordinal Access Attempt | Sub Rule | Access Object Failure | Access Failure | |
| EVID 1102 : Audit Log Cleared | Sub Rule | Log Cleared | Access Success | |
| EVID 1100 : Logging Service Shut Down | Sub Rule | Process/Service Stopping | Startup and Shutdown | |
| EVID 4797 : Query For Blank Password | Sub Rule | Query Information | Information | |
| EVID 5380 : Vault Find Credential | Sub Rule | MS Windows User Rights Access Credential | Other Audit | |
| EVID 5382 : Credential Were Read | Sub Rule | Object Read | Access Success |
LogRhythm Default v2.0
There are no changes for LogRhythm Default v2.0.