Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|
|
V 2.0 : Catch All |
Base Rule |
General Audit Message |
Other Audit |
|
V 2.0 : EVID 4649 : Replay Attack Detected |
Sub Rule |
Replay Activity |
Attack |
|
V 2.0 : EVID 4675 : SIDs Were Filtered |
Sub Rule |
SIDs Filtered |
Other Audit |
|
V 2.0 : EVID 4765 : SID History Added to Account |
Sub Rule |
User Account Attribute Modified |
Account Modified |
|
V 2.0 : EVID 4766 : SID History Add Failed |
Sub Rule |
Modify Object Attribute Failure |
Access Failure |
|
V 2.0 : EVID 5378 : Credential Delegation Disallow |
Sub Rule |
Access Object Failure |
Access Failure |
|
V 2.0 : EVID 4709 : IPSEC - Service Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
V 2.0 : EVID 4710 : IPSEC - Service Disabled |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
V 2.0 : EVID 4711 : PAStore - General Event |
Sub Rule |
General IPSEC Message |
Information |
|
V 2.0 : EVID 4712 : IPSEC - Fatal Error Encounter |
Sub Rule |
General IPSec Critical |
Critical |
|
V 2.0 : EVID 5040 : IPSEC - Auth. Set Added |
Sub Rule |
Configuration Loaded : Security |
Configuration |
|
V 2.0 : EVID 5041 : IPSEC - Auth. Set Modified |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
V 2.0 : EVID 5042 : IPSEC - Auth. Set Deleted |
Sub Rule |
Configuration Deleted : Security |
Configuration |
|
V 2.0 : EVID 5043 : IPSEC - Conn. Sec. Rule Added |
Sub Rule |
Configuration Loaded : Security |
Configuration |
|
V 2.0 : EVID 5044 : IPSEC - Conn Sec Rule Modified |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
V 2.0 : EVID 5045 : IPSEC - Conn Sec Rule Deleted |
Sub Rule |
Configuration Deleted : Security |
Configuration |
|
V 2.0 : EVID 5046 : IPSEC - Crypto Set Added |
Sub Rule |
Configuration Loaded : Security |
Configuration |
|
V 2.0 : EVID 5047 : IPSEC - Crypto Set Modified |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
V 2.0 : EVID 5048 : IPSEC - Crypto Set Deleted |
Sub Rule |
Configuration Deleted : Security |
Configuration |
|
V 2.0 : EVID 5440 : WFP - Callout Present at Start |
Sub Rule |
Filtering Platform Startup State |
Information |
|
V 2.0 : EVID 5441 : WFP - Filter Present at Start |
Sub Rule |
Filtering Platform Startup State |
Information |
|
V 2.0 : EVID 5442 : WFP - Prov. Present at Start |
Sub Rule |
Filtering Platform Startup State |
Information |
|
V 2.0 : EVID 5443 : WFP - Prov. Cont Pres at Start |
Sub Rule |
Filtering Platform Startup State |
Information |
|
V 2.0 : EVID 5444 : WFP - Sub-Layer Pres at Start |
Sub Rule |
Filtering Platform Startup State |
Information |
|
V 2.0 : EVID 5446 : WFP - Callout Changed |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
V 2.0 : EVID 5449 : WFP - Prov. Context Changed |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
V 2.0 : EVID 5448 : WFP - Provider Changed |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
V 2.0 : EVID 5450 : WFP - Sub-layer Changed |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
V 2.0 : EVID 5456 : PAStore - AD IPSEC Policy Applied |
Sub Rule |
General IPSEC Message |
Information |
|
V 2.0 : EVID 5457 : PAStore - AD IPSEC Policy Fail |
Sub Rule |
IPSEC Policy Application Failed |
Other Audit Failure |
|
V 2.0 : EVID 5458 : PAStore - Cached AD IPSEC Policy |
Sub Rule |
General IPSEC Message |
Information |
|
V 2.0 : EVID 5459 : PAStore - Cached AD IPSEC Policy |
Sub Rule |
General IPSec Error |
Error |
|
V 2.0 : EVID 5460 : PAStore - Registry IPSEC Policy |
Sub Rule |
General IPSEC Message |
Information |
|
V 2.0 : EVID 5461 : PAStore - Registry IPSEC Policy |
Sub Rule |
General IPSec Error |
Error |
|
V 2.0 : EVID 5462 : PAStore - Fail to Apply IPSEC |
Sub Rule |
General IPSec Error |
Error |
|
V 2.0 : EVID 5463 : PAStore - Poll for IPSEC Policy |
Sub Rule |
General IPSEC Message |
Information |
|
V 2.0 : EVID 5464 : PAStore - Poll for IPSEC Policy |
Sub Rule |
General IPSEC Message |
Information |
|
V 2.0 : EVID 5465 : PAStore - IPSEC Policy Forcibly |
Sub Rule |
General IPSEC Message |
Information |
|
V 2.0 : EVID 5466 : PAStore - Unable to Reach AD |
Sub Rule |
General IPSEC Message |
Information |
|
V 2.0 : EVID 5467 : PAStore - Poll for IPSEC Policy |
Sub Rule |
General IPSEC Message |
Information |
|
V 2.0 : EVID 5468 : PAStore - Poll for IPSEC Policy |
Sub Rule |
General IPSEC Message |
Information |
|
V 2.0 : EVID 5471 : PAStore - Local IPSEC Policy Loaded |
Sub Rule |
General IPSEC Message |
Information |
|
V 2.0 : EVID 4772 : Kerberos TGT Request Failed |
Sub Rule |
Windows Audit Failure Event |
Other Audit Failure |
|
V 2.0 : EVID 4773 : Kerberos TGS Request Failed |
Sub Rule |
Access Object Failure |
Access Failure |
|
V 2.0 : EVID 4774 : Account Successfully Mapped |
Sub Rule |
Account Mapped for Logon |
Other Audit Success |
|
V 2.0 : EVID 4774 : Account Failed to Be Mapped |
Sub Rule |
Account Logon Mapping Failed |
Other Audit Failure |
|
V 2.0 : EVID 4775 : Account Could Not Be Mapped |
Sub Rule |
Account Logon Mapping Failed |
Other Audit Failure |
|
V 2.0 : EVID 4777 : Domain Controller Failed to Valid |
Sub Rule |
Windows Audit Failure Event |
Other Audit Failure |
|
V 2.0 : EVID 4646 : IPSEC - DoS Prevention Mode Str |
Sub Rule |
General IPSEC Message |
Information |
|
V 2.0 : EVID 4650 : IPSEC - Main Mode Security |
Sub Rule |
IPSEC Security Association Established |
Network Traffic |
|
V 2.0 : EVID 4651 : IPSEC - Main Mode Security |
Sub Rule |
IPSEC Security Association Established |
Network Traffic |
|
V 2.0 : EVID 4652 : IPSEC - Main Mode Negotiation |
Sub Rule |
IPSEC Negotiation Failed |
Error |
|
V 2.0 : EVID 4653 : IPSEC - Main Mode Negotiation |
Sub Rule |
IPSEC Negotiation Failed |
Error |
|
V 2.0 : EVID 4655 : IPSEC - Main Mode Security |
Sub Rule |
IPSEC Security Association Ended |
Network Traffic |
|
V 2.0 : EVID 4960 : IPSEC - Inbound Packet Integrity Fl |
Sub Rule |
Integrity Check Failed |
Error |
|
V 2.0 : EVID 4961 : IPSEC - Inbound Packet Replay |
Sub Rule |
Integrity Check Failed |
Error |
|
V 2.0 : EVID 4962 : IPSEC - Inbound Packet Replay |
Sub Rule |
Integrity Check Failed |
Error |
|
V 2.0 : EVID 4963 : IPSEC - Inbound Packet in Clr |
Sub Rule |
General IPSec Warning |
Warning |
|
V 2.0 : EVID 4965 : IPSEC Packet Received Invalid |
Sub Rule |
IPSEC Received Bad Packet |
Error |
|
V 2.0 : EVID 4976 : IPSEC - Main Mode Invalid Negotiation |
Sub Rule |
IPSEC Received Bad Packet |
Error |
|
V 2.0 : EVID 4977 : IPSEC - Quick Mode Invalid Negotiation |
Sub Rule |
IPSEC Received Bad Packet |
Error |
|
V 2.0 : EVID 4978 : IPSEC - Extended Mode Invalid |
Sub Rule |
IPSEC Received Bad Packet |
Error |
|
V 2.0 : EVID 4979 : IPSEC - Main and Extended Mode |
Sub Rule |
IPSEC Security Association Established |
Network Traffic |
|
V 2.0 : EVID 4980 : IPSEC - Main and Extended Mode |
Sub Rule |
IPSEC Security Association Established |
Network Traffic |
|
V 2.0 : EVID 4981 : IPSEC - Main and Extended Mode |
Sub Rule |
IPSEC Security Association Established |
Network Traffic |
|
V 2.0 : EVID 5024 : Firewall - Service Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
V 2.0 : EVID 5025 : Firewall - Service Stopped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
V 2.0 : EVID 5027 : Firewall - Service Unable to Retry |
Sub Rule |
Firewall Service Failed to Load Local Policy |
Warning |
|
V 2.0 : EVID 5028 : Firewall - Service Failed to Parse |
Sub Rule |
Firewall Service Failed to Load Local Policy |
Warning |
|
V 2.0 : EVID 5029 : Firewall - Service Failed to Load Driver |
Sub Rule |
Driver Failed to Load |
Warning |
|
V 2.0 : EVID 4982 : IPSEC - Main and Extended Mode |
Sub Rule |
IPSEC Security Association Established |
Network Traffic |
|
V 2.0 : EVID 5030 : Firewall - Service Failed to Start |
Sub Rule |
Firewall Service Failed to Start |
Critical |
|
V 2.0 : EVID 4983 : IPSEC - Extended Mode Negotiation Failed |
Sub Rule |
IPSEC Negotiation Failed |
Error |
|
V 2.0 : EVID 5032 : Firewall - Unable to Notify User |
Sub Rule |
Firewall Notification Failed |
Warning |
|
V 2.0 : EVID 4984 : IPSEC - Extended Mode Negotiation Failed |
Sub Rule |
IPSEC Negotiation Failed |
Error |
|
V 2.0 : EVID 5049 : IPSEC - Security Assoc Deleted |
Sub Rule |
Configuration Deleted : Security |
Configuration |
|
V 2.0 : EVID 5033 : Firewall - Driver Started Success |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
V 2.0 : EVID 5451 : IPSEC - Quick Mode Security Association |
Sub Rule |
IPSEC Security Association Established |
Network Traffic |
|
V 2.0 : EVID 5034 : Firewall - Driver Stopped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
V 2.0 : EVID 5452 : IPSEC - Quick Mode Security Association |
Sub Rule |
IPSEC Security Association Ended |
Network Traffic |
|
V 2.0 : EVID 5035 : Firewall - Driver Failed to Start |
Sub Rule |
Firewall Driver Startup Failed |
Critical |
|
V 2.0 : EVID 5453 : IPSEC - Negotiation Failed Due |
Sub Rule |
IPSEC Negotiation Failed |
Error |
|
V 2.0 : EVID 5478 : IPSEC - Service Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
V 2.0 : EVID 5037 : Firewall - Driver Critical Runtime |
Sub Rule |
Firewall Driver Critical Condition |
Critical |
|
V 2.0 : EVID 5479 : IPSEC - Service Stopped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
V 2.0 : EVID 5480 : IPSEC - Failed to Obtain Network |
Sub Rule |
IPSEC Network Interface List Failed |
Warning |
|
V 2.0 : EVID 5483 : IPSEC - Failed to Initialize RPC |
Sub Rule |
IPSEC Service Failed to Start |
Error |
|
V 2.0 : EVID 5484 : IPSEC - Critical Service Failure |
Sub Rule |
IPSEC Service Error Caused Shutdown |
Critical |
|
V 2.0 : EVID 5485 : IPSEC - Failed to Process Filter |
Sub Rule |
IPSEC Filter Processing Failed |
Error |
|
V 2.0 : EVID 6400 : Branch Cache - Incorrectly Formatted |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 : EVID 6401 : Branch Cache - Invalid Peer Data Received |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 : EVID 6402 : Branch Cache - Incorrectly Formatted |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 : EVID 6403 : Branch Cache - Incorrectly Formatted |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 : EVID 6404 : Branch Cache - Unable to Auth |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 : EVID 6405 : Branch Cache - Multiple Events Received |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 : EVID 6406 : Branch Cache - Registration |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 : EVID 6407 : Branch Cache - General Event |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 : EVID 6408 : Branch Cache - Regt Wind Firewall |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 : EVID 6409 : Branch Cache - Service Conn |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 : EVID 6145 : Sec Policy GPOs Fail to Apply |
Sub Rule |
Policy Failed |
Error |
|
V 2.0 : EVID 6144 : Security Policy GPOs Applied |
Sub Rule |
Policy Enabled : System |
Policy |
|
V 2.0 : EVID 5447 : WFP - Filter Changed |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
V 2.0 : EVID 4906 : Crash on Audit Fail Value Changed |
Sub Rule |
Configuration Modified : System |
Configuration |
|
V 2.0 : EVID 4908 : Special Groups Logon Table Modified |
Sub Rule |
Configuration Modified : System |
Configuration |
|
V 2.0 : EVID 4909 : Local TBS Policy Settings Modified |
Sub Rule |
Policy Modified : System |
Policy |
|
V 2.0 : EVID 4910 : Group TBS Policy Settings Modified |
Sub Rule |
Policy Modified : System |
Policy |
|
V 2.0 : EVID 4902 : Per-User Policy Table Created |
Sub Rule |
Policy Created : System |
Policy |
|
V 2.0 : EVID 4826 : Boot Configuration Data Loaded |
Sub Rule |
Configuration Loaded : System |
Configuration |
|
V 2.0 : EVID 4864 : Namespace Collision Detected |
Sub Rule |
Namespace Collision |
Error |
|
V 2.0 : EVID 4714 : Encrypted Data Rec Policy Modified |
Sub Rule |
Policy Modified : System |
Policy |
|
V 2.0 : EVID 4671 : Application Attempted Access |
Sub Rule |
Access Object Failure |
Access Failure |
|
V 2.0 : EVID 5148 : WFP - DoS Attack Detected |
Sub Rule |
Failed Network Denial of Service |
Failed Denial of Service |
|
V 2.0 : EVID 5149 : WFP - DoS Attack Ended |
Sub Rule |
General Security |
Other Security |
|
V 2.0 : EVID 4608 : Windows Starting Up |
Sub Rule |
System Started |
Startup and Shutdown |
|
V 2.0 : EVID 4612 : Audit Queuing Resources Exhausted |
Sub Rule |
Audit Queuing Resources Exhausted |
Warning |
|
V 2.0 : EVID 4615 : Invalid LPC Port Use |
Sub Rule |
Unauthorized Activity |
Misuse |
|
V 2.0 : EVID 4618 : User-Defined Security Event |
Sub Rule |
General Event Log Information |
Information |
|
V 2.0 : EVID 4621 : Admin Recovered from Crash on Audit |
Sub Rule |
Crash on Audit Fail Recovered |
Information |
|
V 2.0 : EVID 4816 : RPC Message Integrity Violation |
Sub Rule |
RPC Integrity Violation |
Error |
|
V 2.0 : EVID 5038 : Invalid Image Hash |
Sub Rule |
Integrity Check Failed |
Error |
|
V 2.0 : EVID 5056 : CNG - Crypto Self-Check Performed |
Sub Rule |
Cryptographic Self Test Performed |
Information |
|
V 2.0 : EVID 5062 : CNG - Kernel Crypto Self-Check Performed |
Sub Rule |
Cryptographic Self Test Performed |
Information |
|
V 2.0 : EVID 5057 : CNG - Primitive Crypto Op Failure |
Sub Rule |
Cryptographic Failure |
Error |
|
V 2.0 : EVID 5060 : CNG - Crypto Verification Failure |
Sub Rule |
Cryptographic Failure |
Error |
|
V 2.0 : EVID 6281 : Invalid Page Hash in Image Filter |
Sub Rule |
Integrity Check Failed |
Error |
|
V 2.0 : EVID 6410 : File Failed Security Check |
Sub Rule |
Failed Suspicious Activity |
Failed Suspicious |
|
V 2.0 : EVID 5712 : RPC Attempted |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 : EVID 4944 : WFP - Policy Active and Window |
Sub Rule |
Active Firewall Policy on Start |
Information |
|
V 2.0 : EVID 4949 : WFP Settings Restored Default |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
V 2.0 : EVID 4954 : WFP - Group Policy Settings |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
V 2.0 : EVID 4783 : Basic Application Group Created |
Sub Rule |
Group Created |
Account Created |
|
V 2.0 : EVID 4784 : Basic Application Group Changed |
Sub Rule |
Group Attribute Modified |
Account Modified |
|
V 2.0 : EVID 4785 : Member Added to Basic App Group |
Sub Rule |
Account Added to Group |
Access Granted |
|
V 2.0 : EVID 4786 : Member Removed from Basic App |
Sub Rule |
Account Removed from Group |
Access Revoked |
|
V 2.0 : EVID 4787 : Non-Member Added to Basic App |
Sub Rule |
Account Added to Group |
Access Granted |
|
V 2.0 : EVID 4788 : Non-Member Removed from Basic App |
Sub Rule |
Account Removed from Group |
Access Revoked |
|
V 2.0 : EVID 4789 : Basic Application Group Deleted |
Sub Rule |
Group Deleted |
Account Deleted |
|
V 2.0 : EVID 4790 : LDAP Query Group Created |
Sub Rule |
Group Created |
Account Created |
|
V 2.0 : EVID 4791 : LDAP Query Group Changed |
Sub Rule |
Group Attribute Modified |
Account Modified |
|
V 2.0 : EVID 4934 : AD Object Attributes Replicated |
Sub Rule |
AD Object Attributes Replicated |
Information |
|
V 2.0 : EVID 4935 : Replication Failure Begins |
Sub Rule |
AD Replication Failure Begins |
Error |
|
V 2.0 : EVID 4936 : Replication Failure Ends |
Sub Rule |
AD Replication Failure Ends |
Error |
|
V 2.0 : EVID 4937 : Lingering Obj Removed from ADRe |
Sub Rule |
Object Deleted/Removed |
Access Success |
|
V 2.0 : EVID 4792 : LDAP Query Group Deleted |
Sub Rule |
Group Deleted |
Account Deleted |
|
V 2.0 : EVID 4664 : File Hard Link Created |
Sub Rule |
Object Created |
Access Success |
|
V 2.0 : EVID 4690 : Object Handle Duplicated |
Sub Rule |
Object Created |
Access Success |
|
V 2.0 : EVID 5039 : Registry Key Virtualized |
Sub Rule |
Registry Key Virtualized |
Other Audit Success |
|
V 2.0 : EVID 5051 : File Virtualized |
Sub Rule |
File Virtualized |
Other Audit Success |
|
V 2.0 : EVID 5168 : SPN Check for SMB Failed |
Sub Rule |
Access Object Failure |
Access Failure |
|
V 2.0 : EVID 6275 : NPS - Accounting Request Discarded |
Sub Rule |
Bad Request |
Warning |
|
V 2.0 : EVID 6276 : NPS - User Quarantined |
Sub Rule |
Network Policy Server Quarantined User |
Other Audit |
|
V 2.0 : EVID 6277 : NPS - Access Granted User |
Sub Rule |
Access Granted Activity |
Access Granted |
|
V 2.0 : EVID 6279 : NPS - User Account Locked |
Sub Rule |
Account Locked |
Access Revoked |
|
V 2.0 : EVID 6280 : NPS - User Account Unlocked |
Sub Rule |
Account Unlocked |
Access Granted |
|
V 2.0 : EVID 4626 : User/Device Claims Information |
Sub Rule |
User Information |
Information |
|
V 2.0 : EVID 4666 : AM - App Attempted Operation |
Sub Rule |
General Application Information |
Information |
|
V 2.0 : EVID 4665 : AM - App Client Context Created |
Sub Rule |
General Application Information |
Information |
|
V 2.0 : EVID 4667 : AM - App Client Context Deleted |
Sub Rule |
General Application Information |
Information |
|
V 2.0 : EVID 4668 : AM - Application Initialized |
Sub Rule |
General Application Information |
Information |
|
V 2.0 : EVID 4985 : Transaction State Changed |
Sub Rule |
General Transaction Information |
Information |
|
V 2.0 : EVID 1101 : Audit Events Dropped |
Sub Rule |
Message Dropped |
Error |
|
V 2.0 : EVID 4609 : Windows Shutting Down |
Sub Rule |
System Shutting Down |
Startup and Shutdown |
|
V 2.0 : EVID 4654 : Quick Mode Negotiation Failed |
Sub Rule |
IPSEC Negotiation Failed |
Error |
|
V 2.0 : EVID 4797 : Blank Passwords Queried |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 : EVID 4820 : TGT Denied - ACL |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
V 2.0 : EVID 4821 : TGS Denied - ACL |
Sub Rule |
Access Object Failure |
Access Failure |
|
V 2.0 : EVID 4822 : NTLM Auth Denied |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
V 2.0 : EVID 4823 : NTLM Auth Denied |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
V 2.0 : EVID 4824 : Kerberos Pre-Auth Failed |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
V 2.0 : EVID 4825 : RDP Access Denied |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
V 2.0 : EVID 4830 : SID History Removed from Account |
Sub Rule |
User Account Attribute Modified |
Account Modified |
|
V 2.0 : EVID 4899 : Certificate Template Updated |
Sub Rule |
Object Modified |
Access Success |
|
V 2.0 : EVID 4900 : Certificate Template Sec Updated |
Sub Rule |
Object Attribute Modified |
Access Success |
|
V 2.0 : EVID 5150 : Firewall - Disable Attempt |
Sub Rule |
Suspicious Activity |
Suspicious |
|
V 2.0 : EVID 5071 : Key Access Denied |
Sub Rule |
Access Object Failure |
Access Failure |
|
V 2.0 : EVID 5146 : WFP - Packed Blocked |
Sub Rule |
Traffic Denied by Host Firewall |
Network Deny |
|
V 2.0 : EVID 5147 : WFP - Packed Blocked |
Sub Rule |
Traffic Denied by Host Firewall |
Network Deny |
|
V 2.0 : EVID 5151 : File Virtualized |
Sub Rule |
File Virtualized |
Other Audit Success |
|
V 2.0 : EVID 5170 : AD Object Modified |
Sub Rule |
Object Modified |
Access Success |
|
V 2.0 : EVID 5472 : PAStore - Local IPSEC Policy Failure |
Sub Rule |
General IPSec Error |
Error |
|
V 2.0 : EVID 5473 : PAStore - Directory Storage IP |
Sub Rule |
General IPSEC Message |
Information |
|
V 2.0 : EVID 5477 : PAStore - Failed to Add Quick |
Sub Rule |
General IPSEC Message |
Information |
|
V 2.0 : EVID 6278 : NPS - Full Access Granted to User |
Sub Rule |
Access Granted Activity |
Access Granted |
|
V 2.0 : EVID 6417 : FIPS Selftest Passed |
Sub Rule |
Cryptographic Self Test Performed |
Information |
|
V 2.0 : EVID 6418 : FIPS Selftest Failed |
Sub Rule |
Cryptographic Failure |
Error |
|
V 2.0 : EVID 4868 : CS - Certificate Manager Denied |
Sub Rule |
Certificate Manager Denied Pending Cert Request |
Warning |
|
V 2.0 : EVID 4869 : CS - Received Resubmitted Cert |
Sub Rule |
Certificate Services Received Resubmitted Cert Request |
Other Audit |
|
V 2.0 : EVID 4870 : CS - Certificate Revoked |
Sub Rule |
Certificate Services Received Resubmitted Cert Request |
Other Audit |
|
V 2.0 : EVID 4871 : CS - CRL Publication Request Received |
Sub Rule |
Certificate Services Received Request to Publish CRL |
Information |
|
V 2.0 : EVID 4872 : CS - CRL Published |
Sub Rule |
Certificate Services Published CRL |
Information |
|
V 2.0 : EVID 4873 : CS - Certificate Request Extension |
Sub Rule |
Certificate Request Extension Changed |
Information |
|
V 2.0 : EVID 4874 : CS - Certificate Request Changed |
Sub Rule |
Certificate Request Attributes Changed |
Information |
|
V 2.0 : EVID 4875 : CS - Shutdown Request Received |
Sub Rule |
Process/Service Startup Or Shutdown Activity |
Startup and Shutdown |
|
V 2.0 : EVID 4876 : CS - Backup Started |
Sub Rule |
Backup Active |
Information |
|
V 2.0 : EVID 4877 : CS - Backup Completed |
Sub Rule |
Backup Completed |
Information |
|
V 2.0 : EVID 4878 : CS - Restore Started |
Sub Rule |
Backup Restored |
Information |
|
V 2.0 : EVID 4879 : CS - Restore Completed |
Sub Rule |
Backup Restored |
Information |
|
V 2.0 : EVID 4880 : CS - Services Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
V 2.0 : EVID 4881 : CS - Services Stopped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
V 2.0 : EVID 4882 : CS -Security Permissions Modified |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
V 2.0 : EVID 4883 : CS - Archived Key Retrieved |
Sub Rule |
Certificate Services Retrieved Archived Key |
Information |
|
V 2.0 : EVID 4884 : CS - Certificate Imported |
Sub Rule |
Certificate Services Imported Certificate |
Information |
|
V 2.0 : EVID 4885 : CS - Audit Filter Modified |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
V 2.0 : EVID 4886 : CS - Certificate Request Received |
Sub Rule |
Certificate Services Received Certificate Request |
Other Audit Success |
|
V 2.0 : EVID 4887 : CS - Certificate Issued |
Sub Rule |
Certificate Services Issued Certificate |
Information |
|
V 2.0 : EVID 4888 : CS - Certificate Request Denied |
Sub Rule |
Certificate Services Denied Certificate Request |
Warning |
|
V 2.0 : EVID 4889 : CS - Certificate Request Status |
Sub Rule |
Certificate Services Set Cert Status to Pending |
Information |
|
V 2.0 : EVID 4890 : CS - Certificate Manager Settings |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
V 2.0 : EVID 4891 : CS - Configuration Entry Modified |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
V 2.0 : EVID 4892 : CS - Property Modified |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
V 2.0 : EVID 4893 : CS - Key Archived |
Sub Rule |
Certificate Services Archived A Key |
Information |
|
V 2.0 : EVID 4894 : CS - Key Imported and Archived |
Sub Rule |
Certificate Services Imported and Archived Key |
Information |
|
V 2.0 : EVID 4895 : CS -ADDS CA Certificate Published |
Sub Rule |
Certificate Services Published CA Certificate |
Information |
|
V 2.0 : EVID 4896 : CS - Rows Deleted from Database |
Sub Rule |
Certificate Services Database Rows Deleted |
Information |
|
V 2.0 : EVID 4897 : CS - Role Separation Enabled |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
V 2.0 : EVID 4898 : CS - Template Loaded |
Sub Rule |
Certificate Services Loaded Template |
Information |
|
V 2.0 : EVID 5120 : CS - OCSP Responder Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
V 2.0 : EVID 5121 : CS - OCSP Responder Stopped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
V 2.0 : EVID 5122 : CS - OCSP Config Changed |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
V 2.0 : EVID 4649 : Replay Attack Detected |
Sub Rule |
Replay Activity |
Attack |
|
V 2.0 : EVID 5123 : CS - OCSP Config Changed |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
V 2.0 : EVID 5124 : CS - OCSP Security Changed |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
V 2.0 : EVID 5125 : CS - OCSP Request |
Sub Rule |
Request Received |
Other Audit Success |
|
V 2.0 : EVID 5126 : CS - OCSP Signer Updated |
Sub Rule |
Configuration Modified : Application |
Configuration |
|
V 2.0 : EVID 5127 : CS - OCSP Provider Updated |
Sub Rule |
Configuration Modified : Application |
Configuration |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|---|---|---|---|
|
Provider |
N/A |
N/A |
Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
|
EventID |
<vmid>
|
Number |
The identifier that the provider used to identify the event. |
|
Version |
N/A |
N/A |
The version number of the event's definition. |
|
Level |
<severity> |
Text/String |
The severity level defined in the event. |
|
Task |
<vendorinfo> |
Text/String |
The task defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
|
Opcode |
N/A |
N/A |
The opcode defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
|
Keywords |
<result> <tag2> |
Text/String |
A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
|
TimeCreated |
N/A |
N/A |
The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
|
EventRecordID |
N/A |
N/A |
The record number assigned to the event when it was logged. |
|
Correlation |
N/A |
N/A |
The activity identifiers that consumers can use to group related events together. |
|
Execution |
N/A |
N/A |
Contains information about the process and thread that logged the event. |
|
Channel |
N/A |
N/A |
The channel to which the event was logged. |
|
Computer |
<dname> |
Text/String |
The name of the computer on which the event occurred. |
|
ErrorCode |
<responsecode> |
Text/String |
Unique error code. |