
V 2.0 : Catch All 1

Vendor Documentation

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Catch All | Base Rule | General Audit Message | Other Audit |
| V 2.0 : EVID 4649 : Replay Attack Detected | Sub Rule | Replay Activity | Attack |
| V 2.0 : EVID 4675 : SIDs Were Filtered | Sub Rule | SIDs Filtered | Other Audit |
| V 2.0 : EVID 4765 : SID History Added to Account | Sub Rule | User Account Attribute Modified | Account Modified |
| V 2.0 : EVID 4766 : SID History Add Failed | Sub Rule | Modify Object Attribute Failure | Access Failure |
| V 2.0 : EVID 5378 : Credential Delegation Disallow | Sub Rule | Access Object Failure | Access Failure |
| V 2.0 : EVID 4709 : IPSEC - Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| V 2.0 : EVID 4710 : IPSEC - Service Disabled | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| V 2.0 : EVID 4711 : PAStore - General Event | Sub Rule | General IPSEC Message | Information |
| V 2.0 : EVID 4712 : IPSEC - Fatal Error Encounter | Sub Rule | General IPSec Critical | Critical |
| V 2.0 : EVID 5040 : IPSEC - Auth. Set Added | Sub Rule | Configuration Loaded : Security | Configuration |
| V 2.0 : EVID 5041 : IPSEC - Auth. Set Modified | Sub Rule | Configuration Modified : Security | Configuration |
| V 2.0 : EVID 5042 : IPSEC - Auth. Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
| V 2.0 : EVID 5043 : IPSEC - Conn. Sec. Rule Added | Sub Rule | Configuration Loaded : Security | Configuration |
| V 2.0 : EVID 5044 : IPSEC - Conn Sec Rule Modified | Sub Rule | Configuration Modified : Security | Configuration |
| V 2.0 : EVID 5045 : IPSEC - Conn Sec Rule Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
| V 2.0 : EVID 5046 : IPSEC - Crypto Set Added | Sub Rule | Configuration Loaded : Security | Configuration |
| V 2.0 : EVID 5047 : IPSEC - Crypto Set Modified | Sub Rule | Configuration Modified : Security | Configuration |
| V 2.0 : EVID 5048 : IPSEC - Crypto Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
| V 2.0 : EVID 5440 : WFP - Callout Present at Start | Sub Rule | Filtering Platform Startup State | Information |
| V 2.0 : EVID 5441 : WFP - Filter Present at Start | Sub Rule | Filtering Platform Startup State | Information |
| V 2.0 : EVID 5442 : WFP - Prov. Present at Start | Sub Rule | Filtering Platform Startup State | Information |
| V 2.0 : EVID 5443 : WFP - Prov. Cont Pres at Start | Sub Rule | Filtering Platform Startup State | Information |
| V 2.0 : EVID 5444 : WFP - Sub-Layer Pres at Start | Sub Rule | Filtering Platform Startup State | Information |
| V 2.0 : EVID 5446 : WFP - Callout Changed | Sub Rule | Configuration Modified : Security | Configuration |
| V 2.0 : EVID 5449 : WFP - Prov. Context Changed | Sub Rule | Configuration Modified : Security | Configuration |
| V 2.0 : EVID 5448 : WFP - Provider Changed | Sub Rule | Configuration Modified : Security | Configuration |
| V 2.0 : EVID 5450 : WFP - Sub-layer Changed | Sub Rule | Configuration Modified : Security | Configuration |
| V 2.0 : EVID 5456 : PAStore - AD IPSEC Policy Applied | Sub Rule | General IPSEC Message | Information |
| V 2.0 : EVID 5457 : PAStore - AD IPSEC Policy Fail | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure |
| V 2.0 : EVID 5458 : PAStore - Cached AD IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| V 2.0 : EVID 5459 : PAStore - Cached AD IPSEC Policy | Sub Rule | General IPSec Error | Error |
| V 2.0 : EVID 5460 : PAStore - Registry IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| V 2.0 : EVID 5461 : PAStore - Registry IPSEC Policy | Sub Rule | General IPSec Error | Error |
| V 2.0 : EVID 5462 : PAStore - Fail to Apply IPSEC | Sub Rule | General IPSec Error | Error |
| V 2.0 : EVID 5463 : PAStore - Poll for IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| V 2.0 : EVID 5464 : PAStore - Poll for IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| V 2.0 : EVID 5465 : PAStore - IPSEC Policy Forcibly | Sub Rule | General IPSEC Message | Information |
| V 2.0 : EVID 5466 : PAStore - Unable to Reach AD | Sub Rule | General IPSEC Message | Information |
| V 2.0 : EVID 5467 : PAStore - Poll for IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| V 2.0 : EVID 5468 : PAStore - Poll for IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| V 2.0 : EVID 5471 : PAStore - Local IPSEC Policy Loaded | Sub Rule | General IPSEC Message | Information |
| V 2.0 : EVID 4772 : Kerberos TGT Request Failed | Sub Rule | Windows Audit Failure Event | Other Audit Failure |
| V 2.0 : EVID 4773 : Kerberos TGS Request Failed | Sub Rule | Access Object Failure | Access Failure |
| V 2.0 : EVID 4774 : Account Successfully Mapped | Sub Rule | Account Mapped for Logon | Other Audit Success |
| V 2.0 : EVID 4774 : Account Failed to Be Mapped | Sub Rule | Account Logon Mapping Failed | Other Audit Failure |
| V 2.0 : EVID 4775 : Account Could Not Be Mapped | Sub Rule | Account Logon Mapping Failed | Other Audit Failure |
| V 2.0 : EVID 4777 : Domain Controller Failed to Valid | Sub Rule | Windows Audit Failure Event | Other Audit Failure |
| V 2.0 : EVID 4646 : IPSEC - DoS Prevention Mode Str | Sub Rule | General IPSEC Message | Information |
| V 2.0 : EVID 4650 : IPSEC - Main Mode Security | Sub Rule | IPSEC Security Association Established | Network Traffic |
| V 2.0 : EVID 4651 : IPSEC - Main Mode Security | Sub Rule | IPSEC Security Association Established | Network Traffic |
| V 2.0 : EVID 4652 : IPSEC - Main Mode Negotiation | Sub Rule | IPSEC Negotiation Failed | Error |
| V 2.0 : EVID 4653 : IPSEC - Main Mode Negotiation | Sub Rule | IPSEC Negotiation Failed | Error |
| V 2.0 : EVID 4655 : IPSEC - Main Mode Security | Sub Rule | IPSEC Security Association Ended | Network Traffic |
| V 2.0 : EVID 4960 : IPSEC - Inbound Packet Integrity Fl | Sub Rule | Integrity Check Failed | Error |
| V 2.0 : EVID 4961 : IPSEC - Inbound Packet Replay | Sub Rule | Integrity Check Failed | Error |
| V 2.0 : EVID 4962 : IPSEC - Inbound Packet Replay | Sub Rule | Integrity Check Failed | Error |
| V 2.0 : EVID 4963 : IPSEC - Inbound Packet in Clr | Sub Rule | General IPSec Warning | Warning |
| V 2.0 : EVID 4965 : IPSEC Packet Received Invalid | Sub Rule | IPSEC Received Bad Packet | Error |
| V 2.0 : EVID 4976 : IPSEC - Main Mode Invalid Negotiation | Sub Rule | IPSEC Received Bad Packet | Error |
| V 2.0 : EVID 4977 : IPSEC - Quick Mode Invalid Negotiation | Sub Rule | IPSEC Received Bad Packet | Error |
| V 2.0 : EVID 4978 : IPSEC - Extended Mode Invalid | Sub Rule | IPSEC Received Bad Packet | Error |
| V 2.0 : EVID 4979 : IPSEC - Main and Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic |
| V 2.0 : EVID 4980 : IPSEC - Main and Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic |
| V 2.0 : EVID 4981 : IPSEC - Main and Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic |
| V 2.0 : EVID 5024 : Firewall - Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| V 2.0 : EVID 5025 : Firewall - Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| V 2.0 : EVID 5027 : Firewall - Service Unable to Retry | Sub Rule | Firewall Service Failed to Load Local Policy | Warning |
| V 2.0 : EVID 5028 : Firewall - Service Failed to Parse | Sub Rule | Firewall Service Failed to Load Local Policy | Warning |
| V 2.0 : EVID 5029 : Firewall - Service Failed to Load Driver | Sub Rule | Driver Failed to Load | Warning |
| V 2.0 : EVID 4982 : IPSEC - Main and Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic |
| V 2.0 : EVID 5030 : Firewall - Service Failed to Start | Sub Rule | Firewall Service Failed to Start | Critical |
| V 2.0 : EVID 4983 : IPSEC - Extended Mode Negotiation Failed | Sub Rule | IPSEC Negotiation Failed | Error |
| V 2.0 : EVID 5032 : Firewall - Unable to Notify User | Sub Rule | Firewall Notification Failed | Warning |
| V 2.0 : EVID 4984 : IPSEC - Extended Mode Negotiation Failed | Sub Rule | IPSEC Negotiation Failed | Error |
| V 2.0 : EVID 5049 : IPSEC - Security Assoc Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
| V 2.0 : EVID 5033 : Firewall - Driver Started Success | Sub Rule | Process/Service Started | Startup and Shutdown |
| V 2.0 : EVID 5451 : IPSEC - Quick Mode Security Association | Sub Rule | IPSEC Security Association Established | Network Traffic |
| V 2.0 : EVID 5034 : Firewall - Driver Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| V 2.0 : EVID 5452 : IPSEC - Quick Mode Security Association | Sub Rule | IPSEC Security Association Ended | Network Traffic |
| V 2.0 : EVID 5035 : Firewall - Driver Failed to Start | Sub Rule | Firewall Driver Startup Failed | Critical |
| V 2.0 : EVID 5453 : IPSEC - Negotiation Failed Due | Sub Rule | IPSEC Negotiation Failed | Error |
| V 2.0 : EVID 5478 : IPSEC - Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| V 2.0 : EVID 5037 : Firewall - Driver Critical Runtime | Sub Rule | Firewall Driver Critical Condition | Critical |
| V 2.0 : EVID 5479 : IPSEC - Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| V 2.0 : EVID 5480 : IPSEC - Failed to Obtain Network | Sub Rule | IPSEC Network Interface List Failed | Warning |
| V 2.0 : EVID 5483 : IPSEC - Failed to Initialize RPC | Sub Rule | IPSEC Service Failed to Start | Error |
| V 2.0 : EVID 5484 : IPSEC - Critical Service Failure | Sub Rule | IPSEC Service Error Caused Shutdown | Critical |
| V 2.0 : EVID 5485 : IPSEC - Failed to Process Filter | Sub Rule | IPSEC Filter Processing Failed | Error |
| V 2.0 : EVID 6400 : Branch Cache - Incorrectly Formatted | Sub Rule | General Audit Message | Other Audit |
| V 2.0 : EVID 6401 : Branch Cache - Invalid Peer Data Received | Sub Rule | General Audit Message | Other Audit |
| V 2.0 : EVID 6402 : Branch Cache - Incorrectly Formatted | Sub Rule | General Audit Message | Other Audit |
| V 2.0 : EVID 6403 : Branch Cache - Incorrectly Formatted | Sub Rule | General Audit Message | Other Audit |
| V 2.0 : EVID 6404 : Branch Cache - Unable to Auth | Sub Rule | General Audit Message | Other Audit |
| V 2.0 : EVID 6405 : Branch Cache - Multiple Events Received | Sub Rule | General Audit Message | Other Audit |
| V 2.0 : EVID 6406 : Branch Cache - Registration | Sub Rule | General Audit Message | Other Audit |
| V 2.0 : EVID 6407 : Branch Cache - General Event | Sub Rule | General Audit Message | Other Audit |
| V 2.0 : EVID 6408 : Branch Cache - Regt Wind Firewall | Sub Rule | General Audit Message | Other Audit |
| V 2.0 : EVID 6409 : Branch Cache - Service Conn | Sub Rule | General Audit Message | Other Audit |
| V 2.0 : EVID 6145 : Sec Policy GPOs Fail to Apply | Sub Rule | Policy Failed | Error |
| V 2.0 : EVID 6144 : Security Policy GPOs Applied | Sub Rule | Policy Enabled : System | Policy |
| V 2.0 : EVID 5447 : WFP - Filter Changed | Sub Rule | Configuration Modified : Security | Configuration |
| V 2.0 : EVID 4906 : Crash on Audit Fail Value Changed | Sub Rule | Configuration Modified : System | Configuration |
| V 2.0 : EVID 4908 : Special Groups Logon Table Modified | Sub Rule | Configuration Modified : System | Configuration |
| V 2.0 : EVID 4909 : Local TBS Policy Settings Modified | Sub Rule | Policy Modified : System | Policy |
| V 2.0 : EVID 4910 : Group TBS Policy Settings Modified | Sub Rule | Policy Modified : System | Policy |
| V 2.0 : EVID 4902 : Per-User Policy Table Created | Sub Rule | Policy Created : System | Policy |
| V 2.0 : EVID 4826 : Boot Configuration Data Loaded | Sub Rule | Configuration Loaded : System | Configuration |
| V 2.0 : EVID 4864 : Namespace Collision Detected | Sub Rule | Namespace Collision | Error |
| V 2.0 : EVID 4714 : Encrypted Data Rec Policy Modified | Sub Rule | Policy Modified : System | Policy |
| V 2.0 : EVID 4671 : Application Attempted Access | Sub Rule | Access Object Failure | Access Failure |
| V 2.0 : EVID 5148 : WFP - DoS Attack Detected | Sub Rule | Failed Network Denial of Service | Failed Denial of Service |
| V 2.0 : EVID 5149 : WFP - DoS Attack Ended | Sub Rule | General Security | Other Security |
| V 2.0 : EVID 4608 : Windows Starting Up | Sub Rule | System Started | Startup and Shutdown |
| V 2.0 : EVID 4612 : Audit Queuing Resources Exhausted | Sub Rule | Audit Queuing Resources Exhausted | Warning |
| V 2.0 : EVID 4615 : Invalid LPC Port Use | Sub Rule | Unauthorized Activity | Misuse |
| V 2.0 : EVID 4618 : User-Defined Security Event | Sub Rule | General Event Log Information | Information |
| V 2.0 : EVID 4621 : Admin Recovered from Crash on Audit | Sub Rule | Crash on Audit Fail Recovered | Information |
| V 2.0 : EVID 4816 : RPC Message Integrity Violation | Sub Rule | RPC Integrity Violation | Error |
| V 2.0 : EVID 5038 : Invalid Image Hash | Sub Rule | Integrity Check Failed | Error |
| V 2.0 : EVID 5056 : CNG - Crypto Self-Check Performed | Sub Rule | Cryptographic Self Test Performed | Information |
| V 2.0 : EVID 5062 : CNG - Kernel Crypto Self-Check Performed | Sub Rule | Cryptographic Self Test Performed | Information |
| V 2.0 : EVID 5057 : CNG - Primitive Crypto Op Failure | Sub Rule | Cryptographic Failure | Error |
| V 2.0 : EVID 5060 : CNG - Crypto Verification Failure | Sub Rule | Cryptographic Failure | Error |
| V 2.0 : EVID 6281 : Invalid Page Hash in Image Filter | Sub Rule | Integrity Check Failed | Error |
| V 2.0 : EVID 6410 : File Failed Security Check | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| V 2.0 : EVID 5712 : RPC Attempted | Sub Rule | General Audit Message | Other Audit |
| V 2.0 : EVID 4944 : WFP - Policy Active and Window | Sub Rule | Active Firewall Policy on Start | Information |
| V 2.0 : EVID 4949 : WFP Settings Restored Default | Sub Rule | Configuration Modified : Security | Configuration |
| V 2.0 : EVID 4954 : WFP - Group Policy Settings | Sub Rule | Configuration Modified : Security | Configuration |
| V 2.0 : EVID 4783 : Basic Application Group Created | Sub Rule | Group Created | Account Created |
| V 2.0 : EVID 4784 : Basic Application Group Changed | Sub Rule | Group Attribute Modified | Account Modified |
| V 2.0 : EVID 4785 : Member Added to Basic App Group | Sub Rule | Account Added to Group | Access Granted |
| V 2.0 : EVID 4786 : Member Removed from Basic App | Sub Rule | Account Removed from Group | Access Revoked |
| V 2.0 : EVID 4787 : Non-Member Added to Basic App | Sub Rule | Account Added to Group | Access Granted |
| V 2.0 : EVID 4788 : Non-Member Removed from Basic App | Sub Rule | Account Removed from Group | Access Revoked |
| V 2.0 : EVID 4789 : Basic Application Group Deleted | Sub Rule | Group Deleted | Account Deleted |
| V 2.0 : EVID 4790 : LDAP Query Group Created | Sub Rule | Group Created | Account Created |
| V 2.0 : EVID 4791 : LDAP Query Group Changed | Sub Rule | Group Attribute Modified | Account Modified |
| V 2.0 : EVID 4934 : AD Object Attributes Replicated | Sub Rule | AD Object Attributes Replicated | Information |
| V 2.0 : EVID 4935 : Replication Failure Begins | Sub Rule | AD Replication Failure Begins | Error |
| V 2.0 : EVID 4936 : Replication Failure Ends | Sub Rule | AD Replication Failure Ends | Error |
| V 2.0 : EVID 4937 : Lingering Obj Removed from ADRe | Sub Rule | Object Deleted/Removed | Access Success |
| V 2.0 : EVID 4792 : LDAP Query Group Deleted | Sub Rule | Group Deleted | Account Deleted |
| V 2.0 : EVID 4664 : File Hard Link Created | Sub Rule | Object Created | Access Success |
| V 2.0 : EVID 4690 : Object Handle Duplicated | Sub Rule | Object Created | Access Success |
| V 2.0 : EVID 5039 : Registry Key Virtualized | Sub Rule | Registry Key Virtualized | Other Audit Success |
| V 2.0 : EVID 5051 : File Virtualized | Sub Rule | File Virtualized | Other Audit Success |
| V 2.0 : EVID 5168 : SPN Check for SMB Failed | Sub Rule | Access Object Failure | Access Failure |
| V 2.0 : EVID 6275 : NPS - Accounting Request Discarded | Sub Rule | Bad Request | Warning |
| V 2.0 : EVID 6276 : NPS - User Quarantined | Sub Rule | Network Policy Server Quarantined User | Other Audit |
| V 2.0 : EVID 6277 : NPS - Access Granted User | Sub Rule | Access Granted Activity | Access Granted |
| V 2.0 : EVID 6279 : NPS - User Account Locked | Sub Rule | Account Locked | Access Revoked |
| V 2.0 : EVID 6280 : NPS - User Account Unlocked | Sub Rule | Account Unlocked | Access Granted |
| V 2.0 : EVID 4626 : User/Device Claims Information | Sub Rule | User Information | Information |
| V 2.0 : EVID 4666 : AM - App Attempted Operation | Sub Rule | General Application Information | Information |
| V 2.0 : EVID 4665 : AM - App Client Context Created | Sub Rule | General Application Information | Information |
| V 2.0 : EVID 4667 : AM - App Client Context Deleted | Sub Rule | General Application Information | Information |
| V 2.0 : EVID 4668 : AM - Application Initialized | Sub Rule | General Application Information | Information |
| V 2.0 : EVID 4985 : Transaction State Changed | Sub Rule | General Transaction Information | Information |
| V 2.0 : EVID 1101 : Audit Events Dropped | Sub Rule | Message Dropped | Error |
| V 2.0 : EVID 4609 : Windows Shutting Down | Sub Rule | System Shutting Down | Startup and Shutdown |
| V 2.0 : EVID 4654 : Quick Mode Negotiation Failed | Sub Rule | IPSEC Negotiation Failed | Error |
| V 2.0 : EVID 4797 : Blank Passwords Queried | Sub Rule | General Audit Message | Other Audit |
| V 2.0 : EVID 4820 : TGT Denied - ACL | Sub Rule | User Logon Failure | Authentication Failure |
| V 2.0 : EVID 4821 : TGS Denied - ACL | Sub Rule | Access Object Failure | Access Failure |
| V 2.0 : EVID 4822 : NTLM Auth Denied | Sub Rule | User Logon Failure | Authentication Failure |
| V 2.0 : EVID 4823 : NTLM Auth Denied | Sub Rule | User Logon Failure | Authentication Failure |
| V 2.0 : EVID 4824 : Kerberos Pre-Auth Failed | Sub Rule | User Logon Failure | Authentication Failure |
| V 2.0 : EVID 4825 : RDP Access Denied | Sub Rule | User Logon Failure | Authentication Failure |
| V 2.0 : EVID 4830 : SID History Removed from Account | Sub Rule | User Account Attribute Modified | Account Modified |
| V 2.0 : EVID 4899 : Certificate Template Updated | Sub Rule | Object Modified | Access Success |
| V 2.0 : EVID 4900 : Certificate Template Sec Updated | Sub Rule | Object Attribute Modified | Access Success |
| V 2.0 : EVID 5150 : Firewall - Disable Attempt | Sub Rule | Suspicious Activity | Suspicious |
| V 2.0 : EVID 5071 : Key Access Denied | Sub Rule | Access Object Failure | Access Failure |
| V 2.0 : EVID 5146 : WFP - Packed Blocked | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| V 2.0 : EVID 5147 : WFP - Packed Blocked | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| V 2.0 : EVID 5151 : File Virtualized | Sub Rule | File Virtualized | Other Audit Success |
| V 2.0 : EVID 5170 : AD Object Modified | Sub Rule | Object Modified | Access Success |
| V 2.0 : EVID 5472 : PAStore - Local IPSEC Policy Failure | Sub Rule | General IPSec Error | Error |
| V 2.0 : EVID 5473 : PAStore - Directory Storage IP | Sub Rule | General IPSEC Message | Information |
| V 2.0 : EVID 5477 : PAStore - Failed to Add Quick | Sub Rule | General IPSEC Message | Information |
| V 2.0 : EVID 6278 : NPS - Full Access Granted to User | Sub Rule | Access Granted Activity | Access Granted |
| V 2.0 : EVID 6417 : FIPS Selftest Passed | Sub Rule | Cryptographic Self Test Performed | Information |
| V 2.0 : EVID 6418 : FIPS Selftest Failed | Sub Rule | Cryptographic Failure | Error |
| V 2.0 : EVID 4868 : CS - Certificate Manager Denied | Sub Rule | Certificate Manager Denied Pending Cert Request | Warning |
| V 2.0 : EVID 4869 : CS - Received Resubmitted Cert | Sub Rule | Certificate Services Received Resubmitted Cert Request | Other Audit |
| V 2.0 : EVID 4870 : CS - Certificate Revoked | Sub Rule | Certificate Services Received Resubmitted Cert Request | Other Audit |
| V 2.0 : EVID 4871 : CS - CRL Publication Request Received | Sub Rule | Certificate Services Received Request to Publish CRL | Information |
| V 2.0 : EVID 4872 : CS - CRL Published | Sub Rule | Certificate Services Published CRL | Information |
| V 2.0 : EVID 4873 : CS - Certificate Request Extension | Sub Rule | Certificate Request Extension Changed | Information |
| V 2.0 : EVID 4874 : CS - Certificate Request Changed | Sub Rule | Certificate Request Attributes Changed | Information |
| V 2.0 : EVID 4875 : CS - Shutdown Request Received | Sub Rule | Process/Service Startup Or Shutdown Activity | Startup and Shutdown |
| V 2.0 : EVID 4876 : CS - Backup Started | Sub Rule | Backup Active | Information |
| V 2.0 : EVID 4877 : CS - Backup Completed | Sub Rule | Backup Completed | Information |
| V 2.0 : EVID 4878 : CS - Restore Started | Sub Rule | Backup Restored | Information |
| V 2.0 : EVID 4879 : CS - Restore Completed | Sub Rule | Backup Restored | Information |
| V 2.0 : EVID 4880 : CS - Services Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| V 2.0 : EVID 4881 : CS - Services Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| V 2.0 : EVID 4882 : CS - Security Permissions Modified | Sub Rule | Configuration Modified : Application | Configuration |
| V 2.0 : EVID 4883 : CS - Archived Key Retrieved | Sub Rule | Certificate Services Retrieved Archived Key | Information |
| V 2.0 : EVID 4884 : CS - Certificate Imported | Sub Rule | Certificate Services Imported Certificate | Information |
| V 2.0 : EVID 4885 : CS - Audit Filter Modified | Sub Rule | Configuration Modified : Application | Configuration |
| V 2.0 : EVID 4886 : CS - Certificate Request Received | Sub Rule | Certificate Services Received Certificate Request | Other Audit Success |
| V 2.0 : EVID 4887 : CS - Certificate Issued | Sub Rule | Certificate Services Issued Certificate | Information |
| V 2.0 : EVID 4888 : CS - Certificate Request Denied | Sub Rule | Certificate Services Denied Certificate Request | Warning |
| V 2.0 : EVID 4889 : CS - Certificate Request Status | Sub Rule | Certificate Services Set Cert Status to Pending | Information |
| V 2.0 : EVID 4890 : CS - Certificate Manager Settings | Sub Rule | Configuration Modified : Application | Configuration |
| V 2.0 : EVID 4891 : CS - Configuration Entry Modified | Sub Rule | Configuration Modified : Application | Configuration |
| V 2.0 : EVID 4892 : CS - Property Modified | Sub Rule | Configuration Modified : Application | Configuration |
| V 2.0 : EVID 4893 : CS - Key Archived | Sub Rule | Certificate Services Archived A Key | Information |
| V 2.0 : EVID 4894 : CS - Key Imported and Archived | Sub Rule | Certificate Services Imported and Archived Key | Information |
| V 2.0 : EVID 4895 : CS - ADDS CA Certificate Published | Sub Rule | Certificate Services Published CA Certificate | Information |
| V 2.0 : EVID 4896 : CS - Rows Deleted from Database | Sub Rule | Certificate Services Database Rows Deleted | Information |
| V 2.0 : EVID 4897 : CS - Role Separation Enabled | Sub Rule | Configuration Modified : Application | Configuration |
| V 2.0 : EVID 4898 : CS - Template Loaded | Sub Rule | Certificate Services Loaded Template | Information |
| V 2.0 : EVID 5120 : CS - OCSP Responder Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| V 2.0 : EVID 5121 : CS - OCSP Responder Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| V 2.0 : EVID 5122 : CS - OCSP Config Changed | Sub Rule | Configuration Modified : Application | Configuration |
| V 2.0 : EVID 5123 : CS - OCSP Config Changed | Sub Rule | Configuration Modified : Application | Configuration |
| V 2.0 : EVID 5124 : CS - OCSP Security Changed | Sub Rule | Configuration Modified : Application | Configuration |
| V 2.0 : EVID 5125 : CS - OCSP Request | Sub Rule | Request Received | Other Audit Success |
| V 2.0 : EVID 5126 : CS - OCSP Signer Updated | Sub Rule | Configuration Modified : Application | Configuration |
| V 2.0 : EVID 5127 : CS - OCSP Provider Updated | Sub Rule | Configuration Modified : Application | Configuration |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Provider | N/A | N/A | Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
| EventID | <vmid>, <tag1> | Number | The identifier that the provider used to identify the event. |
| Version | N/A | N/A | The version number of the event's definition. |
| Level | <severity> | Text/String | The severity level defined in the event. |
| Task | <vendorinfo> | Text/String | The task defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
| Opcode | N/A | N/A | The opcode defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
| Keywords | <result>, <tag2> | Text/String | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
| TimeCreated | N/A | N/A | The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
| EventRecordID | N/A | N/A | The record number assigned to the event when it was logged. |
| Correlation | N/A | N/A | The activity identifiers that consumers can use to group related events together. |
| Execution | N/A | N/A | Contains information about the process and thread that logged the event. |
| Channel | N/A | N/A | The channel to which the event was logged. |
| Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
| ErrorCode | <responsecode> | Text/String | Unique error code. |
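The two tables above describe a mapping, not a parser. The following Python is an added example, not LogRhythm code and not the MPE's own parsing logic: it reads the <System> element of a Windows Security event rendered as XML, fills the schema fields the mapping table names (EventID to <vmid>/<tag1>, Level to <severity>, Task to <vendorinfo>, Keywords to <result>/<tag2>, Computer to <dname>), and then applies a hand-copied subset of the sub-rules from the rule table, falling back to the base rule's Common Event and Classification for any EVID not in that subset. The page does not say how the Keywords bitmask is rendered into <result>; decoding the Audit Success / Audit Failure bits is this example's own choice. The sample events, hostnames and Task values are constructed for illustration.

```python
"""Map Windows Security event <System> fields onto the LogRhythm schema fields
listed on this page and classify them with a subset of the catch-all rules.

Added example; not LogRhythm code. Sample events below are constructed."""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Hand-copied subset of the sub-rules above: EVID -> (Common Event, Classification).
SUB_RULES = {
    4649: ("Replay Activity", "Attack"),
    4765: ("User Account Attribute Modified", "Account Modified"),
    4830: ("User Account Attribute Modified", "Account Modified"),
    4824: ("User Logon Failure", "Authentication Failure"),
    5146: ("Traffic Denied by Host Firewall", "Network Deny"),
    5150: ("Suspicious Activity", "Suspicious"),
}
# The base rule "V 2.0 : Catch All" applies when no sub-rule matches.
BASE_RULE = ("General Audit Message", "Other Audit")

# Keyword bits from the Windows event manifest: bit 53 = Audit Success,
# bit 52 = Audit Failure (0x8020... / 0x8010... as seen in Security events).
KW_AUDIT_SUCCESS = 0x0020000000000000
KW_AUDIT_FAILURE = 0x0010000000000000


def keyword_result(keywords: str | None) -> str | None:
    """Render the Keywords bitmask (hex string) as a <result> value; None if unknown."""
    if not keywords:
        return None
    bits = int(keywords, 16)
    if bits & KW_AUDIT_SUCCESS:
        return "Audit Success"
    if bits & KW_AUDIT_FAILURE:
        return "Audit Failure"
    return None


def map_event(xml_text: str) -> dict:
    """Fill the LogRhythm schema fields from the <System> element, per the mapping table."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("event has no <System> element")

    def field(tag: str) -> str | None:
        el = system.find(f"e:{tag}", NS)
        return el.text.strip() if el is not None and el.text else None

    evid = int(field("EventID"))
    keywords = field("Keywords")
    common, classification = SUB_RULES.get(evid, BASE_RULE)
    return {
        "vmid": evid,                        # EventID -> <vmid>
        "tag1": evid,                        # EventID -> <tag1>
        "severity": field("Level"),          # Level -> <severity>
        "vendorinfo": field("Task"),         # Task -> <vendorinfo>
        "result": keyword_result(keywords),  # Keywords -> <result> (decoded)
        "tag2": keywords,                    # Keywords -> <tag2> (raw bitmask)
        "dname": field("Computer"),          # Computer -> <dname>
        "common_event": common,
        "classification": classification,
        "matched_sub_rule": evid in SUB_RULES,
    }


# Classifications an analyst would want surfaced from the catch-all rule set.
INTERESTING = {"Attack", "Suspicious", "Account Modified", "Authentication Failure"}


def triage(events: list[str]) -> list[tuple[int, str, str | None]]:
    """Return (EVID, classification, host) for events with an interesting classification."""
    hits = []
    for xml_text in events:
        mapped = map_event(xml_text)
        if mapped["classification"] in INTERESTING:
            hits.append((mapped["vmid"], mapped["classification"], mapped["dname"]))
    return hits


def _event(evid: int, keywords: str, task: int, computer: str) -> str:
    """Constructed Security-channel event; only <System> is populated, Task values are illustrative."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"
              Guid="{{54849625-5478-4994-a5ba-3e3b0328c30d}}"/>
    <EventID>{evid}</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>{task}</Task>
    <Opcode>0</Opcode>
    <Keywords>{keywords}</Keywords>
    <TimeCreated SystemTime="2024-01-01T00:00:00.000000000Z"/>
    <EventRecordID>1</EventRecordID>
    <Channel>Security</Channel>
    <Computer>{computer}</Computer>
  </System>
</Event>"""


SAMPLE_EVENTS = [
    _event(4765, "0x8020000000000000", 13824, "dc01.example.test"),  # SID History added
    _event(5150, "0x8010000000000000", 12804, "ws17.example.test"),  # Firewall disable attempt
    _event(4624, "0x8020000000000000", 12544, "ws17.example.test"),  # no sub-rule in this subset
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The third sample falls through to the base rule only because this subset is partial; in a deployed MPE policy an EVID like 4624 is claimed by a more specific rule before the catch-all sees it. Keeping the raw Keywords bitmask in <tag2> alongside the decoded <result> preserves the original value for any later rule that keys on bits other than the two decoded here.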