Skip to main content
Skip table of contents

V 2.0 : Certification Services Events

Vendor Documentation

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services

Classification

Rule NameRule TypeCommon EventClassification
V 2.0 : Certification Services EventsBase RuleGeneral System EventInformation
V 2.0 : EVID 4868 : CS - Certificate Manager DeniedSub RuleCertificate Manager Denied Pending Cert RequestWarning
V 2.0 : EVID 4869 : Received Resubmitted CertificateSub RuleCertificate Services Received Resubmitted Cert RequestOther Audit
V 2.0 : EVID 4871 : CS - CRL Publication RequestSub RuleCertificate Services Received Request To Publish CRLInformation
V 2.0 : EVID 4872 : CS - CRL PublishedSub RuleCertificate Services Published CRLInformation
V 2.0 : EVID 4873 : CS - Certificate Request Extension ChangedSub RuleCertificate Request Extension ChangedInformation
V 2.0 : EVID 4874 : CS- Certificate Request Attributes ChangedSub RuleCertificate Request Attributes ChangedInformation
V 2.0 : EVID 4875 : CS - Shutdown Request ReceivedSub RuleProcess/Service Startup Or Shutdown ActivityStartup and Shutdown
V 2.0 : EVID 4876 : CS - Backup StartedSub RuleBackup ActiveInformation
V 2.0 : EVID 4877 : CS - Backup CompleteSub RuleBackup CompletedInformation
V 2.0 : EVID 4878 : CS - Restore StartedSub RuleBackup RestoredInformation
V 2.0 : EVID 4879 : CS - Restore CompletedSub RuleBackup RestoredInformation
V 2.0 : EVID 4880 : CS - Services StartedSub RuleProcess/Service StartedStartup and Shutdown
V 2.0 : EVID 4881 : CS - Services StoppedSub RuleProcess/Service StoppedStartup and Shutdown
V 2.0 : EVID 4882 : CS - Security Permissions ModiSub RuleConfiguration Modified : ApplicationConfiguration
V 2.0 : EVID 4883 : CS - Archived Key RetrievedSub RuleCertificate Services Retrieved Archived KeyInformation
V 2.0 : EVID 4884 : CS - Certificate ImportedSub RuleCertificate Services Imported CertificateInformation
V 2.0 : EVID 4885 : CS - Audit Filter ModifiedSub RuleConfiguration Modified : ApplicationConfiguration
V 2.0 : EVID 4886 : CS - Certificate Request ReceivedSub RuleCertificate Services Received Certificate RequestOther Audit Success
V 2.0 : EVID 4887 : CS - Certificate IssuedSub RuleCertificate Services Issued CertificateInformation
V 2.0 : EVID 4888 : CS - Certificate Request DeniedSub RuleCertificate Services Denied Certificate RequestWarning
V 2.0 : EVID 4889 : CS - Certificate Request StatusSub RuleCertificate Services Set Cert Status To PendingInformation
V 2.0 : EVID 4890 : CS - Certificate Manager Settings ModifiedSub RuleConfiguration Modified : ApplicationConfiguration
V 2.0 : EVID 4891 : CS - Configuration Entry ModifiedSub RuleConfiguration Modified : ApplicationConfiguration
V 2.0 : EVID 4892 : CS - Property ModifiedSub RuleConfiguration Modified : ApplicationConfiguration
V 2.0 : EVID 4893 : CS - Key ArchivedSub RuleCertificate Services Archived A KeyInformation
V 2.0 : EVID 4894 : CS - Key Imported and ArchivedSub RuleCertificate Services Imported And Archived KeyInformation
V 2.0 : EVID 4895 : CS - ADDS CA Certificate PublishedSub RuleCertificate Services Published CA CertificateInformation
V 2.0 : EVID 4896 : CS - Rows Deleted from DatabaseSub RuleCertificate Services Database Rows DeletedInformation
V 2.0 : EVID 4897 : CS - Role Separation EnabledSub RuleConfiguration Modified : ApplicationConfiguration
V 2.0 : EVID 4898 : CS - Template LoadedSub RuleCertificate Services Loaded TemplateInformation
V 2.0 : EVID 4870 : Certificate RevokedSub RuleCertificate Revocation List AddedInformation

Mapping with LogRhythm Schema  

Device Key in Log MessageLogRhythm SchemaData TypeSchema Description
ProviderN/A N/AIdentifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event.
EventID<vmid>
<tag1>		NumberThe identifier that the provider used to identify the event.
Version N/AN/AThe version number of the event's definition.
Level<severity>String/NumberThe severity level defined in the event.
Task<vendorinfo>String/NumberThe task defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged.
OpcodeN/A N/AThe opcode defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged.
Keywords<result>Text/StringA bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data).
TimeCreatedN/A N/AThe time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute.
EventRecordIDN/A N/AThe record number assigned to the event when it was logged.
CorrelationN/A N/AThe activity identifiers that consumers can use to group related events together.
ExecutionN/A N/AContains information about the process and thread that logged the event.
ChannelN/A N/AThe channel to which the event was logged.
Computer<dname>Text/StringThe name of the computer on which the event occurred.
IsBaseCRL<status>Text/StringN/A
PublishURLs<url>Text/StringN/A
Requester<domainorigin>,<login>Text/StringN/A
Attributes<sname>Text/StringN/A
SubjectKeyIdentifier<object>Text/StringN/A
Subject<subject>Text/StringN/A
TemplateInternalName<object>Text/StringN/A
TemplateVersion<version>NumberN/A
TemplateDSObjectFQDN<subject>Text/StringN/A


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close