admingit
/
Deploiement_Server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add_TA

Browse Source
master
admingit 2 years ago
parent 0745d48db2
commit 0438e12642
72 changed files with 2738 additions and 0 deletions
Show Stats Download Patch File Download Diff File

18
deployment-apps/TA-microsoft-windows/default/app.conf
Unescape View File

@ -0,0 +1,18 @@
#
# Splunk app configuration file
#
[install]
is_configured = 0
[ui]
is_visible = 0
label = Technology Add-On for Microsoft Windows
[launcher]
author = my2ndhead
description = Technology Add-On for Microsoft Windows
version = 1.0
[package]
id = TA-microsoft-windows

292
deployment-apps/TA-microsoft-windows/default/eventgen.conf
Unescape View File

@ -0,0 +1,292 @@
#### Use TA-microsoft-windows/default/inputs.conf sequence
#### Default replacement for all DhcpSrvLog logs
[sample.DhcpSrvLog]
index = windows
source=c:\windows\system32\dhcp\dhcpsrvlog.log
sourcetype = DhcpSrvLog
interval = 300
## Generate all events in sample
count = 0
earliest = -5m
latest = now
## replace timestamp 10,07/21/06,19:42:47
token.0.token = ^\d+\,(\d{2}\/\d{2}\/\d{2}\,\d{2}:\d{2}:\d{2})
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%y,%H:%M:%S
#### Default replacements for all WindowsUpdateLog logs
[.*\.WindowsUpdateLog]
index = windows
source = WindowsUpdateLog
sourcetype = WindowsUpdateLog
interval = 7200
## Generate all events in sample
count = 0
earliest = -5m
latest = now
## replace timestamp 2010-06-16 18:35:22:743
token.0.token = ^(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}):\d+
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S
[WindowsUpdateClient.19.windows]
index = wineventlog
source = WinEventLog:System
sourcetype = WinEventLog:System
interval = 7200
## Generate all events in sample
count = 10
## replace ComputerName:
token.0.token = ComputerName=(\S+)
token.0.replacementType = file
token.0.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/samples/hostname.sample
#### Replacement for win_listening_ports
[sample.win_listening_ports]
index = windows
source = Script:ListeningPorts
sourcetype = Script:ListeningPorts
spoolFile = win_listening_ports.bat
interval = 300
count = 10
earliest = -5m
latest = now
## replace timestamp 04/14/2011 19:42:27
token.0.token = ^\d{2}\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2}
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %H:%M:%S
## replace ip
token.1.token = dest_ip=\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
token.1.replacementType = random
token.1.replacement = ipv4
## replace port
token.2.token = dest_port=(\d+)
token.2.replacementType = random
token.2.replacement = integer[0:1024]
## replace pid
token.3.token = pid=(\d+)
token.3.replacementType = random
token.3.replacement = integer[1:65535]
#### Replacement for win_installed_apps
[sample.win_installed_apps]
index = windows
source = Script:InstalledApps
sourcetype = Script:InstalledApps
breaker = ^\d{2}\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2}
spoolFile = win_installed_apps.bat
interval = 3600
count = 3
earliest = -60m
latest = now
## replace timestamp 05/19/2011 10:48:34
token.0.token = ^\d{2}\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2}
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %H:%M:%S
#### Default replacement for all perfmon logs
[.*\.perfmon]
index = perfmon
interval = 3600
count = 10
earliest = -5m
latest = now
## replace timestamp 04/14/2011 11:53:26.486
token.0.token = (\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2})\.\d+
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %H:%M:%S
#### Perfmon:CPU
[CPUTime.perfmon]
index = perfmon
source = Perfmon:CPU
sourcetype = Perfmon:CPU
breaker = counter="% Processor Time"
token.0.token = @@proc_time
token.0.replacementType = random
token.0.replacement = integer[25:100]
token.1.token = @@user_time
token.1.replacementType = random
token.1.replacement = integer[0:25]
#### Perfmon:FreeDiskSpace
[FreeDiskSpace.perfmon]
index = perfmon
source = Perfmon:FreeDiskSpace
sourcetype = Perfmon:FreeDiskSpace
breaker = counter="Free Megabytes"
token.0.token = @@mbytes_free
token.0.replacementType = random
token.0.replacement = integer[1000:10000]
token.1.token = @@perc_free
token.1.replacementType = random
token.1.replacement = integer[0:100]
#### Perfmon:Memory
[Memory.perfmon]
source = Perfmon:Memory
sourcetype = Perfmon:Memory
breaker = counter="Available MBytes"
#### Perfmon:LocalNetwork
[LocalNetwork.perfmon]
source = Perfmon:LocalNetwork
sourcetype = Perfmon:LocalNetwork
breaker = counter="Current Bandwidth"
#### Default replacement for all windows logs
[.*\.windows]
index = wineventlog
breaker = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+[AaPp][Mm]
interval = 3600
count = 10
earliest = -5m
latest = now
## replace timestamp 03/11/10 01:12:01 PM
token.0.token = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+[AaPp][Mm]
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %I:%M:%S %p
## replace @@RecordNumber
token.1.token = RecordNumber=(\d+)
token.1.replacementType = random
token.1.replacement = integer[0:999999999]
## replace Source Port:
token.2.token = Source Port:\s*(.*)
token.2.replacementType = random
token.2.replacement = integer[1025:65535]
## Moving the stanza below to exclude renaming anomalous eventtypes
## replace ComputerName:
#token.3.token = ComputerName=(\S+)
#token.3.replacementType = file
#token.3.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/samples/hostname.sample
[SCM.7036.windows]
index = wineventlog
source = WinEventLog:System
sourcetype = WinEventLog:System
[LSASRV.40961.windows]
index = wineventlog
source = WinEventLog:System
sourcetype = WinEventLog:System
[AppPopup.26.windows]
index = wineventlog
source = WinEventLog:System
sourcetype = WinEventLog:System
[W32Time\.[0-9]*\.windows]
index = wineventlog
source = WinEventLog:System
sourcetype = WinEventLog:System
[Security\.[0-9]*\.windows]
index = wineventlog
source = WinEventLog:Security
sourcetype = WinEventLog:Security
## replace ComputerName:
token.0.token = ComputerName=(\S+)
token.0.replacementType = file
token.0.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/samples/hostname.sample
#### Sample specific settings
## replace @@AuditType
#token.token = Type=(Success|Failure)\s+Audit
#token.replacementType = file
#token.replacement = $SPLUNK_HOME/etc/apps/TA-microsoft-windows/samples/audit_types.list
##################################################
## Anomalous events
##################################################
[Security.1102.windows]
index = wineventlog
source = WinEventLog:Security
sourcetype = WinEventLog:Security
interval = 3600
## Generate all events in sample
count = 0
[Security.4726.windows]
index = wineventlog
source = WinEventLog:Security
sourcetype = WinEventLog:Security
interval = 900
## Generate all events in sample
count = 0
[Security.4743.windows]
index = wineventlog
source = WinEventLog:Security
sourcetype = WinEventLog:Security
interval = 900
## Generate all events in sample
count = 0
[Security.4672.windows]
index = wineventlog
source = WinEventLog:Security
sourcetype = WinEventLog:Security
## replace @@user
token.0.token = @@user
token.0.replacementType = file
token.0.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/samples/dist.all.last
#### Default replacements for all WinRegistry logs
[.*\.winregistry]
index = windows
source = WinRegistry
sourcetype = WinRegistry
breaker = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\.\d+
interval = 300
count = 10
earliest = -5m
latest = now
## replace timestamp 09/09/2010 23:36:32.0128
token.0.token = ^(\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2})\.\d+
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %H:%M:%S
[WinHostMon-OperatingSystem]
index = windows
sourcetype = WinHostMon
source = OperatingSystem
count = 0
[WinHostMon-Processor]
index = windows
sourcetype = Processor
source = Computer
count = 0
[XmlSecurity\.[0-9]*\.windows\.xml]
index = wineventlog
source = WinEventLog:Security
sourcetype = XmlWinEventLog:Security
breaker = ^<\/Events>$
[XmlSystem.update_.*\.xml]
index = wineventlog
source = WinEventLog:System
sourcetype = XmlWinEventLog:System
breaker = ^<\/Events>$

195
deployment-apps/TA-microsoft-windows/default/eventtypes.conf
Unescape View File

@ -0,0 +1,195 @@
### Security: Account Logon
[microsoft_windows_security_authentication]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (event_id=4624 OR event_id=4625 OR event_id=4648 OR event_id=4672 OR event_id=4768 OR event_id=4772 OR event_id=4769 OR event_id=4773 OR event_id=4770 OR event_id=4771 OR event_id=4776 OR event_id=4777 OR event_id=4778 OR event_id=4779)
#tags = authentication
## A logon was attempted using explicit credentials
## EventCodes 4648
[microsoft_windows_security_authentication_privileged]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4648 OR event_id=4672
#tags = privileged
### Security: Account Management
[microsoft_windows_account_management]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (event_id=4720 OR event_id=4722 OR event_id=4723 OR event_id=4724 OR event_id=4725 OR event_id=4726 OR event_id=4738 OR event_id=4740 OR event_id=4741 OR event_id=4742 OR event_id=4765 OR event_id=4766 OR event_id=4767 OR event_id=4780 OR event_id=4781 OR event_id=4794 OR event_id=5376 OR event_id=5377)
#tags = account change
### Security: Audit (Event Log) ###
[microsoft_windows_audit]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (event_id=1100 OR event_id=1101 OR event_id=1102 OR event_id=1104 OR event_id=1105 OR event_id=1108)
#tags = audit change
### Security: Object Access
## Object Open
## EventCodes 4656
[microsoft_windows_object_open]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4656
## Handle Closed
## EventCodes 4658
[microsoft_windows_handle_closed]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4658
### Security: Policy Change
## Audit Policy Change/The audit policy (SACL) on an object was changed
## EventCodes 4715, 4719
[microsoft_windows_audit_policy_change_object]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (event_id=4715 OR event_id=4719)
#tags = audit change
## System security access was granted to an account
## EventCodes 4717
[microsoft_windows_security_access_granted]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4717
## System security access was removed from an account
## EventCodes 4718
[microsoft_windows_security_access_removed]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4718
## Per User Audit Policy was changed
## EventCodes 4912
[microsoft_windows_audit_policy_change_user]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4912
#tags = audit change
## A change has been made to Windows Firewall
## EventCodes 4946, 4947, 4948
[microsoft_windows_audit_policy_change_firewall]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (event_id=4946 OR event_id=4947 OR event_id=4948)
#tags = audit change
## The Windows Firewall has detected an application listening for incoming traffic
## EventCodes 4957
[microsoft_windows_firewall_port_listening]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4957
### Security: Privilege Use
## Privileged Service Called
## EventCodes 4673
[microsoft_windows_privileged_service_call]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4673
## Privileged object operation
## EventCodes 4674
[microsoft_windows_privileged_object_operation]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4674
### Security: Process Tracking
## A new process has been created
## EventCodes 4688
[microsoft_windows_process_new]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4688
## A process has exited
## EventCodes 4689
[microsoft_windows_process_exit]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4689
## A process was assigned a primary token
## EventCodes 4696
[microsoft_windows_process_token]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4696
### Security: System
## An authentication package has been loaded by the Local Security Authority
## EventCodes 4610
[microsoft_windows_auth_package]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4610
## A trusted logon process has registered with the Local Security Authority
## EventCodes 4611
[microsoft_windows_logon_process]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4611
## A notification package has been loaded by the Security Account Manager
## EventCodes 4614
[microsoft_windows_notification_package]
search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4614
### Perfmon
[microsoft_windows_perfmon]
search = sourcetype=Perfmon:*
#tags = os
[microsoft_windows_perfmon_cputime]
search = sourcetype=Perfmon:CPU OR sourcetype=Perfmon:CPUTime
#tags = performance cpu report
[microsoft_windows_perfmon_logicaldisk]
search = sourcetype=Perfmon:LogicalDisk
#tags = performance storage
[microsoft_windows_perfmon_memory]
search = sourcetype=Perfmon:Memory
#tags = performance memory report
[microsoft_windows_perfmon_network]
search = sourcetype=Perfmon:Network
#tags = performance network
[microsoft_windows_perfmon_network_throughput]
search = sourcetype=PERFMON:LocalNetwork counter="Bytes Total/sec"
#tags = performance network
[microsoft_windows_perfmon_network_bandwidth]
search = sourcetype=PERFMON:LocalNetwork counter="Current Bandwidth"
#tags = performance network
[microsoft_windows_perfmon_process]
search = sourcetype=Perfmon:Process
#tags = performance process
### Hostmon
[microsoft_windows_hostmon_disk]
search = sourcetype=WinHostMon source=disk
#tags = inventory performance storage
[microsoft_windows_hostmon_os]
search = sourcetype=WinHostMon source=os
#tags = cpu inventory memory performance system version
[microsoft_windows_hostmon_process]
search = sourcetype=WinHostMon source=process
#tages = process report
[microsoft_windows_hostmon_service]
search = sourcetype=WinHostMon source=service
#tags = services report
[microsoft_windows_hostmon_service_time]
search = sourcetype=WinHostMon source=service Name=W32Time
#tags = time synchronize
### Windowsupdatelog
[microsoft_windows_windowsupdatelog]
search = sourcetype=WindowsUpdateLog
#tags = update
[microsoft_windows_windowsupdatelog_status]
search = sourcetype="WindowsUpdateLog" "Content Install" NOT "Download Succeeded" NOT "Reboot Completed" NOT "Hide Update"
#tags = status
### WinRegistry
[microsoft_windows_winregistry]
search = sourcetype=WinRegistry
#tags = endpoint change
### Windows Timesync
[microsoft_windows_timesync]
search = ((sourcetype=WinEventLog:System OR sourcetype=XmlWinEventLog:System) ("W32Time" OR "Microsoft-Windows-Time-Service") (event_id=17 OR event_id=29 OR event_id=35 OR event_id=36 OR event_id=37 OR event_id=38)) OR (sourcetype=Script:TimesyncStatus action=success)
#tags = os performance time synchronize
### Windows Listening Ports
[microsoft_windows_ports_listening]
search = sourcetype="Script:ListeningPorts"
#tags = listening port

134
deployment-apps/TA-microsoft-windows/default/inputs.conf.example
Unescape View File

@ -0,0 +1,134 @@
# Sample inputs.conf for sourcetypes supported by app
[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=true
[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
renderXml=true
[WinEventLog://System]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=true
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = windows
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = windows
[script://.\bin\win_installed_apps.bat]
disabled = 0
index = windows
sourcetype = Script:InstalledApps
interval = 600
[script://.\bin\win_listening_ports.bat]
disabled = 0
index = windows
sourcetype = Script:ListeningPorts
interval = 3600
[script://.\bin\win_timesync_configuration.bat]
disabled = 0
index = windows
sourcetype = Script:TimesyncConfiguration
[script://.\bin\win_timesync_status.bat]
disabled = 0
index = windows
sourcetype = Script:TimesyncStatus
[perfmon://CPUTime]
disabled = 0
index = perfmon
interval = 600
[perfmon://CPU]
disabled = 0
index = perfmon
interval = 600
[perfmon://FreeDiskSpace]
disabled = 0
index = perfmon
interval = 600
[perfmon://Memory]
disabled = 0
index = perfmon
interval = 600
[perfmon://LocalNetwork]
disabled = 0
index = perfmon
interval = 600
[perfmon://LogicalDisk]
counters = *
disabled = 0
instances = *
interval = 10
object = LogicalDisk
index = perfmon
[perfmon://Process]
counters = *
disabled = 0
instances = *
interval = 10
object = Process
index = perfmon
[perfmon://System]
counters = *
disabled = 0
instances = *
interval = 10
object = System
index = perfmon
[WinHostMon://os]
type = operatingSystem
interval = 86400
index = windows
[WinHostMon://disk]
type = disk
interval = 86400
index = windows
[WinHostMon://network]
type = networkAdapter
interval = 86400
index = windows
[WinHostMon://service]
type = service
interval = 300
index = windows
[WinHostMon://process]
type = process
interval = 300
index = windows

273
deployment-apps/TA-microsoft-windows/default/props.conf
Unescape View File

@ -0,0 +1,273 @@
### XmlWinEventLog
[XmlWinEventLog:Security]
KV_MODE = none
EXTRACT-dest = <Data Name='TargetServerName'>(?<dest>[^<]+)<\/Data>
EXTRACT-dest_01 = <Data Name='DestAddress'>(?<dest>[^<]+)<\/Data>
# Set Computer as last dest
EXTRACT-dest_02 = <Computer>(?<dest>[^<]+)<\/Computer>
EXTRACT-dest_nt_domain = <Data Name='TargetDomainName'>(?<dest_nt_domain>[^<]+)<\/Data>
EXTRACT-dest_port = <Data Name='DestPort'>(?<dest_port>[^<]+)<\/Data>
EXTRACT-event_id,signature_id = <EventID>(?<signature_id>(?<event_id>\d+))<\/EventID>
EXTRACT-event_record_id = <EventRecordID>(?<event_record_id>\d+)<\/EventRecordID>
EXTRACT-logon_id = <Data Name='SubjectLogonId'>(?<logon_id>[^<]+)<\/Data>
EXTRACT-logon_type = <Data Name='LogonType'>(?<logon_type>\d+)<\/Data>
EXTRACT-object_attrs = <Data Name='RuleName'>(?<object_attrs>[^<]+)<\/Data>
EXTRACT-process = <Data Name='ProcessName'>(?<process>[^<]+)<\/Data>
EXTRACT-process_id = <Execution ProcessID='(?<process_id>\d+)'
EXTRACT-src = <Data Name='IpAddress'>(?<src>[^<]+)</Data>
EXTRACT-src_01 = <Data Name='SourceAddress'>(?<src>[^<]+)<\/Data>
EXTRACT-src_nt_domain = <Data Name='SubjectDomainName'>(?<src_nt_domain>[^<]+)<\/Data>
EXTRACT-src_port = <Data Name='SourcePort'>(?<src_port>[^<]+)<\/Data>
EXTRACT-src_user = <Data Name='SubjectUserName'>(?<src_user>[^<]+)<\/Data>
EXTRACT-signature_sub_id = <Data Name='Status'>(?<signature_sub_id>[^<]+)<\/Data>
EXTRACT-thread_id = <Execution ProcessID='\d+' ThreadID='(?<thread_id>\d+)'
EXTRACT-user = <Data Name='TargetUserName'>(?<user>[^<]+)<\/Data>
FIELDALIAS-dvc = host as dvc, host as dvc_nt_host
LOOKUP-wineventlog_security_signature_id = wineventlog_security_signature_id signature_id OUTPUTNEW action, category, object, object_category, subcategory, signature, status
LOOKUP-wineventlog_security_signature_sub_id = wineventlog_security_signature_sub_id signature_id signature_sub_id OUTPUTNEW signature_sub
LOOKUP-wineventlog_sourcetype_vendor_product = wineventlog_sourcetype_vendor_product sourcetype OUTPUT vendor, product
LOOKUP-wineventlog_app-event_id = wineventlog_app event_id OUTPUTNEW app
LOOKUP-wineventlog_app-src = wineventlog_app src OUTPUTNEW app
LOOKUP-wineventlog_app-logon_type = wineventlog_app logon_type OUTPUTNEW logon_type_description app
[XmlWinEventLog:System]
KV_MODE = none
EXTRACT-dest = <Computer>(?<dest>[^<]+)<\/Computer>
EXTRACT-event_id = <EventID>(?<event_id>\d+)<\/EventID>
EXTRACT-event_record_id = <EventRecordID>(?<event_record_id>\d+)<\/EventRecordID>
EXTRACT-event_source = EventSourceName='(?<event_source>[^']+)'
EXTRACT-guid = Guid='(?<guid>[^']+)'
EXTRACT-provider = <Provider Name='(?<provider>[^']+)'
EXTRACT-vendor_severity_id = <Level>(?<vendor_severity_id>\d+)<\/Level>
REPORT-signature,signature_id = xmleventlog_updatelist,xmleventlog_signature_signature_id
FIELDALIAS-dvc = host as dvc, host as dvc_nt_host
LOOKUP-wineventlog_sourcetype_vendor_product = wineventlog_sourcetype_vendor_product sourcetype OUTPUT vendor, product
LOOKUP-wineventlog_vendor_severity_id = wineventlog_vendor_severity_id vendor_severity_id OUTPUT vendor_severity
LOOKUP-windows_timesync_action = windows_timesync_action event_id, provider OUTPUTNEW action
[XmlWinEventLog:Application]
KV_MODE = none
EXTRACT-event_id = <EventID(?: Qualifiers='\d+')?>(?<event_id>\d+)<\/EventID>
EXTRACT-event_record_id = <EventRecordID>(?<event_record_id>\d+)<\/EventRecordID>
EXTRACT-event_source = EventSourceName='(?<event_source>[^']+)'
EXTRACT-guid = Guid='(?<guid>[^']+)'
EXTRACT-provider = <Provider Name='(?<provider>[^']+)'
FIELDALIAS-dvc = host as dvc, host as dvc_nt_host
LOOKUP-wineventlog_sourcetype_vendor_product = wineventlog_sourcetype_vendor_product sourcetype OUTPUT vendor, product
LOOKUP-wineventlog_vendor_severity_id = wineventlog_vendor_severity_id vendor_severity_id OUTPUT vendor_severity
### WinEventLog
[source::WinEventLog...]
# Disable unneeded $SPLUNK_HOME/etc/default/props.conf report
REPORT-MESSAGE =
[WinEventLog:Security]
KV_MODE = none
EXTRACT-dest = (?s)Network Information:.*?Destination Address:\s+(?<dest>\S+).*?(?:(?:\r*\n){2})
# Set ComputerName as last dest
EXTRACT-dest_01 = ComputerName=(?<dest>\S+)
EXTRACT-dest_port = (?s)Network Information:.*?Destination Port:\s+(?<dest_port>\S+).*?(?:(?:\r*\n){2})
EXTRACT-dest_nt_domain = (?s)Account Whose Credentials Were Used:.*?Account Domain:\s+(?<dest_nt_domain>\S+).*?(?:(?:\r*\n){2})
EXTRACT-event_id,signature_id = EventCode=(?<signature_id>(?<event_id>\d+))
EXTRACT-event_record_id = RecordNumber=(?<event_record_id>\d+)
EXTRACT-logon_id = Logon ID:\s+(?<logon_id>\S+)
EXTRACT-logon_type = Logon Type:\s+(?<logon_type>\d+)
EXTRACT-object_attrs = Rule Name:\s+(?<object_attrs>[^$]+)$
EXTRACT-process = (?s)Application Information:.*?Process Name:\s+(?<process>\S+).*?(?:(?:\r*\n){2})
EXTRACT-process_id = (?s)Application Information:.*?Process ID:\s+(?<process_id>\S+).*?(?:(?:\r*\n){2})
EXTRACT-process_id_01 = (?s)Process Information:.*?Process ID:\s+(?<process_id>\S+).*?(?:(?:\r*\n){2})
EXTRACT-signature_sub_id = (?s)Failure Information:.*?Sub Status:\s+(?<signature_sub_id>\S+).*?(?:(?:\r*\n){2})
EXTRACT-src = (?s)Network Information:.*?Source Address:\s+(?<src>\S+).*?(?:(?:\r*\n){2})
EXTRACT-src_nt_domain =(?s)Subject:.*?Account Domain:\s+(?<src_nt_domain>\S+).*?(?:(?:\r*\n){2})
EXTRACT-src_port = (?s)Network Information:.*?Source Port:\s+(?<src_port>\S+).*?(?:(?:\r*\n){2})
EXTRACT-src_user = (?s)Subject:.*?Account Name:\s+(?<src_user>\S+).*?(?:(?:\r*\n){2})
EXTRACT-user = (?s)Account Whose Credentials Were Used:.*?Account Name:\s+(?<user>\S+).*?(?:(?:\r*\n){2})
EXTRACT-vendor_direction = (?s)Network Information:.*?Direction:\s+(?<vendor_direction>\S+).*?(?:(?:\r*\n){2})
FIELDALIAS-dvc = host as dvc, host as dvc_nt_host
LOOKUP-wineventlog_security_signature_id = wineventlog_security_signature_id signature_id OUTPUTNEW action, category, object, object_category, subcategory, signature, status
LOOKUP-wineventlog_security_signature_sub_id = wineventlog_security_signature_sub_id signature_id signature_sub_id OUTPUTNEW signature_sub
LOOKUP-wineventlog_sourcetype_vendor_product = wineventlog_sourcetype_vendor_product sourcetype OUTPUT vendor, product
LOOKUP-wineventlog_app-event_id = wineventlog_app event_id OUTPUTNEW app
LOOKUP-wineventlog_app-src = wineventlog_app src OUTPUTNEW app
LOOKUP-wineventlog_app-logon_type = wineventlog_app logon_type OUTPUTNEW logon_type_description app
[WinEventLog:System]
KV_MODE = none
EXTRACT-dest = ComputerName=(?<dest>\S+)
EXTRACT-event_id = EventCode=(?<event_id>\d+)
EXTRACT-event_record_id = RecordNumber=(?<event_record_id>\d+)
EXTRACT-event_source = SourceName=(?<event_source>\S+)
FIELDALIAS-dvc = host as dvc, host as dvc_nt_host
LOOKUP-wineventlog_sourcetype_vendor_product = wineventlog_sourcetype_vendor_product sourcetype OUTPUT vendor, product
LOOKUP-wineventlog_vendor_severity_id = wineventlog_vendor_severity_id vendor_severity_id OUTPUT vendor_severity
LOOKUP-windows_timesync_action = windows_timesync_action event_id, provider as event_source OUTPUT action
[WinEventLog:Application]
KV_MODE = none
EXTRACT-event_id = EventCode=(?<event_id>\d+)
EXTRACT-event_record_id = RecordNumber=(?<event_record_id>\d+)
EXTRACT-event_source = SourceName=(?<event_source>\S+)
FIELDALIAS-dvc = host as dvc, host as dvc_nt_host
LOOKUP-wineventlog_sourcetype_vendor_product = wineventlog_sourcetype_vendor_product sourcetype OUTPUT vendor, product
LOOKUP-wineventlog_vendor_severity_id = wineventlog_vendor_severity_id vendor_severity_id OUTPUT vendor_severity
### Perfmon
[Perfmon:CPU]
EXTRACT-cpu_load_mhz = (?s)counter="Processor Frequency".*?Value=(?<cpu_load_mhz>\S+)
EXTRACT-cpu_load_percent = (?s)counter="% Processor Time".*?instance=_Total.*?Value=(?<cpu_load_percent>\S+)
EXTRACT-cpu_user_percent = (?s)counter="% User Time".*?instance=_Total.*?Value=(?<cpu_user_percent>\S+)
EXTRACT-cpu_interrupts = (?s)counter="Interrupts/sec".*?instance=_Total.*?Value=(?<cpu_interrupts>\S+)
FIELDALIAS-dest = host as dest
FIELDALIAS-src = host as src
[Perfmon:CPUTime]
EXTRACT-cpu_load_mhz = (?s)counter="Processor Frequency".*?Value=(?<cpu_load_mhz>\S+)
EXTRACT-cpu_load_percent = (?s)counter="% Processor Time".*?Value=(?<cpu_load_percent>\S+)
EXTRACT-cpu_user_percent = (?s)counter="% User Time".*?Value=(?<cpu_user_percent>\S+)
EXTRACT-cpu_interrupts = (?s)counter="Interrupts/sec".*?Value=(?<cpu_interrupts>\S+)
FIELDALIAS-dest = host as dest
FIELDALIAS-src = host as src
[Perfmon:System]
EXTRACT-wait_threads_count = (?s)counter="Processor Queue Length".*?Value=(?<wait_threads_count>\S+)
EXTRACT-system_threads_count = (?s)counter="Threads".*?Value=(?<system_threads_count>\S+)
FIELDALIAS-dest = host as dest
FIELDALIAS-src = host as src
[Perfmon:FreeDiskSpace]
FIELDALIAS-dest = host as dest
FIELDALIAS-src = host as src
FIELDALIAS-mount = instance as mount
EVAL-storage_free = if(counter=="Free Megabytes",Value*1048576,null())
EVAL-storage_free_percent = if(counter=="% Free Space",Value,null())
EVAL-storage_used_percent = if(counter=="% Free Space",100-Value,null())
[Perfmon:LogicalDisk]
EXTRACT-read_latency = (?s)counter="Avg. Disk sec/Read".*?Value=(?<read_latency>\S+)
EXTRACT-write_latency = (?s)counter="Avg. Disk sec/Write".*?Value=(?<write_latency>\S+)
EXTRACT-storage_free_percent = (?s)counter="% Free Space".*?Value=(?<storage_free_percent>\S+)
EXTRACT-read_ops = (?s)counter="Disk Reads/sec".*?Value=(?<read_ops>\S+)
EXTRACT-write_ops = (?s)counter="Disk Writes/sec".*?Value=(?<write_ops>\S+)
EXTRACT-total_ops = (?s)counter="Disk Transfers/sec".*?Value=(?<total_ops>\S+)
FIELDALIAS-dest = host as dest
FIELDALIAS-src = host as src
EVAL-mount = if(instance=="_Total", null(), instance)
# Keeping this field in ms
EVAL-latency = if(counter=="Avg. Disk sec/Transfer",Value*1000,null())
[Perfmon:LocalNetwork]
EXTRACT-thruput = (?s)counter="Bytes Total/sec".*?Value=(?<thruput>\S+)
EXTRACT-thruput_max = (?s)counter="Current Bandwidth".*?Value=(?<thruput>\S+)
FIELDALIAS-dest = host as dest
FIELDALIAS-src = host as src
[Perfmon:Process]
FIELDALIAS-dest = host as dest
FIELDALIAS-src = host as src
EVAL-process_name = if(instance!="_Total" AND instance!="Idle",instance,null())
EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle" AND counter=="% Processor Time", Value, null())
EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null())
[Perfmon:Memory]
EXTRACT-mem_committed = (?s)counter="Committed Bytes".*?Value=(?<mem_committed>\S+)
EXTRACT-mem_page_ops = (?s)counter="Pages/sec".*?Value=(?<mem_page_ops>\S+)
EXTRACT-swap_free = (?s)counter="Pool Nonpaged Bytes".*?Value=(?<swap_free>\S+)
EXTRACT-swap_used = (?s)counter="Pool Paged Bytes".*?Value=(?<swap_used>\S+)
FIELDALIAS-dest = host as dest
FIELDALIAS-src = host as src
EVAL-mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())
### WinHostMon
[WinHostMon]
EXTRACT-mount = Type=Disk.*?Name="(?<mount>[^"]+)"
EXTRACT-process = Type=Process.*?Name="(?<process>[^"]+)"
EXTRACT-service = DisplayName="(?<service>[^"]+)"
FIELDALIAS-cpu_mhz = ClockSpeedMHz as cpu_mhz
FIELDALIAS-cpu_cores = NumberOfCores AS cpu_cores
FIELDALIAS-cpu_count = NumberOfProcessors AS cpu_count
FIELDALIAS-dest = host as dest
FIELDALIAS-family = Architecture as family
FIELDALIAS-os = OS as os
FIELDALIAS-version = Version as version
EVAL-mem_free_percent = FreePhysicalMemoryKB/TotalPhysicalMemoryKB
EVAL-mem_used = (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/1024
EVAL-mem = if(source=="os", TotalPhysicalMemoryKB/1024, null())
EVAL-storage = if (source=="disk", TotalSpaceKB/1024, null())
EVAL-storage_free = if (source=="disk", FreeSpaceKB/1024, null())
EVAL-storage_used = if (source=="disk", (TotalSpaceKB-FreeSpaceKB)/1024, null())
LOOKUP-windows_service_startmode = windows_service_startmode StartMode OUTPUT start_mode
LOOKUP-windows_service_status = windows_service_status Status State OUTPUT status
### Script:InstalledApps
[Script:InstalledApps]
SHOULD_LINEMERGE = true
LINE_BREAKER =
### Script:ListeningPorts
[Script:ListeningPorts]
SHOULD_LINEMERGE = false
KV_MODE = none
EXTRACT-dest_ip = dest_ip=\[(?<dest>(?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))\]
EXTRACT-dest_port = dest_port=(?<dest_port>\d+)
EXTRACT-process_id = pid=(?<process_id>\d+)
EXTRACT-transport = transport=(?<transport>\S+)
FIELDALIAS-dest = host as dest
### Script:TimesyncConfiguration
[Script:TimesyncConfiguration]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)Current time:
KV_MODE = None
### Script:TimesyncStatus
[Script:TimesyncStatus]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)Current time:
KV_MODE = None
EXTRACT-last_sync_error = Last Sync Error: (?<last_sync_error>\d+)
LOOKUP-windows_timesync_action = windows_timesync_action last_sync_error OUTPUT action
### WindowsUpdateLog
[WindowsUpdateLog]
KV_MODE = none
FIELDALIAS-dest_for_windowsupdate = host as dest
EXTRACT-signature = Windows successfully installed the following update:\s+(?<signature>.*?(?<signature_id>KB\d+)[^$]+)
EXTRACT-component = ^\S+\s+\S+\s+\S+\s+\S+\s+(?<component>\S+)
EXTRACT-process_id = ^\S+\s+\S+\s+(?<process_id>\S+)
EXTRACT-thread_id = ^\S+\s+\S+\s+\d+\s+(?<thread_id>\S+)
EXTRACT-vendor_status = (?<vendor_status>(?:Installation\s+successful\s+and\s+restart\s+required|Installation\s+(Successful|Failure)|Restart\s+Required|Installation\s+Ready))
REPORT-signature,signature_id = windowsupdatelog_signature_message,windowsupdatelog_signature_signature_id
LOOKUP-windowsupdatelog_status = windowsupdatelog_status vendor_status OUTPUT status
### DHCP
[DhcpSrvLog]
SHOULD_LINEMERGE = false
KV_MODE = none
TRANSFORMS-dhcp_discard_headers = dhcpsrvlog_discard_headers
EXTRACT-msdhcp_id,description,dest_ip,dest_nt_host,dest_mac = (?<msdhcp_id>[^,]+),[^,]+,[^,]+,(?<description>[^,]?),(?<dest_ip>[^,]+),(?<dest_nt_host>[^,]+),(?<dest_mac>[^$]+)
REPORT-dest = dchpsrvlog_dest_nt_host_as_dest,dchpsrvlog_dest_mac_as_dest,dchpsrvlog_dest_ip_as_dest
LOOKUP-windows_msdhcp_id = windows_msdhcp_id msdhcp_id OUTPUT signature
### WinRegistry
[WinRegistry]
KV_MODE = none
EXTRACT-object_path = key_path="(?<object_path>[^"]+)"
EXTRACT-object = (?s)key_path="(\\[^\n]+)*\\(?<object>[^"]+)".*?data_type
EXTRACT-user = (?s)process_image="(\\[^\n]+)*\\(?<user>[^"]+)".*?registry_type
EXTRACT-vendor_action = registry_type="(?<vendor_action>[^"]+)"
EXTRACT-vendor_status,msg = event_status="\((?<vendor_status>[0-9-]+)\)(?<msg>[^\"]+)"
LOOKUP-windows_object_category = windows_object_category object as sourcetype OUTPUT object_category
LOOKUP-windows_status = windows_status vendor_status OUTPUT status
LOOKUP-windows_vendor_action = windows_vendor_action sourcetype, vendor_action OUTPUT action
FIELDALIAS-dest = host as dest

114
deployment-apps/TA-microsoft-windows/default/tags.conf
Unescape View File

@ -0,0 +1,114 @@
### WinEventLog
[eventtype=microsoft_windows_security_authentication]
authentication = enabled
[eventtype=microsoft_windows_security_authentication_privileged]
privileged = enabled
[eventtype=microsoft_windows_account_management]
account = enabled
change = enabled
[eventtype=microsoft_windows_audit]
audit = enabled
change = enabled
[eventtype=microsoft_windows_audit_policy_change_object]
audit = enabled
change = enabled
[eventtype=microsoft_windows_audit_policy_change_user]
audit = enabled
change = enabled
[eventtype=microsoft_windows_audit_policy_change_firewall]
audit = enabled
change = enabled
### Perfmon
[eventtype=microsoft_windows_perfmon]
os = enabled
[eventtype=microsoft_windows_perfmon_cputime]
cpu = enabled
performance = enabled
report = enabled
[eventtype=microsoft_windows_perfmon_logicaldisk]
performance = enabled
storage = enabled
[eventtype=microsoft_windows_perfmon_memory]
performance = enabled
memory = enabled
report = enabled
[eventtype=microsoft_windows_perfmon_network]
performance = enabled
network enabled
[eventtype=microsoft_windows_perfmon_network_throughput]
performance = enabled
network = enabled
[eventtype=microsoft_windows_perfmon_network_bandwidth]
performance = enabled
network = enabled
[eventtype=microsoft_windows_perfmon_process]
performance = enabled
process = enabled
### Hostmon
[eventtype=microsoft_windows_hostmon_os]
cpu = enabled
memory = enabled
performance = enabled
system = enabled
version = enabled
inventory = enabled
[eventtype=microsoft_windows_hostmon_disk]
inventory = enabled
performance = enabled
storage = enabled
[eventtype=microsoft_windows_hostmon_process]
process = enabled
report = enabled
[eventtype=microsoft_windows_hostmon_service]
service = enabled
report = enabled
[eventtype=microsoft_windows_hostmon_service_time]
time = enabled
synchronize = enabled
### WindowsUpdateLog
[eventtype=microsoft_windows_windowsupdatelog]
update = enabled
[eventtype=microsoft_windows_windowsupdatelog_status]
status = enabled
### WinRegisty
[eventtype=microsoft_windows_winregistry]
endpoint = enabled
change = enabled
### Timesync
[eventtype=microsoft_windows_timesync]
os = enabled
performance = enabled
time = enabled
synchronize = enabled
### Ports Listening
[eventtype=microsoft_windows_ports_listening]
listening = enabled
port = enabled

86
deployment-apps/TA-microsoft-windows/default/transforms.conf
Unescape View File

@ -0,0 +1,86 @@
[wineventlog_security_signature_id]
filename = wineventlog_security_signature_id.csv
[wineventlog_security_signature_sub_id]
filename = wineventlog_security_signature_sub_id.csv
[wineventlog_sourcetype_vendor_product]
filename = wineventlog_sourcetype_vendor_product.csv
[wineventlog_app]
filename = wineventlog_app.csv
[wineventlog_vendor_severity_id]
filename = wineventlog_vendor_severity_id.csv
[xmleventlog_updatelist]
REGEX = <updatelist xmlns='[^']+'>([^<]+)<\/updatelist>
FORMAT = updatelist::"$1"
[xmleventlog_signature_signature_id]
SOURCE_KEY = updatelist
REGEX = -\s(.*?\((KB\S+)\))
FORMAT = signature::"$1" signature_id::"$2"
MV_ADD = true
[windowsupdatelog_signature_message]
REGEX = (?:Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on .*?|Restart Required: To complete the installation of the following updates, the computer must be restarted. Until this computer has been restarted, Windows cannot search for or download new updates: .*?|Restart Required: To complete the installation of the following updates, the computer will be restarted within \d+ minutes:.*?)(-.*)
FORMAT = signature_message::"$1"
[windowsupdatelog_signature_signature_id]
SOURCE_KEY = signature_message
REGEX = -\s(.*?\((KB\S+)\))
FORMAT = signature::"$1" signature_id::"$2"
MV_ADD = true
[windowsupdatelog_status]
filename = windowsupdatelog_status.csv
[windows_msdhcp_id]
filename = windows_msdhcp_id.csv
[dhcpsrvlog_discard_headers]
REGEX = ^(ID|#)
DEST_KEY = queue
FORMAT = nullQueue
[dchpsrvlog_dest_nt_host_as_dest]
SOURCE_KEY = dest_nt_host
REGEX = (.+)
FORMAT = dest::"$1"
MV_ADD = true
[dchpsrvlog_dest_ip_as_dest]
SOURCE_KEY = dest_ip
REGEX = (.+)
FORMAT = dest::"$1"
MV_ADD = true
[dchpsrvlog_dest_mac_as_dest]
SOURCE_KEY = dest_mac
REGEX = (.+)
FORMAT = dest::"$1"
MV_ADD = true
[windows_object_category]
filename = windows_object_category.csv
[windows_status]
filename = windows_status.csv
default_match = failure
min_matches = 1
max_matches = 1
[windows_timesync_action]
filename = windows_timesync_action.csv
match_type = WILDCARD(last_sync_error)
max_matches = 1
[windows_vendor_action]
filename = windows_vendor_action.csv
[windows_service_startmode]
filename = windows_service_startmode.csv
[windows_service_status]
filename = windows_service_status.csv

70
deployment-apps/TA-microsoft-windows/lookups/windows_msdhcp_id.csv
Unescape View File

@ -0,0 +1,70 @@
msdhcp_id,signature
00,"The log was started"
01,"The log was stopped"
02,"The log was temporarily paused due to low disk space"
10,"A new IP address was leased to a client"
11,"A lease was renewed by a client"
12,"A lease was released by a client"
13,"An IP address was found to be in use on the network"
14,"A lease request could not be satisfied because the scope's address pool was exhausted"
15,"A lease was denied"
16,"A lease was deleted"
17,"A lease was expired"
20,"A BOOTP address was leased to a client"
21,"A dynamic BOOTP address was leased to a client"
22,"A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"
23,"A BOOTP IP address was deleted after checking to see that it was not in use"
30,"DNS dynamic update request"
31,"DNS dynamic update failed"
32,"DNS dynamic update successful"
50,"Rogue Server Detection"
51,"Rogue Server Detection"
52,"Rogue Server Detection"
53,"Rogue Server Detection"
54,"Rogue Server Detection"
55,"Rogue Server Detection"
56,"Rogue Server Detection"
57,"Rogue Server Detection"
58,"Rogue Server Detection"
59,"Rogue Server Detection"
60,"Rogue Server Detection"
61,"Rogue Server Detection"
62,"Rogue Server Detection"
63,"Rogue Server Detection"
64,"Rogue Server Detection"
65,"Rogue Server Detection"
66,"Rogue Server Detection"
67,"Rogue Server Detection"
68,"Rogue Server Detection"
69,"Rogue Server Detection"
70,"Rogue Server Detection"
71,"Rogue Server Detection"
72,"Rogue Server Detection"
73,"Rogue Server Detection"
74,"Rogue Server Detection"
75,"Rogue Server Detection"
76,"Rogue Server Detection"
77,"Rogue Server Detection"
78,"Rogue Server Detection"
79,"Rogue Server Detection"
80,"Rogue Server Detection"
81,"Rogue Server Detection"
82,"Rogue Server Detection"
83,"Rogue Server Detection"
84,"Rogue Server Detection"
85,"Rogue Server Detection"
86,"Rogue Server Detection"
87,"Rogue Server Detection"
88,"Rogue Server Detection"
89,"Rogue Server Detection"
90,"Rogue Server Detection"
91,"Rogue Server Detection"
92,"Rogue Server Detection"
93,"Rogue Server Detection"
94,"Rogue Server Detection"
95,"Rogue Server Detection"
96,"Rogue Server Detection"
97,"Rogue Server Detection"
98,"Rogue Server Detection"
99,"Rogue Server Detection"
100,"Rogue Server Detection"
1 msdhcp_id signature
2 00 The log was started
3 01 The log was stopped
4 02 The log was temporarily paused due to low disk space
5 10 A new IP address was leased to a client
6 11 A lease was renewed by a client
7 12 A lease was released by a client
8 13 An IP address was found to be in use on the network
9 14 A lease request could not be satisfied because the scope's address pool was exhausted
10 15 A lease was denied
11 16 A lease was deleted
12 17 A lease was expired
13 20 A BOOTP address was leased to a client
14 21 A dynamic BOOTP address was leased to a client
15 22 A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted
16 23 A BOOTP IP address was deleted after checking to see that it was not in use
17 30 DNS dynamic update request
18 31 DNS dynamic update failed
19 32 DNS dynamic update successful
20 50 Rogue Server Detection
21 51 Rogue Server Detection
22 52 Rogue Server Detection
23 53 Rogue Server Detection
24 54 Rogue Server Detection
25 55 Rogue Server Detection
26 56 Rogue Server Detection
27 57 Rogue Server Detection
28 58 Rogue Server Detection
29 59 Rogue Server Detection
30 60 Rogue Server Detection
31 61 Rogue Server Detection
32 62 Rogue Server Detection
33 63 Rogue Server Detection
34 64 Rogue Server Detection
35 65 Rogue Server Detection
36 66 Rogue Server Detection
37 67 Rogue Server Detection
38 68 Rogue Server Detection
39 69 Rogue Server Detection
40 70 Rogue Server Detection
41 71 Rogue Server Detection
42 72 Rogue Server Detection
43 73 Rogue Server Detection
44 74 Rogue Server Detection
45 75 Rogue Server Detection
46 76 Rogue Server Detection
47 77 Rogue Server Detection
48 78 Rogue Server Detection
49 79 Rogue Server Detection
50 80 Rogue Server Detection
51 81 Rogue Server Detection
52 82 Rogue Server Detection
53 83 Rogue Server Detection
54 84 Rogue Server Detection
55 85 Rogue Server Detection
56 86 Rogue Server Detection
57 87 Rogue Server Detection
58 88 Rogue Server Detection
59 89 Rogue Server Detection
60 90 Rogue Server Detection
61 91 Rogue Server Detection
62 92 Rogue Server Detection
63 93 Rogue Server Detection
64 94 Rogue Server Detection
65 95 Rogue Server Detection
66 96 Rogue Server Detection
67 97 Rogue Server Detection
68 98 Rogue Server Detection
69 99 Rogue Server Detection
70 100 Rogue Server Detection

3
deployment-apps/TA-microsoft-windows/lookups/windows_object_category.csv
Unescape View File

@ -0,0 +1,3 @@
object,object_category
WinRegistry,registry
fs_notification,filesystem
1 object object_category
2 WinRegistry registry
3 fs_notification filesystem

4
deployment-apps/TA-microsoft-windows/lookups/windows_service_startmode.csv
Unescape View File

@ -0,0 +1,4 @@
StartMode, start_mode
Manual,disabled
Auto,auto
Disabled,disabled
1 StartMode start_mode
2 Manual disabled
3 Auto auto
4 Disabled disabled

7
deployment-apps/TA-microsoft-windows/lookups/windows_service_status.csv
Unescape View File

@ -0,0 +1,7 @@
Status, State, status
OK, Running, started
OK, Stopped, stopped
OK, Paused, stopped
OK, Start Pending, started
Degraded, Stop Pending, stopped
Degraded, Running, warning
1 Status State status
2 OK Running started
3 OK Stopped stopped
4 OK Paused stopped
5 OK Start Pending started
6 Degraded Stop Pending stopped
7 Degraded Running warning

2
deployment-apps/TA-microsoft-windows/lookups/windows_status.csv
Unescape View File

@ -0,0 +1,2 @@
vendor_status,status
0,success
1 vendor_status status
2 0 success

16
deployment-apps/TA-microsoft-windows/lookups/windows_timesync_action.csv
Unescape View File

@ -0,0 +1,16 @@
event_id,provider,last_sync_error,action
17,Microsoft-Windows-Time-Service,,failure
29,Microsoft-Windows-Time-Service,,failure
35,Microsoft-Windows-Time-Service,,success
36,Microsoft-Windows-Time-Service,,failure
37,Microsoft-Windows-Time-Service,,success
38,Microsoft-Windows-Time-Service,,failure
17,W32Time,,failure
29,W32Time,,failure
35,W32Time,,success
36,W32Time,,failure
37,W32Time,,success
38,W32Time,,failure
,,0*,success
.,*,failure
Can't render this file because it has a wrong number of fields in line 15.

5
deployment-apps/TA-microsoft-windows/lookups/windows_vendor_action.csv
Unescape View File

@ -0,0 +1,5 @@
sourcetype,vendor_action,action
WinRegistry,CreateKey,created
WinRegistry,SetValue,modified
WinRegistry,DeleteKey,deleted
WinRegistry,RenameKey,modified
1 sourcetype vendor_action action
2 WinRegistry CreateKey created
3 WinRegistry SetValue modified
4 WinRegistry DeleteKey deleted
5 WinRegistry RenameKey modified

6
deployment-apps/TA-microsoft-windows/lookups/windowsupdatelog_status.csv
Unescape View File

@ -0,0 +1,6 @@
vendor_status,status
"Installation Ready",available
"Installation Successful",installed
"Restart Required","restart required"
"Installation successful and restart required","restart required"
"Installation Failure",failure
1 vendor_status status
2 Installation Ready available
3 Installation Successful installed
4 Restart Required restart required
5 Installation successful and restart required restart required
6 Installation Failure failure

17
deployment-apps/TA-microsoft-windows/lookups/wineventlog_app.csv
Unescape View File

@ -0,0 +1,17 @@
event_id,src,logon_type,logon_type_description,app
4648,,,,win:remote
4672,,,,win:local
4776,,,,win:remote
,127.0.0.1,,,win:local
,::1,,,win:local
,,0,"System",win:unknown
,,2,"Interactive",win:local
,,3,"Network",win:remote
,,4,"Batch",win:local
,,5,"Service",win:local
,,6,"Proxy",win:local
,,7,"Unlock",win:local
,,8,"NetworkCleartext",win:remote
,,9,"NewCredentials",win:local
,,10,"RemoteInteractive",win:remote
,,11,"CachedInteractive",win:local
1 event_id src logon_type logon_type_description app
2 4648 win:remote
3 4672 win:local
4 4776 win:remote
5 127.0.0.1 win:local
6 ::1 win:local
7 0 System win:unknown
8 2 Interactive win:local
9 3 Network win:remote
10 4 Batch win:local
11 5 Service win:local
12 6 Proxy win:local
13 7 Unlock win:local
14 8 NetworkCleartext win:remote
15 9 NewCredentials win:local
16 10 RemoteInteractive win:remote
17 11 CachedInteractive win:local

367
deployment-apps/TA-microsoft-windows/lookups/wineventlog_security_signature_id.csv
Unescape View File

@ -0,0 +1,367 @@
action,category,os,signature,"signature_id",subcategory,status,object,"object_category"
deleted,"Object Access","Windows 7, Windows Server 2008 R2","The audit log was cleared",1102,"Log clear",success,Microsoft-Windows-Eventlog,auditlog
success,System,"Windows Vista, Windows Server 2008","Windows is starting up.",4608,"Security State Change",,,
unknown,System,"Windows Vista, Windows Server 2008","Windows is shutting down.",4609,"Security State Change",,,
unknown,System,"Windows Vista, Windows Server 2008","An authentication package has been loaded by the Local Security Authority.",4610,"Security System Extension",,,
success,System,"Windows Vista, Windows Server 2008","A trusted logon process has been registered with the Local Security Authority.",4611,"Security System Extension",,,
unknown,System,"Windows Vista, Windows Server 2008","Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.",4612,"System Integrity",,,
unknown,System,"Windows Vista, Windows Server 2008","A notification package has been loaded by the Security Account Manager.",4614,"Security System Extension",,,
unknown,System,"Windows Vista, Windows Server 2008","Invalid use of LPC port.",4615,"System Integrity",,,
success,System,"Windows Vista, Windows Server 2008","The system time was changed.",4616,"Security State Change",,,
unknown,System,"Windows Vista, Windows Server 2008","A monitored security event pattern has occurred.",4618,"System Integrity",,,
unknown,System,"Windows Vista, Windows Server 2008","Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.",4621,"Security State Change",,,
unknown,System,"Windows Vista, Windows Server 2008","A security package has been loaded by the Local Security Authority.",4622,"Security System Extension",,,
success,"Logon/Logoff","Windows Vista, Windows Server 2008","An account was successfully logged on.",4624,Logon,,,
failure,"Logon/Logoff","Windows Vista, Windows Server 2008","An account failed to log on.",4625,Logon,,,
unknown,"Logon/Logoff","Windows 8, Windows Server 2012","User/Device claims information.",4626,Logon,,,
success,"Logon/Logoff","Windows Vista, Windows Server 2008","An account was logged off.",4634,Logoff,,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","IKE DoS-prevention mode started.",4646,"IPsec Main Mode",,,
success,"Logon/Logoff","Windows Vista, Windows Server 2008","User initiated logoff.",4647,Logoff,,,
success,"Logon/Logoff","Windows Vista, Windows Server 2008","A logon was attempted using explicit credentials.",4648,Logon,,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","A replay attack was detected.",4649,"Other Logon/Logoff Events",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.",4650,"IPsec Main Mode",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.",4651,"IPsec Main Mode",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Main Mode negotiation failed.",4652,"IPsec Main Mode",,,
failure,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Main Mode negotiation failed.",4653,"IPsec Main Mode",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Quick Mode negotiation failed.",4654,"IPsec Quick Mode",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Main Mode security association ended.",4655,"IPsec Main Mode",,,
failure,"Object Access","Windows Vista, Windows Server 2008","A handle to an object was requested.",4656,"Handle Manipulation",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","A registry value was modified.",4657,Registry,,,
success,"Object Access","Windows Vista, Windows Server 2008","The handle to an object was closed.",4658,"Handle Manipulation",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","A handle to an object was requested with intent to delete.",4659,Special,,,
unknown,"Object Access","Windows Vista, Windows Server 2008","An object was deleted.",4660,Special,,,
success,"Object Access","Windows Vista, Windows Server 2008","A handle to an object was requested.",4661,Special,,,
success,"DS Access","Windows Vista, Windows Server 2008","An operation was performed on an object.",4662,"Directory Service Access",,,
success,"Object Access","Windows Vista, Windows Server 2008","An attempt was made to access an object.",4663,Special,,,
success,"Object Access","Windows Vista, Windows Server 2008","An attempt was made to create a hard link.",4664,"File System",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","An attempt was made to create an application client context.",4665,"Application Generated",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","An application attempted an operation:",4666,"Application Generated",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","An application client context was deleted.",4667,"Application Generated",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","An application was initialized.",4668,"Application Generated",,,
success,"Policy Change","Windows Vista, Windows Server 2008","Permissions on an object were changed.",4670,"Subcategory (special)",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","An application attempted to access a blocked ordinal through the TBS.",4671,"Other Object Access Events",,,
success,"Privilege Use","Windows Vista, Windows Server 2008","Special privileges assigned to new logon.",4672,"Sensitive Privilege Use / Non Sensitive Privilege Use",,,
failure,"Privilege Use","Windows Vista, Windows Server 2008","A privileged service was called.",4673,"Sensitive Privilege Use / Non Sensitive Privilege Use",,,
success,"Privilege Use","Windows Vista, Windows Server 2008","An operation was attempted on a privileged object.",4674,"Sensitive Privilege Use / Non Sensitive Privilege Use",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","SIDs were filtered.",4675,Logon,,,
success,"Detailed Tracking","Windows Vista, Windows Server 2008","A new process has been created.",4688,"Process Creation",,,
success,"Detailed Tracking","Windows Vista, Windows Server 2008","A process has exited.",4689,"Process Termination",,,
success,"Object Access","Windows Vista, Windows Server 2008","An attempt was made to duplicate a handle to an object.",4690,"Handle Manipulation",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Indirect access to an object was requested.",4691,"Other Object Access Events",,,
unknown,"Detailed Tracking","Windows Vista, Windows Server 2008","Backup of data protection master key was attempted.",4692,"DPAPI Activity",,,
unknown,"Detailed Tracking","Windows Vista, Windows Server 2008","Recovery of data protection master key was attempted.",4693,"DPAPI Activity",,,
unknown,"Detailed Tracking","Windows Vista, Windows Server 2008","Protection of auditable protected data was attempted.",4694,"DPAPI Activity",,,
unknown,"Detailed Tracking","Windows Vista, Windows Server 2008","Unprotection of auditable protected data was attempted.",4695,"DPAPI Activity",,,
unknown,"Detailed Tracking","Windows Vista, Windows Server 2008","A primary token was assigned to process.",4696,"Process Creation",,,
unknown,System,"Windows Vista, Windows Server 2008","A service was installed in the system.",4697,"Security System Extension",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","A scheduled task was created.",4698,"Other Object Access Events",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","A scheduled task was deleted.",4699,"Other Object Access Events",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","A scheduled task was enabled.",4700,"Other Object Access Events",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","A scheduled task was disabled.",4701,"Other Object Access Events",,,
success,"Object Access","Windows Vista, Windows Server 2008","A scheduled task was updated.",4702,"Other Object Access Events",,,
success,"Policy Change","Windows Vista, Windows Server 2008","A user right was assigned.",4704,"Authorization Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A user right was removed.",4705,"Authorization Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A new trust was created to a domain.",4706,"Authorization Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A trust to a domain was removed.",4707,"Authorization Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","IPsec Services was started.",4709,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","IPsec Services was disabled.",4710,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","May contain any one of the following: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.^MPAStore Engine applied Active Directory storage IPsec policy on the computer.^MPAStore Engine applied local registry storage IPsec policy on the computer.^MPAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.^MPAStore Engine failed to apply Active Directory storage IPsec policy on the computer.^MPAStore Engine failed to apply local registry storage IPsec policy on the computer.^MPAStore Engine failed to apply some rules of the active IPsec policy on the computer.^MPAStore Engine failed to load directory storage IPsec policy on the computer.^MPAStore Engine loaded directory storage IPsec policy on the computer.^MPAStore Engine failed to load local storage IPsec policy on the computer.^MPAStore Engine loaded local storage IPsec policy on the computer.^MPAStore Engine polled for changes to the active IPsec policy and detected no changes.",4711,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","IPsec Services encountered a potentially serious failure.",4712,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","Kerberos policy was changed.",4713,"Authentication Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","Encrypted data recovery policy was changed.",4714,"Authorization Policy Change",,,
acl_modified,"Policy Change","Windows Vista, Windows Server 2008","The audit policy (SACL) on an object was changed.",4715,"Audit Policy Change",success,"Audit Policy",policy
unknown,"Policy Change","Windows Vista, Windows Server 2008","Trusted domain information was modified.",4716,"Authentication Policy Change",,,
success,"Policy Change","Windows Vista, Windows Server 2008","System security access was granted to an account.",4717,"Authentication Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","System security access was removed from an account.",4718,"Authentication Policy Change",,,
acl_modified,"Policy Change","Windows Vista, Windows Server 2008","System audit policy was changed.",4719,"Audit Policy Change",success,"Audit Policy",policy
created,"Account Management","Windows Vista, Windows Server 2008","A user account was created.",4720,"User Account Management",success,"Account Management",user
modified,"Account Management","Windows Vista, Windows Server 2008","A user account was enabled.",4722,"User Account Management",success,"Account Management",user
modified,"Account Management","Windows Vista, Windows Server 2008","An attempt was made to change an account's password.",4723,"User Account Management",success,"Account Management",user
modified,"Account Management","Windows Vista, Windows Server 2008","An attempt was made to reset an account's password.",4724,"User Account Management",success,"Account Management",user
modified,"Account Management","Windows Vista, Windows Server 2008","A user account was disabled.",4725,"User Account Management",success,"Account Management",user
deleted,"Account Management","Windows Vista, Windows Server 2008","A user account was deleted.",4726,"User Account Management",,"Account Management",user
success,"Account Management","Windows Vista, Windows Server 2008","A security-enabled global group was created.",4727,"Security Group Management",,,
success,"Account Management","Windows Vista, Windows Server 2008","A member was added to a security-enabled global group.",4728,"Security Group Management",,,
success,"Account Management","Windows Vista, Windows Server 2008","A member was removed from a security-enabled global group.",4729,"Security Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A security-enabled global group was deleted.",4730,"Security Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A security-enabled local group was created.",4731,"Security Group Management",,,
success,"Account Management","Windows Vista, Windows Server 2008","A member was added to a security-enabled local group.",4732,"Security Group Management",,,
success,"Account Management","Windows Vista, Windows Server 2008","A member was removed from a security-enabled local group.",4733,"Security Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A security-enabled local group was deleted.",4734,"Security Group Management",,,
success,"Account Management","Windows Vista, Windows Server 2008","A security-enabled local group was changed.",4735,"Security Group Management",,,
success,"Account Management","Windows Vista, Windows Server 2008","A security-enabled global group was changed.",4737,"Security Group Management",,,
modified,"Account Management","Windows Vista, Windows Server 2008","A user account was changed.",4738,"User Account Management",success,"Account Management",user
unknown,"Policy Change","Windows Vista, Windows Server 2008","Domain Policy was changed.",4739,"Authentication Policy Change",,,
modified,"Account Management","Windows Vista, Windows Server 2008","A user account was locked out.",4740,"User Account Management",success,"Account Management",user
modified,"Account Management","Windows Vista, Windows Server 2008","A computer account was changed.",4742,"Computer Account Management",success,"Account Management",computer
deleted,"Account Management","Windows Vista, Windows Server 2008","A computer account was deleted.",4743,"Computer Account Management",success,"Account Management",computer
unknown,"Account Management","Windows Vista, Windows Server 2008","A security-disabled local group was created.",4744,"Distribution Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A security-disabled local group was changed.",4745,"Distribution Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A member was added to a security-disabled local group.",4746,"Distribution Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A member was removed from a security-disabled local group.",4747,"Distribution Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A security-disabled local group was deleted.",4748,"Distribution Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A security-disabled global group was created.",4749,"Distribution Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A security-disabled global group was changed.",4750,"Distribution Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A member was added to a security-disabled global group.",4751,"Distribution Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A member was removed from a security-disabled global group.",4752,"Distribution Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A security-disabled global group was deleted.",4753,"Distribution Group Management",,,
success,"Account Management","Windows Vista, Windows Server 2008","A security-enabled universal group was created.",4754,"Security Group Management",,,
success,"Account Management","Windows Vista, Windows Server 2008","A security-enabled universal group was changed.",4755,"Security Group Management",,,
success,"Account Management","Windows Vista, Windows Server 2008","A member was added to a security-enabled universal group.",4756,"Security Group Management",,,
success,"Account Management","Windows Vista, Windows Server 2008","A member was removed from a security-enabled universal group.",4757,"Security Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A security-enabled universal group was deleted.",4758,"Security Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A security-disabled universal group was created.",4759,"Distribution Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A security-disabled universal group was changed.",4760,"Distribution Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A member was added to a security-disabled universal group.",4761,"Distribution Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A member was removed from a security-disabled universal group.",4762,"Distribution Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A group<75>s type was changed.",4764,"Security Group Management",,,
created,"Account Management","Windows Vista, Windows Server 2008","SID History was added to an account.",4765,"User Account Management",success,"Account Management",sid
created,"Account Management","Windows Vista, Windows Server 2008","An attempt to add SID History to an account failed.",4766,"User Account Management",failure,"Account Management",sid
modified,"Account Management","Windows Vista, Windows Server 2008","A user account was unlocked.",4767,"User Account Management",success,"Account Management",user
failure,"Account Logon","Windows Vista, Windows Server 2008","A Kerberos authentication ticket (TGT) was requested.",4768,"Kerberos Authentication Service",,,
failure,"Account Logon","Windows Vista, Windows Server 2008","A Kerberos service ticket was requested.",4769,"Kerberos Service Ticket Operations",,,
success,"Account Logon","Windows Vista, Windows Server 2008","A Kerberos service ticket was renewed.",4770,"Kerberos Service Ticket Operations",,,
failure,"Account Logon","Windows Vista, Windows Server 2008","Kerberos pre-authentication failed.",4771,"Kerberos Authentication Service",,,
unknown,"Account Logon","Windows Vista, Windows Server 2008","A Kerberos authentication ticket request failed.",4772,"Kerberos Authentication Service",,,
unknown,"Account Logon","Windows Vista, Windows Server 2008","An account was mapped for logon.",4774,"Credential Validation",,,
unknown,"Account Logon","Windows Vista, Windows Server 2008","An account could not be mapped for logon.",4775,"Credential Validation",,,
failure,"Account Logon","Windows Vista, Windows Server 2008","The domain controller attempted to validate the credentials for an account.",4776,"Credential Validation",,,
unknown,"Account Logon","Windows Vista, Windows Server 2008","The domain controller failed to validate the credentials for an account.",4777,"Credential Validation",,,
success,"Logon/Logoff","Windows Vista, Windows Server 2008","A session was reconnected to a Window Station.",4778,"Other Logon/Logoff Events",,,
success,"Logon/Logoff","Windows Vista, Windows Server 2008","A session was disconnected from a Window Station.",4779,"Other Logon/Logoff Events",,,
acl_modified,"Account Management","Windows Vista, Windows Server 2008","The ACL was set on accounts which are members of administrators groups.",4780,"User Account Management",success,"Account Management",group
modified,"Account Management","Windows Vista, Windows Server 2008","The name of an account was changed:",4781,"User Account Management",success,"Account Management",user
unknown,"Account Management","Windows Vista, Windows Server 2008","The password hash an account was accessed.",4782,"Other Account Management Events",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A basic application group was created.",4783,"Application Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A basic application group was changed.",4784,"Application Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A member was added to a basic application group.",4785,"Application Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A member was removed from a basic application group.",4786,"Application Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A non-member was added to a basic application group.",4787,"Application Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A non-member was removed from a basic application group.",4788,"Application Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","A basic application group was deleted.",4789,"Application Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","An LDAP query group was created.",4790,"Application Group Management",,,
unknown,"Account Management","Windows Vista, Windows Server 2008","The Password Policy Checking API was called.",4793,"Other Account Management Events",,,
modified,"Account Management","Windows Vista, Windows Server 2008","An attempt was made to set the Directory Services Restore Mode.",4794,"User Account Management",success,"Account Management",user
success,"Logon/Logoff","Windows Vista, Windows Server 2008","The workstation was locked.",4800,"Other Logon/Logoff Events",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","The workstation was unlocked.",4801,"Other Logon/Logoff Events",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","The screen saver was invoked.",4802,"Other Logon/Logoff Events",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","The screen saver was dismissed.",4803,"Other Logon/Logoff Events",,,
unknown,System,"Windows Vista, Windows Server 2008","RPC detected an integrity violation while decrypting an incoming message.",4816,"System Integrity",,,
unknown,"Policy Change","Windows 7, Windows Server 2008 R2","Auditing settings on an object were changed.",4817,"Audit Policy Change",,,
unknown,"Object Access","Windows 8, Windows Server 2012","Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy",4818,"Central Policy Staging",,,
unknown,"Policy Change","Windows 8, Windows Server 2012","Central Access Policies on the machine have been changed.",4819,"Other Policy Change Events",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A namespace collision was detected.",4864,"Authentication Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A trusted forest information entry was added.",4865,"Authentication Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A trusted forest information entry was removed.",4866,"Authentication Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A trusted forest information entry was modified.",4867,"Authentication Policy Change",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","The certificate manager denied a pending certificate request.",4868,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services received a resubmitted certificate request.",4869,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services revoked a certificate.",4870,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services received a request to publish the certificate revocation list (CRL).",4871,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services published the certificate revocation list (CRL).",4872,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","A certificate request extension changed.",4873,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","One or more certificate request attributes changed.",4874,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services received a request to shut down.",4875,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services backup started.",4876,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services backup completed.",4877,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services restore started.",4878,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services restore completed.",4879,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services started.",4880,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services stopped.",4881,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","The security permissions for Certificate Services changed.",4882,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services retrieved an archived key.",4883,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services imported a certificate into its database.",4884,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","The audit filter for Certificate Services changed.",4885,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services received a certificate request.",4886,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services approved a certificate request and issued a certificate.",4887,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services denied a certificate request.",4888,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services set the status of a certificate request to pending.",4889,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","The certificate manager settings for Certificate Services changed.",4890,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","A configuration entry changed in Certificate Services.",4891,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","A property of Certificate Services changed.",4892,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services archived a key.",4893,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services imported and archived a key.",4894,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services published the CA certificate to Active Directory Domain Services.",4895,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","One or more rows have been deleted from the certificate database.",4896,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Role separation enabled:",4897,"Certification Services",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services loaded a template.",4898,"Certification Services",,,
success,"Policy Change","Windows Vista, Windows Server 2008","The Per-user audit policy table was created.",4902,"Audit Policy Change",,,
success,"Policy Change","Windows Vista, Windows Server 2008","An attempt was made to register a security event source.",4904,"Audit Policy Change",,,
success,"Policy Change","Windows Vista, Windows Server 2008","An attempt was made to unregister a security event source.",4905,"Audit Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","The CrashOnAuditFail value has changed.",4906,"Audit Policy Change",,,
success,"Policy Change","Windows Vista, Windows Server 2008","Auditing settings on object were changed.",4907,"Audit Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","Special Groups Logon table modified.",4908,"Audit Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","The local policy settings for the TBS were changed.",4909,"Other Policy Change Events",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","The group policy settings for the TBS were changed.",4910,"Other Policy Change Events",,,
unknown,"Policy Change","Windows 8, Windows Server 2012","Resource attributes of the object were changed.",4911,"Authorization Policy Change",,,
modified,"Policy Change","Windows Vista, Windows Server 2008","Per User Audit Policy was changed.",4912,"Audit Policy Change",success,"Policy Change",policy
unknown,"Policy Change","Windows 8, Windows Server 2012","Central Access Policy on the object was changed.",4913,"Authorization Policy Change",,,
unknown,"DS Access","Windows Vista, Windows Server 2008","An Active Directory replica source naming context was established.",4928,"Detailed Directory Service Replication",,,
unknown,"DS Access","Windows Vista, Windows Server 2008","An Active Directory replica source naming context was removed.",4929,"Detailed Directory Service Replication",,,
unknown,"DS Access","Windows Vista, Windows Server 2008","An Active Directory replica source naming context was modified.",4930,"Detailed Directory Service Replication",,,
success,"DS Access","Windows Vista, Windows Server 2008","An Active Directory replica destination naming context was modified.",4931,"Detailed Directory Service Replication",,,
success,"DS Access","Windows Vista, Windows Server 2008","Synchronization of a replica of an Active Directory naming context has begun.",4932,"Directory Service Replication",,,
failure,"DS Access","Windows Vista, Windows Server 2008","Synchronization of a replica of an Active Directory naming context has ended.",4933,"Directory Service Replication",,,
unknown,"DS Access","Windows Vista, Windows Server 2008","Attributes of an Active Directory object were replicated.",4934,"Detailed Directory Service Replication",,,
unknown,"DS Access","Windows Vista, Windows Server 2008","Replication failure begins.",4935,"Detailed Directory Service Replication",,,
unknown,"DS Access","Windows Vista, Windows Server 2008","Replication failure ends.",4936,"Detailed Directory Service Replication",,,
unknown,"DS Access","Windows Vista, Windows Server 2008","A lingering object was removed from a replica.",4937,"Detailed Directory Service Replication",,,
success,"Policy Change","Windows Vista, Windows Server 2008","The following policy was active when the Windows Firewall started.",4944,"MPSSVC Rule-Level Policy Change",,,
success,"Policy Change","Windows Vista, Windows Server 2008","A rule was listed when the Windows Firewall started.",4945,"MPSSVC Rule-Level Policy Change",,,
created,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to Windows Firewall exception list. A rule was added.",4946,"MPSSVC Rule-Level Policy Change",success,Windows Firewall,policy
modified,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to Windows Firewall exception list. A rule was modified.",4947,"MPSSVC Rule-Level Policy Change",success,Windows Firewall,policy
deleted,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to Windows Firewall exception list. A rule was deleted.",4948,"MPSSVC Rule-Level Policy Change",success,Windows Firewall,policy
unknown,"Policy Change","Windows Vista, Windows Server 2008","Windows Firewall settings were restored to the default values.",4949,"MPSSVC Rule-Level Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A Windows Firewall setting has changed.",4950,"MPSSVC Rule-Level Policy Change",,,
failure,"Policy Change","Windows Vista, Windows Server 2008","A rule has been ignored because its major version number was not recognized by Windows Firewall.",4951,"MPSSVC Rule-Level Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.",4952,"MPSSVC Rule-Level Policy Change",,,
failure,"Policy Change","Windows Vista, Windows Server 2008","A rule has been ignored by Windows Firewall because it could not parse the rule.",4953,"MPSSVC Rule-Level Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","Windows Firewall Group Policy settings have changed. The new settings have been applied.",4954,"MPSSVC Rule-Level Policy Change",,,
success,"Policy Change","Windows Vista, Windows Server 2008","Windows Firewall has changed the active profile.",4956,"MPSSVC Rule-Level Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","Windows Firewall did not apply the following rule:",4957,"MPSSVC Rule-Level Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:",4958,"MPSSVC Rule-Level Policy Change",,,
unknown,System,"Windows Vista, Windows Server 2008","IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.",4960,"IPsec Driver",,,
unknown,System,"Windows Vista, Windows Server 2008","IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.",4961,"IPsec Driver",,,
unknown,System,"Windows Vista, Windows Server 2008","IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.",4962,"IPsec Driver",,,
unknown,System,"Windows Vista, Windows Server 2008","IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.",4963,"IPsec Driver",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","Special groups have been assigned to a new logon.",4964,"Special Logon",,,
unknown,System,"Windows Vista, Windows Server 2008","IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.",4965,"IPsec Driver",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",4976,"IPsec Main Mode",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",4977,"IPsec Quick Mode",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",4978,"IPsec Extended Mode",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","IPsec Main Mode and Extended Mode security associations were established.",4979,"IPsec Extended Mode",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","IPsec Main Mode and Extended Mode security associations were established.",4980,"IPsec Extended Mode",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","IPsec Main Mode and Extended Mode security associations were established.",4981,"IPsec Extended Mode",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","IPsec Main Mode and Extended Mode security associations were established.",4982,"IPsec Extended Mode",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.",4983,"IPsec Extended Mode",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.",4984,"IPsec Extended Mode",,,
success,"Object Access","Windows Vista, Windows Server 2008","The state of a transaction has changed.",4985,"File System",,,
success,System,"Windows Vista, Windows Server 2008","The Windows Firewall Service has started successfully.",5024,"Other System Events",,,
unknown,System,"Windows Vista, Windows Server 2008","The Windows Firewall Service has been stopped.",5025,"Other System Events",,,
unknown,System,"Windows Vista, Windows Server 2008","The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.",5027,"Other System Events",,,
unknown,System,"Windows Vista, Windows Server 2008","The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.",5028,"Other System Events",,,
unknown,System,"Windows Vista, Windows Server 2008","The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.",5029,"Other System Events",,,
unknown,System,"Windows Vista, Windows Server 2008","The Windows Firewall Service failed to start.",5030,"Other System Events",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","The Windows Firewall Service blocked an application from accepting incoming connections on the network.",5031,"Filtering Platform Connection",,,
unknown,System,"Windows Vista, Windows Server 2008","Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.",5032,"Other System Events",,,
success,System,"Windows Vista, Windows Server 2008","The Windows Firewall Driver has started successfully.",5033,"Other System Events",,,
unknown,System,"Windows Vista, Windows Server 2008","The Windows Firewall Driver has been stopped.",5034,"Other System Events",,,
unknown,System,"Windows Vista, Windows Server 2008","The Windows Firewall Driver failed to start.",5035,"Other System Events",,,
unknown,System,"Windows Vista, Windows Server 2008","The Windows Firewall Driver detected critical runtime error. Terminating.",5037,"Other System Events",,,
unknown,System,"Windows Vista, Windows Server 2008","Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.",5038,"System Integrity",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","A registry key was virtualized.",5039,Registry,,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. An Authentication Set was added.",5040,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. An Authentication Set was modified.",5041,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. An Authentication Set was deleted.",5042,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. A Connection Security Rule was added.",5043,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. A Connection Security Rule was modified.",5044,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. A Connection Security Rule was deleted.",5045,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. A Crypto Set was added.",5046,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. A Crypto Set was modified.",5047,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. A Crypto Set was deleted.",5048,"Filtering Platform Policy Change",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Security Association was deleted.",5049,"IPsec Main Mode",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","A file was virtualized.",5051,"File System",,,
success,System,"Windows Vista, Windows Server 2008","A cryptographic self test was performed.",5056,"System Integrity",,,
unknown,System,"Windows Vista, Windows Server 2008","A cryptographic primitive operation failed.",5057,"System Integrity",,,
success,System,"Windows Vista, Windows Server 2008","Key file operation.",5058,"Other System Events",,,
success,System,"Windows Vista, Windows Server 2008","Key migration operation.",5059,"Other System Events",,,
unknown,System,"Windows Vista, Windows Server 2008","Verification operation failed.",5060,"System Integrity",,,
failure,System,"Windows Vista, Windows Server 2008","Cryptographic operation.",5061,"System Integrity",,,
unknown,System,"Windows Vista, Windows Server 2008","A kernel-mode cryptographic self test was performed.",5062,"System Integrity",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A cryptographic provider operation was attempted.",5063,"Other Policy Change Events",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A cryptographic context operation was attempted.",5064,"Other Policy Change Events",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A cryptographic context modification was attempted.",5065,"Other Policy Change Events",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A cryptographic function operation was attempted.",5066,"Other Policy Change Events",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A cryptographic function modification was attempted.",5067,"Other Policy Change Events",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A cryptographic function provider operation was attempted.",5068,"Other Policy Change Events",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A cryptographic function property operation was attempted.",5069,"Other Policy Change Events",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","A cryptographic function property modification was attempted.",5070,"Other Policy Change Events",,,
success,"DS Access","Windows Vista, Windows Server 2008","A directory service object was modified.",5136,"Directory Service Changes",,,
unknown,"DS Access","Windows Vista, Windows Server 2008","A directory service object was created.",5137,"Directory Service Changes",,,
unknown,"DS Access","Windows Vista, Windows Server 2008","A directory service object was undeleted.",5138,"Directory Service Changes",,,
unknown,"DS Access","Windows Vista, Windows Server 2008","A directory service object was moved.",5139,"Directory Service Changes",,,
failure,"Object Access","Windows Vista, Windows Server 2008","A network share object was accessed.",5140,"File Share",,,
unknown,"DS Access","Windows Vista SP1, Windows Server 2008","A directory service object was deleted.",5141,"Directory Service Changes",,,
unknown,"Object Access","Windows 7, Windows Server 2008 R2","A network share object was added.",5142,"File Share",,,
success,"Object Access","Windows 7, Windows Server 2008 R2","A network share object was modified.",5143,"File Share",,,
unknown,"Object Access","Windows 7, Windows Server 2008 R2","A network share object was deleted.",5144,"File Share",,,
unknown,"Object Access","Windows 7, Windows Server 2008 R2","A network share object was checked to see whether the client can be granted desired access.",5145,"Detailed File Share",,,
unknown,"Object Access","Windows 7, Windows Server 2008 R2","The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.",5148,"Other Object Access Events",,,
unknown,"Object Access","Windows 7, Windows Server 2008 R2","The DoS attack has subsided and normal processing is being resumed.",5149,"Other Object Access Events",,,
unknown,"Object Access","Windows 7, Windows Server 2008 R2","The Windows Filtering Platform has blocked a packet.",5150,"Filtering Platform Connection",,,
unknown,"Object Access","Windows 7, Windows Server 2008 R2","A more restrictive Windows Filtering Platform filter has blocked a packet.",5151,"Filtering Platform Connection",,,
failure,"Object Access","Windows Vista, Windows Server 2008","The Windows Filtering Platform blocked a packet.",5152,"Filtering Platform Packet Drop",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","A more restrictive Windows Filtering Platform filter has blocked a packet.",5153,"Filtering Platform Packet Drop",,,
success,"Object Access","Windows Vista, Windows Server 2008","The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.",5154,"Filtering Platform Connection",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.",5155,"Filtering Platform Connection",,,
success,"Object Access","Windows Vista, Windows Server 2008","The Windows Filtering Platform has allowed a connection.",5156,"Filtering Platform Connection",,,
failure,"Object Access","Windows Vista, Windows Server 2008","The Windows Filtering Platform has blocked a connection.",5157,"Filtering Platform Connection",,,
success,"Object Access","Windows Vista, Windows Server 2008","The Windows Filtering Platform has permitted a bind to a local port.",5158,"Filtering Platform Connection",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","The Windows Filtering Platform has blocked a bind to a local port.",5159,"Filtering Platform Connection",,,
unknown,"Object Access","Windows 7, Windows Server 2008 R2","Spn check for SMB/SMB2 failed.",5168,"File Share",,,
read,"Account Management","Windows Vista, Windows Server 2008","Credential Manager credentials were backed up.",5376,"User Account Management",success,"Account Management",user
modified,"Account Management","Windows Vista, Windows Server 2008","Credential Manager credentials were restored from a backup.",5377,"User Account Management",success,"Account Management",user
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","The requested credentials delegation was disallowed by policy.",5378,"Other Logon/Logoff Events",,,
success,"Policy Change","Windows Vista, Windows Server 2008","The following callout was present when the Windows Filtering Platform Base Filtering Engine started.",5440,"Filtering Platform Policy Change",,,
success,"Policy Change","Windows Vista, Windows Server 2008","The following filter was present when the Windows Filtering Platform Base Filtering Engine started.",5441,"Filtering Platform Policy Change",,,
success,"Policy Change","Windows Vista, Windows Server 2008","The following provider was present when the Windows Filtering Platform Base Filtering Engine started.",5442,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.",5443,"Filtering Platform Policy Change",,,
success,"Policy Change","Windows Vista, Windows Server 2008","The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.",5444,"Filtering Platform Policy Change",,,
success,"Policy Change","Windows Vista, Windows Server 2008","A Windows Filtering Platform callout has been changed.",5446,"Filtering Platform Policy Change",,,
success,"Policy Change","Windows Vista, Windows Server 2008","A Windows Filtering Platform filter has been changed.",5447,"Other Policy Change Events",,,
success,"Policy Change","Windows Vista, Windows Server 2008","A Windows Filtering Platform provider has been changed.",5448,"Filtering Platform Policy Change",,,
success,"Policy Change","Windows Vista, Windows Server 2008","A Windows Filtering Platform provider context has been changed.",5449,"Filtering Platform Policy Change",,,
success,"Policy Change","Windows Vista, Windows Server 2008","A Windows Filtering Platform sub-layer has been changed.",5450,"Filtering Platform Policy Change",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Quick Mode security association was established.",5451,"IPsec Quick Mode",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Quick Mode security association ended.",5452,"IPsec Quick Mode",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.",5453,"IPsec Main Mode",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine applied Active Directory storage IPsec policy on the computer.",5456,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.",5457,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.",5458,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.",5459,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine applied local registry storage IPsec policy on the computer.",5460,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine failed to apply local registry storage IPsec policy on the computer.",5461,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.",5462,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine polled for changes to the active IPsec policy and detected no changes.",5463,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.",5464,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.",5465,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.",5466,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.",5467,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.",5468,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine loaded local storage IPsec policy on the computer.",5471,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine failed to load local storage IPsec policy on the computer.",5472,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine loaded directory storage IPsec policy on the computer.",5473,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine failed to load directory storage IPsec policy on the computer.",5474,"Filtering Platform Policy Change",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine failed to add quick mode filter.",5477,"Filtering Platform Policy Change",,,
unknown,System,"Windows Vista, Windows Server 2008","IPsec Services has started successfully.",5478,"IPsec Driver",,,
unknown,System,"Windows Vista, Windows Server 2008","IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.",5479,"IPsec Driver",,,
unknown,System,"Windows Vista, Windows Server 2008","IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.",5480,"IPsec Driver",,,
unknown,System,"Windows Vista, Windows Server 2008","IPsec Services failed to initialize RPC server. IPsec Services could not be started.",5483,"IPsec Driver",,,
unknown,System,"Windows Vista, Windows Server 2008","IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.",5484,"IPsec Driver",,,
unknown,System,"Windows Vista, Windows Server 2008","IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.",5485,"IPsec Driver",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","A request was made to authenticate to a wireless network.",5632,"Other Logon/Logoff Events",,,
unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","A request was made to authenticate to a wired network.",5633,"Other Logon/Logoff Events",,,
unknown,"Detailed Tracking","Windows Vista, Windows Server 2008","A Remote Procedure Call (RPC) was attempted.",5712,"RPC Events",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","An object in the COM+ Catalog was modified.",5888,"Other Object Access Events",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","An object was deleted from the COM+ Catalog.",5889,"Other Object Access Events",,,
unknown,"Object Access","Windows Vista, Windows Server 2008","An object was added to the COM+ Catalog.",5890,"Other Object Access Events",,,
success,"Policy Change","Windows Vista, Windows Server 2008","Security policy in the group policy objects has been applied successfully.",6144,"Other Policy Change Events",,,
unknown,"Policy Change","Windows Vista, Windows Server 2008","One or more errors occurred while processing security policy in the group policy objects.",6145,"Other Policy Change Events",,,
unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server granted access to a user.",6272,"Network Policy Server",,,
unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server denied access to a user.",6273,"Network Policy Server",,,
unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server discarded the request for a user.",6274,"Network Policy Server",,,
unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server discarded the accounting request for a user.",6275,"Network Policy Server",,,
unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server quarantined a user.",6276,"Network Policy Server",,,
unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.",6277,"Network Policy Server",,,
unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server granted full access to a user because the host met the defined health policy.",6278,"Network Policy Server",,,
unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server locked the user account due to repeated failed authentication attempts.",6279,"Network Policy Server",,,
unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server unlocked the user account.",6280,"Network Policy Server",,,
unknown,System,"Windows 7, Windows Server 2008 R2","Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error",6281,"System Integrity",,,
unknown,System,"Windows 7, Windows Server 2008 R2","BranchCache: Received an incorrectly formatted response while discovering availability of content.",6400,"Other System Events",,,
unknown,System,"Windows 7, Windows Server 2008 R2","BranchCache: Received invalid data from a peer. Data discarded.",6401,"Other System Events",,,
unknown,System,"Windows 7, Windows Server 2008 R2","BranchCache: The message to the hosted cache offering it data is incorrectly formatted.",6402,"Other System Events",,,
unknown,System,"Windows 7, Windows Server 2008 R2","BranchCache: The hosted cache sent an incorrectly formatted response to the client.",6403,"Other System Events",,,
unknown,System,"Windows 7, Windows Server 2008 R2","BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.",6404,"Other System Events",,,
unknown,System,"Windows 7, Windows Server 2008 R2","BranchCache: %2 instance(s) of event id %1 occurred.",6405,"Other System Events",,,
unknown,System,"Windows 7, Windows Server 2008 R2","%1 registered to Windows Firewall to control filtering for the following: %2",6406,"Other System Events",,,
unknown,System,"Windows 7, Windows Server 2008 R2","1%",6407,"Other System Events",,,
1 action category os signature signature_id subcategory status object object_category
2 deleted Object Access Windows 7, Windows Server 2008 R2 The audit log was cleared 1102 Log clear success Microsoft-Windows-Eventlog auditlog
3 success System Windows Vista, Windows Server 2008 Windows is starting up. 4608 Security State Change
4 unknown System Windows Vista, Windows Server 2008 Windows is shutting down. 4609 Security State Change
5 unknown System Windows Vista, Windows Server 2008 An authentication package has been loaded by the Local Security Authority. 4610 Security System Extension
6 success System Windows Vista, Windows Server 2008 A trusted logon process has been registered with the Local Security Authority. 4611 Security System Extension
7 unknown System Windows Vista, Windows Server 2008 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. 4612 System Integrity
8 unknown System Windows Vista, Windows Server 2008 A notification package has been loaded by the Security Account Manager. 4614 Security System Extension
9 unknown System Windows Vista, Windows Server 2008 Invalid use of LPC port. 4615 System Integrity
10 success System Windows Vista, Windows Server 2008 The system time was changed. 4616 Security State Change
11 unknown System Windows Vista, Windows Server 2008 A monitored security event pattern has occurred. 4618 System Integrity
12 unknown System Windows Vista, Windows Server 2008 Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. 4621 Security State Change
13 unknown System Windows Vista, Windows Server 2008 A security package has been loaded by the Local Security Authority. 4622 Security System Extension
14 success Logon/Logoff Windows Vista, Windows Server 2008 An account was successfully logged on. 4624 Logon
15 failure Logon/Logoff Windows Vista, Windows Server 2008 An account failed to log on. 4625 Logon
16 unknown Logon/Logoff Windows 8, Windows Server 2012 User/Device claims information. 4626 Logon
17 success Logon/Logoff Windows Vista, Windows Server 2008 An account was logged off. 4634 Logoff
18 unknown Logon/Logoff Windows Vista, Windows Server 2008 IKE DoS-prevention mode started. 4646 IPsec Main Mode
19 success Logon/Logoff Windows Vista, Windows Server 2008 User initiated logoff. 4647 Logoff
20 success Logon/Logoff Windows Vista, Windows Server 2008 A logon was attempted using explicit credentials. 4648 Logon
21 unknown Logon/Logoff Windows Vista, Windows Server 2008 A replay attack was detected. 4649 Other Logon/Logoff Events
22 unknown Logon/Logoff Windows Vista, Windows Server 2008 An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. 4650 IPsec Main Mode
23 unknown Logon/Logoff Windows Vista, Windows Server 2008 An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. 4651 IPsec Main Mode
24 unknown Logon/Logoff Windows Vista, Windows Server 2008 An IPsec Main Mode negotiation failed. 4652 IPsec Main Mode
25 failure Logon/Logoff Windows Vista, Windows Server 2008 An IPsec Main Mode negotiation failed. 4653 IPsec Main Mode
26 unknown Logon/Logoff Windows Vista, Windows Server 2008 An IPsec Quick Mode negotiation failed. 4654 IPsec Quick Mode
27 unknown Logon/Logoff Windows Vista, Windows Server 2008 An IPsec Main Mode security association ended. 4655 IPsec Main Mode
28 failure Object Access Windows Vista, Windows Server 2008 A handle to an object was requested. 4656 Handle Manipulation
29 unknown Object Access Windows Vista, Windows Server 2008 A registry value was modified. 4657 Registry
30 success Object Access Windows Vista, Windows Server 2008 The handle to an object was closed. 4658 Handle Manipulation
31 unknown Object Access Windows Vista, Windows Server 2008 A handle to an object was requested with intent to delete. 4659 Special
32 unknown Object Access Windows Vista, Windows Server 2008 An object was deleted. 4660 Special
33 success Object Access Windows Vista, Windows Server 2008 A handle to an object was requested. 4661 Special
34 success DS Access Windows Vista, Windows Server 2008 An operation was performed on an object. 4662 Directory Service Access
35 success Object Access Windows Vista, Windows Server 2008 An attempt was made to access an object. 4663 Special
36 success Object Access Windows Vista, Windows Server 2008 An attempt was made to create a hard link. 4664 File System
37 unknown Object Access Windows Vista, Windows Server 2008 An attempt was made to create an application client context. 4665 Application Generated
38 unknown Object Access Windows Vista, Windows Server 2008 An application attempted an operation: 4666 Application Generated
39 unknown Object Access Windows Vista, Windows Server 2008 An application client context was deleted. 4667 Application Generated
40 unknown Object Access Windows Vista, Windows Server 2008 An application was initialized. 4668 Application Generated
41 success Policy Change Windows Vista, Windows Server 2008 Permissions on an object were changed. 4670 Subcategory (special)
42 unknown Object Access Windows Vista, Windows Server 2008 An application attempted to access a blocked ordinal through the TBS. 4671 Other Object Access Events
43 success Privilege Use Windows Vista, Windows Server 2008 Special privileges assigned to new logon. 4672 Sensitive Privilege Use / Non Sensitive Privilege Use
44 failure Privilege Use Windows Vista, Windows Server 2008 A privileged service was called. 4673 Sensitive Privilege Use / Non Sensitive Privilege Use
45 success Privilege Use Windows Vista, Windows Server 2008 An operation was attempted on a privileged object. 4674 Sensitive Privilege Use / Non Sensitive Privilege Use
46 unknown Logon/Logoff Windows Vista, Windows Server 2008 SIDs were filtered. 4675 Logon
47 success Detailed Tracking Windows Vista, Windows Server 2008 A new process has been created. 4688 Process Creation
48 success Detailed Tracking Windows Vista, Windows Server 2008 A process has exited. 4689 Process Termination
49 success Object Access Windows Vista, Windows Server 2008 An attempt was made to duplicate a handle to an object. 4690 Handle Manipulation
50 unknown Object Access Windows Vista, Windows Server 2008 Indirect access to an object was requested. 4691 Other Object Access Events
51 unknown Detailed Tracking Windows Vista, Windows Server 2008 Backup of data protection master key was attempted. 4692 DPAPI Activity
52 unknown Detailed Tracking Windows Vista, Windows Server 2008 Recovery of data protection master key was attempted. 4693 DPAPI Activity
53 unknown Detailed Tracking Windows Vista, Windows Server 2008 Protection of auditable protected data was attempted. 4694 DPAPI Activity
54 unknown Detailed Tracking Windows Vista, Windows Server 2008 Unprotection of auditable protected data was attempted. 4695 DPAPI Activity
55 unknown Detailed Tracking Windows Vista, Windows Server 2008 A primary token was assigned to process. 4696 Process Creation
56 unknown System Windows Vista, Windows Server 2008 A service was installed in the system. 4697 Security System Extension
57 unknown Object Access Windows Vista, Windows Server 2008 A scheduled task was created. 4698 Other Object Access Events
58 unknown Object Access Windows Vista, Windows Server 2008 A scheduled task was deleted. 4699 Other Object Access Events
59 unknown Object Access Windows Vista, Windows Server 2008 A scheduled task was enabled. 4700 Other Object Access Events
60 unknown Object Access Windows Vista, Windows Server 2008 A scheduled task was disabled. 4701 Other Object Access Events
61 success Object Access Windows Vista, Windows Server 2008 A scheduled task was updated. 4702 Other Object Access Events
62 success Policy Change Windows Vista, Windows Server 2008 A user right was assigned. 4704 Authorization Policy Change
63 unknown Policy Change Windows Vista, Windows Server 2008 A user right was removed. 4705 Authorization Policy Change
64 unknown Policy Change Windows Vista, Windows Server 2008 A new trust was created to a domain. 4706 Authorization Policy Change
65 unknown Policy Change Windows Vista, Windows Server 2008 A trust to a domain was removed. 4707 Authorization Policy Change
66 unknown Policy Change Windows Vista, Windows Server 2008 IPsec Services was started. 4709 Filtering Platform Policy Change
67 unknown Policy Change Windows Vista, Windows Server 2008 IPsec Services was disabled. 4710 Filtering Platform Policy Change
68 unknown Policy Change Windows Vista, Windows Server 2008 May contain any one of the following: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.^MPAStore Engine applied Active Directory storage IPsec policy on the computer.^MPAStore Engine applied local registry storage IPsec policy on the computer.^MPAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.^MPAStore Engine failed to apply Active Directory storage IPsec policy on the computer.^MPAStore Engine failed to apply local registry storage IPsec policy on the computer.^MPAStore Engine failed to apply some rules of the active IPsec policy on the computer.^MPAStore Engine failed to load directory storage IPsec policy on the computer.^MPAStore Engine loaded directory storage IPsec policy on the computer.^MPAStore Engine failed to load local storage IPsec policy on the computer.^MPAStore Engine loaded local storage IPsec policy on the computer.^MPAStore Engine polled for changes to the active IPsec policy and detected no changes. 4711 Filtering Platform Policy Change
69 unknown Policy Change Windows Vista, Windows Server 2008 IPsec Services encountered a potentially serious failure. 4712 Filtering Platform Policy Change
70 unknown Policy Change Windows Vista, Windows Server 2008 Kerberos policy was changed. 4713 Authentication Policy Change
71 unknown Policy Change Windows Vista, Windows Server 2008 Encrypted data recovery policy was changed. 4714 Authorization Policy Change
72 acl_modified Policy Change Windows Vista, Windows Server 2008 The audit policy (SACL) on an object was changed. 4715 Audit Policy Change success Audit Policy policy
73 unknown Policy Change Windows Vista, Windows Server 2008 Trusted domain information was modified. 4716 Authentication Policy Change
74 success Policy Change Windows Vista, Windows Server 2008 System security access was granted to an account. 4717 Authentication Policy Change
75 unknown Policy Change Windows Vista, Windows Server 2008 System security access was removed from an account. 4718 Authentication Policy Change
76 acl_modified Policy Change Windows Vista, Windows Server 2008 System audit policy was changed. 4719 Audit Policy Change success Audit Policy policy
77 created Account Management Windows Vista, Windows Server 2008 A user account was created. 4720 User Account Management success Account Management user
78 modified Account Management Windows Vista, Windows Server 2008 A user account was enabled. 4722 User Account Management success Account Management user
79 modified Account Management Windows Vista, Windows Server 2008 An attempt was made to change an account's password. 4723 User Account Management success Account Management user
80 modified Account Management Windows Vista, Windows Server 2008 An attempt was made to reset an account's password. 4724 User Account Management success Account Management user
81 modified Account Management Windows Vista, Windows Server 2008 A user account was disabled. 4725 User Account Management success Account Management user
82 deleted Account Management Windows Vista, Windows Server 2008 A user account was deleted. 4726 User Account Management Account Management user
83 success Account Management Windows Vista, Windows Server 2008 A security-enabled global group was created. 4727 Security Group Management
84 success Account Management Windows Vista, Windows Server 2008 A member was added to a security-enabled global group. 4728 Security Group Management
85 success Account Management Windows Vista, Windows Server 2008 A member was removed from a security-enabled global group. 4729 Security Group Management
86 unknown Account Management Windows Vista, Windows Server 2008 A security-enabled global group was deleted. 4730 Security Group Management
87 unknown Account Management Windows Vista, Windows Server 2008 A security-enabled local group was created. 4731 Security Group Management
88 success Account Management Windows Vista, Windows Server 2008 A member was added to a security-enabled local group. 4732 Security Group Management
89 success Account Management Windows Vista, Windows Server 2008 A member was removed from a security-enabled local group. 4733 Security Group Management
90 unknown Account Management Windows Vista, Windows Server 2008 A security-enabled local group was deleted. 4734 Security Group Management
91 success Account Management Windows Vista, Windows Server 2008 A security-enabled local group was changed. 4735 Security Group Management
92 success Account Management Windows Vista, Windows Server 2008 A security-enabled global group was changed. 4737 Security Group Management
93 modified Account Management Windows Vista, Windows Server 2008 A user account was changed. 4738 User Account Management success Account Management user
94 unknown Policy Change Windows Vista, Windows Server 2008 Domain Policy was changed. 4739 Authentication Policy Change
95 modified Account Management Windows Vista, Windows Server 2008 A user account was locked out. 4740 User Account Management success Account Management user
96 modified Account Management Windows Vista, Windows Server 2008 A computer account was changed. 4742 Computer Account Management success Account Management computer
97 deleted Account Management Windows Vista, Windows Server 2008 A computer account was deleted. 4743 Computer Account Management success Account Management computer
98 unknown Account Management Windows Vista, Windows Server 2008 A security-disabled local group was created. 4744 Distribution Group Management
99 unknown Account Management Windows Vista, Windows Server 2008 A security-disabled local group was changed. 4745 Distribution Group Management
100 unknown Account Management Windows Vista, Windows Server 2008 A member was added to a security-disabled local group. 4746 Distribution Group Management
101 unknown Account Management Windows Vista, Windows Server 2008 A member was removed from a security-disabled local group. 4747 Distribution Group Management
102 unknown Account Management Windows Vista, Windows Server 2008 A security-disabled local group was deleted. 4748 Distribution Group Management
103 unknown Account Management Windows Vista, Windows Server 2008 A security-disabled global group was created. 4749 Distribution Group Management
104 unknown Account Management Windows Vista, Windows Server 2008 A security-disabled global group was changed. 4750 Distribution Group Management
105 unknown Account Management Windows Vista, Windows Server 2008 A member was added to a security-disabled global group. 4751 Distribution Group Management
106 unknown Account Management Windows Vista, Windows Server 2008 A member was removed from a security-disabled global group. 4752 Distribution Group Management
107 unknown Account Management Windows Vista, Windows Server 2008 A security-disabled global group was deleted. 4753 Distribution Group Management
108 success Account Management Windows Vista, Windows Server 2008 A security-enabled universal group was created. 4754 Security Group Management
109 success Account Management Windows Vista, Windows Server 2008 A security-enabled universal group was changed. 4755 Security Group Management
110 success Account Management Windows Vista, Windows Server 2008 A member was added to a security-enabled universal group. 4756 Security Group Management
111 success Account Management Windows Vista, Windows Server 2008 A member was removed from a security-enabled universal group. 4757 Security Group Management
112 unknown Account Management Windows Vista, Windows Server 2008 A security-enabled universal group was deleted. 4758 Security Group Management
113 unknown Account Management Windows Vista, Windows Server 2008 A security-disabled universal group was created. 4759 Distribution Group Management
114 unknown Account Management Windows Vista, Windows Server 2008 A security-disabled universal group was changed. 4760 Distribution Group Management
115 unknown Account Management Windows Vista, Windows Server 2008 A member was added to a security-disabled universal group. 4761 Distribution Group Management
116 unknown Account Management Windows Vista, Windows Server 2008 A member was removed from a security-disabled universal group. 4762 Distribution Group Management
117 unknown Account Management Windows Vista, Windows Server 2008 A group�s type was changed. 4764 Security Group Management
118 created Account Management Windows Vista, Windows Server 2008 SID History was added to an account. 4765 User Account Management success Account Management sid
119 created Account Management Windows Vista, Windows Server 2008 An attempt to add SID History to an account failed. 4766 User Account Management failure Account Management sid
120 modified Account Management Windows Vista, Windows Server 2008 A user account was unlocked. 4767 User Account Management success Account Management user
121 failure Account Logon Windows Vista, Windows Server 2008 A Kerberos authentication ticket (TGT) was requested. 4768 Kerberos Authentication Service
122 failure Account Logon Windows Vista, Windows Server 2008 A Kerberos service ticket was requested. 4769 Kerberos Service Ticket Operations
123 success Account Logon Windows Vista, Windows Server 2008 A Kerberos service ticket was renewed. 4770 Kerberos Service Ticket Operations
124 failure Account Logon Windows Vista, Windows Server 2008 Kerberos pre-authentication failed. 4771 Kerberos Authentication Service
125 unknown Account Logon Windows Vista, Windows Server 2008 A Kerberos authentication ticket request failed. 4772 Kerberos Authentication Service
126 unknown Account Logon Windows Vista, Windows Server 2008 An account was mapped for logon. 4774 Credential Validation
127 unknown Account Logon Windows Vista, Windows Server 2008 An account could not be mapped for logon. 4775 Credential Validation
128 failure Account Logon Windows Vista, Windows Server 2008 The domain controller attempted to validate the credentials for an account. 4776 Credential Validation
129 unknown Account Logon Windows Vista, Windows Server 2008 The domain controller failed to validate the credentials for an account. 4777 Credential Validation
130 success Logon/Logoff Windows Vista, Windows Server 2008 A session was reconnected to a Window Station. 4778 Other Logon/Logoff Events
131 success Logon/Logoff Windows Vista, Windows Server 2008 A session was disconnected from a Window Station. 4779 Other Logon/Logoff Events
132 acl_modified Account Management Windows Vista, Windows Server 2008 The ACL was set on accounts which are members of administrators groups. 4780 User Account Management success Account Management group
133 modified Account Management Windows Vista, Windows Server 2008 The name of an account was changed: 4781 User Account Management success Account Management user
134 unknown Account Management Windows Vista, Windows Server 2008 The password hash an account was accessed. 4782 Other Account Management Events
135 unknown Account Management Windows Vista, Windows Server 2008 A basic application group was created. 4783 Application Group Management
136 unknown Account Management Windows Vista, Windows Server 2008 A basic application group was changed. 4784 Application Group Management
137 unknown Account Management Windows Vista, Windows Server 2008 A member was added to a basic application group. 4785 Application Group Management
138 unknown Account Management Windows Vista, Windows Server 2008 A member was removed from a basic application group. 4786 Application Group Management
139 unknown Account Management Windows Vista, Windows Server 2008 A non-member was added to a basic application group. 4787 Application Group Management
140 unknown Account Management Windows Vista, Windows Server 2008 A non-member was removed from a basic application group. 4788 Application Group Management
141 unknown Account Management Windows Vista, Windows Server 2008 A basic application group was deleted. 4789 Application Group Management
142 unknown Account Management Windows Vista, Windows Server 2008 An LDAP query group was created. 4790 Application Group Management
143 unknown Account Management Windows Vista, Windows Server 2008 The Password Policy Checking API was called. 4793 Other Account Management Events
144 modified Account Management Windows Vista, Windows Server 2008 An attempt was made to set the Directory Services Restore Mode. 4794 User Account Management success Account Management user
145 success Logon/Logoff Windows Vista, Windows Server 2008 The workstation was locked. 4800 Other Logon/Logoff Events
146 unknown Logon/Logoff Windows Vista, Windows Server 2008 The workstation was unlocked. 4801 Other Logon/Logoff Events
147 unknown Logon/Logoff Windows Vista, Windows Server 2008 The screen saver was invoked. 4802 Other Logon/Logoff Events
148 unknown Logon/Logoff Windows Vista, Windows Server 2008 The screen saver was dismissed. 4803 Other Logon/Logoff Events
149 unknown System Windows Vista, Windows Server 2008 RPC detected an integrity violation while decrypting an incoming message. 4816 System Integrity
150 unknown Policy Change Windows 7, Windows Server 2008 R2 Auditing settings on an object were changed. 4817 Audit Policy Change
151 unknown Object Access Windows 8, Windows Server 2012 Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy 4818 Central Policy Staging
152 unknown Policy Change Windows 8, Windows Server 2012 Central Access Policies on the machine have been changed. 4819 Other Policy Change Events
153 unknown Policy Change Windows Vista, Windows Server 2008 A namespace collision was detected. 4864 Authentication Policy Change
154 unknown Policy Change Windows Vista, Windows Server 2008 A trusted forest information entry was added. 4865 Authentication Policy Change
155 unknown Policy Change Windows Vista, Windows Server 2008 A trusted forest information entry was removed. 4866 Authentication Policy Change
156 unknown Policy Change Windows Vista, Windows Server 2008 A trusted forest information entry was modified. 4867 Authentication Policy Change
157 unknown Object Access Windows Vista, Windows Server 2008 The certificate manager denied a pending certificate request. 4868 Certification Services
158 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services received a resubmitted certificate request. 4869 Certification Services
159 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services revoked a certificate. 4870 Certification Services
160 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services received a request to publish the certificate revocation list (CRL). 4871 Certification Services
161 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services published the certificate revocation list (CRL). 4872 Certification Services
162 unknown Object Access Windows Vista, Windows Server 2008 A certificate request extension changed. 4873 Certification Services
163 unknown Object Access Windows Vista, Windows Server 2008 One or more certificate request attributes changed. 4874 Certification Services
164 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services received a request to shut down. 4875 Certification Services
165 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services backup started. 4876 Certification Services
166 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services backup completed. 4877 Certification Services
167 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services restore started. 4878 Certification Services
168 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services restore completed. 4879 Certification Services
169 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services started. 4880 Certification Services
170 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services stopped. 4881 Certification Services
171 unknown Object Access Windows Vista, Windows Server 2008 The security permissions for Certificate Services changed. 4882 Certification Services
172 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services retrieved an archived key. 4883 Certification Services
173 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services imported a certificate into its database. 4884 Certification Services
174 unknown Object Access Windows Vista, Windows Server 2008 The audit filter for Certificate Services changed. 4885 Certification Services
175 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services received a certificate request. 4886 Certification Services
176 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services approved a certificate request and issued a certificate. 4887 Certification Services
177 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services denied a certificate request. 4888 Certification Services
178 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services set the status of a certificate request to pending. 4889 Certification Services
179 unknown Object Access Windows Vista, Windows Server 2008 The certificate manager settings for Certificate Services changed. 4890 Certification Services
180 unknown Object Access Windows Vista, Windows Server 2008 A configuration entry changed in Certificate Services. 4891 Certification Services
181 unknown Object Access Windows Vista, Windows Server 2008 A property of Certificate Services changed. 4892 Certification Services
182 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services archived a key. 4893 Certification Services
183 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services imported and archived a key. 4894 Certification Services
184 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services published the CA certificate to Active Directory Domain Services. 4895 Certification Services
185 unknown Object Access Windows Vista, Windows Server 2008 One or more rows have been deleted from the certificate database. 4896 Certification Services
186 unknown Object Access Windows Vista, Windows Server 2008 Role separation enabled: 4897 Certification Services
187 unknown Object Access Windows Vista, Windows Server 2008 Certificate Services loaded a template. 4898 Certification Services
188 success Policy Change Windows Vista, Windows Server 2008 The Per-user audit policy table was created. 4902 Audit Policy Change
189 success Policy Change Windows Vista, Windows Server 2008 An attempt was made to register a security event source. 4904 Audit Policy Change
190 success Policy Change Windows Vista, Windows Server 2008 An attempt was made to unregister a security event source. 4905 Audit Policy Change
191 unknown Policy Change Windows Vista, Windows Server 2008 The CrashOnAuditFail value has changed. 4906 Audit Policy Change
192 success Policy Change Windows Vista, Windows Server 2008 Auditing settings on object were changed. 4907 Audit Policy Change
193 unknown Policy Change Windows Vista, Windows Server 2008 Special Groups Logon table modified. 4908 Audit Policy Change
194 unknown Policy Change Windows Vista, Windows Server 2008 The local policy settings for the TBS were changed. 4909 Other Policy Change Events
195 unknown Policy Change Windows Vista, Windows Server 2008 The group policy settings for the TBS were changed. 4910 Other Policy Change Events
196 unknown Policy Change Windows 8, Windows Server 2012 Resource attributes of the object were changed. 4911 Authorization Policy Change
197 modified Policy Change Windows Vista, Windows Server 2008 Per User Audit Policy was changed. 4912 Audit Policy Change success Policy Change policy
198 unknown Policy Change Windows 8, Windows Server 2012 Central Access Policy on the object was changed. 4913 Authorization Policy Change
199 unknown DS Access Windows Vista, Windows Server 2008 An Active Directory replica source naming context was established. 4928 Detailed Directory Service Replication
200 unknown DS Access Windows Vista, Windows Server 2008 An Active Directory replica source naming context was removed. 4929 Detailed Directory Service Replication
201 unknown DS Access Windows Vista, Windows Server 2008 An Active Directory replica source naming context was modified. 4930 Detailed Directory Service Replication
202 success DS Access Windows Vista, Windows Server 2008 An Active Directory replica destination naming context was modified. 4931 Detailed Directory Service Replication
203 success DS Access Windows Vista, Windows Server 2008 Synchronization of a replica of an Active Directory naming context has begun. 4932 Directory Service Replication
204 failure DS Access Windows Vista, Windows Server 2008 Synchronization of a replica of an Active Directory naming context has ended. 4933 Directory Service Replication
205 unknown DS Access Windows Vista, Windows Server 2008 Attributes of an Active Directory object were replicated. 4934 Detailed Directory Service Replication
206 unknown DS Access Windows Vista, Windows Server 2008 Replication failure begins. 4935 Detailed Directory Service Replication
207 unknown DS Access Windows Vista, Windows Server 2008 Replication failure ends. 4936 Detailed Directory Service Replication
208 unknown DS Access Windows Vista, Windows Server 2008 A lingering object was removed from a replica. 4937 Detailed Directory Service Replication
209 success Policy Change Windows Vista, Windows Server 2008 The following policy was active when the Windows Firewall started. 4944 MPSSVC Rule-Level Policy Change
210 success Policy Change Windows Vista, Windows Server 2008 A rule was listed when the Windows Firewall started. 4945 MPSSVC Rule-Level Policy Change
211 created Policy Change Windows Vista, Windows Server 2008 A change has been made to Windows Firewall exception list. A rule was added. 4946 MPSSVC Rule-Level Policy Change success Windows Firewall policy
212 modified Policy Change Windows Vista, Windows Server 2008 A change has been made to Windows Firewall exception list. A rule was modified. 4947 MPSSVC Rule-Level Policy Change success Windows Firewall policy
213 deleted Policy Change Windows Vista, Windows Server 2008 A change has been made to Windows Firewall exception list. A rule was deleted. 4948 MPSSVC Rule-Level Policy Change success Windows Firewall policy
214 unknown Policy Change Windows Vista, Windows Server 2008 Windows Firewall settings were restored to the default values. 4949 MPSSVC Rule-Level Policy Change
215 unknown Policy Change Windows Vista, Windows Server 2008 A Windows Firewall setting has changed. 4950 MPSSVC Rule-Level Policy Change
216 failure Policy Change Windows Vista, Windows Server 2008 A rule has been ignored because its major version number was not recognized by Windows Firewall. 4951 MPSSVC Rule-Level Policy Change
217 unknown Policy Change Windows Vista, Windows Server 2008 Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. 4952 MPSSVC Rule-Level Policy Change
218 failure Policy Change Windows Vista, Windows Server 2008 A rule has been ignored by Windows Firewall because it could not parse the rule. 4953 MPSSVC Rule-Level Policy Change
219 unknown Policy Change Windows Vista, Windows Server 2008 Windows Firewall Group Policy settings have changed. The new settings have been applied. 4954 MPSSVC Rule-Level Policy Change
220 success Policy Change Windows Vista, Windows Server 2008 Windows Firewall has changed the active profile. 4956 MPSSVC Rule-Level Policy Change
221 unknown Policy Change Windows Vista, Windows Server 2008 Windows Firewall did not apply the following rule: 4957 MPSSVC Rule-Level Policy Change
222 unknown Policy Change Windows Vista, Windows Server 2008 Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: 4958 MPSSVC Rule-Level Policy Change
223 unknown System Windows Vista, Windows Server 2008 IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. 4960 IPsec Driver
224 unknown System Windows Vista, Windows Server 2008 IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. 4961 IPsec Driver
225 unknown System Windows Vista, Windows Server 2008 IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. 4962 IPsec Driver
226 unknown System Windows Vista, Windows Server 2008 IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. 4963 IPsec Driver
227 unknown Logon/Logoff Windows Vista, Windows Server 2008 Special groups have been assigned to a new logon. 4964 Special Logon
228 unknown System Windows Vista, Windows Server 2008 IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. 4965 IPsec Driver
229 unknown Logon/Logoff Windows Vista, Windows Server 2008 During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. 4976 IPsec Main Mode
230 unknown Logon/Logoff Windows Vista, Windows Server 2008 During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. 4977 IPsec Quick Mode
231 unknown Logon/Logoff Windows Vista, Windows Server 2008 During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. 4978 IPsec Extended Mode
232 unknown Logon/Logoff Windows Vista, Windows Server 2008 IPsec Main Mode and Extended Mode security associations were established. 4979 IPsec Extended Mode
233 unknown Logon/Logoff Windows Vista, Windows Server 2008 IPsec Main Mode and Extended Mode security associations were established. 4980 IPsec Extended Mode
234 unknown Logon/Logoff Windows Vista, Windows Server 2008 IPsec Main Mode and Extended Mode security associations were established. 4981 IPsec Extended Mode
235 unknown Logon/Logoff Windows Vista, Windows Server 2008 IPsec Main Mode and Extended Mode security associations were established. 4982 IPsec Extended Mode
236 unknown Logon/Logoff Windows Vista, Windows Server 2008 An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. 4983 IPsec Extended Mode
237 unknown Logon/Logoff Windows Vista, Windows Server 2008 An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. 4984 IPsec Extended Mode
238 success Object Access Windows Vista, Windows Server 2008 The state of a transaction has changed. 4985 File System
239 success System Windows Vista, Windows Server 2008 The Windows Firewall Service has started successfully. 5024 Other System Events
240 unknown System Windows Vista, Windows Server 2008 The Windows Firewall Service has been stopped. 5025 Other System Events
241 unknown System Windows Vista, Windows Server 2008 The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. 5027 Other System Events
242 unknown System Windows Vista, Windows Server 2008 The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. 5028 Other System Events
243 unknown System Windows Vista, Windows Server 2008 The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. 5029 Other System Events
244 unknown System Windows Vista, Windows Server 2008 The Windows Firewall Service failed to start. 5030 Other System Events
245 unknown Object Access Windows Vista, Windows Server 2008 The Windows Firewall Service blocked an application from accepting incoming connections on the network. 5031 Filtering Platform Connection
246 unknown System Windows Vista, Windows Server 2008 Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. 5032 Other System Events
247 success System Windows Vista, Windows Server 2008 The Windows Firewall Driver has started successfully. 5033 Other System Events
248 unknown System Windows Vista, Windows Server 2008 The Windows Firewall Driver has been stopped. 5034 Other System Events
249 unknown System Windows Vista, Windows Server 2008 The Windows Firewall Driver failed to start. 5035 Other System Events
250 unknown System Windows Vista, Windows Server 2008 The Windows Firewall Driver detected critical runtime error. Terminating. 5037 Other System Events
251 unknown System Windows Vista, Windows Server 2008 Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. 5038 System Integrity
252 unknown Object Access Windows Vista, Windows Server 2008 A registry key was virtualized. 5039 Registry
253 unknown Policy Change Windows Vista, Windows Server 2008 A change has been made to IPsec settings. An Authentication Set was added. 5040 Filtering Platform Policy Change
254 unknown Policy Change Windows Vista, Windows Server 2008 A change has been made to IPsec settings. An Authentication Set was modified. 5041 Filtering Platform Policy Change
255 unknown Policy Change Windows Vista, Windows Server 2008 A change has been made to IPsec settings. An Authentication Set was deleted. 5042 Filtering Platform Policy Change
256 unknown Policy Change Windows Vista, Windows Server 2008 A change has been made to IPsec settings. A Connection Security Rule was added. 5043 Filtering Platform Policy Change
257 unknown Policy Change Windows Vista, Windows Server 2008 A change has been made to IPsec settings. A Connection Security Rule was modified. 5044 Filtering Platform Policy Change
258 unknown Policy Change Windows Vista, Windows Server 2008 A change has been made to IPsec settings. A Connection Security Rule was deleted. 5045 Filtering Platform Policy Change
259 unknown Policy Change Windows Vista, Windows Server 2008 A change has been made to IPsec settings. A Crypto Set was added. 5046 Filtering Platform Policy Change
260 unknown Policy Change Windows Vista, Windows Server 2008 A change has been made to IPsec settings. A Crypto Set was modified. 5047 Filtering Platform Policy Change
261 unknown Policy Change Windows Vista, Windows Server 2008 A change has been made to IPsec settings. A Crypto Set was deleted. 5048 Filtering Platform Policy Change
262 unknown Logon/Logoff Windows Vista, Windows Server 2008 An IPsec Security Association was deleted. 5049 IPsec Main Mode
263 unknown Object Access Windows Vista, Windows Server 2008 A file was virtualized. 5051 File System
264 success System Windows Vista, Windows Server 2008 A cryptographic self test was performed. 5056 System Integrity
265 unknown System Windows Vista, Windows Server 2008 A cryptographic primitive operation failed. 5057 System Integrity
266 success System Windows Vista, Windows Server 2008 Key file operation. 5058 Other System Events
267 success System Windows Vista, Windows Server 2008 Key migration operation. 5059 Other System Events
268 unknown System Windows Vista, Windows Server 2008 Verification operation failed. 5060 System Integrity
269 failure System Windows Vista, Windows Server 2008 Cryptographic operation. 5061 System Integrity
270 unknown System Windows Vista, Windows Server 2008 A kernel-mode cryptographic self test was performed. 5062 System Integrity
271 unknown Policy Change Windows Vista, Windows Server 2008 A cryptographic provider operation was attempted. 5063 Other Policy Change Events
272 unknown Policy Change Windows Vista, Windows Server 2008 A cryptographic context operation was attempted. 5064 Other Policy Change Events
273 unknown Policy Change Windows Vista, Windows Server 2008 A cryptographic context modification was attempted. 5065 Other Policy Change Events
274 unknown Policy Change Windows Vista, Windows Server 2008 A cryptographic function operation was attempted. 5066 Other Policy Change Events
275 unknown Policy Change Windows Vista, Windows Server 2008 A cryptographic function modification was attempted. 5067 Other Policy Change Events
276 unknown Policy Change Windows Vista, Windows Server 2008 A cryptographic function provider operation was attempted. 5068 Other Policy Change Events
277 unknown Policy Change Windows Vista, Windows Server 2008 A cryptographic function property operation was attempted. 5069 Other Policy Change Events
278 unknown Policy Change Windows Vista, Windows Server 2008 A cryptographic function property modification was attempted. 5070 Other Policy Change Events
279 success DS Access Windows Vista, Windows Server 2008 A directory service object was modified. 5136 Directory Service Changes
280 unknown DS Access Windows Vista, Windows Server 2008 A directory service object was created. 5137 Directory Service Changes
281 unknown DS Access Windows Vista, Windows Server 2008 A directory service object was undeleted. 5138 Directory Service Changes
282 unknown DS Access Windows Vista, Windows Server 2008 A directory service object was moved. 5139 Directory Service Changes
283 failure Object Access Windows Vista, Windows Server 2008 A network share object was accessed. 5140 File Share
284 unknown DS Access Windows Vista SP1, Windows Server 2008 A directory service object was deleted. 5141 Directory Service Changes
285 unknown Object Access Windows 7, Windows Server 2008 R2 A network share object was added. 5142 File Share
286 success Object Access Windows 7, Windows Server 2008 R2 A network share object was modified. 5143 File Share
287 unknown Object Access Windows 7, Windows Server 2008 R2 A network share object was deleted. 5144 File Share
288 unknown Object Access Windows 7, Windows Server 2008 R2 A network share object was checked to see whether the client can be granted desired access. 5145 Detailed File Share
289 unknown Object Access Windows 7, Windows Server 2008 R2 The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. 5148 Other Object Access Events
290 unknown Object Access Windows 7, Windows Server 2008 R2 The DoS attack has subsided and normal processing is being resumed. 5149 Other Object Access Events
291 unknown Object Access Windows 7, Windows Server 2008 R2 The Windows Filtering Platform has blocked a packet. 5150 Filtering Platform Connection
292 unknown Object Access Windows 7, Windows Server 2008 R2 A more restrictive Windows Filtering Platform filter has blocked a packet. 5151 Filtering Platform Connection
293 failure Object Access Windows Vista, Windows Server 2008 The Windows Filtering Platform blocked a packet. 5152 Filtering Platform Packet Drop
294 unknown Object Access Windows Vista, Windows Server 2008 A more restrictive Windows Filtering Platform filter has blocked a packet. 5153 Filtering Platform Packet Drop
295 success Object Access Windows Vista, Windows Server 2008 The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 5154 Filtering Platform Connection
296 unknown Object Access Windows Vista, Windows Server 2008 The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 5155 Filtering Platform Connection
297 success Object Access Windows Vista, Windows Server 2008 The Windows Filtering Platform has allowed a connection. 5156 Filtering Platform Connection
298 failure Object Access Windows Vista, Windows Server 2008 The Windows Filtering Platform has blocked a connection. 5157 Filtering Platform Connection
299 success Object Access Windows Vista, Windows Server 2008 The Windows Filtering Platform has permitted a bind to a local port. 5158 Filtering Platform Connection
300 unknown Object Access Windows Vista, Windows Server 2008 The Windows Filtering Platform has blocked a bind to a local port. 5159 Filtering Platform Connection
301 unknown Object Access Windows 7, Windows Server 2008 R2 Spn check for SMB/SMB2 failed. 5168 File Share
302 read Account Management Windows Vista, Windows Server 2008 Credential Manager credentials were backed up. 5376 User Account Management success Account Management user
303 modified Account Management Windows Vista, Windows Server 2008 Credential Manager credentials were restored from a backup. 5377 User Account Management success Account Management user
304 unknown Logon/Logoff Windows Vista, Windows Server 2008 The requested credentials delegation was disallowed by policy. 5378 Other Logon/Logoff Events
305 success Policy Change Windows Vista, Windows Server 2008 The following callout was present when the Windows Filtering Platform Base Filtering Engine started. 5440 Filtering Platform Policy Change
306 success Policy Change Windows Vista, Windows Server 2008 The following filter was present when the Windows Filtering Platform Base Filtering Engine started. 5441 Filtering Platform Policy Change
307 success Policy Change Windows Vista, Windows Server 2008 The following provider was present when the Windows Filtering Platform Base Filtering Engine started. 5442 Filtering Platform Policy Change
308 unknown Policy Change Windows Vista, Windows Server 2008 The following provider context was present when the Windows Filtering Platform Base Filtering Engine started. 5443 Filtering Platform Policy Change
309 success Policy Change Windows Vista, Windows Server 2008 The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started. 5444 Filtering Platform Policy Change
310 success Policy Change Windows Vista, Windows Server 2008 A Windows Filtering Platform callout has been changed. 5446 Filtering Platform Policy Change
311 success Policy Change Windows Vista, Windows Server 2008 A Windows Filtering Platform filter has been changed. 5447 Other Policy Change Events
312 success Policy Change Windows Vista, Windows Server 2008 A Windows Filtering Platform provider has been changed. 5448 Filtering Platform Policy Change
313 success Policy Change Windows Vista, Windows Server 2008 A Windows Filtering Platform provider context has been changed. 5449 Filtering Platform Policy Change
314 success Policy Change Windows Vista, Windows Server 2008 A Windows Filtering Platform sub-layer has been changed. 5450 Filtering Platform Policy Change
315 unknown Logon/Logoff Windows Vista, Windows Server 2008 An IPsec Quick Mode security association was established. 5451 IPsec Quick Mode
316 unknown Logon/Logoff Windows Vista, Windows Server 2008 An IPsec Quick Mode security association ended. 5452 IPsec Quick Mode
317 unknown Logon/Logoff Windows Vista, Windows Server 2008 An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. 5453 IPsec Main Mode
318 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine applied Active Directory storage IPsec policy on the computer. 5456 Filtering Platform Policy Change
319 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine failed to apply Active Directory storage IPsec policy on the computer. 5457 Filtering Platform Policy Change
320 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. 5458 Filtering Platform Policy Change
321 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. 5459 Filtering Platform Policy Change
322 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine applied local registry storage IPsec policy on the computer. 5460 Filtering Platform Policy Change
323 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine failed to apply local registry storage IPsec policy on the computer. 5461 Filtering Platform Policy Change
324 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem. 5462 Filtering Platform Policy Change
325 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine polled for changes to the active IPsec policy and detected no changes. 5463 Filtering Platform Policy Change
326 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services. 5464 Filtering Platform Policy Change
327 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully. 5465 Filtering Platform Policy Change
328 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied. 5466 Filtering Platform Policy Change
329 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used. 5467 Filtering Platform Policy Change
330 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used. 5468 Filtering Platform Policy Change
331 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine loaded local storage IPsec policy on the computer. 5471 Filtering Platform Policy Change
332 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine failed to load local storage IPsec policy on the computer. 5472 Filtering Platform Policy Change
333 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine loaded directory storage IPsec policy on the computer. 5473 Filtering Platform Policy Change
334 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine failed to load directory storage IPsec policy on the computer. 5474 Filtering Platform Policy Change
335 unknown Policy Change Windows Vista, Windows Server 2008 PAStore Engine failed to add quick mode filter. 5477 Filtering Platform Policy Change
336 unknown System Windows Vista, Windows Server 2008 IPsec Services has started successfully. 5478 IPsec Driver
337 unknown System Windows Vista, Windows Server 2008 IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. 5479 IPsec Driver
338 unknown System Windows Vista, Windows Server 2008 IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. 5480 IPsec Driver
339 unknown System Windows Vista, Windows Server 2008 IPsec Services failed to initialize RPC server. IPsec Services could not be started. 5483 IPsec Driver
340 unknown System Windows Vista, Windows Server 2008 IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. 5484 IPsec Driver
341 unknown System Windows Vista, Windows Server 2008 IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. 5485 IPsec Driver
342 unknown Logon/Logoff Windows Vista, Windows Server 2008 A request was made to authenticate to a wireless network. 5632 Other Logon/Logoff Events
343 unknown Logon/Logoff Windows Vista, Windows Server 2008 A request was made to authenticate to a wired network. 5633 Other Logon/Logoff Events
344 unknown Detailed Tracking Windows Vista, Windows Server 2008 A Remote Procedure Call (RPC) was attempted. 5712 RPC Events
345 unknown Object Access Windows Vista, Windows Server 2008 An object in the COM+ Catalog was modified. 5888 Other Object Access Events
346 unknown Object Access Windows Vista, Windows Server 2008 An object was deleted from the COM+ Catalog. 5889 Other Object Access Events
347 unknown Object Access Windows Vista, Windows Server 2008 An object was added to the COM+ Catalog. 5890 Other Object Access Events
348 success Policy Change Windows Vista, Windows Server 2008 Security policy in the group policy objects has been applied successfully. 6144 Other Policy Change Events
349 unknown Policy Change Windows Vista, Windows Server 2008 One or more errors occurred while processing security policy in the group policy objects. 6145 Other Policy Change Events
350 unknown Logon/Logoff Windows Vista SP1, Windows Server 2008 Network Policy Server granted access to a user. 6272 Network Policy Server
351 unknown Logon/Logoff Windows Vista SP1, Windows Server 2008 Network Policy Server denied access to a user. 6273 Network Policy Server
352 unknown Logon/Logoff Windows Vista SP1, Windows Server 2008 Network Policy Server discarded the request for a user. 6274 Network Policy Server
353 unknown Logon/Logoff Windows Vista SP1, Windows Server 2008 Network Policy Server discarded the accounting request for a user. 6275 Network Policy Server
354 unknown Logon/Logoff Windows Vista SP1, Windows Server 2008 Network Policy Server quarantined a user. 6276 Network Policy Server
355 unknown Logon/Logoff Windows Vista SP1, Windows Server 2008 Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. 6277 Network Policy Server
356 unknown Logon/Logoff Windows Vista SP1, Windows Server 2008 Network Policy Server granted full access to a user because the host met the defined health policy. 6278 Network Policy Server
357 unknown Logon/Logoff Windows Vista SP1, Windows Server 2008 Network Policy Server locked the user account due to repeated failed authentication attempts. 6279 Network Policy Server
358 unknown Logon/Logoff Windows Vista SP1, Windows Server 2008 Network Policy Server unlocked the user account. 6280 Network Policy Server
359 unknown System Windows 7, Windows Server 2008 R2 Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error 6281 System Integrity
360 unknown System Windows 7, Windows Server 2008 R2 BranchCache: Received an incorrectly formatted response while discovering availability of content. 6400 Other System Events
361 unknown System Windows 7, Windows Server 2008 R2 BranchCache: Received invalid data from a peer. Data discarded. 6401 Other System Events
362 unknown System Windows 7, Windows Server 2008 R2 BranchCache: The message to the hosted cache offering it data is incorrectly formatted. 6402 Other System Events
363 unknown System Windows 7, Windows Server 2008 R2 BranchCache: The hosted cache sent an incorrectly formatted response to the client. 6403 Other System Events
364 unknown System Windows 7, Windows Server 2008 R2 BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. 6404 Other System Events
365 unknown System Windows 7, Windows Server 2008 R2 BranchCache: %2 instance(s) of event id %1 occurred. 6405 Other System Events
366 unknown System Windows 7, Windows Server 2008 R2 %1 registered to Windows Firewall to control filtering for the following: %2 6406 Other System Events
367 unknown System Windows 7, Windows Server 2008 R2 1% 6407 Other System Events

24
deployment-apps/TA-microsoft-windows/lookups/wineventlog_security_signature_sub_id.csv
Unescape View File

@ -0,0 +1,24 @@
signature_id,signature_sub_id,signature_sub
4625,0xc000005e,"There are currently no logon servers available to service the logon request"
4625,0xc0000064,"User name does not exist"
4625,0xC0000064,"User name does not exist"
4625,0xc000006a,"User name is correct but the password is wrong"
4625,0xC000006A,"User name is correct but the password is wrong"
4625,0xc0000234,"User is currently locked out"
4625,0xC0000234,"User is currently locked out"
4625,0xc0000072,"Account is currently disabled"
4625,0xC0000072,"Account is currently disabled"
4625,0xc000006f,"User tried to logon outside his day of week or time of day restrictions"
4625,0xC000006F,"User tried to logon outside his day of week or time of day restrictions"
4625,0xc0000070,"Workstation restriction"
4625,0xC0000070,"Workstation restriction"
4625,0xc0000193,"Account expiration"
4625,0xC0000193,"Account expiration"
4625,0xc0000071,"Expired password"
4625,0xC0000071,"Expired password"
4625,0xc0000133,"Clocks between DC and other computer too far out of sync"
4625,0xC0000133,"Clocks between DC and other computer too far out of sync"
4625,0xc0000224,"User is required to change password at next logon"
4625,0xC0000224,"User is required to change password at next logon"
4625,0xc0000225,"Evidently a bug in Windows and not a risk"
4625,0xC0000225,"Evidently a bug in Windows and not a risk"
1 signature_id signature_sub_id signature_sub
2 4625 0xc000005e There are currently no logon servers available to service the logon request
3 4625 0xc0000064 User name does not exist
4 4625 0xC0000064 User name does not exist
5 4625 0xc000006a User name is correct but the password is wrong
6 4625 0xC000006A User name is correct but the password is wrong
7 4625 0xc0000234 User is currently locked out
8 4625 0xC0000234 User is currently locked out
9 4625 0xc0000072 Account is currently disabled
10 4625 0xC0000072 Account is currently disabled
11 4625 0xc000006f User tried to logon outside his day of week or time of day restrictions
12 4625 0xC000006F User tried to logon outside his day of week or time of day restrictions
13 4625 0xc0000070 Workstation restriction
14 4625 0xC0000070 Workstation restriction
15 4625 0xc0000193 Account expiration
16 4625 0xC0000193 Account expiration
17 4625 0xc0000071 Expired password
18 4625 0xC0000071 Expired password
19 4625 0xc0000133 Clocks between DC and other computer too far out of sync
20 4625 0xC0000133 Clocks between DC and other computer too far out of sync
21 4625 0xc0000224 User is required to change password at next logon
22 4625 0xC0000224 User is required to change password at next logon
23 4625 0xc0000225 Evidently a bug in Windows and not a risk
24 4625 0xC0000225 Evidently a bug in Windows and not a risk

5
deployment-apps/TA-microsoft-windows/lookups/wineventlog_sourcetype_vendor_product.csv
Unescape View File

@ -0,0 +1,5 @@
sourcetype,vendor,product
WinEventLog:Security,Microsoft,Windows
WinEventLog:System,Microsoft,Windows
XmlWinEventLog:Security,Microsoft,Windows
XmlWinEventLog:System,Microsoft,Windows
1 sourcetype vendor product
2 WinEventLog:Security Microsoft Windows
3 WinEventLog:System Microsoft Windows
4 XmlWinEventLog:Security Microsoft Windows
5 XmlWinEventLog:System Microsoft Windows

6
deployment-apps/TA-microsoft-windows/lookups/wineventlog_vendor_severity_id.csv
Unescape View File

@ -0,0 +1,6 @@
vendor_severity_id, vendor_severity
1, critical
2, error
3, warning
4, informational
5, verbose
1 vendor_severity_id vendor_severity
2 1 critical
3 2 error
4 3 warning
5 4 informational
6 5 verbose

4
deployment-apps/TA-microsoft-windows/metadata/default.meta
Unescape View File

@ -0,0 +1,4 @@
[]
access = read : [ * ], write : [ admin ]
export = system

11
deployment-apps/TA-microsoft-windows/samples/AppPopup.26.windows
Unescape View File

@ -0,0 +1,11 @@
04/20/10 03:42:32 PM
LogName=System
SourceName=Application Popup
EventCode=26
EventType=4
Type=Information
ComputerName=HOST0167
Category=0
CategoryString=none
RecordNumber=4
Message=Application popup: Windows - Virtual Memory Minimum Too Low : Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file. During this process, memory requests for some applications may be denied. For more information, see Help.

27
deployment-apps/TA-microsoft-windows/samples/CPUTime.perfmon
Unescape View File

@ -0,0 +1,27 @@
04/14/2011 11:53:26.486
collection="CPU Load"
object=Processor
counter="% Processor Time"
instance=_Total
Value=@@proc_time
04/14/2011 11:53:26.486
collection="CPU Load"
object=Processor
counter="% User Time"
instance=_Total
Value=@@user_time
04/14/2011 11:53:26.486
collection="CPU Load"
object=Processor
counter="% Processor Time"
instance=_Total
Value=100
04/14/2011 11:53:26.486
collection="CPU Load"
object=Processor
counter="% User Time"
instance=_Total
Value=37

27
deployment-apps/TA-microsoft-windows/samples/FreeDiskSpace.perfmon
Unescape View File

@ -0,0 +1,27 @@
04/14/2011 13:45:37.170
collection=FreeDiskSpace
object=LogicalDisk
counter="Free Megabytes"
instance=E:
Value=@@mbytes_free
04/14/2011 13:45:37.170
collection=FreeDiskSpace
object=LogicalDisk
counter="% Free Space"
instance=E:
Value=@@perc_free
04/14/2011 13:45:37.170
collection=FreeDiskSpace
object=LogicalDisk
counter="Free Megabytes"
instance=F:
Value=3080
04/14/2011 13:45:37.170
collection=FreeDiskSpace
object=LogicalDisk
counter="% Free Space"
instance=F:
Value=0

11
deployment-apps/TA-microsoft-windows/samples/LSASRV.40961.windows
Unescape View File

@ -0,0 +1,11 @@
04/20/10 03:26:19 PM
LogName=System
SourceName=LSASRV
EventCode=40961
EventType=2
Type=Warning
ComputerName=HOST0201
Category=3
CategoryString=SPNEGO (Negotiator)
RecordNumber=2
Message=The Security System could not establish a secured connection with the server DNS/prisoner.iana.org. No authentication protocol was available.

6
deployment-apps/TA-microsoft-windows/samples/LocalNetwork.perfmon
Unescape View File

@ -0,0 +1,6 @@
04/14/2011 16:00:14.071
collection=LocalNetwork
object="Network Interface"
counter="Current Bandwidth"
instance="Intel[R] PRO_1000 MT Network Connection"
Value=1000000000

23
deployment-apps/TA-microsoft-windows/samples/Memory.perfmon
Unescape View File

@ -0,0 +1,23 @@
04/14/2011 12:27:07.498
collection="Available Memory"
object=Memory
counter="Available MBytes"
Value=432
04/14/2011 12:27:07.498
collection="Available Memory"
object=Memory
counter="Committed Bytes"
Value=649986048
04/14/2011 12:27:07.498
collection="Available Memory"
object=Memory
counter="Available MBytes"
Value=0
04/14/2011 12:27:07.498
collection="Available Memory"
object=Memory
counter="Committed Bytes"
Value=1102970880

11
deployment-apps/TA-microsoft-windows/samples/SCM.7036.windows
Unescape View File

@ -0,0 +1,11 @@
04/22/10 11:15:40 AM
LogName=System
SourceName=Service Control Manager
EventCode=7036
EventType=4
Type=Information
ComputerName=HOST0167
Category=0
CategoryString=none
RecordNumber=299
Message=The Windows Time service entered the running state.

17
deployment-apps/TA-microsoft-windows/samples/Security.1102.windows
Unescape View File

@ -0,0 +1,17 @@
07/25/2011 01:55:36 PM
LogName=Security
SourceName=Microsoft-Windows-Eventlog
EventCode=1102
EventType=4
Type=Information
ComputerName=SOLN-W2008R2-4
TaskCategory=Log clear
OpCode=Info
RecordNumber=2450
Keywords=Audit Success
Message=The audit log was cleared.
Subject:
Security ID: S-1-5-21-1850455071-2977647103-2894007570-1000
Account Name: bamboo
Domain Name: SOLN-W2008R2-4
Logon ID: 0x77220

27
deployment-apps/TA-microsoft-windows/samples/Security.4672.windows
Unescape View File

@ -0,0 +1,27 @@
09/11/09 03:08:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=WIN-L25DGSHI03K
TaskCategory=Special Logon
OpCode=Info
RecordNumber=105
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-4095465814-4193276578-644264660-500
Account Name: @@user
Account Domain: WIN-L25DGSHI03K
Logon ID: 0x5ba26
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege

29
deployment-apps/TA-microsoft-windows/samples/Security.4673.windows
Unescape View File

@ -0,0 +1,29 @@
05/02/11 03:39:59 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=WIN-L25DGSHI03K
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=1307
Keywords=Audit Success
Message=A privileged service was called.
Subject:
Security ID: S-1-5-18
Account Name: WIN-L25DGSHI03K$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Service:
Server: NT Local Security Authority / Authentication Service
Service Name: LsaRegisterLogonProcess()
Process:
Process ID: 0x1dc
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege

32
deployment-apps/TA-microsoft-windows/samples/Security.4688.windows
Unescape View File

@ -0,0 +1,32 @@
05/02/11 03:49:28 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=WIN-L25DGSHI03K
TaskCategory=Process Creation
OpCode=Info
RecordNumber=2184
Keywords=Audit Success
Message=A new process has been created.
Subject:
Security ID: S-1-5-18
Account Name: WIN-L25DGSHI03K$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Process Information:
New Process ID: 0x7f4
New Process Name: C:\Program Files\Splunk\bin\splunk-optimize.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0x74c
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

23
deployment-apps/TA-microsoft-windows/samples/Security.4689.windows
Unescape View File

@ -0,0 +1,23 @@
05/02/11 03:47:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=WIN-L25DGSHI03K
TaskCategory=Process Termination
OpCode=Info
RecordNumber=2021
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: S-1-5-18
Account Name: WIN-L25DGSHI03K$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Process Information:
Process ID: 0x72c
Process Name: C:\Program Files\Splunk\bin\splunk-optimize.exe
Exit Status: 0xffffffe1

24
deployment-apps/TA-microsoft-windows/samples/Security.4717.windows
Unescape View File

@ -0,0 +1,24 @@
09/11/09 03:08:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4717
EventType=0
Type=Information
ComputerName=WIN-L25DGSHI03K
TaskCategory=Authentication Policy Change
OpCode=Info
RecordNumber=162
Keywords=Audit Success
Message=System security access was granted to an account.
Subject:
Security ID: S-1-5-18
Account Name: WIN-L25DGSHI03K$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Account Modified:
Account Name: S-1-5-21-4095465814-4193276578-644264660-1000
Access Granted:
Access Right: SeServiceLogonRight

24
deployment-apps/TA-microsoft-windows/samples/Security.4718.windows
Unescape View File

@ -0,0 +1,24 @@
09/11/09 03:08:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4718
EventType=0
Type=Information
ComputerName=WIN-L25DGSHI03K
TaskCategory=Authentication Policy Change
OpCode=Info
RecordNumber=169
Keywords=Audit Success
Message=System security access was removed from an account.
Subject:
Security ID: S-1-5-18
Account Name: WIN-L25DGSHI03K$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Account Modified:
Account Name: S-1-5-32-544
Access Removed:
Access Right: SeRemoteInteractiveLogonRight

26
deployment-apps/TA-microsoft-windows/samples/Security.4726.windows
Unescape View File

@ -0,0 +1,26 @@
03/07/2012 07:13:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4726
EventType=0
Type=Information
ComputerName=SOLN-W2008R2-6
TaskCategory=User Account Management
OpCode=Info
RecordNumber=17758522
Keywords=Audit Success
Message=A user account was deleted.
Subject:
Security ID: SPLUNK\splunker_admin
Account Name: splunker_admin
Account Domain: SPLUNK
Logon ID: 0x55e4059d
Target Account:
Security ID: S-1-5-21-807344451-4160805990-1156053029-3440
Account Name: splunkertest
Account Domain: SPLUNK
Additional Information:
Privileges -

26
deployment-apps/TA-microsoft-windows/samples/Security.4743.windows
Unescape View File

@ -0,0 +1,26 @@
03/07/2012 10:14:25 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4743
EventType=0
Type=Information
ComputerName=devlan.local
TaskCategory=Computer Account Management
OpCode=Info
RecordNumber=5999972
Keywords=Audit Success
Message=A computer account was deleted.
Subject:
Security ID: SPLUNK\splunk_admin
Account Name: splunk_admin
Account Domain: SPLUNK
Logon ID: 0x7702f1fc
Target Computer:
Security ID: S-1-5-21-807344451-4160805990-1156053029-2593
Account Name: splunktest
Account Domain: SPLUNK
Additional Information:
Privileges: -

14
deployment-apps/TA-microsoft-windows/samples/W32Time.17.windows
Unescape View File

@ -0,0 +1,14 @@
04/22/10 11:15:40 AM
LogName=System
SourceName=W32Time
EventCode=17
EventType=1
Type=Error
ComputerName=HOST0167
Category=0
CategoryString=none
RecordNumber=297
Message=Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'invalid.address.org'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: No such service is known. The service cannot be found in the specified name space. (0x8007277C)

14
deployment-apps/TA-microsoft-windows/samples/W32Time.29.windows
Unescape View File

@ -0,0 +1,14 @@
04/22/10 11:15:40 AM
LogName=System
SourceName=W32Time
EventCode=29
EventType=1
Type=Error
ComputerName=HOST0167
Category=0
CategoryString=none
RecordNumber=296
Message=The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

12
deployment-apps/TA-microsoft-windows/samples/W32Time.35.windows
Unescape View File

@ -0,0 +1,12 @@
04/22/10 09:49:37 AM
LogName=System
SourceName=W32Time
EventCode=35
EventType=4
Type=Information
ComputerName=HOST0201
Category=0
CategoryString=none
RecordNumber=271
Message=The time service is now synchronizing the system time with the time
source time-a.nist.gov (ntp.m|0x1|192.168.165.148:123->129.6.15.28:123).

22
deployment-apps/TA-microsoft-windows/samples/WinHostMon-OperatingSystem
Unescape View File

@ -0,0 +1,22 @@
Type=OperatingSystem
OS="Microsoft Windows 7 Enterprise "
Architecture="64-bit"
Version="6.1.7601"
BuildNumber="7601"
BuildType="Multiprocessor Free"
ServicePack="Service Pack 1"
SerialNumber="55041-011-3142585-86240"
ComputerName="ARAMANI-XC1"
InstallDate="20140409044852.000000-420"
LastBootUpTime="20150527114617.109999-420"
Locale="0409"
TotalPhysicalMemoryKB="8040020"
FreePhysicalMemoryKB="4276976"
TotalVirtualMemoryKB="16078184"
FreeVirtualMemoryKB="11603632"
Status="OK"
CodeSet="1252"
CountryCode="1"
SystemDevice="\Device\HarddiskVolume2"
SystemDrive="C:"
SystemDirectory="C:\Windows\system32"

8
deployment-apps/TA-microsoft-windows/samples/WinHostMon-Processor
Unescape View File

@ -0,0 +1,8 @@
Type=Processor
Name="Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz"
Manufacturer="GenuineIntel"
Architecture="x64"
ClockSpeedMHz=2079
NumberOfCores=2
NumberOfProcessors=4
Processor Id="BFEBFBFF00040651"

150
deployment-apps/TA-microsoft-windows/samples/WindowsUpdateClient.19.windows
Unescape View File

@ -0,0 +1,150 @@
06/16/10 06:48:43 PM
LogName=System
SourceName=Microsoft-Windows-WindowsUpdateClient
EventCode=19
EventType=4
Type=Information
ComputerName=WIN-5K02CFOZADA
User=SYSTEM
Sid=S-1-5-18
SidType=1
TaskCategory=Windows Update Agent
OpCode=Installation
RecordNumber=28136
Keywords=Installation
Message=Installation Successful: Windows successfully installed the following update: Microsoft .NET Framework 3.5 SP1 Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB982535)
06/16/10 06:48:43 PM
LogName=System
SourceName=Microsoft-Windows-WindowsUpdateClient
EventCode=19
EventType=4
Type=Information
ComputerName=WIN-5K02CFOZADA
User=SYSTEM
Sid=S-1-5-18
SidType=1
TaskCategory=Windows Update Agent
OpCode=Installation
RecordNumber=28137
Keywords=Installation
Message=Installation Successful: Windows successfully installed the following update: Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911)
06/16/10 06:48:43 PM
LogName=System
SourceName=Microsoft-Windows-WindowsUpdateClient
EventCode=19
EventType=4
Type=Information
ComputerName=WIN-5K02CFOZADA
User=SYSTEM
Sid=S-1-5-18
SidType=1
TaskCategory=Windows Update Agent
OpCode=Installation
RecordNumber=28138
Keywords=Installation
Message=Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB975562)
06/16/10 06:48:43 PM
LogName=System
SourceName=Microsoft-Windows-WindowsUpdateClient
EventCode=19
EventType=4
Type=Information
ComputerName=WIN-5K02CFOZADA
User=SYSTEM
Sid=S-1-5-18
SidType=1
TaskCategory=Windows Update Agent
OpCode=Installation
RecordNumber=28139
Keywords=Installation
Message=Installation Successful: Windows successfully installed the following update: Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB982632)
06/16/10 06:48:43 PM
LogName=System
SourceName=Microsoft-Windows-WindowsUpdateClient
EventCode=19
EventType=4
Type=Information
ComputerName=WIN-5K02CFOZADA
User=SYSTEM
Sid=S-1-5-18
SidType=1
TaskCategory=Windows Update Agent
OpCode=Installation
RecordNumber=28140
Keywords=Installation
Message=Installation Successful: Windows successfully installed the following update: Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195)
06/16/10 06:48:43 PM
LogName=System
SourceName=Microsoft-Windows-WindowsUpdateClient
EventCode=19
EventType=4
Type=Information
ComputerName=WIN-5K02CFOZADA
User=SYSTEM
Sid=S-1-5-18
SidType=1
TaskCategory=Windows Update Agent
OpCode=Installation
RecordNumber=28141
Keywords=Installation
Message=Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB980218)
06/16/10 06:48:43 PM
LogName=System
SourceName=Microsoft-Windows-WindowsUpdateClient
EventCode=19
EventType=4
Type=Information
ComputerName=WIN-5K02CFOZADA
User=SYSTEM
Sid=S-1-5-18
SidType=1
TaskCategory=Windows Update Agent
OpCode=Installation
RecordNumber=28142
Keywords=Installation
Message=Installation Successful: Windows successfully installed the following update: Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB982381)
06/16/10 06:48:43 PM
LogName=System
SourceName=Microsoft-Windows-WindowsUpdateClient
EventCode=19
EventType=4
Type=Information
ComputerName=WIN-5K02CFOZADA
User=SYSTEM
Sid=S-1-5-18
SidType=1
TaskCategory=Windows Update Agent
OpCode=Installation
RecordNumber=28143
Keywords=Installation
Message=Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB979559)
06/16/10 06:48:43 PM
LogName=System
SourceName=Microsoft-Windows-WindowsUpdateClient
EventCode=19
EventType=4
Type=Information
ComputerName=WIN-5K02CFOZADA
User=SYSTEM
Sid=S-1-5-18
SidType=1
TaskCategory=Windows Update Agent
OpCode=Installation
RecordNumber=28136
Keywords=Installation
Message=Installation Successful: Windows successfully installed the following update: Microsoft .NET Framework 3.5 SP1 Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB982535)
10/06/09 10:37:04 AM
LogName=System
SourceName=Microsoft-Windows-WindowsUpdateClient
EventCode=19
EventType=4
Type=Information
ComputerName=WIN-5K02CFOZADA
User=SYSTEM
Sid=S-1-5-18
SidType=1
TaskCategory=Windows Update Agent
OpCode=Installation
RecordNumber=11640
Keywords=Installation
Message=Installation Successful: Windows successfully installed the following update: Windows Update Aux

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4608.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4608</EventID><Version>0</Version><Level>0</Level><Task>12288</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-07-10T20:01:01.569766600Z'/><EventRecordID>28</EventRecordID><Correlation/><Execution ProcessID='464' ThreadID='468'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData></EventData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4616.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4616</EventID><Version>1</Version><Level>0</Level><Task>12288</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-07-21T22:45:15.049706900Z'/><EventRecordID>418</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='128'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>WIN-9DV9ENFEJEG$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PreviousTime'>2014-07-21T22:45:03.965938600Z</Data><Data Name='NewTime'>2014-07-21T22:45:15.050000000Z</Data><Data Name='ProcessId'>0x504</Data><Data Name='ProcessName'>C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Data></EventData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4624.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>1</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-07-22T04:31:59.442383400Z'/><EventRecordID>524</EventRecordID><Correlation/><Execution ProcessID='492' ThreadID='520'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>WIN-9DV9ENFEJEG$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'></Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x1e4</Data><Data Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data><Data Name='ImpersonationLevel'>%%1833</Data></EventData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4625.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2014-08-13T00:43:36.302481600Z'/><EventRecordID>1880</EventRecordID><Correlation/><Execution ProcessID='508' ThreadID='2248'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>WIN-9DV9ENFEJEG$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>Administrator</Data><Data Name='TargetDomainName'>WIN-9DV9ENFEJEG</Data><Data Name='Status'>0xc000010b</Data><Data Name='FailureReason'>%%2304</Data><Data Name='SubStatus'>0x0</Data><Data Name='LogonType'>11</Data><Data Name='LogonProcessName'>CredPro</Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'>WIN-9DV9ENFEJEG</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0xd20</Data><Data Name='ProcessName'>C:\Windows\System32\consent.exe</Data><Data Name='IpAddress'>::1</Data><Data Name='IpPort'>0</Data></EventData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4634.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4634</EventID><Version>0</Version><Level>0</Level><Task>12545</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-08-13T00:45:05.216561500Z'/><EventRecordID>1895</EventRecordID><Correlation/><Execution ProcessID='508' ThreadID='3228'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='TargetUserSid'>S-1-5-21-3971707290-3287975982-528657165-500</Data><Data Name='TargetUserName'>Administrator</Data><Data Name='TargetDomainName'>WIN-9DV9ENFEJEG</Data><Data Name='TargetLogonId'>0xaf04b0</Data><Data Name='LogonType'>2</Data></EventData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4647.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4647</EventID><Version>0</Version><Level>0</Level><Task>12545</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-07-11T19:36:20.285256700Z'/><EventRecordID>182</EventRecordID><Correlation/><Execution ProcessID='464' ThreadID='2148'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='TargetUserSid'>S-1-5-21-3971707290-3287975982-528657165-500</Data><Data Name='TargetUserName'>Administrator</Data><Data Name='TargetDomainName'>WIN-9DV9ENFEJEG</Data><Data Name='TargetLogonId'>0x20157d</Data></EventData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4648.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4648</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-07-21T22:52:48.146031400Z'/><EventRecordID>430</EventRecordID><Correlation/><Execution ProcessID='496' ThreadID='528'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>WIN-9DV9ENFEJEG$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TargetUserName'>DWM-1</Data><Data Name='TargetDomainName'>Window Manager</Data><Data Name='TargetLogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TargetServerName'>localhost</Data><Data Name='TargetInfo'>localhost</Data><Data Name='ProcessId'>0x1a4</Data><Data Name='ProcessName'>C:\Windows\System32\winlogon.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data></EventData></Event></Events>

11
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4672.windows.xml
Unescape View File

@ -0,0 +1,11 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-08-04T09:38:36.049352200Z'/><EventRecordID>768</EventRecordID><Correlation/><Execution ProcessID='488' ThreadID='3672'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSTEM</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege</Data></EventData></Event></Events>

4
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4720.windows.xml
Unescape View File

@ -0,0 +1,4 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4720</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-08-13T00:42:24.599269400Z'/><EventRecordID>1850</EventRecordID><Correlation/><Execution ProcessID='508' ThreadID='3228'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='TargetUserName'>aramani</Data><Data Name='TargetDomainName'>WIN-9DV9ENFEJEG</Data><Data Name='TargetSid'>S-1-5-21-3971707290-3287975982-528657165-1001</Data><Data Name='SubjectUserSid'>S-1-5-21-3971707290-3287975982-528657165-500</Data><Data Name='SubjectUserName'>Administrator</Data><Data Name='SubjectDomainName'>WIN-9DV9ENFEJEG</Data><Data Name='SubjectLogonId'>0x9caebb</Data><Data Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>aramani</Data><Data Name='DisplayName'>%%1793</Data><Data Name='UserPrincipalName'>-</Data><Data Name='HomeDirectory'>%%1793</Data><Data Name='HomePath'>%%1793</Data><Data Name='ScriptPath'>%%1793</Data><Data Name='ProfilePath'>%%1793</Data><Data Name='UserWorkstations'>%%1793</Data><Data Name='PasswordLastSet'>%%1794</Data><Data Name='AccountExpires'>%%1794</Data><Data Name='PrimaryGroupId'>513</Data><Data Name='AllowedToDelegateTo'>-</Data><Data Name='OldUacValue'>0x0</Data><Data Name='NewUacValue'>0x15</Data><Data Name='UserAccountControl'>
%%2080
%%2082
%%2084</Data><Data Name='UserParameters'>%%1793</Data><Data Name='SidHistory'>-</Data><Data Name='LogonHours'>%%1797</Data></EventData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4722.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4722</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-08-13T00:42:24.599269400Z'/><EventRecordID>1851</EventRecordID><Correlation/><Execution ProcessID='508' ThreadID='3228'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='TargetUserName'>aramani</Data><Data Name='TargetDomainName'>WIN-9DV9ENFEJEG</Data><Data Name='TargetSid'>S-1-5-21-3971707290-3287975982-528657165-1001</Data><Data Name='SubjectUserSid'>S-1-5-21-3971707290-3287975982-528657165-500</Data><Data Name='SubjectUserName'>Administrator</Data><Data Name='SubjectDomainName'>WIN-9DV9ENFEJEG</Data><Data Name='SubjectLogonId'>0x9caebb</Data></EventData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4724.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4724</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-07-10T20:02:27.896702700Z'/><EventRecordID>128</EventRecordID><Correlation/><Execution ProcessID='464' ThreadID='1580'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='TargetUserName'>Administrator</Data><Data Name='TargetDomainName'>WIN-9DV9ENFEJEG</Data><Data Name='TargetSid'>S-1-5-21-3971707290-3287975982-528657165-500</Data><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>WIN-9DV9ENFEJEG$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data></EventData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4728.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4728</EventID><Version>0</Version><Level>0</Level><Task>13826</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-08-13T00:42:24.599269400Z'/><EventRecordID>1849</EventRecordID><Correlation/><Execution ProcessID='508' ThreadID='3228'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='MemberName'>-</Data><Data Name='MemberSid'>S-1-5-21-3971707290-3287975982-528657165-1001</Data><Data Name='TargetUserName'>None</Data><Data Name='TargetDomainName'>WIN-9DV9ENFEJEG</Data><Data Name='TargetSid'>S-1-5-21-3971707290-3287975982-528657165-513</Data><Data Name='SubjectUserSid'>S-1-5-21-3971707290-3287975982-528657165-500</Data><Data Name='SubjectUserName'>Administrator</Data><Data Name='SubjectDomainName'>WIN-9DV9ENFEJEG</Data><Data Name='SubjectLogonId'>0x9caebb</Data><Data Name='PrivilegeList'>-</Data></EventData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4732.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4732</EventID><Version>0</Version><Level>0</Level><Task>13826</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-08-13T00:44:49.117128200Z'/><EventRecordID>1891</EventRecordID><Correlation/><Execution ProcessID='508' ThreadID='1436'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='MemberName'>-</Data><Data Name='MemberSid'>S-1-5-21-807344451-4160805990-1156053029-512</Data><Data Name='TargetUserName'>Administrators</Data><Data Name='TargetDomainName'>Builtin</Data><Data Name='TargetSid'>S-1-5-32-544</Data><Data Name='SubjectUserSid'>S-1-5-21-3971707290-3287975982-528657165-500</Data><Data Name='SubjectUserName'>Administrator</Data><Data Name='SubjectDomainName'>WIN-9DV9ENFEJEG</Data><Data Name='SubjectLogonId'>0xaf1ccd</Data><Data Name='PrivilegeList'>-</Data></EventData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4735.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4735</EventID><Version>0</Version><Level>0</Level><Task>13826</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-07-10T20:01:09.038246500Z'/><EventRecordID>57</EventRecordID><Correlation/><Execution ProcessID='464' ThreadID='488'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='TargetUserName'>Replicator</Data><Data Name='TargetDomainName'>Builtin</Data><Data Name='TargetSid'>S-1-5-32-552</Data><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>WIN-9DV9ENFEJEG$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>-</Data><Data Name='SidHistory'>-</Data></EventData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4738.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4738</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-08-13T00:42:24.614904300Z'/><EventRecordID>1855</EventRecordID><Correlation/><Execution ProcessID='508' ThreadID='3228'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='Dummy'>-</Data><Data Name='TargetUserName'>aramani</Data><Data Name='TargetDomainName'>WIN-9DV9ENFEJEG</Data><Data Name='TargetSid'>S-1-5-21-3971707290-3287975982-528657165-1001</Data><Data Name='SubjectUserSid'>S-1-5-21-3971707290-3287975982-528657165-500</Data><Data Name='SubjectUserName'>Administrator</Data><Data Name='SubjectDomainName'>WIN-9DV9ENFEJEG</Data><Data Name='SubjectLogonId'>0x9caebb</Data><Data Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>aramani</Data><Data Name='DisplayName'>aramani</Data><Data Name='UserPrincipalName'>-</Data><Data Name='HomeDirectory'>%%1793</Data><Data Name='HomePath'>%%1793</Data><Data Name='ScriptPath'>%%1793</Data><Data Name='ProfilePath'>%%1793</Data><Data Name='UserWorkstations'>%%1793</Data><Data Name='PasswordLastSet'>8/12/2014 5:42:24 PM</Data><Data Name='AccountExpires'>%%1794</Data><Data Name='PrimaryGroupId'>513</Data><Data Name='AllowedToDelegateTo'>-</Data><Data Name='OldUacValue'>0x210</Data><Data Name='NewUacValue'>0x210</Data><Data Name='UserAccountControl'>-</Data><Data Name='UserParameters'>-</Data><Data Name='SidHistory'>-</Data><Data Name='LogonHours'>%%1797</Data></EventData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4776.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4776</EventID><Version>0</Version><Level>0</Level><Task>14336</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-07-10T20:27:54.517083400Z'/><EventRecordID>157</EventRecordID><Correlation/><Execution ProcessID='464' ThreadID='3032'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='PackageName'>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data><Data Name='TargetUserName'>Administrator</Data><Data Name='Workstation'>WIN-9DV9ENFEJEG</Data><Data Name='Status'>0x0</Data></EventData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4781.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4781</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-07-10T20:01:09.038246500Z'/><EventRecordID>49</EventRecordID><Correlation/><Execution ProcessID='464' ThreadID='488'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='OldTargetUserName'>Users</Data><Data Name='NewTargetUserName'>Users</Data><Data Name='TargetDomainName'>Builtin</Data><Data Name='TargetSid'>S-1-5-32-545</Data><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>WIN-9DV9ENFEJEG$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>-</Data></EventData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4797.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4797</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-08-13T00:43:01.130636100Z'/><EventRecordID>1874</EventRecordID><Correlation/><Execution ProcessID='508' ThreadID='1436'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-21-3971707290-3287975982-528657165-1001</Data><Data Name='SubjectUserName'>aramani</Data><Data Name='SubjectDomainName'>WIN-9DV9ENFEJEG</Data><Data Name='SubjectLogonId'>0xa13207</Data><Data Name='Workstation'>WIN-9DV9ENFEJEG</Data><Data Name='TargetUserName'>Administrator</Data><Data Name='TargetDomainName'>WIN-9DV9ENFEJEG</Data></EventData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4902.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4902</EventID><Version>0</Version><Level>0</Level><Task>13568</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-07-21T22:42:02.171020600Z'/><EventRecordID>387</EventRecordID><Correlation/><Execution ProcessID='496' ThreadID='532'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='PuaCount'>0</Data><Data Name='PuaPolicyId'>0xb8c4</Data></EventData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4907.windows.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4907</EventID><Version>0</Version><Level>0</Level><Task>13568</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2014-08-05T20:11:06.517550200Z'/><EventRecordID>1298</EventRecordID><Correlation/><Execution ProcessID='488' ThreadID='496'/><Channel>Security</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>WIN-9DV9ENFEJEG$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</Data><Data Name='ObjectName'>C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms</Data><Data Name='HandleId'>0x14</Data><Data Name='OldSd'></Data><Data Name='NewSd'>S:ARAI(AU;SAFA;0x1f0116;;;WD)</Data><Data Name='ProcessId'>0xa6c</Data><Data Name='ProcessName'>C:\Windows\System32\poqexec.exe</Data></EventData></Event></Events>

25
deployment-apps/TA-microsoft-windows/samples/XmlSystem.update_ready.xml
Unescape View File

@ -0,0 +1,25 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-WindowsUpdateClient' Guid='{945A8954-C147-4ACD-923F-40C45405A658}'/><EventID>17</EventID><Version>0</Version><Level>4</Level><Task>2</Task><Opcode>12</Opcode><Keywords>0x8000000000000014</Keywords><TimeCreated SystemTime='2014-08-05T20:06:51.410078100Z'/><EventRecordID>2944</EventRecordID><Correlation/><Execution ProcessID='744' ThreadID='288'/><Channel>System</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security UserID='S-1-5-18'/></System><UserData><updatelist xmlns='http://manifests.microsoft.com/win/2004/08/windows/eventlog'>
- Update for Windows Server 2012 R2 (KB2971203)
- Update for Windows Server 2012 R2 (KB2950153)
- Security Update for Windows Server 2012 R2 (KB2964736)
- Update for Windows Server 2012 R2 (KB2938066)
- Cumulative Security Update for Internet Explorer 11 for Windows Server 2012 R2 (KB2962872)
- Update for Windows Server 2012 R2 (KB2975061)
- Update for Windows Server 2012 R2 (KB2956575)
- Update for .NET Native on Windows 8.1 and Windows Server 2012 R2 for x64-based Systems (KB2954879)
- Security Update for Windows Server 2012 R2 (KB2926765)
- Update for Windows Server 2012 R2 (KB2939087)
- Security Update for Windows Server 2012 R2 (KB2920189)
- Update for Windows Server 2012 R2 (KB2958262)
- Security Update for Windows Server 2012 R2 (KB2973351)
- Security Update for Windows Server 2012 R2 (KB2939576)
- Update for Windows Server 2012 R2 (KB2959626)
- Security Update for Windows Server 2012 R2 (KB2957189)
- Security Update for Microsoft .NET Framework 4.5.1 on Windows 8.1 and Windows Server 2012 R2 for x64-based Systems (KB2931366)
- Windows Malicious Software Removal Tool for Windows 8, 8.1 and Windows Server 2012, 2012 R2 x64 Edition - July 2014 (KB890830)
- Security Update for Windows Server 2012 R2 (KB2964718)
- Security Update for Windows Server 2012 R2 (KB2973201)
- Security Update for Windows Server 2012 R2 (KB2965788)
- Update for Windows Server 2012 R2 (KB2966804)
- Update for Windows Server 2012 R2 (KB2955164)
- Security Update for Windows Server 2012 R2 (KB2961072)</updatelist></UserData></Event></Events>

1
deployment-apps/TA-microsoft-windows/samples/XmlSystem.update_success.xml
Unescape View File

@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-WindowsUpdateClient' Guid='{945A8954-C147-4ACD-923F-40C45405A658}'/><EventID>19</EventID><Version>1</Version><Level>4</Level><Task>1</Task><Opcode>13</Opcode><Keywords>0x8000000000000018</Keywords><TimeCreated SystemTime='2014-08-05T20:08:13.256059100Z'/><EventRecordID>2956</EventRecordID><Correlation/><Execution ProcessID='744' ThreadID='288'/><Channel>System</Channel><Computer>WIN-9DV9ENFEJEG</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='updateTitle'>Update for Windows Server 2012 R2 (KB2958262)</Data><Data Name='updateGuid'>{1DE3F386-F36C-4E64-8098-D01B8BEA37CF}</Data><Data Name='updateRevisionNumber'>200</Data><Data Name='serviceGuid'>{9482F4B4-E343-43B6-B170-9A65BC822C77}</Data></EventData></Event></Events>

2
deployment-apps/TA-microsoft-windows/samples/audit_types.list
Unescape View File

@ -0,0 +1,2 @@
Success
Failure

7
deployment-apps/TA-microsoft-windows/samples/sample.DhcpSrvLog
Unescape View File

@ -0,0 +1,7 @@
ID,Date,Time,Description,IPAddress,HostName,MAC Address
10,07/21/06,19:42:47,,172.168.15.10,winfish,01:00:00:00:00:00
11,07/21/06,19:42:47,,172.168.15.12,storefront,02:00:00:00:00:00
13,07/21/06,19:42:47,,172.168.15.13,bugsbunny,03:00:00:00:00:00
12,07/21/06,19:42:47,,172.168.15.10,winfish,01:00:00:00:00:00
16,07/21/06,19:42:47,,172.168.15.12,storefront,02:00:00:00:00:00
17,07/21/06,19:42:47,,172.168.15.13,bugsbunny,03:00:00:00:00:00

25
deployment-apps/TA-microsoft-windows/samples/sample.win_installed_apps
Unescape View File

@ -0,0 +1,25 @@
05/19/2011 10:48:34
Installed application enumerated from "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{163025bb-ef60-4329-9384-9aeb595a0179}"
AuthorizedCDFPrefix=
Comments=The IT Search Engine
Contact=Contact Support at http://www.splunk.com/page/submit_issue
DisplayVersion=108.1.32730
HelpLink=http://www.splunk.com/page/submit_issue
HelpTelephone=
InstallDate=20110318
InstallLocation=C:\Program Files\Splunk\
InstallSource=C:\Users\David\Desktop\
ModifyPath=MsiExec.exe /I{163025bb-ef60-4329-9384-9aeb595a0179}
Publisher=Splunk, Inc.
Readme=C:\Program Files\Splunk\README.txt
Size=
EstimatedSize=0x1c991
UninstallString=MsiExec.exe /I{163025bb-ef60-4329-9384-9aeb595a0179}
URLInfoAbout=http://www.splunk.com
URLUpdateInfo=http://www.splunk.com/download
VersionMajor=0x6c
VersionMinor=0x1
WindowsInstaller=0x1
Version=0x6c017fda
Language=0x409
DisplayName=Splunk

1
deployment-apps/TA-microsoft-windows/samples/sample.win_listening_ports
Unescape View File

@ -0,0 +1 @@
04/14/2011 19:42:27 transport=TCP dest_ip=[0.0.0.0] dest_port=443 pid=476

40
deployment-apps/TA-microsoft-windows/samples/sample.winregistry
Unescape View File

@ -0,0 +1,40 @@
09/09/2010 23:36:32.0128
event_status="(0)The operation completed successfully."
pid=1300
process_image="\Device\HarddiskVolume1\Windows\System32\spoolsv.exe"
registry_type="CreateKey"
key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\Client Side Rendering Print Provider\Servers\DAVID-PC\Printers\{676235CD-B656-42D5-B737-49856E97D072}\PrinterDriverData"
data_type="REG_NONE"
data=""
09/09/2010 23:36:31.0800
event_status="(0)The operation completed successfully."
pid=1300
process_image="\Device\HarddiskVolume1\Windows\System32\spoolsv.exe"
registry_type="SetValue"
key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\Client Side Rendering Print Provider\Servers\DAVID-PC\Printers\{676235CD-B656-42D5-B737-49856E97D072}\DsKeyUpdateForeground"
data_type="REG_DWORD"
data="0x00000003(3)"
09/09/2010 23:36:29.0519
event_status="(-1073741790)Access is denied."
pid=2940
process_image="\Device\HarddiskVolume1\Program Files\VMware\VMware Tools\TPAutoConnect.exe"
registry_type="CreateKey"
key_path="\REGISTRY\MACHINE\SOFTWARE\ThinPrint\TPVMW321-2169411598-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\iexplore"
data_type="REG_NONE"
data=""
09/09/2010 23:28:36.0860
event_status="(0)The operation completed successfully."
pid=1836
process_image="\Device\HarddiskVolume1\Program Files\Windows Media Player\wmpnetwk.exe"
registry_type="DeleteKey"
key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\982BF570-9638-D16C-DA56-63BCFA515AD3\DeviceCompatFlags"
data_type="REG_NONE"
data=""
09/09/2010 23:23:44.0542
event_status="(0)The operation completed successfully."
pid=4032
process_image="\Device\HarddiskVolume1\Windows\regedit.exe"
registry_type="RenameKey"
key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\cookies"
data_type="REG_NONE"
data=""

72
deployment-apps/TA-microsoft-windows/samples/server2k8.WindowsUpdateLog
Unescape View File

@ -0,0 +1,72 @@
2010-06-16 18:48:43:586 992 a4c Report REPORT EVENT: {79ADCB2A-E5A4-4D87-84E4-38E53410C65A} 2010-06-16 18:47:44:234-0700 1 190 101 {5A12AB6D-696D-430B-92DD-25FC9A78E777} 109 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB979559)
2010-06-16 18:48:43:586 992 a4c Report REPORT EVENT: {7AAFCF20-54AA-4C47-AE76-D50AC35C6CF8} 2010-06-16 18:47:44:234-0700 1 190 101 {5332AD75-1EE5-49A7-B962-A52CDCB5381B} 106 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB982381)
2010-06-16 18:48:43:586 992 a4c Report REPORT EVENT: {BD9FD786-D33E-40EC-9EAD-004CE249A210} 2010-06-16 18:47:44:219-0700 1 190 101 {94094676-871B-4543-96DE-DC72EA75CDBE} 105 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB980218)
2010-06-16 18:48:43:586 992 a4c Report REPORT EVENT: {E61ED1F2-63C6-4F6D-A350-6AF9C2E73B10} 2010-06-16 18:47:44:203-0700 1 190 101 {2A523F8D-80C9-410B-8E38-BEE4836A6537} 107 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195)
2010-06-16 18:48:43:586 992 a4c Report REPORT EVENT: {29353A5A-EA08-43AF-A0C3-50C3060FD915} 2010-06-16 18:47:44:188-0700 1 190 101 {13C557C8-6E62-4C86-ADD4-37C9735D05DE} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB982632)
2010-06-16 18:48:43:165 992 a4c Report REPORT EVENT: {DBE3C1FD-3849-4851-9C08-22CCC04D5E6B} 2010-06-16 18:47:44:188-0700 1 190 101 {EFE89ED6-0EC3-498B-A703-5B35D0EB261C} 105 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB975562)
2010-06-16 18:48:43:165 992 a4c Report REPORT EVENT: {09576D5E-7485-4D1A-96D0-3EC0DEC0730E} 2010-06-16 18:47:44:172-0700 1 190 101 {681D30E8-9897-4E29-BBA1-FFBD1115B526} 103 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911)
2010-06-16 18:48:43:165 992 a4c Report REPORT EVENT: {C808B3E7-81FE-4AF3-8544-04F9222A4277} 2010-06-16 18:47:44:141-0700 1 190 101 {5C4E80F2-C99C-4F20-B7A7-E6AF2A20EA7A} 102 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Microsoft .NET Framework 3.5 SP1 Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB982535)
2010-06-16 18:42:31:865 1000 b00 Report REPORT EVENT: {FE882D48-9534-4F7E-9880-2993F61499C4} 2010-06-16 18:37:44:091-0700 1 194 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Restart Required: To complete the installation of the following updates, the computer will be restarted within 15 minutes: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Security Update for Windows Server 2008 x64 Edition (KB979559) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB982381) - Security Update for Windows Server 2008 x64 Edition (KB980218) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB982632) - Security Update for Windows Server 2008 x64 Edition (KB975562) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) - Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911) - Microsoft .NET Framework 3.5 SP1 Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB9825
2010-06-16 18:35:22:743 1000 5dc Report REPORT EVENT: {43DA0C73-108E-4863-9F5D-033D0A84F7CF} 2010-06-16 18:35:17:729-0700 1 190 101 {104EB8DD-8924-46BE-8441-25C407114986} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Windows Malicious Software Removal Tool x64 - June 2010 (KB890830)
2010-06-16 18:33:37:759 1000 5dc Report REPORT EVENT: {CBA3BAF6-B5FD-4D19-A5D3-468207CCF88A} 2010-06-16 18:33:32:744-0700 1 190 101 {1ABDADA5-F2D7-4099-9AE7-0812C3E40A72} 101 240006 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB978542)
2010-06-16 18:33:24:653 1000 5dc Report REPORT EVENT: {97AB8A73-AAAA-46FA-9E5B-B99F85B98B18} 2010-06-16 18:30:56:241-0700 1 190 101 {48D29613-FB99-4F1B-8ED0-AA122F54FFDE} 104 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB979482)
2010-06-16 18:33:24:653 1000 5dc Report REPORT EVENT: {C5231FB6-8FFD-4A76-820C-8C2DD8E006D3} 2010-06-16 18:30:52:101-0700 1 190 101 {60767E01-93EF-4226-A7F3-2C2DE1CE016E} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Windows Server 2008 x64 Edition (KB981793)
2010-06-14 08:09:46:015 1000 218 Report REPORT EVENT: {E5EBE6CA-90F5-43BE-BAAA-4F80C40ABADF} 2010-06-14 08:09:42:718-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Tuesday, June 15, 2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Security Update for Windows Server 2008 x64 Edition (KB979559) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB982381) - Security Update for Windows Server 2008 x64 Edition (KB980218) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB982632) - Security Update for Windows Server 2008 x64 Edition (KB975562) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) - Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911) - Microsoft .NET Framework 3.5 SP1 Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB9825
2010-06-14 08:09:46:015 1000 218 Report REPORT EVENT: {F3D6877B-A2FD-467B-8294-A80B41BF0D47} 2010-06-14 08:09:41:577-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Tuesday, June 15, 2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Security Update for Windows Server 2008 x64 Edition (KB979559) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB982381) - Security Update for Windows Server 2008 x64 Edition (KB980218) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB982632) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) - Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911) - Microsoft .NET Framework 3.5 SP1 Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB982535)
2010-06-14 08:09:46:015 1000 218 Report REPORT EVENT: {49D393A6-D19F-4035-9682-66F41AC18EC7} 2010-06-14 08:09:41:015-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Tuesday, June 15, 2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Security Update for Windows Server 2008 x64 Edition (KB979559) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB982381) - Security Update for Windows Server 2008 x64 Edition (KB980218) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) - Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911) - Microsoft .NET Framework 3.5 SP1 Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB982535)
2010-06-14 08:09:36:578 1000 218 Report REPORT EVENT: {284300E5-E053-4A07-B559-31AB62F4225E} 2010-06-14 08:09:33:171-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Tuesday, June 15, 2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Security Update for Windows Server 2008 x64 Edition (KB979559) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB982381) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) - Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911) - Microsoft .NET Framework 3.5 SP1 Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB982535)
2010-06-14 08:09:36:578 1000 218 Report REPORT EVENT: {5FFE4517-B11E-481F-B4AA-83A9246592FE} 2010-06-14 08:09:29:781-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Tuesday, June 15, 2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Security Update for Windows Server 2008 x64 Edition (KB979559) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB982381) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) - Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911)
2010-06-14 08:09:11:703 1000 218 Report REPORT EVENT: {1A21691C-C677-4455-8F87-1A2FC4FAA399} 2010-06-14 08:09:06:703-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Tuesday, June 15, 2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Security Update for Windows Server 2008 x64 Edition (KB979559) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) - Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911)
2010-06-14 08:09:06:875 1000 218 Report REPORT EVENT: {2D612129-372F-4625-A87B-129247D91417} 2010-06-14 08:09:03:610-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Tuesday, June 15, 2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) - Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911)
2010-06-14 08:09:06:875 1000 218 Report REPORT EVENT: {AB09170F-683E-4D1E-B057-35AFDC0B53C9} 2010-06-14 08:09:03:516-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Tuesday, June 15, 2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830)
2010-06-14 08:09:06:875 1000 218 Report REPORT EVENT: {760700C1-617C-4325-B25C-1393029DF771} 2010-06-14 08:09:01:875-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Tuesday, June 15, 2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830)
2010-06-14 08:08:58:172 1000 218 Report REPORT EVENT: {4D342AE6-81AF-41FE-B7F9-E06A0BDCBD20} 2010-06-14 08:08:53:188-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Tuesday, June 15, 2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542)
2010-06-14 08:08:23:002 1000 218 Report REPORT EVENT: {B288D33F-BC8A-453C-BEF5-102B7096B0ED} 2010-06-14 08:08:18:002-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Tuesday, June 15, 2010 at 3:00 AM: - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542)
2010-06-14 08:07:56:548 1000 218 Report REPORT EVENT: {898853CF-B9F6-4CB2-8BAB-935659C6E30B} 2010-06-14 08:06:51:895-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Tuesday, June 15, 2010 at 3:00 AM: - Security Update for Windows Server 2008 x64 Edition (KB978542)
2010-06-14 08:03:21:998 1000 218 Report REPORT EVENT: {F3BD6618-BFF9-42BB-A1D8-0894DBD3211E} 2010-06-14 08:01:02:332-0700 1 190 101 {1ABDADA5-F2D7-4099-9AE7-0812C3E40A72} 101 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB978542)
2010-06-14 08:03:21:998 1000 218 Report REPORT EVENT: {15876081-DBB0-4D59-84FD-40A55F45200C} 2010-06-14 08:00:25:224-0700 1 190 101 {4FAC5B5F-19C1-467C-A26D-5CA7712D3494} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Windows Malicious Software Removal Tool x64 - May 2010 (KB890830)
2010-05-11 14:36:08:529 1000 4f8 Report REPORT EVENT: {303F0E1B-0292-4908-86C3-B14892B8C294} 2010-05-11 14:36:03:607-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Wednesday, May 12, 2010 at 3:00 AM: - Windows Malicious Software Removal Tool x64 - May 2010 (KB890830) - Security Update for Windows Server 2008 x64 Edition (KB978542)
2010-05-11 14:34:12:923 1000 4f8 Report REPORT EVENT: {CA86BA76-103B-4BBF-A2EC-BB34F1C66C22} 2010-05-11 14:34:08:033-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Wednesday, May 12, 2010 at 3:00 AM: - Windows Malicious Software Removal Tool x64 - May 2010 (KB890830)
2010-05-11 12:50:06:546 984 878 Report REPORT EVENT: {A4AF26FB-0475-4E41-A542-D3176BDFF2DB} 2010-05-11 12:48:04:046-0700 1 190 101 {06E723E4-CBE2-4EF5-8DBF-3BBCC8584960} 102 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Windows Server 2008 x64 Edition (KB973917)
2010-05-11 12:50:06:546 984 878 Report REPORT EVENT: {DE0C737D-1AF1-4C9E-BDC3-CF529061EF70} 2010-05-11 12:48:03:953-0700 1 190 101 {38829BE4-0F12-4502-B5E4-D640A3CF4B78} 102 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB980182)
2010-05-11 12:50:06:515 984 878 Report REPORT EVENT: {198290A1-80A9-4562-B537-5638FF959E05} 2010-05-11 12:48:03:953-0700 1 190 101 {D526370A-65A0-4D88-A935-64893E66BEC4} 103 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB981332)
2010-05-11 12:48:05:890 984 878 Report REPORT EVENT: {1B5B7CAC-1507-4E07-942B-55A4B46C7FDE} 2010-05-11 12:48:03:953-0700 1 190 101 {A7C58B11-FC3E-4B50-A5A3-7037CFB38764} 102 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB979683)
2010-05-11 12:48:05:890 984 878 Report REPORT EVENT: {66566F17-EDD3-4364-AF57-089DA1772037} 2010-05-11 12:48:03:921-0700 1 190 101 {FDA2974B-C8C0-42B2-A60B-E56C76B6E6EF} 101 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB979309)
2010-05-11 12:48:05:890 984 878 Report REPORT EVENT: {23B47B49-5C8E-403C-862D-5BC49762A766} 2010-05-11 12:48:03:890-0700 1 190 101 {A4CD7882-E067-4ED4-8713-16F845085BBE} 102 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB980232)
2010-05-11 12:48:05:890 984 878 Report REPORT EVENT: {AA9AF2A0-C29D-47EE-8DFA-2E581A1BD4D0} 2010-05-11 12:48:03:875-0700 1 190 101 {C54B88AA-A639-470E-B505-FD0C46865393} 102 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB978601)
2010-05-11 12:48:05:890 984 878 Report REPORT EVENT: {64ABBAF4-4872-40E4-98C9-8DE6F2E7CB0D} 2010-05-11 12:48:03:875-0700 1 190 101 {D35216C1-66AA-45A7-B182-6B375789E2CD} 101 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB978338)
2010-05-11 12:43:11:448 976 710 Report REPORT EVENT: {4C703373-B930-496D-A783-AD68777A01EE} 2010-05-11 12:40:57:449-0700 1 194 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Restart Required: To complete the installation of the following updates, the computer will be restarted within 15 minutes: - Security Update for Windows Server 2008 x64 Edition (KB981332) - Security Update for Windows Server 2008 x64 Edition (KB979683) - Security Update for Windows Server 2008 x64 Edition (KB979309) - Security Update for Windows Server 2008 x64 Edition (KB980232) - Windows Malicious Software Removal Tool x64 - April 2010 (KB890830) - Security Update for Windows Server 2008 x64 Edition (KB978601) - Security Update for Windows Server 2008 x64 Edition (KB978338)
2010-05-11 12:40:03:630 976 a58 Report REPORT EVENT: {41161CCC-026F-4F01-B281-3C8565513289} 2010-05-11 12:40:03:567-0700 1 190 101 {E4AB408F-0208-4BB8-9782-C1D895DC4F78} 101 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Windows Malicious Software Removal Tool x64 - April 2010 (KB890830)
2010-04-14 04:20:37:369 976 464 Report REPORT EVENT: {4647FA59-C41B-45BE-B229-191180266B51} 2010-04-14 04:20:32:384-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Thursday, April 15, 2010 at 3:00 AM: - Security Update for Windows Server 2008 x64 Edition (KB981332) - Security Update for Windows Server 2008 x64 Edition (KB979683) - Security Update for Windows Server 2008 x64 Edition (KB979309) - Security Update for Windows Server 2008 x64 Edition (KB980232) - Windows Malicious Software Removal Tool x64 - April 2010 (KB890830) - Security Update for Windows Server 2008 x64 Edition (KB978601) - Security Update for Windows Server 2008 x64 Edition (KB978338)
2010-04-14 04:20:31:666 976 464 Report REPORT EVENT: {955E6D76-5F46-4B98-A948-8A7E73193AE2} 2010-04-14 04:20:28:822-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Thursday, April 15, 2010 at 3:00 AM: - Security Update for Windows Server 2008 x64 Edition (KB981332) - Security Update for Windows Server 2008 x64 Edition (KB979309) - Security Update for Windows Server 2008 x64 Edition (KB980232) - Windows Malicious Software Removal Tool x64 - April 2010 (KB890830) - Security Update for Windows Server 2008 x64 Edition (KB978601) - Security Update for Windows Server 2008 x64 Edition (KB978338)
2010-04-14 04:20:31:666 976 464 Report REPORT EVENT: {A6C06AEF-A34E-43E5-9008-B10CE1E9596A} 2010-04-14 04:20:28:072-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Thursday, April 15, 2010 at 3:00 AM: - Security Update for Windows Server 2008 x64 Edition (KB981332) - Security Update for Windows Server 2008 x64 Edition (KB979309) - Windows Malicious Software Removal Tool x64 - April 2010 (KB890830) - Security Update for Windows Server 2008 x64 Edition (KB978601) - Security Update for Windows Server 2008 x64 Edition (KB978338)
2010-04-14 04:20:31:666 976 464 Report REPORT EVENT: {AC8420D8-4834-45A6-BAFA-FC89699437D2} 2010-04-14 04:20:26:541-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Thursday, April 15, 2010 at 3:00 AM: - Security Update for Windows Server 2008 x64 Edition (KB981332) - Security Update for Windows Server 2008 x64 Edition (KB979309) - Windows Malicious Software Removal Tool x64 - April 2010 (KB890830) - Security Update for Windows Server 2008 x64 Edition (KB978601)
2010-04-14 04:19:40:462 976 464 Report REPORT EVENT: {E15B21BD-7DCA-4905-B9EE-9FB173DE5BD0} 2010-04-14 04:19:36:166-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Thursday, April 15, 2010 at 3:00 AM: - Security Update for Windows Server 2008 x64 Edition (KB981332) - Security Update for Windows Server 2008 x64 Edition (KB979309) - Windows Malicious Software Removal Tool x64 - April 2010 (KB890830)
2010-04-14 04:19:40:462 976 464 Report REPORT EVENT: {28BDB1E5-D652-4BA8-8241-C9E95D3ED68E} 2010-04-14 04:19:36:025-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Thursday, April 15, 2010 at 3:00 AM: - Security Update for Windows Server 2008 x64 Edition (KB981332) - Security Update for Windows Server 2008 x64 Edition (KB979309)
2010-04-14 04:19:03:087 976 464 Report REPORT EVENT: {5DDE0553-8DE0-4F57-8CAD-0D00948BFB0A} 2010-04-14 04:18:58:150-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Thursday, April 15, 2010 at 3:00 AM: - Security Update for Windows Server 2008 x64 Edition (KB979309)
2010-04-14 04:18:06:634 976 464 Report REPORT EVENT: {E473CEEC-A328-483B-89E5-8FE8BA21D5DA} 2010-04-14 04:11:11:257-0700 1 194 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Restart Required: To complete the installation of the following updates, the computer will be restarted within 15 minutes: - Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB980302) - Windows Malicious Software Removal Tool x64 - March 2010 (KB890830) - Update for Windows Server 2008 x64 Edition (KB973917) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB980182)
2010-04-14 04:10:45:179 976 464 Report REPORT EVENT: {67F2CC5D-D3EF-4D38-8E6D-5867CB5CF727} 2010-04-14 04:08:37:476-0700 1 190 101 {055A2DB4-D7D0-488C-8102-106A2F3DC434} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Windows Malicious Software Removal Tool x64 - March 2010 (KB890830)
2010-04-14 04:10:45:179 976 464 Report REPORT EVENT: {587EA1F5-47CE-4306-9377-487961D8AD94} 2010-04-14 04:05:45:304-0700 1 190 101 {C1307437-88DB-47C7-961F-79794798F83F} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB980302)
2010-04-05 14:30:20:043 976 9c4 Report REPORT EVENT: {38912DE8-A85C-4805-99B5-483173E6AB40} 2010-04-05 14:30:15:278-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Tuesday, April 06, 2010 at 3:00 AM: - Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB980302) - Windows Malicious Software Removal Tool x64 - March 2010 (KB890830) - Update for Windows Server 2008 x64 Edition (KB973917) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB980182)
2010-04-05 14:30:20:043 976 9c4 Report REPORT EVENT: {1963927F-F6EF-40D3-B376-798132443FA6} 2010-04-05 14:30:15:043-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Tuesday, April 06, 2010 at 3:00 AM: - Windows Malicious Software Removal Tool x64 - March 2010 (KB890830) - Update for Windows Server 2008 x64 Edition (KB973917) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB980182)
2010-04-05 14:27:32:250 976 9c4 Report REPORT EVENT: {1C976668-F03C-40DD-BAAE-F1A17196C642} 2010-04-05 14:27:27:172-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Tuesday, April 06, 2010 at 3:00 AM: - Windows Malicious Software Removal Tool x64 - March 2010 (KB890830) - Update for Windows Server 2008 x64 Edition (KB973917)
2010-04-05 14:27:25:907 976 9c4 Report REPORT EVENT: {1C34811E-FEF8-44CF-B880-43A0CE0F4124} 2010-04-05 14:27:20:938-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Tuesday, April 06, 2010 at 3:00 AM: - Windows Malicious Software Removal Tool x64 - March 2010 (KB890830)
2010-03-04 09:25:36:117 976 464 Report REPORT EVENT: {C9A94429-436B-4EBA-A86E-4873B6A820A9} 2010-03-04 09:24:38:085-0800 1 190 101 {0FF84F82-ECE3-4714-9313-13517E9BDD2F} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Windows Server 2008 x64 Edition (KB975929)
2010-03-04 05:07:08:864 360 be8 Report REPORT EVENT: {B344761D-3738-47A0-9DB1-8BB314EED644} 2010-03-04 05:02:59:752-0800 1 194 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Restart Required: To complete the installation of the following updates, the computer will be restarted within 15 minutes: - Update for Windows Server 2008 x64 Edition (KB979306) - Update for Rights Management Services Client for Windows Server 2008 x64 Edition (KB979099) - Update for Windows Server 2008 x64 Edition (KB976662) - Update for Windows Server 2008 x64 Edition (KB975929)
2010-03-04 05:07:08:864 360 be8 Report REPORT EVENT: {62CA6F5B-32D4-4A19-B968-B807645B14F2} 2010-03-04 05:01:37:251-0800 1 190 101 {BD962A37-FBD1-4765-851C-B9AE4D0CE758} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Windows Server 2008 x64 Edition (KB976662)
2010-03-04 05:07:08:864 360 be8 Report REPORT EVENT: {4CA2C4D3-33E1-4D2D-8B5D-510876508F5F} 2010-03-04 05:01:31:173-0800 1 190 101 {6E6CDC1F-8BB9-41CF-9AF3-44053752B7E9} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Rights Management Services Client for Windows Server 2008 x64 Edition (KB979099)
2010-03-04 05:07:08:864 360 be8 Report REPORT EVENT: {6A82AFE7-8A12-4543-BA68-B55B6B740D2D} 2010-03-04 05:00:31:094-0800 1 190 101 {2A8FD60C-D83D-42B1-BCF2-77D0843E97B9} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Windows Server 2008 x64 Edition (KB979306)
2010-03-02 08:57:57:960 360 90c Report REPORT EVENT: {C830E8CA-9621-4D7D-A464-1E414444946E} 2010-03-02 08:57:54:038-0800 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Wednesday, March 03, 2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB979306) - Update for Rights Management Services Client for Windows Server 2008 x64 Edition (KB979099) - Update for Windows Server 2008 x64 Edition (KB976662) - Update for Windows Server 2008 x64 Edition (KB975929)
2010-03-02 08:57:57:960 360 90c Report REPORT EVENT: {16DE031E-8C26-4CDB-BFE4-C8BB72CBCF58} 2010-03-02 08:57:52:960-0800 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Wednesday, March 03, 2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB979306) - Update for Rights Management Services Client for Windows Server 2008 x64 Edition (KB979099) - Update for Windows Server 2008 x64 Edition (KB975929)
2010-03-02 08:57:46:147 360 90c Report REPORT EVENT: {F17C6159-02D6-4321-879C-C6E79AB5CCC7} 2010-03-02 08:57:41:163-0800 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Wednesday, March 03, 2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB979306) - Update for Windows Server 2008 x64 Edition (KB975929)
2010-03-02 08:57:10:318 360 90c Report REPORT EVENT: {94442B66-AE2D-43EC-838C-406160F2C0DD} 2010-03-02 08:57:00:303-0800 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Wednesday, March 03, 2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB975929)
2010-02-18 16:41:59:598 360 b34 Report REPORT EVENT: {7F1D2AD1-5461-48F1-97E2-A96AF919098C} 2010-02-18 16:41:54:614-0800 1 190 101 {2894BC0E-468D-4924-B3A9-62433D8EEEC1} 103 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB974145)
2010-02-18 16:41:59:598 360 b34 Report REPORT EVENT: {F7D791B3-1B88-49F4-A7ED-93692D0B4144} 2010-02-18 16:41:54:598-0800 1 190 101 {C8852319-F9CE-4ABC-88C1-4147BABDCCC1} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB978506)
2010-02-18 16:41:59:598 360 b34 Report REPORT EVENT: {BB1F8B5A-AA6C-40C3-8377-82E38C7C565C} 2010-02-18 16:41:54:598-0800 1 190 101 {7BCAA235-DEF2-414E-9CA0-18DC03D24DF0} 102 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB971468)
2010-02-18 16:41:59:598 360 b34 Report REPORT EVENT: {3CC2261C-D94E-4A32-82AF-2B011BD21B11} 2010-02-18 16:41:54:598-0800 1 190 101 {3D7E1949-2F56-4447-A3F1-92E14DEA38FC} 104 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB978207)
2010-02-18 16:41:55:192 360 b34 Report REPORT EVENT: {5D5E24C2-34CA-45F3-BDB8-7C8F66876DD7} 2010-02-18 16:41:54:567-0800 1 190 101 {A5767053-D87A-488E-8B61-47E4A7A9462C} 101 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB975560)
2010-02-18 16:41:55:192 360 b34 Report REPORT EVENT: {F6C05449-1E0A-4063-9F06-9512813877BA} 2010-02-18 16:41:54:567-0800 1 190 101 {F4FA9962-B4AF-4CB1-A31D-38150AEDF5DB} 104 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB978251)
2010-02-18 16:41:55:192 360 b34 Report REPORT EVENT: {0C1A45B2-A1B4-4A81-AB23-80B35D796591} 2010-02-18 16:41:54:567-0800 1 190 101 {79680E7B-D9F8-4F16-B86D-2F2A9B3FC456} 102 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB977165)
2010-02-18 16:41:55:192 360 b34 Report REPORT EVENT: {D5E62AF4-1D57-40E5-AFDD-256B9C44CA1E} 2010-02-18 16:41:54:552-0800 1 190 101 {D40A2EF5-550A-4853-AC31-F37F53149913} 101 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB978262)
2010-02-18 16:26:30:574 276 570 Report REPORT EVENT: {40382407-4793-49F6-8DD1-C983F00DA540} 2010-02-18 16:22:04:290-0800 1 194 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Restart Required: To complete the installation of the following updates, the computer will be restarted within 15 minutes: - Security Update for Windows Server 2008 x64 Edition (KB974145) - Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB978506) - Security Update for Windows Server 2008 x64 Edition (KB971468) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB978207) - Security Update for Windows Server 2008 x64 Edition (KB975560) - Security Update for Windows Server 2008 x64 Edition (KB978251) - Security Update for Windows Server 2008 x64 Edition (KB977165) - Windows Malicious Software Removal Tool x64 - February 2010 (KB890830) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB978262)
2010-02-18 16:26:30:574 276 570 Report REPORT EVENT: {F6748A4E-52EA-49D3-8742-1F19B44542C2} 2010-02-18 16:21:36:317-0800 1 190 101 {51D4C9AC-5D5F-44B9-9CAB-2408BCD7B81B} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Windows Malicious Software Removal Tool x64 - February 2010 (KB890830)

320
deployment-apps/TA-microsoft-windows/splunkbase.manifest
Unescape View File

@ -0,0 +1,320 @@
{
"version": "1.0",
"date": "2022-11-14T11:59:06.107321276Z",
"hashAlgorithm": "SHA-256",
"app": {
"id": 3228,
"version": "1.0",
"files": [
{
"path": "README.txt",
"hash": "78adb8389991391bdfbf5ec025233929751169a85d9cba83058b4c3e16dd09e6"
},
{
"path": "default/app.conf",
"hash": "bb96a4d5ab1732f8cfc045f288f645bccb8ccdc302de0b0d53e28d1c914c3a40"
},
{
"path": "default/eventgen.conf",
"hash": "313180f9bc739388f9d06f235bdc9e0fb4a924e6a807616b8edad6d08212e1d2"
},
{
"path": "default/eventtypes.conf",
"hash": "03fa3732172e90b89518bab44512fae12e658d446d9ddb698551cd50536a631b"
},
{
"path": "default/inputs.conf.example",
"hash": "f82cb4d5f5fed83576df73e685a02b3963bc43517f336951a187e6e403a22649"
},
{
"path": "default/props.conf",
"hash": "a59fd21926f32ac0af17312c0703471d01457b72aabf460ada8afb11f9fc24e7"
},
{
"path": "default/tags.conf",
"hash": "faf8670fa9d885941f6013fc5dc8f24e6dcca34a8b3bb57a257da4d290a0c95c"
},
{
"path": "default/transforms.conf",
"hash": "325b921959d1b6670f23ca8d8666eb72b8ffaacef90f0fbcb665d50923dbb8a0"
},
{
"path": "lookups/windows_msdhcp_id.csv",
"hash": "1fc2bfb3baa0a49836c8bd5a9a6b3f96d098aa9838691e466b4f16111161a45b"
},
{
"path": "lookups/windows_object_category.csv",
"hash": "6e1c80f7606afcb2cc09a85ca24da58eec76175471a72ae7005c92ad6a2068b9"
},
{
"path": "lookups/windows_service_startmode.csv",
"hash": "cfe085d97dd9719a5c7b57d6f5b3c23eb69fcfa082d6caafcfd7b9832412d1ac"
},
{
"path": "lookups/windows_service_status.csv",
"hash": "729bfed26977d92c15641b16ebc49586c030127bc09d30a135b943dd60c89344"
},
{
"path": "lookups/windows_status.csv",
"hash": "98f62611b8ae183f3023e551b7859aa7afcfa2145d3d2dc5b25261087e04d28b"
},
{
"path": "lookups/windows_timesync_action.csv",
"hash": "6c2102b47e3047d94147884522c587377d339fcc23b105f4c6aa0f22ea36f224"
},
{
"path": "lookups/windows_vendor_action.csv",
"hash": "59d54f20ca8ec9c37264ee667494344fa06ad5c23e4e381b6a572ec9c1e3f18c"
},
{
"path": "lookups/windowsupdatelog_status.csv",
"hash": "49a11187d1d05f8d9e08472f4ca005f0b8137c3e2f4cce4d35b6d5b20458e4c3"
},
{
"path": "lookups/wineventlog_app.csv",
"hash": "cc29dbca9e0fb3c05ec19b37210791ad3fdb6fd6f812ab9204175d17ae7de098"
},
{
"path": "lookups/wineventlog_security_signature_id.csv",
"hash": "424bc664f49392397e1c1b893c8b6226c46941803737ffbe1f86d8cbbf58df69"
},
{
"path": "lookups/wineventlog_security_signature_sub_id.csv",
"hash": "af99d09e81745d729c037398e6951a5c8c1ad3d75d0765e5cc396c47360c05ef"
},
{
"path": "lookups/wineventlog_sourcetype_vendor_product.csv",
"hash": "b57a46af06604f965586665b65f89580cea69ec1026e0c4d7469cb65b9dc01ab"
},
{
"path": "lookups/wineventlog_vendor_severity_id.csv",
"hash": "41836e4c99c60ba26eb95bb13b80db53dbce94c0088b5fc6d9f3d169200af899"
},
{
"path": "metadata/default.meta",
"hash": "339a3f925347e42129a9305ee7426ec400734ef0fb851cb19914c9eaf180a66b"
},
{
"path": "samples/AppPopup.26.windows",
"hash": "70c8d5213b2fe32edbef3dbd55def501b141290165fde31395b7444edebbcebb"
},
{
"path": "samples/CPUTime.perfmon",
"hash": "053efbad6d3acc332b6e56a7b705b0aa6db6fc4f2c0acdacdf17eff2674f1d19"
},
{
"path": "samples/FreeDiskSpace.perfmon",
"hash": "8813af107b95a4d9eeb1f3edfdc925722d070aa062dbded963bcf4758ab5ed4c"
},
{
"path": "samples/LSASRV.40961.windows",
"hash": "260f36dd25a4a86ad71075c0c9b3af99ab8c9de4f0613264c9869bcf429a0482"
},
{
"path": "samples/LocalNetwork.perfmon",
"hash": "816a0c730e893c32b5541a006adeb252283bde9a1b5f1aaae275735da099cd72"
},
{
"path": "samples/Memory.perfmon",
"hash": "cf4b6af4fd48f3d986ebe2f3e7b25bf05a824079e0f9f8045f5814502389f221"
},
{
"path": "samples/SCM.7036.windows",
"hash": "b7b83911fdf57804cc8cbabdc834a992b2eca99ae1582f992149f863b0de8192"
},
{
"path": "samples/Security.1102.windows",
"hash": "f1642973de7a946cb0cdca18045130635a04340fc4ed4dcdedd9c040049886a6"
},
{
"path": "samples/Security.4672.windows",
"hash": "286beacd86dc1582b4858029cfeabb5a5ee8bce7ece1e2e23d552b91f37c102f"
},
{
"path": "samples/Security.4673.windows",
"hash": "9934fb181419d9e2e295d97f7b7947d8d9d5ec5301d46eeba4891b33070701d7"
},
{
"path": "samples/Security.4688.windows",
"hash": "9569a939a92db843b8d43c3726a64f4230f2b4b1bfc544d6f5c7930ec21d556f"
},
{
"path": "samples/Security.4689.windows",
"hash": "341cfc42541c3a8c77f152394688fd01c03c11269eba907b42efaa84271829e5"
},
{
"path": "samples/Security.4717.windows",
"hash": "e3d241b8702b7e87d4080269feb4f100d25f899d2dfc876bb1925654886e2a9d"
},
{
"path": "samples/Security.4718.windows",
"hash": "2120b8ca879ccb0141245bdda1bf62d935dc5bd439c0c7103509b523fdac107e"
},
{
"path": "samples/Security.4726.windows",
"hash": "66de6836fb51ec7adef0ed315ff8bc8f93d195962c515318a8f480d00f77d0fb"
},
{
"path": "samples/Security.4743.windows",
"hash": "37239ddc25d3875927cdd030ad7f0132ce82b6f540cb30dde733fe0f2fa217a5"
},
{
"path": "samples/W32Time.17.windows",
"hash": "5ccc5c79d915a23f203903f00fd85963dd6ec9a800cbf61374390f94115795af"
},
{
"path": "samples/W32Time.29.windows",
"hash": "49e538547d47e48c9b4cfc63d496548245269a4078c39586652c257528127990"
},
{
"path": "samples/W32Time.35.windows",
"hash": "1a747b129ad214d5173feecc1e7b948f929aa471aae7c0123df6a203a780c029"
},
{
"path": "samples/WinHostMon-OperatingSystem",
"hash": "35e895178fc87c5f47a925479179b6dd9bf16989b29d351f37f94d2fbe8e6f41"
},
{
"path": "samples/WinHostMon-Processor",
"hash": "8637250f72637ea1b8ca090da63e4dd5aca4b5a67dba459913ad2d49ab1fc2a8"
},
{
"path": "samples/WindowsUpdateClient.19.windows",
"hash": "d7235bdb690dd16c521a5358cc19865ef9ff0f47b183fc1de9a582e54111cfbc"
},
{
"path": "samples/XmlSecurity.4608.windows.xml",
"hash": "dcf929d3d9fd81e21fccd19d1162a374fd64e27e1b1d0017a2a0d6ad20661915"
},
{
"path": "samples/XmlSecurity.4616.windows.xml",
"hash": "56a93755306532b4f70955ec9aabc1b575df95729789e8051a82f4d0847bcf01"
},
{
"path": "samples/XmlSecurity.4624.windows.xml",
"hash": "51bbfd2b257eeab6ce0c0e772a8b33561a11721e0e7b6a585ac434d68edd19c7"
},
{
"path": "samples/XmlSecurity.4625.windows.xml",
"hash": "5f858bf803b721cf9353392e530a2db452c7687a221675d958bfb87c4e3d240f"
},
{
"path": "samples/XmlSecurity.4634.windows.xml",
"hash": "17f452534e056ae6249eae40fd472a2915e839eaeda4fdc32df8e4a1ee7f2fd9"
},
{
"path": "samples/XmlSecurity.4647.windows.xml",
"hash": "4a7db02076f286f7d7224e3d8daba28d27bf2178923dc349d8b072d685bf267b"
},
{
"path": "samples/XmlSecurity.4648.windows.xml",
"hash": "22c24df61a30bc5945da817f756d55c0a40481abdf3d96b6323b47cae64c1071"
},
{
"path": "samples/XmlSecurity.4672.windows.xml",
"hash": "7ae4a61bd4671ce380476e6b4d82edd6e47dc36713715b15a1aa8ea2005423f9"
},
{
"path": "samples/XmlSecurity.4720.windows.xml",
"hash": "39b73be3aa4ed536ed2bc0d75c9fa1f33472b70f86baab963a04ee76ce051047"
},
{
"path": "samples/XmlSecurity.4722.windows.xml",
"hash": "1acdd2df3aeeb60f42488e2753bceaa2fa83c64e63431c0447fd42a6f167e9c2"
},
{
"path": "samples/XmlSecurity.4724.windows.xml",
"hash": "0433a5aea1ff3b6d6851c6b6eaed9d55bad03528c6d445c43ac74eddf65bec6c"
},
{
"path": "samples/XmlSecurity.4728.windows.xml",
"hash": "256275198e67afc593e40b2310e135c80c65518c99d144fca0b0115de06428c8"
},
{
"path": "samples/XmlSecurity.4732.windows.xml",
"hash": "62edccf12ef5fbdfc33705af33802c5a8a31e8d5cd5117f9a0a9854366eb603c"
},
{
"path": "samples/XmlSecurity.4735.windows.xml",
"hash": "526dffc3d8ae22d677869b675fed42abc81129b103061bacee2850bf2f0c9b7c"
},
{
"path": "samples/XmlSecurity.4738.windows.xml",
"hash": "5361837ce56b4858e673c1bf93308aa0372b2d2bf4bd8b5b112ee4a8bfb7bfc4"
},
{
"path": "samples/XmlSecurity.4776.windows.xml",
"hash": "35f2ccc218105821de506274f674f132b6d0c87b6ab6828a24929de7f94144a8"
},
{
"path": "samples/XmlSecurity.4781.windows.xml",
"hash": "57d163f8f4d29492643e400c171cb851d223d95dac5ac0acd40e104ccb1d6e55"
},
{
"path": "samples/XmlSecurity.4797.windows.xml",
"hash": "004f220c437194a2043fd884d6d53b8feb96f089764c98153a87b04d32f7a24b"
},
{
"path": "samples/XmlSecurity.4902.windows.xml",
"hash": "3da56e945ab738f81df630bb96c4cf0f6e1506e10a1127882de12f42b454ebc9"
},
{
"path": "samples/XmlSecurity.4907.windows.xml",
"hash": "4547d6ae9303fbe2c3d64c5bae8106101c07eaf57d9449afcef54081bb37e051"
},
{
"path": "samples/XmlSystem.update_ready.xml",
"hash": "31b7abcd7183328d7a3ba287a22bbc577489c061848ec8102c0bf37cfafe46bb"
},
{
"path": "samples/XmlSystem.update_success.xml",
"hash": "4089d7fe41b329c85957080fd27d9e9b6a967ada4a5f0c9860279e53af7226f9"
},
{
"path": "samples/audit_types.list",
"hash": "4b80d07cb0ba034ab90e670498f171af1dc4d0e6edbca93a70a43da8d97f3143"
},
{
"path": "samples/sample.DhcpSrvLog",
"hash": "7d57e2987235c9966aa738e7d5bfc31ed713b33d8e6dd74af346337aafe47bb8"
},
{
"path": "samples/sample.win_installed_apps",
"hash": "bc6c82176c18b1c4d4d1ce52270fcf061e83dd95518a3cf0555ec0395d5f85ad"
},
{
"path": "samples/sample.win_listening_ports",
"hash": "fee5d98d7f4b515f57e951a36e0352685bda666349966e7150e33593c34c1373"
},
{
"path": "samples/sample.winregistry",
"hash": "9c964b50c6bc615e514f92ee8d28129a2e5fd1dcb7e3d89152316c94c85e2e57"
},
{
"path": "samples/server2k8.WindowsUpdateLog",
"hash": "ff57295beec95936a315a1ee17b9f01785b56d1c08e9d6925d3a7c2bb448892e"
}
]
},
"products": [
{
"platform": "splunk",
"product": "enterprise",
"versions": [
"7.0",
"7.1"
],
"architectures": [
"x86_64"
],
"operatingSystems": [
"windows",
"linux",
"macos",
"freebsd",
"solaris",
"aix"
]
}
]
}
Write Preview
Loading…
Cancel
Save