admingit 2 years ago
parent 0438e12642
commit d1d852b671

@ -0,0 +1,235 @@
.panel-body {
background: #f2f4f5;
}
.floatleft {
position: relative;
float: left;
}
.floatright {
position: relative;
float: right;
}
.clearboth {
clear: both;
}
#ListOfPageGuides {
display:none;
flex-direction: row;
flex-wrap: nowrap;
justify-content: space-around;
}
#ListOfPageGuidesFirstEntry {
display:flex;
}
#ListOfPageGuidesFirstEntry .PageGuide {
width: 318px;
margin: 5px;
border:1px solid #e1e6eb;
background:white;
min-height:200px;
overflow: hidden;
clear: both;
position: relative;
display: inline-block;
}
#ListOfPageGuidesFirstEntry .PageGuide.lastSelected {
border:1px solid orange;
}
#ListOfPageGuidesFirstEntry .PageGuideImg {
font-size: 75px;
color: rgb(92, 192, 92);
display: inline-block;
width: 60px;
flex: 0 0 auto;
vertical-align: super;
height: 0.6575em;
padding: 20px;
margin-top: 20px;
}
#ListOfPageGuidesFirstEntry .PageGuideDescription {
display: inline-block;
width: 70%;
vertical-align: middle;
margin-left: 20px;
text-align: left;
min-height: 200px;
}
.BodyStyles {
margin: 0;
padding: 0;
width: 100%;
height: 80px;
display: table;
}
.active .BodyStyles {
/* background-color:rgb(236, 248, 255) */
}
.activated a:not(.active) {
background: rgba(255, 255, 255, 0.0);
}
.PageGuide {
width: auto;
margin: 5px;
border:1px solid #DCE1E6;
background:white;
min-height:80px;
overflow: hidden;
clear: both;
position: relative;
display: flex;
flex-grow: 1;
flex-basis: 260px;
transition: height 0.2s,width 0.2s,min-width 0.2s,max-width 0.2s,margin 0.2s,box-shadow 0.2s,border-color 0.2s;
box-shadow: 0 1px 2px rgba(0,0,0,0.15);
}
.PageGuide2 {
width: auto;
border:1px solid #e1e6eb;
background:white;
min-height:80px;
margin: 5px;
overflow: hidden;
clear: both;
position: relative;
display: flex;
transition: height 0.2s,width 0.2s,min-width 0.2s,max-width 0.2s,margin 0.2s,box-shadow 0.2s,border-color 0.2s;
box-shadow: 0 1px 2px rgba(0,0,0,0.15);
}
.PageGuide:hover,.PageGuide2:hover {
box-shadow: 0 1px 2px rgba(0,0,0,0.15);
background-color:rgb(236, 248, 255);
text-decoration:none;
}
#ListOfPageGuidesFirstEntry .PageGuide:hover {
box-shadow: 0 4px 8px rgba(0,0,0,0.4);
text-decoration:none;
}
.PageGuide h2,.PageGuide2 h2 {
line-height: 20px;
color:#006eaa !important;
}
.HeadingStyles a:link {
text-decoration: none;
}
.PageGuideImg {
font-size: 75px;
color: rgb(92, 192, 92);
display: inline-block;
width: 80px;
flex: 0 0 auto;
vertical-align: middle;
height: 0.6575em;
display:none;
}
.PageGuideDescription {
display: table-cell;
text-align: center;
vertical-align: middle;
height: 100%;
}
#PageGuideDrilldown ul,.PageGuideDescription ul, .tooltip ul {
list-style-position: outside;
}
.tooltip ul {
list-style-position: outside;
margin: 10px 0 10px 10px;
}
.tooltip {
font-weight:normal !important;
}
.tooltip .tooltip-inner{
text-align: left;
width:220px;
max-width:220px;
}
#PageGuideDrilldown {
display: flex;
flex-direction: row;
flex-wrap: nowrap;
justify-content: space-around;
margin-top: 50px;
}
#PageGuideDrillDownTitle {
display:none;
}
#PageGuideContent {
background: white;
min-height: 400px;
padding: 5px;
margin: 5px;
display:none;
}
.DrillDownBox {
display:none;
flex-grow: 1;
flex-basis: 260px;
width: auto;
overflow: hidden;
clear: both;
position: relative;
}
.ContentBox {
display:none;
padding: 0 10px 0 10px;
}
#DemoModeSwitch {
text-align: right;
}
.UseCase {
display: inline-block;
width: 480px;
height: 225px;
border: solid gray 1px;
/*margin: 15px;*/
overflow: hidden;
clear: both;
position: relative;
}
.UseCase h2 {
line-height: 20px;
}
.UseCaseImg {
width: 150px;
height: 150px;
top: 0px;
position: absolute;
float: left;
vertical-align: top;
margin-top: 15px;
margin-right: 10px;
line-height: 150px;
text-align: center;
}
.UseCaseDescription {
/*display: block;*/
position: absolute;
left: 145px;
top: 0;
width: 320px;
height: 225px;
overflow: hidden;
}
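Review bot: The `.PageGuideImg` rule declares `display: inline-block;` and then `display:none;` a few lines later, so the first declaration is dead and `width`, `flex` and `vertical-align` in that rule never take effect; keep only the declaration that is meant to win, or add a comment that the image is hidden here and only shown inside `#ListOfPageGuidesFirstEntry`. `.active .BodyStyles` is an empty rule containing only a commented-out declaration and can be dropped. `#ListOfPageGuides` sets `display:none` next to flex properties that only apply if something later switches it to `display:flex`, presumably a script; a one-line comment naming that would save the next reader a search.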

@ -0,0 +1 @@
This is where you put any scripts you want to add to this app.

@ -0,0 +1,20 @@
#
# Splunk app configuration file
#
[install]
is_configured = 0
build = 1000
[package]
id = splunk_wineventcode_secanalysis
check_for_updates = true
[ui]
is_visible = 1
label = Windows Event Code Security Analysis
[launcher]
author = James Brodsky
description = Various analytics to help you decide what Windows Event Codes you should collect for security purposes
version = 1.5.1

@ -0,0 +1,22 @@
<nav search_view="search">
<view name="start" default='true' />
<collection label="Table Analysis">
<view name="recommended_events_table_dma" />
<view name="other_events_table_dma" />
</collection>
<collection label="Treemap Analysis">
<view name="recommended_events_treemap_dma" />
<view name="other_events_treemap_dma" />
</collection>
<collection label="Individual Analyzers">
<view name="individual_event_code_analysis" />
<view name="individual_host_analysis" />
</collection>
<collection label="Raw Data Analyzers (deprecated)">
<view name="recommended_events_table" />
<view name="recommended_events_treemap" />
<view name="other_events_table" />
<view name="other_events_treemap" />
</collection>
<view name="search" />
</nav>
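Review bot: `default='true'` on the start view is the only single-quoted attribute in this file while every other attribute uses double quotes; `<view name="start" default="true" />` keeps the quoting consistent. The "(deprecated)" suffix in the last collection label is the only record that the raw-data views are superseded; if they are kept, a comment above that collection pointing at the `_dma` views as the replacements would make the intent explicit.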

@ -0,0 +1 @@
Add all the views that your app needs in this directory

@ -0,0 +1,61 @@
<dashboard version="1.1">
<label>All Lookups</label>
<row>
<panel>
<title>WindowsLogonTypes.csv</title>
<table>
<search>
<query>|inputlookup WindowsLogonTypes</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>logon_failure_lookup.csv</title>
<table>
<search>
<query>| inputlookup logon_failure_lookup</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>WindowsEventCodes.csv</title>
<table>
<search>
<query>|inputlookup WindowsEventCodes</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</dashboard>
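Review bot: The panel titles name `.csv` files (`WindowsLogonTypes.csv`, `logon_failure_lookup.csv`, `WindowsEventCodes.csv`) while the queries reference lookup definitions by a different name (`inputlookup WindowsLogonTypes`, `inputlookup logon_failure_lookup`, `inputlookup WindowsEventCodes`); if the definitions do not map one-to-one onto those files the titles mislead, so either title the panels after the lookup definition or confirm the mapping in a comment. The `-24h@h`/`now` time range on a pure `inputlookup` search has no effect and could be dropped from all three panels to avoid suggesting the tables are time-bounded.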

@ -0,0 +1,27 @@
<form version="1.1">
<label>ATT&amp;CK Details</label>
<fieldset submitButton="false">
<input type="text" token="EventCode" searchWhenChanged="true">
<label>Event Code</label>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>|inputlookup WindowsEventCodes | search EventCode=$EventCode$ | fields - ec_guidance_cim_tagged | rex mode=sed field="ATT&amp;CK_Technique" "s/\|/\n/g" | rex mode=sed field="ATT&amp;CK_Tactic" "s/\|/\n/g" | table EventCode,"Event Log",EventDescription,ATT&amp;CK_* | rename EventCode as "Event Code",EventDescription as "Event Description"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
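Review bot: `search EventCode=$EventCode$` in the table query inserts the free-text input verbatim into the SPL, so any value that is not a bare event code alters the search expression instead of being matched as a literal; Simple XML's string filter, `search EventCode=$EventCode|s$`, quotes and escapes the token so it is always treated as a value. The search runs with the viewing user's own permissions, so this is a robustness issue for a shared dashboard rather than a privilege boundary, but the quoted form is the intended one for text inputs. The same unquoted pattern appears with `$ec_token$` in the Individual Event Code Analysis form and `$selectedhost$` in the Individual Host Analysis form.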

@ -0,0 +1,215 @@
<form version="1.1">
<label>Individual Event Code Analysis</label>
<search id="baseSearch">
<query>
($index_token$) (sourcetype=$sourcetype_sel$) EventCode=$ec_token$
</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" token="source_token">
<label>Sources</label>
<fieldForLabel>source</fieldForLabel>
<fieldForValue>source</fieldForValue>
<search>
<query>| metadata type=sources index=* |stats count by source | search (source=WinEventLog* OR source=XmlWinEvent*)</query>
<earliest>0</earliest>
<latest></latest>
</search>
<valuePrefix>source="</valuePrefix>
<delimiter> OR </delimiter>
<valueSuffix>"</valueSuffix>
<choice value="*">ALL</choice>
<default>*</default>
</input>
<input type="multiselect" token="index_token">
<label>Indexes</label>
<valuePrefix>index=</valuePrefix>
<delimiter> OR </delimiter>
<fieldForLabel>index</fieldForLabel>
<fieldForValue>index</fieldForValue>
<search>
<query>| tstats values(sourcetype) where index=* group by index | table index</query>
<earliest>0</earliest>
<latest></latest>
</search>
<choice value="select">Select or provide wildcard</choice>
<default>select</default>
</input>
<input type="text" token="indexwc_token">
<label>Index Wildcard</label>
<prefix>index=</prefix>
<default>wildcard_pattern</default>
</input>
<input type="text" token="ec_token">
<label>Event Code</label>
<default>4688</default>
</input>
<input type="radio" token="sourcetype_sel" searchWhenChanged="true">
<label>Sourcetype</label>
<choice value="wineventlog*">wineventlog</choice>
<choice value="xmlwineventlog*">xmlwineventlog</choice>
<choice value="*eventlog*">wineventlog AND xmlwineventlog</choice>
<default>wineventlog*</default>
<initialValue>wineventlog*</initialValue>
</input>
</fieldset>
<row>
<panel>
<chart>
<search base="baseSearch">
<query>| timechart count by host</query>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">all</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<link target="_blank">search?q=($index_token$)%20(sourcetype=$sourcetype_sel$)%20host=$click.name2$%20EventCode=$ec_token$&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<single>
<search base="baseSearch">
<query>| stats dc(host) as hosts</query>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">HOSTS WITH THIS EVENT CODE</option>
</single>
</panel>
<panel>
<single>
<search>
<query>|inputlookup WindowsEventCodes | search EventCode=$ec_token$ | eval cim=if(ec_guidance_cim_tagged=1,"YES","NO") | table cim</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">TAGGED SOMEWHERE IN CIM?</option>
</single>
</panel>
<panel>
<single>
<search base="baseSearch">
<query>| eval rawlen=len(_raw) | stats sum(rawlen) as bytes| eval MB=bytes/1024/1024 | fields MB</query>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">MB SEEN FROM THIS EVENT IN TIME SELECTED</option>
</single>
</panel>
<panel>
<single>
<search base="baseSearch">
<query>|eval rawlen=len(_raw) | stats sum(rawlen) as bytes,dc(host) as totalhosts| eval MB=bytes/1024/1024| eval perhost=MB/totalhosts | fields perhost</query>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">AVG MB SEEN PER HOST IN TIME SELECTED</option>
</single>
</panel>
<panel>
<single>
<search>
<query>|inputlookup WindowsEventCodes | search EventCode=$ec_token$ | rename ATT&amp;CK as AT | eval ATTACK=if(AT=1,"YES","NO") | table ATTACK</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">MITRE ATT&amp;CK FRAMEWORK?</option>
</single>
</panel>
<panel>
<single>
<search>
<query>|inputlookup WindowsEventCodes | search EventCode=$ec_token$ | rename duplicate_possible as ISDUPE | eval ISDUPERESPONSE=if(ISDUPE=1,"YES","NO") | table ISDUPERESPONSE</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">POSSIBLE DUPLICATE?</option>
</single>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>|inputlookup WindowsEventCodes | search EventCode=$ec_token$ | fields - ec_guidance_cim_tagged |addtotals ec_guidance* | table EventCode,"Event Log",EventDescription,Total | sort -Total | rename Total as "Number of Recommendations",EventCode as "Event Code",EventDescription as "Event Description"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<table>
<search base="baseSearch">
<query>| stats dc(host) as "Number of Hosts",count as "Number of Events",values(source) as source values(index) as indexes by sourcetype</query>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>|inputlookup WindowsEventCodes | search EventCode=$ec_token$ | fields ec_*| fields - ec_guidance_cim_tagged,ec_guidance_other | addcoltotals ec_* | tail 1| rename ec_guidance_asd as "ASD",ec_guidance_fortuna as "Andrea Fortuna",ec_guidance_gough as "Michael Gough",ec_guidance_lombardi as "Mike Lombardi",ec_guidance_ms as Microsoft, ec_guidance_jpcert as "JP-CERT",ec_guidance_huntersforge_ossem as "Hunters Forge OSSEM", ec_guidance_nsa as NSA,ec_guidance_sans_forensics as "SANS Forensics Guidance",ec_guidance_uba as "Splunk UBA",ec_guidance_gsaml as "Golden SAML" |transpose |rename column as Authority| rename "row 1" as "Recommend" | eval "Recommends?"=if(Recommend==1,"YES","NO") | fields - Recommend</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="Recommends?">
<colorPalette type="map">{"NO":#AF575A,"YES":#53A051}</colorPalette>
</format>
</table>
</panel>
</row>
</form>
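Review bot: The `source_token` and `indexwc_token` inputs are collected by the fieldset but no `<query>` in this form references them — the base search filters only on `$index_token$`, `$sourcetype_sel$` and `$ec_token$` — so the Sources multiselect and the Index Wildcard box have no effect, and picking the "Select or provide wildcard" entry turns the index filter into `index=select`. Either wire them into the base search or remove them so the form does not advertise filters it ignores; the Individual Host Analysis form has the same two unused inputs. The chart drilldown builds a `search?q=` URL from raw tokens; `$ec_token|u$` and `$click.name2|u$` would URL-encode the values so a host name or code containing reserved characters does not break the link.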

@ -0,0 +1,139 @@
<form version="1.1">
<label>Individual Host Analysis</label>
<search id="baseSearch">
<query>
($index_token$) (sourcetype=$sourcetype_sel$) host=$selectedhost$ EventCode&gt;0| fields *
</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" token="source_token">
<label>Sources</label>
<fieldForLabel>source</fieldForLabel>
<fieldForValue>source</fieldForValue>
<search>
<query>| metadata type=sources index=* |stats count by source | search (source=WinEventLog* OR source=XmlWinEvent*)</query>
<earliest>0</earliest>
<latest></latest>
</search>
<valuePrefix>source="</valuePrefix>
<delimiter> OR </delimiter>
<valueSuffix>"</valueSuffix>
<choice value="*">ALL</choice>
<default>*</default>
</input>
<input type="multiselect" token="index_token">
<label>Indexes</label>
<valuePrefix>index=</valuePrefix>
<delimiter> OR </delimiter>
<fieldForLabel>index</fieldForLabel>
<fieldForValue>index</fieldForValue>
<search>
<query>| tstats values(sourcetype) where index=* group by index | table index</query>
<earliest>0</earliest>
<latest></latest>
</search>
<choice value="select">Select or provide wildcard</choice>
<default>select</default>
</input>
<input type="text" token="indexwc_token">
<label>Index Wildcard</label>
<prefix>index=</prefix>
<default>wildcard_pattern</default>
</input>
<input type="text" token="selectedhost">
<label>Host</label>
<default>*</default>
</input>
<input type="radio" token="sourcetype_sel" searchWhenChanged="true">
<label>Sourcetype</label>
<choice value="wineventlog*">wineventlog</choice>
<choice value="xmlwineventlog*">xmlwineventlog</choice>
<default>xmlwineventlog*</default>
<initialValue>xmlwineventlog*</initialValue>
</input>
</fieldset>
<row>
<panel>
<chart>
<search base="baseSearch">
<query>| timechart count by EventCode usenull=f</query>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<link target="_blank">search?q=($index_token$)%20(sourcetype=$sourcetype_sel$)%20host=$selectedhost$%20EventCode=$click.name2$&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<table>
<search base="baseSearch">
<query>| eval rawlen=len(_raw)| lookup WindowsEventCodes EventCode | stats sum(rawlen) as bytes,values(ec_guidance*) as ec_guidance*, count, values(sourcetype) as sourcetype, values(EventDescription) as EventDescription by EventCode | fields - ec_guidance_cim_tagged | addtotals ec_guidance* as totec | eval MB=bytes/1024/1024 | fields - bytes,ec_guidance* | eval "Recommended?"=if(Total&gt;0,"YES","NO") | fields - Total | sort - MB</query>
</search>
<option name="count">10</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="number" field="MB"></format>
<format type="color" field="Recommended?">
<colorPalette type="map">{"YES":#53A051,"NO":#DC4E41}</colorPalette>
</format>
<drilldown>
<link target="_blank">/app/splunk_wineventcode_secanalysis/individual_event_code_analysis?form.ec_token=$click.value2$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<single>
<search base="baseSearch">
<query> | stats dc(EventCode) as EventCode</query>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="underLabel">DIFFERENT EVENT CODES SEEN IN TIME SELECTED</option>
</single>
</panel>
<panel>
<single>
<search base="baseSearch">
<query> | eval rawlen=len(_raw) | stats sum(rawlen) as bytes| eval MB=bytes/1024/1024 | fields MB</query>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">MB SEEN FROM THIS HOST IN TIME SELECTED</option>
</single>
</panel>
</row>
<row>
<panel>
<table>
<search base="baseSearch">
<query>| stats count as "Number of Events",values(source) as source values(index) as indexes by sourcetype</query>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
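Review bot: In the per-event-code table query, `addtotals ec_guidance* as totec` does not rename the total as far as I can tell — `addtotals` takes `fieldname=<field>` rather than `as`, so `as` and `totec` are read as entries in the field list and the sum still lands in `Total`, which is what the following `eval "Recommended?"=if(Total>0,...)` and `fields - Total` depend on. Replace it with `addtotals ec_guidance*`, or with `addtotals fieldname=totec ec_guidance*` and use `totec` downstream, so the command and its consumers agree. The sourcetype radio here lacks the combined `*eventlog*` choice offered by the Individual Event Code Analysis form and defaults to `xmlwineventlog*` rather than `wineventlog*`; if that is deliberate, a comment on the input would stop it being "fixed" later.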

@ -0,0 +1,305 @@
<form hideFilters="true" version="1.1">
<label>Lookup Overview</label>
<description>Select one or more Authorities using the filter</description>
<fieldset submitButton="false">
<input type="multiselect" token="authority_token" searchWhenChanged="true">
<label>Authority</label>
<choice value="ec_guidance_fortuna=1">Andrea Fortuna</choice>
<choice value="ec_guidance_asd=1">ASD</choice>
<choice value="ec_guidance_huntersforge_ossem=1">Huntersforge OSSEM</choice>
<choice value="ec_guidance_jpcert=1">JP-CERT</choice>
<choice value="ec_guidance_gough=1">Michael Gough</choice>
<choice value="ec_guidance_ms=1">Microsoft AD</choice>
<choice value="ec_guidance_lombardi=1">Mike Lombardi</choice>
<choice value="ec_guidance_nsa=1">NSA</choice>
<choice value="ec_guidance_sans_forensics=1">SANS Forensic</choice>
<choice value="ec_guidance_uba=1">Splunk UBA</choice>
<choice value="ec_guidance_gsaml=1">Golden SAML</choice>
<choice value="ec_guidance_jscu=1">JSCU-NL</choice>
<choice value="ec_guidance_mdecrevoisier=1">Michel de CREVOISIER</choice>
<choice value="ec_guidance_other=1">Other</choice>
<delimiter> OR </delimiter>
<change>
<eval token="numselected">mvcount(split($authority_token$,"OR"))</eval>
</change>
<initialValue>ec_guidance_ms=1,ec_guidance_gough=1,ec_guidance_sans_forensics=1,ec_guidance_fortuna=1,ec_guidance_lombardi=1,ec_guidance_nsa=1,ec_guidance_huntersforge_ossem=1,ec_guidance_jpcert=1,ec_guidance_jscu=1,ec_guidance_mdecrevoisier=1,ec_guidance_other=1</initialValue>
<default>ec_guidance_gough=1</default>
</input>
</fieldset>
<row>
<panel>
<html tokens="true">
<h3>
<b>Current Filter: $numselected$ Authorities</b>
</h3>
<p>
$authority_token$
</p>
</html>
</panel>
</row>
<row>
<panel>
<title>Number of Event Codes Total in Lookup</title>
<single>
<search>
<query>|inputlookup WindowsEventCodes | stats count</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="underLabel">EVENT CODES IN LOOKUP</option>
<option name="useColors">0</option>
</single>
</panel>
<panel>
<title>Number of Event Codes Selected ($numselected$ selected)</title>
<single>
<search>
<query>|inputlookup WindowsEventCodes | search ec_guidance*=0 OR ($authority_token$) | stats count</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">EVENT CODES SELECTED</option>
<option name="useColors">0</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Top 10 Event Log Sources ($numselected$ selected)</title>
<table>
<search>
<query>|inputlookup WindowsEventCodes |search ec_guidance*=0 OR ($authority_token$)| top "Event Log"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
<html>This table displays, for the current selected authorities, what event codes are recommended from those authorities and what event sources they come from.</html>
</panel>
<panel>
<title>Codes Ranked by Weight ($numselected$ selected)</title>
<table>
<search>
<query>|inputlookup WindowsEventCodes | search ec_guidance*=0 OR ($authority_token$)| fields - ec_guidance_cim_tagged |addtotals ec_guidance* | table EventCode,"Event Log",EventDescription,Total | sort -Total | rename EventCode as "Event Code",EventDescription as "Event Description"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">/app/splunk_wineventcode_secanalysis/individual_event_code_analysis?form.ec_token=$click.value2$</link>
</drilldown>
</table>
<html>This table displays, for the current selected authorities, what event codes are recommended from those authorities and how many sources (in total) suggest that event code should be collected.</html>
</panel>
<panel>
<title>Codes Ranked by ATT&amp;CK Technique Quantity ($numselected$ selected)</title>
<table>
<search>
<query>|inputlookup WindowsEventCodes | search ec_guidance*=0 OR ($authority_token$) | fields - ec_guidance_cim_tagged | rename "ATT&amp;CK_Technique" as "attack_technique" "ATT&amp;CK_Tactic" as "attack_tactic" |addtotals ec_guidance* | eval atech_count=mvcount(split(attack_technique,"|")) | eval atac_count=mvcount(split(attack_tactic,"|")) | table EventCode,"Event Log",EventDescription,atech_count | sort -atech_count | rename EventCode as "Event Code",EventDescription as "Event Description",atech_count as "Technique Count"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">/app/splunk_wineventcode_secanalysis/attck_details?form.EventCode=$click.value2$</link>
</drilldown>
</table>
<html>This table displays, for the current selected authorities, how many MITRE ATT&amp;CK techniques are supported by each event code. Drill down on the event code to see details of the techniques and tactics (according to de CREVOISIER mapping.)</html>
</panel>
</row>
<row>
<panel>
<title>Security/System/Application Breakdown ($numselected$ selected)</title>
<chart>
<search>
<query>|inputlookup WindowsEventCodes | search ec_guidance*=0 OR ($authority_token$) |search ("Event Log"="System" OR "Event Log"="Application" OR "Event Log"="Security") | stats count by "Event Log"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
<panel>
<title>Count of Codes by Authority ($numselected$ selected)</title>
<table>
<search>
<query>|inputlookup WindowsEventCodes |search ec_guidance*=0 OR ($authority_token$)| fields ec_*| fields - ec_guidance_cim_tagged,ec_guidance_other | addcoltotals ec_* | tail 1| rename ec_guidance_asd as "ASD",ec_guidance_fortuna as "Andrea Fortuna",ec_guidance_jpcert as "JP-CERT",ec_guidance_gough as "Michael Gough",ec_guidance_lombardi as "Mike Lombardi",ec_guidance_ms as "Microsoft AD", ec_guidance_nsa as NSA,ec_guidance_huntersforge_ossem as "Hunters Forge",ec_guidance_sans_forensics as "SANS Forensics Guidance", ec_guidance_uba as "Splunk UBA", ec_guidance_gsaml as "Golden SAML", ec_guidance_jscu as "JSCU-NL",ec_guidance_mdecrevoisier as "Michel de CREVOISIER" |transpose |rename column as Category| sort - "row 1" | rename "row 1" as "Total EventCodes" | lookup recommenders_lookup.csv Category | search Category !=ec_guidance*</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">$click.value2|n$</link>
</drilldown>
</table>
<html>This table displays, for the current selected authorities, what overlap exists with other authorities. In otherwords "for my currently selected authorities, what other authorities recommend how many of the same event codes?</html>
</panel>
</row>
<row>
<panel>
<html>
<h3>
<a href="https://docs.google.com/spreadsheets/d/1ow7YRDEDJs67kcKMZZ66_5z1ipJry9QrsDQkjQvizJM/edit#gid=0">Huntersforge Google Sheet with ATT&amp;CK Mapping</a>
</h3>
</html>
</panel>
</row>
<row>
<panel>
<title>Huntersforge OSSEM ATT&amp;CK Mapping from above sheet ($numselected$ selected)</title>
<table>
<search>
<query>|inputlookup WindowsEventCodes |search ec_guidance*=0 OR ($authority_token$) | search ATT&amp;CK=1 | fields - ec_guidance_cim_tagged | stats values(EventDescription) as "Event Description", values("Event Log") as "Event Log" values(ec_guidance*) as ec_guidance* by EventCode | addtotals ec_guidance* | rename ec_guidance_asd as "ASD",ec_guidance_fortuna as "Andrea Fortuna",ec_guidance_gough as "Michael Gough",ec_guidance_lombardi as "Mike Lombardi",ec_guidance_ms as Microsoft, ec_guidance_nsa as NSA,ec_guidance_sans_forensics as "SANS Forensics Guidance",ec_guidance_jpcert as "JP-CERT", ec_guidance_huntersforge_ossem as "Hunters Forge OSSEM",ec_guidance_other as "OTHER",ec_guidance_uba as "Splunk UBA",ec_guidance_gsaml as "Golden SAML",ec_guidance_jscu as "JSCU-NL",ec_guidance_mdecrevoisier as "Michel de CREVOISIER" | sort - Total</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="number" field="Total">
<option name="precision">0</option>
</format>
<format type="color" field="Total">
<colorPalette type="minMidMax" maxColor="#006D9C" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
<format type="color" field="ASD">
<colorPalette type="minMidMax" maxColor="#006D9C" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
<format type="color" field="Andrea Fortuna">
<colorPalette type="minMidMax" maxColor="#006D9C" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
<format type="color" field="Michael Gough">
<colorPalette type="minMidMax" maxColor="#006D9C" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
<format type="color" field="Microsoft">
<colorPalette type="minMidMax" maxColor="#006D9C" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
<format type="color" field="Mike Lombardi">
<colorPalette type="minMidMax" maxColor="#006D9C" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
<format type="color" field="NSA">
<colorPalette type="minMidMax" maxColor="#006D9C" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
<format type="color" field="Hunters Forge OSSEM">
<colorPalette type="minMidMax" maxColor="#006D9C" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
<format type="color" field="JP-CERT">
<colorPalette type="minMidMax" maxColor="#006D9C" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
<format type="color" field="OTHER">
<colorPalette type="minMidMax" maxColor="#006D9C" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
<format type="color" field="SANS Forensics Guidance">
<colorPalette type="minMidMax" maxColor="#006D9C" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
<format type="color" field="Splunk UBA">
<colorPalette type="minMidMax" maxColor="#006D9C" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
<format type="color" field="Golden SAML">
<colorPalette type="minMidMax" maxColor="#006D9C" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
<format type="color" field="JSCU-NL">
<colorPalette type="minMidMax" maxColor="#006D9C" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
<format type="color" field="Michel de CREVOISIER">
<colorPalette type="minMidMax" maxColor="#006D9C" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
</table>
<html>This table displays, for the current selected authorities, what MITRE ATT&amp;CK mappings exist for that event code (according to Huntersforge OSSEM mapping.)</html>
</panel>
</row>
</form>

@ -0,0 +1,76 @@
<form version="1.1">
<label>Other Events Table</label>
<description>Which events exist in my data that are NOT recommended by any authorities?</description>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="minhost_token" searchWhenChanged="true">
<label>At Least This Many Hosts</label>
<default>1</default>
</input>
<input type="multiselect" token="source_token">
<label>Sources</label>
<fieldForLabel>source</fieldForLabel>
<fieldForValue>source</fieldForValue>
<search>
<query>| metadata type=sources index=* |stats count by source | search (source=WinEventLog* OR source=XmlWinEvent*)</query>
<earliest>0</earliest>
<latest></latest>
</search>
<valuePrefix>source="</valuePrefix>
<delimiter> OR </delimiter>
<valueSuffix>"</valueSuffix>
<choice value="*">ALL</choice>
</input>
<input type="multiselect" token="index_token">
<label>Indexes</label>
<valuePrefix>index=</valuePrefix>
<delimiter> OR </delimiter>
<fieldForLabel>index</fieldForLabel>
<fieldForValue>index</fieldForValue>
<search>
<query>| tstats values(sourcetype) where index=* group by index | table index</query>
<earliest>0</earliest>
<latest></latest>
</search>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>($index_token$) (sourcetype=wineventlog*) ($source_token$)
| stats dc(host) as NumHosts, values(source) as Source by EventCode
| inputlookup append=t WindowsEventCodes
| stats values(*) as * by EventCode
| addtotals ec_*
| rename Total as "NumRecommenders"
| fillnull value="0" NumHosts,NumRecommenders
| fillnull value="Not in Data" Source
| fillnull value="Not in Lookup"
| fields - ec*
| sort - NumHosts
| search ((NumRecommenders=0 AND NumHosts&gt;=$minhost_token$))</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">/app/splunk_wineventcode_secanalysis/individual_event_code_analysis?form.ec_token=$click.value2$</link>
</drilldown>
</table>
</panel>
</row>
</form>
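Review bot: The table panel's base search filters on `(sourcetype=wineventlog*)`, which does not match the XmlWinEventLog sourcetype even though the Sources input in the same fieldset offers `XmlWinEvent*` sources; the sibling non-DM dashboards in this commit filter with `(source=WinEventLog* OR source=XmlWinEvent*)` instead, and using that form here would keep the four consistent. Separately, `<option name="drilldown">cell</option>` together with `form.ec_token=$click.value2$` in the `<link>` sends whatever cell was clicked as the event code, so a click on the NumHosts or Source column opens the detail dashboard with a value that is not an event code; `$row.EventCode$` in the link, or a `<condition field="EventCode">` wrapper around it, pins the drilldown to the EventCode column. The same drilldown pattern appears in the other three table dashboards in this commit.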

@ -0,0 +1,83 @@
<form version="1.1">
<label>Other Events Table</label>
<description>Which events exist in my data that are NOT recommended by any authorities? (Uses Event Signatures DM)</description>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>0</earliest>
<latest></latest>
</default>
</input>
<input type="text" token="minhost_token" searchWhenChanged="true">
<label>At Least This Many Hosts</label>
<default>1</default>
</input>
<input type="multiselect" token="source_token">
<label>Sources</label>
<fieldForLabel>source</fieldForLabel>
<fieldForValue>source</fieldForValue>
<search>
<query>| metadata type=sources index=* |stats count by source | search (source=WinEventLog* OR source=XmlWinEvent*)</query>
<earliest>0</earliest>
<latest></latest>
</search>
<valuePrefix>source="</valuePrefix>
<delimiter> OR </delimiter>
<valueSuffix>"</valueSuffix>
<choice value="*">ALL</choice>
</input>
<input type="multiselect" token="index_token">
<label>Indexes</label>
<valuePrefix>index=</valuePrefix>
<delimiter> OR </delimiter>
<fieldForLabel>index</fieldForLabel>
<fieldForValue>index</fieldForValue>
<search>
<query>| tstats values(sourcetype) where index=* group by index | table index</query>
<earliest>0</earliest>
<latest></latest>
</search>
<choice value="select">Select or provide wildcard</choice>
<default>select</default>
</input>
<input type="text" token="indexwc_token">
<label>Index Wildcard</label>
<prefix>index=</prefix>
<default>wildcard_pattern</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>|tstats summariesonly=true dc(host) as NumHosts values(source) as Source count from datamodel=Event_Signatures where (($index_token$ OR $indexwc_token$) AND ($source_token$)) by Signatures.signature_id | rename Signatures.signature_id as EventCode
| inputlookup append=t WindowsEventCodes
| stats values(*) as * by EventCode
| addtotals ec_*
| rename Total as "NumRecommenders"
| fillnull value="0" NumHosts,NumRecommenders
| fillnull value="Not in Data" Source
| fillnull value="Not in Lookup"
| fields - ec*
| sort - NumHosts
| search ((NumRecommenders=0 AND NumHosts&gt;=$minhost_token$))</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">/app/splunk_wineventcode_secanalysis/individual_event_code_analysis?form.ec_token=$click.value2$</link>
</drilldown>
</table>
</panel>
</row>
</form>
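Review bot: With the defaults shipped in this fieldset the tstats `where` clause expands to `(index=select OR index=wildcard_pattern)`, because both `<default>select</default>` on the Indexes input and `<default>wildcard_pattern</default>` on the Index Wildcard input receive the `index=` prefix, so the panel stays empty until the user changes both inputs unless an index with one of those literal names exists. A `<choice value="*">ALL</choice>` on the Indexes input, as the Sources input already has, would give a working default. The query also uses `summariesonly=true`, which returns only accelerated data; saying so in the description, e.g. `<description>... (Uses the Event Signatures DM; requires data model acceleration because the search is summariesonly)</description>`, would spare users an unexplained empty table.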

@ -0,0 +1,78 @@
<form version="1.1">
<label>Other Events Treemap</label>
<description>Which events are not recommended for security, but we are collecting them anyway?</description>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="minhost_token" searchWhenChanged="true">
<label>At Least This Many Hosts</label>
<default>1</default>
</input>
<input type="multiselect" token="source_token">
<label>Sources</label>
<fieldForLabel>source</fieldForLabel>
<fieldForValue>source</fieldForValue>
<search>
<query>| metadata type=sources index=* |stats count by source | search (source=WinEventLog* OR source=XmlWinEvent*)</query>
<earliest>0</earliest>
<latest></latest>
</search>
<valuePrefix>source="</valuePrefix>
<delimiter> OR </delimiter>
<valueSuffix>"</valueSuffix>
<choice value="*">ALL</choice>
</input>
<input type="multiselect" token="index_token">
<label>Indexes</label>
<valuePrefix>index=</valuePrefix>
<delimiter> OR </delimiter>
<fieldForLabel>index</fieldForLabel>
<fieldForValue>index</fieldForValue>
<search>
<query>| tstats values(sourcetype) where index=* group by index | table index</query>
<earliest>0</earliest>
<latest></latest>
</search>
</input>
</fieldset>
<row>
<panel>
<viz type="treemap_app.treemap">
<search>
<query>($index_token$) (source=WinEventLog* OR source=XmlWinEvent*) ($source_token$)
| stats dc(host) as NumHosts, values(source) as Source,count by EventCode
| inputlookup append=t WindowsEventCodes
| stats values(*) as * by EventCode
| addtotals ec_*
| rename Total as "NumRecommenders"
| fillnull value="0" NumHosts,NumRecommenders
| fillnull value="Not in Lookup"
| fields - ec*
| sort - NumHosts
| rename Source as Level1, EventCode as Level2, count as eventcount
| search ((NumRecommenders=0) AND (NumHosts&gt;=$minhost_token$))
| table Level1,Level2,eventcount</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="refresh.display">progressbar</option>
<option name="treemap_app.treemap.colorMode">categorical</option>
<option name="treemap_app.treemap.maxCategories">500</option>
<option name="treemap_app.treemap.maxColor">#3fc77a</option>
<option name="treemap_app.treemap.minColor">#d93f3c</option>
<option name="treemap_app.treemap.numOfBins">6</option>
<option name="treemap_app.treemap.showLabels">true</option>
<option name="treemap_app.treemap.showLegend">false</option>
<option name="treemap_app.treemap.showTooltip">true</option>
<option name="treemap_app.treemap.useColors">true</option>
<option name="treemap_app.treemap.useZoom">true</option>
</viz>
</panel>
</row>
</form>
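Review bot: The treemap search omits the `| fillnull value="Not in Data" Source` step that the table variant of this dashboard has, so the catch-all `| fillnull value="Not in Lookup"` that follows also fills the Source and count fields of event codes that are in the lookup but absent from the data; as far as I can tell from the pipeline order, those rows would surface as a "Not in Lookup" Level1 bucket with a non-numeric eventcount whenever At Least This Many Hosts is set to 0. Adding `| fillnull value="Not in Data" Source` before the catch-all, as the table dashboard does, keeps the two consistent.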

@ -0,0 +1,84 @@
<form version="1.1">
<label>Other Events Treemap</label>
<description>Which events are not recommended for security, but we are collecting them anyway? (Uses Event Signatures DM)</description>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>0</earliest>
<latest></latest>
</default>
</input>
<input type="text" token="minhost_token" searchWhenChanged="true">
<label>At Least This Many Hosts</label>
<default>1</default>
</input>
<input type="multiselect" token="source_token">
<label>Sources</label>
<fieldForLabel>source</fieldForLabel>
<fieldForValue>source</fieldForValue>
<search>
<query>| metadata type=sources index=* |stats count by source | search (source=WinEventLog* OR source=XmlWinEvent*)</query>
<earliest>0</earliest>
<latest></latest>
</search>
<valuePrefix>source="</valuePrefix>
<delimiter> OR </delimiter>
<valueSuffix>"</valueSuffix>
<choice value="*">ALL</choice>
</input>
<input type="multiselect" token="index_token">
<label>Indexes</label>
<valuePrefix>index=</valuePrefix>
<delimiter> OR </delimiter>
<fieldForLabel>index</fieldForLabel>
<fieldForValue>index</fieldForValue>
<search>
<query>| tstats values(sourcetype) where index=* group by index | table index</query>
<earliest>0</earliest>
<latest></latest>
</search>
<choice value="select">Select or provide wildcard</choice>
<default>select</default>
</input>
<input type="text" token="indexwc_token">
<label>Index Wildcard</label>
<prefix>index=</prefix>
<default>wildcard_pattern</default>
</input>
</fieldset>
<row>
<panel>
<viz type="treemap_app.treemap">
<search>
<query>|tstats summariesonly=true dc(host) as NumHosts values(source) as Source count from datamodel=Event_Signatures where ($index_token$ AND ($source_token$)) by Signatures.signature_id | rename Signatures.signature_id as EventCode
| inputlookup append=t WindowsEventCodes
| stats values(*) as * by EventCode
| addtotals ec_*
| rename Total as "NumRecommenders"
| fillnull value="0" NumHosts,NumRecommenders
| fillnull value="Not in Lookup"
| fields - ec*
| sort - NumHosts
| rename Source as Level1, EventCode as Level2, count as eventcount
| search ((NumRecommenders=0) AND (NumHosts&gt;=$minhost_token$))
| table Level1,Level2,eventcount</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="refresh.display">progressbar</option>
<option name="treemap_app.treemap.colorMode">categorical</option>
<option name="treemap_app.treemap.maxCategories">500</option>
<option name="treemap_app.treemap.maxColor">#3fc77a</option>
<option name="treemap_app.treemap.minColor">#d93f3c</option>
<option name="treemap_app.treemap.numOfBins">6</option>
<option name="treemap_app.treemap.showLabels">true</option>
<option name="treemap_app.treemap.showLegend">false</option>
<option name="treemap_app.treemap.showTooltip">true</option>
<option name="treemap_app.treemap.useColors">true</option>
<option name="treemap_app.treemap.useZoom">true</option>
</viz>
</panel>
</row>
</form>
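Review bot: The tstats `where` clause reads `($index_token$ AND ($source_token$))` and never references `$indexwc_token$`, so the Index Wildcard input declared in this fieldset has no effect on the dashboard, and with the `select` default the search is restricted to a literal `index=select`. The three other DM dashboards in this commit use `(($index_token$ OR $indexwc_token$) AND ($source_token$))`; the same clause here would make the input functional and the four dashboards consistent.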

@ -0,0 +1,82 @@
<form version="1.1">
<label>Recommended Events Table</label>
<description>Which events exist in my data that are recommended by various authorities to collect?</description>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="minrec_token" searchWhenChanged="true">
<label>At Least This Many Authorities</label>
<default>3</default>
</input>
<input type="text" token="minhost_token" searchWhenChanged="true">
<label>At Least This Many Hosts</label>
<default>1</default>
</input>
<input type="multiselect" token="source_token">
<label>Sources</label>
<fieldForLabel>source</fieldForLabel>
<fieldForValue>source</fieldForValue>
<search>
<query>| metadata type=sources index=* |stats count by source | search (source=WinEventLog* OR source=XmlWinEvent*)</query>
<earliest>0</earliest>
<latest></latest>
</search>
<valuePrefix>source="</valuePrefix>
<delimiter> OR </delimiter>
<valueSuffix>"</valueSuffix>
<choice value="*">ALL</choice>
</input>
<input type="multiselect" token="index_token">
<label>Indexes</label>
<valuePrefix>index=</valuePrefix>
<delimiter> OR </delimiter>
<fieldForLabel>index</fieldForLabel>
<fieldForValue>index</fieldForValue>
<search>
<query>| tstats values(sourcetype) where index=* group by index | table index</query>
<earliest>0</earliest>
<latest></latest>
</search>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>($index_token$) (source=WinEventLog* OR source=XmlWinEvent*) ($source_token$)
| stats dc(host) as NumHosts, values(source) as Source by EventCode
| inputlookup append=t WindowsEventCodes
| stats values(*) as * by EventCode
| addtotals ec_*
| eval Total=Total-1
| rename Total as "NumRecommenders"
| fillnull value="0" NumHosts,NumRecommenders
| fillnull value="Not in Data" Source
| fillnull value="Not in Lookup"
| fields - ec*
| sort - NumHosts
| search ((NumRecommenders&gt;$minrec_token$) AND (NumHosts&gt;=$minhost_token$))</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">/app/splunk_wineventcode_secanalysis/individual_event_code_analysis?form.ec_token=$click.value2$</link>
</drilldown>
</table>
</panel>
</row>
</form>
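Review bot: The input label reads "At Least This Many Authorities" but the filter is `NumRecommenders&gt;$minrec_token$`, a strict comparison, so with the default of 3 only event codes with four or more recommenders are listed; `NumRecommenders&gt;=$minrec_token$` matches the label and the `&gt;=` already used for NumHosts on the same line. The preceding `| eval Total=Total-1` is undocumented — it appears to discount one non-authority `ec_*` column that `addtotals ec_*` sums (the lookup header carries ec_guidance_cim_tagged and ec_guidance_other alongside the authority columns), but the Other Events dashboards apply no such adjustment, so their NumRecommenders and this dashboard's are on different scales; a sentence in the `<description>` on what the -1 compensates for would help the next maintainer. The same operator and eval appear in the Recommended Events DM table and in both Recommended Events treemaps.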

@ -0,0 +1,87 @@
<form version="1.1">
<label>Recommended Events Table</label>
<description>Which events exist in my data that are recommended by various authorities to collect? (Uses Event Signatures DM)</description>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>0</earliest>
<latest></latest>
</default>
</input>
<input type="text" token="minrec_token" searchWhenChanged="true">
<label>At Least This Many Authorities</label>
<default>3</default>
</input>
<input type="text" token="minhost_token" searchWhenChanged="true">
<label>At Least This Many Hosts</label>
<default>1</default>
</input>
<input type="multiselect" token="source_token">
<label>Sources</label>
<fieldForLabel>source</fieldForLabel>
<fieldForValue>source</fieldForValue>
<search>
<query>| metadata type=sources index=* |stats count by source | search (source=WinEventLog* OR source=XmlWinEvent*)</query>
<earliest>0</earliest>
<latest></latest>
</search>
<valuePrefix>source="</valuePrefix>
<delimiter> OR </delimiter>
<valueSuffix>"</valueSuffix>
</input>
<input type="multiselect" token="index_token">
<label>Indexes</label>
<valuePrefix>index=</valuePrefix>
<delimiter> OR </delimiter>
<fieldForLabel>index</fieldForLabel>
<fieldForValue>index</fieldForValue>
<search>
<query>| tstats values(sourcetype) where index=* group by index | table index</query>
<earliest>0</earliest>
<latest></latest>
</search>
<choice value="select">Select or provide wildcard</choice>
<default>select</default>
</input>
<input type="text" token="indexwc_token">
<label>Index Wildcard</label>
<prefix>index=</prefix>
<default>wildcard_pattern</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>|tstats summariesonly=true dc(host) as NumHosts values(source) as Source count from datamodel=Event_Signatures where (($index_token$ OR $indexwc_token$) AND ($source_token$)) by Signatures.signature_id | rename Signatures.signature_id as EventCode
| inputlookup append=t WindowsEventCodes
| stats values(*) as * by EventCode
| addtotals ec_*
| eval Total=Total-1
| rename Total as "NumRecommenders"
| fillnull value="0" NumHosts,NumRecommenders
| fillnull value="Not in Data" Source
| fillnull value="Not in Lookup"
| fields - ec*
| sort - NumHosts
| search ((NumRecommenders&gt;$minrec_token$) AND (NumHosts&gt;=$minhost_token$))</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">/app/splunk_wineventcode_secanalysis/individual_event_code_analysis?form.ec_token=$click.value2$</link>
</drilldown>
</table>
</panel>
</row>
</form>
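Review bot: The Sources multiselect in this fieldset has neither a `<choice value="*">ALL</choice>` nor a `<default>`, unlike every other dashboard in this commit, so `$source_token$` is unset on load and the panel's search does not run until the user picks a source. Adding `<choice value="*">ALL</choice>` after the `<valueSuffix>` line, as the sibling dashboards do, restores the default behaviour and the consistency.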

@ -0,0 +1,87 @@
<form version="1.1">
<label>Recommended Events Treemap</label>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="minrec_token" searchWhenChanged="true">
<label>At Least This Many Recommenders</label>
<default>3</default>
</input>
<input type="text" token="minhost_token" searchWhenChanged="true">
<label>At Least This Many Hosts</label>
<default>1</default>
</input>
<input type="multiselect" token="source_token">
<label>Sources</label>
<fieldForLabel>source</fieldForLabel>
<fieldForValue>source</fieldForValue>
<search>
<query>| metadata type=sources index=* |stats count by source | search (source=WinEventLog* OR source=XmlWinEvent*)</query>
<earliest>0</earliest>
<latest></latest>
</search>
<valuePrefix>source="</valuePrefix>
<delimiter> OR </delimiter>
<valueSuffix>"</valueSuffix>
<choice value="*">ALL</choice>
</input>
<input type="multiselect" token="index_token">
<label>Indexes</label>
<valuePrefix>index=</valuePrefix>
<delimiter> OR </delimiter>
<fieldForLabel>index</fieldForLabel>
<fieldForValue>index</fieldForValue>
<search>
<query>| tstats values(sourcetype) where index=* group by index | table index</query>
<earliest>0</earliest>
<latest></latest>
</search>
</input>
<input type="radio" token="viz_option" searchWhenChanged="true">
<label>Visualization Option</label>
<choice value="table Level1,Level2,NumHosts,eventcount">By Hosts</choice>
<choice value="table Level1,Level2,NumRecommenders,eventcount">By Recommenders</choice>
</input>
</fieldset>
<row>
<panel>
<viz type="treemap_app.treemap">
<search>
<query>($index_token$) (source=WinEventLog* OR source=XmlWinEvent*) ($source_token$)
| stats dc(host) as NumHosts, values(source) as Source,count by EventCode
| inputlookup append=t WindowsEventCodes
| stats values(*) as * by EventCode
| addtotals ec_*
| eval Total=Total-1
| rename Total as "NumRecommenders"
| fillnull value="0" NumHosts,NumRecommenders
| fillnull value="Not in Lookup"
| fields - ec*
| sort - NumHosts
| rename Source as Level1, EventCode as Level2, count as eventcount
| search ((NumRecommenders&gt;$minrec_token$) AND (NumHosts&gt;=$minhost_token$))
| $viz_option$</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="refresh.display">progressbar</option>
<option name="treemap_app.treemap.colorMode">categorical</option>
<option name="treemap_app.treemap.maxCategories">500</option>
<option name="treemap_app.treemap.maxColor">#3fc77a</option>
<option name="treemap_app.treemap.minColor">#d93f3c</option>
<option name="treemap_app.treemap.numOfBins">6</option>
<option name="treemap_app.treemap.showLabels">true</option>
<option name="treemap_app.treemap.showLegend">false</option>
<option name="treemap_app.treemap.showTooltip">true</option>
<option name="treemap_app.treemap.useColors">true</option>
<option name="treemap_app.treemap.useZoom">true</option>
</viz>
</panel>
</row>
</form>
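Review bot: The `viz_option` radio input has no `<default>`, so `$viz_option$` — spliced in as the final `| $viz_option$` command of the treemap search — is unset on load and the visualization stays empty until a choice is clicked; the landing page works around this by passing `form.viz_option` in its link. `<default>table Level1,Level2,NumHosts,eventcount</default>` inside the input fixes it, and since the token is interpolated as a raw SPL command, keeping it a radio with fixed choices rather than a free-text input is the right design. This is also the only dashboard in the commit without a `<description>`. The same missing default applies to the Recommended Events Treemap (DM) form.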

@ -0,0 +1,94 @@
<form version="1.1">
<label>Recommended Events Treemap</label>
<description>Which events exist in my data that are recommended by various authorities to collect? (Uses Event Signatures DM)</description>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>0</earliest>
<latest></latest>
</default>
</input>
<input type="text" token="minrec_token" searchWhenChanged="true">
<label>At Least This Many Recommenders</label>
<default>3</default>
</input>
<input type="text" token="minhost_token" searchWhenChanged="true">
<label>At Least This Many Hosts</label>
<default>1</default>
</input>
<input type="multiselect" token="source_token">
<label>Sources</label>
<fieldForLabel>source</fieldForLabel>
<fieldForValue>source</fieldForValue>
<search>
<query>| metadata type=sources index=* |stats count by source | search (source=WinEventLog* OR source=XmlWinEvent*)</query>
<earliest>0</earliest>
<latest></latest>
</search>
<valuePrefix>source="</valuePrefix>
<delimiter> OR </delimiter>
<valueSuffix>"</valueSuffix>
<choice value="*">ALL</choice>
</input>
<input type="multiselect" token="index_token">
<label>Indexes</label>
<valuePrefix>index=</valuePrefix>
<delimiter> OR </delimiter>
<fieldForLabel>index</fieldForLabel>
<fieldForValue>index</fieldForValue>
<search>
<query>| tstats values(sourcetype) where index=* group by index | table index</query>
<earliest>0</earliest>
<latest></latest>
</search>
<choice value="select">Select or provide wildcard</choice>
<default>select</default>
</input>
<input type="text" token="indexwc_token">
<label>Index Wildcard</label>
<prefix>index=</prefix>
<default>wildcard_pattern</default>
</input>
<input type="radio" token="viz_option" searchWhenChanged="true">
<label>Visualization Option</label>
<choice value="table Level1,Level2,NumHosts,eventcount">By Hosts</choice>
<choice value="table Level1,Level2,NumRecommenders,eventcount">By Recommenders</choice>
</input>
</fieldset>
<row>
<panel>
<viz type="treemap_app.treemap">
<search>
<query>|tstats summariesonly=true dc(host) as NumHosts values(source) as Source count from datamodel=Event_Signatures where (($index_token$ OR $indexwc_token$) AND ($source_token$)) by Signatures.signature_id | rename Signatures.signature_id as EventCode
| inputlookup append=t WindowsEventCodes
| stats values(*) as * by EventCode
| addtotals ec_*
| eval Total=Total-1
| rename Total as "NumRecommenders"
| fillnull value="0" NumHosts,NumRecommenders
| fillnull value="Not in Lookup"
| fields - ec*
| sort - NumHosts
| rename Source as Level1, EventCode as Level2, count as eventcount
| search ((NumRecommenders&gt;$minrec_token$) AND (NumHosts&gt;=$minhost_token$))
| $viz_option$</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="refresh.display">progressbar</option>
<option name="treemap_app.treemap.colorMode">categorical</option>
<option name="treemap_app.treemap.maxCategories">500</option>
<option name="treemap_app.treemap.maxColor">#3fc77a</option>
<option name="treemap_app.treemap.minColor">#d93f3c</option>
<option name="treemap_app.treemap.numOfBins">6</option>
<option name="treemap_app.treemap.showLabels">true</option>
<option name="treemap_app.treemap.showLegend">false</option>
<option name="treemap_app.treemap.showTooltip">true</option>
<option name="treemap_app.treemap.useColors">true</option>
<option name="treemap_app.treemap.useZoom">true</option>
</viz>
</panel>
</row>
</form>

@ -0,0 +1,203 @@
<dashboard version="1.1">
<label>Windows Event Code Security Analysis</label>
<row>
<panel>
<html>
<style>
#ListOfPageGuidesFirstEntry{
text-size-adjust: 100%;
font-family: Splunk Platform Sans,Proxima Nova,Roboto,Droid,Helvetica Neue,Helvetica,Arial,sans-serif;
font-size: 14px;
font-weight: 400;
line-height: 20px;
color: #3c444d;
display: flex;
}
.CardStyles {
text-size-adjust: 100%;
font-family: Splunk Platform Sans,Proxima Nova,Roboto,Droid,Helvetica Neue,Helvetica,Arial,sans-serif;
font-size: 14px;
font-weight: 400;
line-height: 20px;
text-decoration: none;
cursor: pointer;
color: #006eaa;
flex-grow: 1;
flex-basis: 260px;
transition: height 0.2s,width 0.2s,min-width 0.2s,max-width 0.2s,margin 0.2s,box-shadow 0.2s,border-color 0.2s;
box-shadow: 0 1px 2px rgba(0,0,0,0.15);
width: 318px;
margin: 5px;
border: 1px solid #e1e6eb;
background: white;
min-height: 200px;
overflow: hidden;
clear: both;
position: relative;
display: inline-block;
}
.BodyStyles {
text-size-adjust: 100%;
font-family: Splunk Platform Sans,Proxima Nova,Roboto,Droid,Helvetica Neue,Helvetica,Arial,sans-serif;
font-size: 14px;
font-weight: 400;
line-height: 20px;
cursor: pointer;
color: #3c444d;
margin: 0;
padding: 0;
width: 100%;
height: 80px;
display: table;
}
.PageGuideImg {
text-size-adjust: 100%;
font-family: Splunk Platform Sans,Proxima Nova,Roboto,Droid,Helvetica Neue,Helvetica,Arial,sans-serif;
font-weight: 400;
line-height: 20px;
cursor: pointer;
font-size: 50px;
margin-left: 10px;
color: rgb(92, 192, 92);
display: inline-block;
width: 60px;
text-align: center;
flex: 0 0 auto;
vertical-align: super;
height: 0.6575em;
}
.PageGuideDescription {
text-size-adjust: 100%;
font-family: Splunk Platform Sans,Proxima Nova,Roboto,Droid,Helvetica Neue,Helvetica,Arial,sans-serif;
font-size: 14px;
font-weight: 400;
line-height: 20px;
cursor: pointer;
color: #3c444d;
height: 100%;
display: inline-block;
width: 70%;
vertical-align: middle;
margin-left: 20px;
text-align: left;
min-height: 200px;
}
.HeadingStyles {
text-size-adjust: 100%;
cursor: pointer;
text-align: left;
font-family: inherit;
text-transform: none;
text-rendering: optimizelegibility;
font-size: 16px;
margin: 10px 0;
font-weight: bolder !important;
line-height: 20px;
color: #3c444d !important;
}
.ParagraphStyles {
text-size-adjust: 100%;
font-family: Splunk Platform Sans,Proxima Nova,Roboto,Droid,Helvetica Neue,Helvetica,Arial,sans-serif;
font-size: 14px;
font-weight: 400;
line-height: 20px;
cursor: pointer;
text-align: left;
margin: 0 0 10px;
color: #3c444d;
padding: 0;
}
</style>
<div id="ListOfPageGuidesFirstEntry">
<a href="../splunk_wineventcode_secanalysis/lookup_overview?form.authority_token=ec_guidance_ms%3D1&amp;form.authority_token=ec_guidance_gough%3D1&amp;form.authority_token=ec_guidance_sans_forensics%3D1&amp;form.authority_token=ec_guidance_nsa%3D1&amp;hideFilters=false" class="PageGuide CardStyles" title="">
<div class="BodyStyles">
<div class="PageGuideImg">
<i class="icon-list"/>
</div>
<div class="PageGuideDescription" data-id="content">
<h2 class="HeadingStyles">Lookup Overview</h2>
<p class="ParagraphStyles">
<ul>
<li>View summarized recommendations from Authorities</li>
<li>Analyze all details in the lookup via filters</li>
<li>Drill to details in your data</li>
</ul>
</p>
</div>
</div>
</a>
<a href="../splunk_wineventcode_secanalysis/recommended_events_table_dma?form.field1.earliest=1564617600&amp;form.field1.latest=1567296000&amp;form.minrec_token=3&amp;form.minhost_token=1&amp;form.source_token=WinEventLog%3ASecurity&amp;form.index_token=main" class="PageGuide CardStyles">
<div class="BodyStyles">
<div class="PageGuideImg">
<i class="icon-table"/>
</div>
<div class="PageGuideDescription" data-id="education">
<h2 class="HeadingStyles">Table Analysis</h2>
<p class="ParagraphStyles">
<ul>
<li>View your event code data in tables</li>
<li>Filter on various Authorities</li>
<li>Select Indexes and Sourcetypes</li>
<li>Drill to details for each event code</li>
</ul>
</p>
</div>
</div>
</a>
<a href="../splunk_wineventcode_secanalysis/individual_host_analysis?form.field1.earliest=1564617600&amp;form.field1.latest=1567296000&amp;form.minrec_token=3&amp;form.minhost_token=1&amp;form.source_token=WinEventLog%3ASecurity&amp;form.index_token=main" class="PageGuide CardStyles">
<div class="BodyStyles">
<div class="PageGuideImg">
<i class="icon-list"/>
</div>
<div class="PageGuideDescription" data-id="education">
<h2 class="HeadingStyles">Host Analysis</h2>
<p class="ParagraphStyles">
<ul>
<li>View event code details for a single host</li>
<li>Select Indexes and Sourcetypes</li>
<li>Drill to details for each event code</li>
</ul>
</p>
</div>
</div>
</a>
<a href="../splunk_wineventcode_secanalysis/recommended_events_treemap_dma?form.field1.earliest=1564617600&amp;form.field1.latest=1567296000&amp;form.minrec_token=3&amp;form.minhost_token=1&amp;form.source_token=WinEventLog%3ASecurity&amp;form.index_token=main&amp;form.viz_option=table%20Level1%2CLevel2%2CNumHosts%2Ceventcount" class="PageGuide CardStyles lastSelected">
<div class="BodyStyles">
<div class="PageGuideImg">
<i class="icon-bar-stacked-100"/>
</div>
<div class="PageGuideDescription" data-id="productionalize">
<h2 class="HeadingStyles">Treemap Analysis</h2>
<p class="ParagraphStyles">
<ul>
<li>Visualize recommended events in a treemap</li>
<li>Select Indexes and Sourcetypes</li>
<li>View by # of Recommending Sources</li>
</ul>
</p>
</div>
</div>
</a>
</div>
</html>
</panel>
</row>
<row>
<panel>
<html>
<h2>
<b>About This App</b>
</h2>
<p>
This app allows a Splunk admin or security analyst to make better decisions about which Windows Event Codes are most important for traditional security use cases such as security investigation, incident response, and advanced threat hunting. Recommendations from 13 different security researchers/organizations/sources have been included in the app via a lookup table, encompassing <b>592</b> different events, most of which are from the Windows Security event log. (7 events are included but have no authority mapping.) Start with the Lookup Overview above to get a feel for the event codes and recommendations, and drill down on any event codes to see the details of that event code in your Splunk instance. You may also interact with your Windows Event Code data in a tabular (Table Analysis) and graphical (Treemap Analysis) format. Finally, you can pick individual hosts and see which Event Codes are being collected from that host, and compare those codes against recommendations and ingest levels.
</p>
<p>The most recently added guidance to this app is some MITRE ATT&amp;CK mapping from security researcher Michel de CREVOISIER <a href="https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack">found here</a>. As of December 2022 these mappings were added, as well as expanding the ATT&amp;CK mapping from Hunters to include Michel's work. You may drill down from a panel on the Lookup Overview to see the Techniques and Tactics that de CREVOISIER mapped to the event code chosen.</p>
<p>As of June 2020 (v1.2) this app requires that you install and configure <a href="https://splunkbase.splunk.com/app/1621/">CIM 4.14+</a> so that the Event Signatures datamodel can be used. Note that <a href="https://splunkbase.splunk.com/app/742/">Windows TA 8.0+</a> provides support for this datamodel.</p>
</html>
</panel>
</row>
</dashboard>
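Review bot: The three analysis cards hard-code `form.field1.earliest=1564617600&amp;form.field1.latest=1567296000`, a fixed absolute window, so users clicking through always land on that one historical range and see no data unless their indexes hold events from it; the target forms carry their own defaults, so dropping the two time parameters (or using relative values such as `form.field1.earliest=-24h%40h&amp;form.field1.latest=now`) would let each dashboard open on a sensible window. The same links pin `form.index_token=main` and `form.source_token=WinEventLog%3ASecurity`, which need not exist in a given deployment. Separately, each `<ul>` is wrapped in `<p class="ParagraphStyles">`, which is well-formed XML but not valid HTML (block content inside a paragraph), so browsers close the `<p>` early and the paragraph styling is lost.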

@ -0,0 +1,11 @@
[WinEventLog]
[source::WinEventLog:Security]
LOOKUP-AUTOLOOKUP-wineventcode = WindowsEventCodes EventCode OUTPUTNEW
LOOKUP-AUTOLOOKUP-WindowsLogonTypes = WindowsLogonTypes Logon_Type OUTPUTNEW
[XmlWinEventLog]
[source::XmlWinEventLog:Security]
LOOKUP-AUTOLOOKUP-wineventcode-xml = WindowsEventCodes EventCode OUTPUTNEW
LOOKUP-AUTOLOOKUP-WindowsLogonTypes-xml = WindowsLogonTypes Logon_Type OUTPUTNEW
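Review bot: The automatic lookups are bound only to the `source::WinEventLog:Security` and `source::XmlWinEventLog:Security` stanzas, while WindowsEventCodes.csv also catalogues codes from the System, Sysmon, PowerShell, Defender and other channels, so events from those channels will not be auto-enriched at search time and the dashboards presumably rely on an explicit `| lookup` for them. Either state that scoping with a comment above the stanzas, `# Auto-lookups are deliberately limited to the Security channel; other channels are enriched explicitly in searches`, or add matching `source::` stanzas for the other channels if enrichment everywhere is intended. The bare `[WinEventLog]` and `[XmlWinEventLog]` stanzas carry no settings and can be dropped. It is also worth confirming that the Windows TA exposes `Logon_Type` (rather than `LogonType`) on XmlWinEventLog:Security events, since the second XML lookup keys on that field name.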

@ -0,0 +1,17 @@
[default]
[WindowsEventCodes]
case_sensitive_match = 1
batch_index_query = 0
filename = WindowsEventCodes.csv
[WindowsLogonTypes]
case_sensitive_match = 1
batch_index_query = 0
filename = WindowsLogonTypes.csv
[logon_failure_lookup]
filename = logon_failure_lookup.csv
[recommenders_lookup]
filename = recommenders_lookup.csv
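Review bot: The `[default]` stanza at the top of this file is empty and therefore sets nothing; if it was meant to hold the `case_sensitive_match = 1` and `batch_index_query = 0` settings that the `WindowsEventCodes` and `WindowsLogonTypes` definitions each repeat, moving them there would also apply them to `logon_failure_lookup` and `recommenders_lookup`, which may or may not be intended — otherwise drop it. The latter two definitions give only `filename`, so the two pairs of lookups are configured differently in a way the file does not explain; a one-line comment per definition, e.g. `# EventCode lookup: exact match, no batch index query`, would make the intent reviewable.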

@ -0,0 +1,593 @@
ATT&CK,Category,Level,Event Log,EventCode,EventDescription,Subcategory,ec_guidance_cim_tagged,ec_guidance_fortuna,ec_guidance_gough,ec_guidance_ms,ec_guidance_nsa,ec_guidance_other,ec_guidance_lombardi,ec_guidance_huntersforge_ossem,ec_guidance_jpcert,ec_guidance_sans_forensics,ec_guidance_asd,ec_guidance_uba,ec_guidance_gsaml,ec_guidance_jscu,ec_guidance_mdecrevoisier,observed_volume,duplicate_possible,ATT&CK_Tactic,ATT&CK_Technique
1,System or Sysmon,Information,System or Sysmon,1,System Time Changed or Sysmon Process Start,System Integrity,0,0,0,0,1,0,0,0,1,0,0,0,0,1,1,In Development,1,TA0002-Execution|TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access,T1047-Windows Management Instrumentation|T1546-Image File Execution Options Injection|T1574-DLL side-loading|T1027-Obfuscated Files or Information|T1003-Credential dumping
1,System or Sysmon,Information,System or Sysmon,2,Update Packages Installed,Software and Service Installation,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,In Development,1,,
1,Sysmon,Information,Sysmon,3,Network connection,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,In Development,1,TA0002-Execution,T1047-Windows Management Instrumentation
0,Sysmon,Information,Sysmon,4,Sysmon service state changed,Sysmon,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,In Development,1,,
1,Sysmon,Information,Sysmon,5,Process Terminated,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,In Development,1,,
1,System or Sysmon,Information,System or Sysmon,6,New Kernel Filter Driver or Driver Loaded,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,1,,
1,Sysmon,Information,Sysmon,7,Image Loaded,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,In Development,1,TA0002-Execution,T1047-Windows Management Instrumentation
1,Sysmon,Information,Sysmon,8,Create Remote Thread,Sysmon,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,In Development,1,,
1,Sysmon,Information,Sysmon,9,Raw access read,Sysmon,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,In Development,1,,
1,Sysmon,Information,Sysmon,10,Process Access,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,In Development,1,TA0002-Execution|TA0006-Credential Access,T1047-Windows Management Instrumentation|T1003-Credential dumping
1,Microsoft-Windows-CAPI2/Operational,Information or Sysmon,Microsoft-Windows-CAPI2/Operational or Sysmon,11,Cert Trust Chain Build Failed or File Create,Microsoft Cryptography API,0,0,0,0,1,0,0,0,0,0,0,0,0,1,1,In Development,1,TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access,T1546-Image File Execution Options Injection|T1112-Modify registry|T1003-Credential dumping
1,System or Sysmon,Information,System or Sysmon,12,Windows Startup or Registry Object Create or Delete,Boot Events,0,0,0,0,1,0,0,0,0,0,0,0,0,1,1,In Development,1,TA0003-Persistence|TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access,T1547-Boot or Logon Autostart Execution|T1546-Image File Execution Options Injection|T1553- Subvert Trust Controls|T1003-Credential dumping
1,System or Sysmon,Information,System or Sysmon,13,Windows Shutdown or Registry Value Set,Boot Events,0,0,0,0,1,0,0,0,0,0,0,0,0,1,1,In Development,1,TA0003-Persistence|TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access|TA0009-Collection,T1543.003-Create or Modify System Process-Windows Service|T1546-Event Triggered Execution|T1546-Image File Execution Options Injection|T1112-Modify registry|T1553- Subvert Trust Controls|T1003-Credential dumping|T1125-Video capture
1,Sysmon,Information,Sysmon,14,Registry Key and Value Rename,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Sysmon,Information,Sysmon,15,File Create Stream Hash,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,In Development,1,,
1,Sysmon,Information,Sysmon,17,Pipe Event Created,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,In Development,1,,
1,System or Sysmon,Information,System or Sysmon,18,Windows Update Ready or Pipe Event Connected,Update,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,In Development,1,,
1,System or Sysmon,Information,System or Sysmon,19,Windows Update Installed or WmiEventFilter activity Detected,Update,1,0,1,0,1,0,0,0,0,0,0,0,0,1,1,In Development,1,TA0003-Persistence,T1546-Event Triggered Execution
1,Microsoft-Windows-WindowsUpdateClient/Operational or Sysmon,Error,Microsoft-Windows-WindowsUpdateClient/Operational or Sysmon,20,Windows Update Failed or WmiEventConsumer activity detected,Windows Update Errors,0,0,0,0,1,0,0,0,0,0,0,0,0,1,1,In Development,1,TA0003-Persistence,T1546-Event Triggered Execution
1,Sysmon,Information,Sysmon,21,WmiEventConsumerToFilter activity Detected,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,In Development,0,TA0003-Persistence,T1546-Event Triggered Execution
0,Sysmon,Information,Sysmon,22,DNS Event,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Sysmon,Information,Sysmon,23,File Delete,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Sysmon,Information,Sysmon,24,Clipboard Event,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Microsoft-Windows-WindowsUpdateClient/Operational,Error,Microsoft-Windows-WindowsUpdateClient/Operational,24,Windows Update Failed,Windows Update Errors,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,In Development,1,,
0,Microsoft-Windows-WindowsUpdateClient/Operational,Error,Application,25,Windows Update Failed,Windows Update Errors,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Microsoft-Windows-WindowsUpdateClient/Operational,Error,Microsoft-Windows-WindowsUpdateClient/Operational,31,Windows Update Failed,Windows Update Errors,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-WindowsUpdateClient/Operational,Error,Microsoft-Windows-WindowsUpdateClient/Operational,34,Windows Update Failed,Windows Update Errors,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-EventCollector,Information,Microsoft-Windows-EventCollector,42,EMET,EMET,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,In Development,0,,
0,Microsoft-Windows-USB-USBHUB3-Analytic,Information,Microsoft-Windows-USB-USBHUB3-Analytic,43,New Device Information,External Media Detection,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Microsoft-Windows-Bits-Client,Information,Microsoft-Windows-Bits-Client,60,Bits Client,Bits Client,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0003-Persistence,T1197-BITS jobs
1,Microsoft-Windows-CAPI2/Operational,Information,Microsoft-Windows-CAPI2/Operational,70,Private Key Accessed,Microsoft Cryptography API,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0006-Credential Access,T1552.004-Unsecured Credentials-Private Keys
0,Microsoft-Windows-Windows-Remote-Management-Operational,Information,Microsoft-Windows-Windows-Remote-Management-Operational,80,Processing of a request,,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows-Remote-Management-Operational,Information,Microsoft-Windows-Windows-Remote-Management-Operational,81,Sending the request for operation Get to destination host and port,,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-CAPI2/Operational,Information,Microsoft-Windows-CAPI2/Operational,90,X.509 Object,Microsoft Cryptography API,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Security,Information,System,104,The Application or System log was cleared,Clearing Event Logs,0,0,1,0,1,0,0,0,1,0,1,0,0,1,1,Low,1,TA0005-Defense Evasion,T1070.001-Clear Windows event logs
0,Microsoft-Windows-TaskScheduler/Operational,Information,Microsoft-Windows-TaskScheduler/Operational,106,New Task Registered,Task Scheduler Activities,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-TaskScheduler/Operational,Information,Microsoft-Windows-TaskScheduler/Operational,129,Created,Task Scheduler,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows-Remote-Management-Operational,Information,Microsoft-Windows-Windows-Remote-Management-Operational,132,WSMan operation Identify completed successfully,,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-TaskScheduler/Operational,Information,Microsoft-Windows-TaskScheduler/Operational,141,Deleted,Task Scheduler,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-TaskScheduler/Operational,Information,Microsoft-Windows-TaskScheduler/Operational,142,Task Disabled,Task Scheduler Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows-Remote-Management-Operational,Information,Microsoft-Windows-Windows-Remote-Management-Operational,143,Received the response from Network layer),,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows-Remote-Management-Operational,Information,Microsoft-Windows-Windows-Remote-Management-Operational,166,The chosen authentication mechanism is Negotiate,,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Powershell,Information,Powershell,169,Remote Connection,PowerShell Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-TaskScheduler/Operational,Information,Microsoft-Windows-TaskScheduler/Operational,200,Task Launched,Task Scheduler Activities,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,In Development,0,,
0,Microsoft-Windows-TaskScheduler/Operational,Information,Microsoft-Windows-TaskScheduler/Operational,201,The operation has been completed,Task Scheduler Activities,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,In Development,0,,
0,System,Warning,System,219,Failed Kernel Driver Loading,System Integrity,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Sysmon,Information,Sysmon,255,Sysmon Error,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Microsoft-Windows-DNSServer/Analytical,Information,Microsoft-Windows-DNSServer/Analytical,256,DNS Request/Response,DNS/Directory Services,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-DNSServer/Analytical,Information,Microsoft-Windows-DNSServer/Analytical,257,DNS Request/Response,DNS/Directory Services,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-LSA/Operational,Information,Microsoft-Windows-LSA/Operational,300,Group Assigned to new Session,Account Usage,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-ADFS/Audit,Informational,Microsoft-Windows-AD FS/Admin,307,The Federation Service configuration was changed,ADFS Audit,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,Low,1,,
1,Microsoft-Windows-Kernel-PnP/Device Configuration,Information,Microsoft-Windows-Kernel-PnP/Device Configuration,400,New Mass Storage Installation,External Media Detection,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1027-Obfuscated Files or Information
0,Microsoft-Windows-Kernel-PnP/Device Configuration,Information,Microsoft-Windows-Kernel-PnP/Device Configuration,410,New Mass Storage Installation,External Media Detection,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-ApplicationExperience-Program-Telemetry,Information,Microsoft-Windows-ApplicationExperience-Program-Telemetry,500,Compatibility fix applied,,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-ADFS/Audit,Informational,Microsoft-Windows-AD FS/Admin,510,Long Text,ADFS Audit,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,Low,0,,
0,Microsoft-Windows-EventCollector,Information,Security,521,Windows events can't forward to Security log,EventCollector,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,Low,0,,
1,Powershell,Information,Powershell,800,Get-MessageTrackingLog cmdlet,PowerShell Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,High,1,TA0002-Execution|TA0003-Persistence|TA0005-Defensive Evasion|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement|TA0040-Impact,T1059.001-PowerShell|T1197-BITS jobs|T1543.003-Create or Modify System Process-Windows Service|T1546-Event Triggered Execution|T1574-Hijack Execution Flow|T1027-Obfuscated Files or Information|T1070.001-Clear Windows event logs|T1112-Modify registry|T1562.001-Impair Defenses-Disable or Modify tool|T1562.004-Impair Defenses-Disable or Modify System Firewall|T1003-Credential dumping|T1016-System Network Configuration Discovery|T1069-Permission Groups Discovery|T1087-Account discovery|T1482-Domain Trust Discovery|T1021.003-Distributed Component Object Model (DCOM)|T1021.004-Remote Service SSH|T1490-Inhibit System Recovery
0,Application,Warning,Application,865,SRP Block,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Application,Warning,Application,866,SRP Block,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Application,Warning,Application,867,SRP Block,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Application,Warning,Application,868,SRP Block,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Application,Warning,Application,882,SRP Block,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Application-Experience/Program-Inventory,Information,Microsoft-Windows-Application-Experience/Program-Inventory,903,New Application Installation,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Application-Experience/Program-Inventory,Information,Microsoft-Windows-Application-Experience/Program-Inventory,904,New Application Installation,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Application-Experience/Program-Inventory,Information,Microsoft-Windows-Application-Experience/Program-Inventory,905,Updated Application,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Application-Experience/Program-Inventory,Information,Microsoft-Windows-Application-Experience/Program-Inventory,906,Updated Application,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Application-Experience/Program-Inventory,Information,Microsoft-Windows-Application-Experience/Program-Inventory,907,Removed Application,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Application-Experience/Program-Inventory,Information,Microsoft-Windows-Application-Experience/Program-Inventory,908,Removed Application,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1000,An antimalware scan started.,Windows Defender Activities,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1001,An antimalware scan finished.,Windows Defender Activities,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,In Development,1,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,1002,An antimalware scan was stopped before it finished.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,1005,An antimalware scan failed.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Warning,Microsoft-Windows-Windows Defender/Operational,1006,The antimalware engine found malware or other potentially unwanted software.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-CertificateServicesClient-Lifecycle/Operational,Informational,Microsoft-Windows-CertificateServicesClient-Lifecycle/Operational,1007,Certificate Exported,Certificate Services Activities,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,Low,1,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,1008,"The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.",Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1009,The antimalware platform restored an item from quarantine.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,1010,The antimalware platform could not restore an item from quarantine.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Application,Information,Application,1022,New MSI File Installed,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Application,Information,Application,1023,New MSI File Installed,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-TerminalServices-RDPClient/Operational,Information,Microsoft-Windows-TerminalServices-RDPClient/Operational,1024,Outbound TS Connect Attempt,Network Policy Server,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Application,Information,Application,1033,New MSI File Installed,Software and Service Installation,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Windows Installer,Information,Installer,1034,Windows Installer removed the product,Installer,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,User32,Warning,User32,1074,Shutdown Initiate Failed,Boot Events,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Security,Information,Security,1100,Event Log Service Shutdown,Clearing Event Logs,1,1,0,0,1,0,0,0,0,0,1,0,0,1,0,Low,0,,
0,Security,Error,Security,1101,Audit events have been dropped by the transport,Windows Audit,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Security,Information,Security,1102,The audit log was cleared,Clearing Event Logs,1,1,1,0,1,0,0,0,0,0,1,1,0,1,1,Low,0,TA0005-Defense Evasion,T1070.001-Clear Windows event logs
0,Security,Information,Security,1104,The security log is now full,Windows Audit,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Security,Information,Security,1105,Event log automatic backup,Windows Audit,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Security,Information,Security,1108,The event logging service encountered an error,Windows Audit,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Warning,Microsoft-Windows-Windows Defender/Operational,1116,Detected Malware,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1117,Malware Removed,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1118,Malware Removal Error,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,1119,Malware Removal Fatal Error,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1125,Event when Network protection fires in Audit-mode.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1126,Event when Network protection fires in Block-mode.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Microsoft-Windows-GroupPolicy,Error,System,1129,Group Policy Application Failed due to Connectivity,Group Policy Errors,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-ADFS/Audit,Informational,Microsoft-Windows-AD FS/Admin,1200,Application Token Success,ADFS Audit,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,High,0,,
0,Microsoft-Windows-ADFS/Audit,Informational,Microsoft-Windows-AD FS/Admin,1202,Fresh Credential Validation Success,ADFS Audit,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,High,0,,
0,Application,Error,Application,1511,Temp Profile Logon,Account Usage,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Application,Error,Application,1518,Create Profile Failed,Account Usage,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,2001,The antimalware definition update failed.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,2003,The antimalware engine update failed.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,1,,
0,Microsoft-Windows-Windows Defender/Operational,Warning,Microsoft-Windows-Windows Defender/Operational,2004,There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,1,,
0,Microsoft-Windows-Windows Firewall With Advanced Security/Firewall,Error,Microsoft-Windows-Windows Firewall With Advanced Security/Firewall,2009,Firewall Failed to load Group Policy,Windows Firewall,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Firewall With Advanced Security/Firewall,Information,Microsoft-Windows-Windows Firewall With Advanced Security/Firewall,2033,Firewall Rules Deleted,Windows Firewall,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-CodeIntegrity/Operational,"Warning, Error",Microsoft-Windows-CodeIntegrity/Operational,3001,Code Integrity Check,Kernel Driver Signing,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,3002,Real-Time Protection failed,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,1,,
0,Microsoft-Windows-CodeIntegrity/Operational,"Warning, Error",Microsoft-Windows-CodeIntegrity/Operational,3003,Code Integrity Check,Kernel Driver Signing,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-CodeIntegrity/Operational,"Warning, Error",Microsoft-Windows-CodeIntegrity/Operational,3004,Code Integrity Check,Kernel Driver Signing,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-DNS-Client/Operational,Information,Microsoft-Windows-DNS-Client/Operational,3008,DNS Query Complete,DNS/Directory Services,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Microsoft-Windows-CodeIntegrity/Operational,"Warning, Error",Microsoft-Windows-CodeIntegrity/Operational,3010,Code Integrity Check,Kernel Driver Signing,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-DNS-Client/Operational,Information,Microsoft-Windows-DNS-Client/Operational,3020,DNS Response Complete,DNS/Directory Services,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-CodeIntegrity/Operational,"Warning, Error",Microsoft-Windows-CodeIntegrity/Operational,3023,Code Integrity Check,Kernel Driver Signing,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Powershell,Information,Microsoft-Windows-Powershell/Operational,4100,System Error,Executing Pipeline,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Powershell,Information,Microsoft-Windows-Powershell/Operational,4101,Executing Pipeline,Powershell,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,High,0,,
0,Powershell,Information,Microsoft-Windows-Powershell/Operational,4102,Executing Pipeline,Powershell,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,High,0,,
1,Powershell,Information,Microsoft-Windows-Powershell/Operational,4103,Module Logging,Powershell,0,0,1,0,1,0,0,0,0,0,1,1,0,0,1,High,0,TA0002-Execution|TA0003-Persistence|TA0005-Defensive Evasion|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement|TA0040-Impact,T1059.001-PowerShell|T1197-BITS jobs|T1543.003-Create or Modify System Process-Windows Service|T1546-Event Triggered Execution|T1574-Hijack Execution Flow|T1027-Obfuscated Files or Information|T1070.001-Clear Windows event logs|T1112-Modify registry|T1562.001-Impair Defenses-Disable or Modify tool|T1562.004-Impair Defenses-Disable or Modify System Firewall|T1003-Credential dumping|T1016-System Network Configuration Discovery|T1069-Permission Groups Discovery|T1087-Account discovery|T1482-Domain Trust Discovery|T1021.003-Distributed Component Object Model (DCOM)|T1021.004-Remote Service SSH|T1490-Inhibit System Recovery
1,Powershell,Information,Microsoft-Windows-Powershell/Operational,4104,Script Block Logging,Powershell,0,0,1,0,1,0,1,0,0,0,1,1,0,1,1,In Development,0,TA0002-Execution|TA0003-Persistence|TA0005-Defensive Evasion|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement|TA0040-Impact,T1059.001-PowerShell|T1197-BITS jobs|T1543.003-Create or Modify System Process-Windows Service|T1546-Event Triggered Execution|T1574-Hijack Execution Flow|T1027-Obfuscated Files or Information|T1070.001-Clear Windows event logs|T1112-Modify registry|T1562.001-Impair Defenses-Disable or Modify tool|T1562.004-Impair Defenses-Disable or Modify System Firewall|T1003-Credential dumping|T1016-System Network Configuration Discovery|T1069-Permission Groups Discovery|T1087-Account discovery|T1482-Domain Trust Discovery|T1021.003-Distributed Component Object Model (DCOM)|T1021.004-Remote Service SSH|T1490-Inhibit System Recovery
0,Powershell,Information,Microsoft-Windows-Powershell/Operational,4105,Exception Raised,PowerShell Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Powershell,Information,Microsoft-Windows-Powershell/Operational,4106,Exception Raised,PowerShell Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,4608,Windows is starting up.,Security State Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,4609,Windows is shutting down.,Security State Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,4610,An authentication package has been loaded by the Local Security Authority.,Security System Extension,1,1,0,1,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,System,Information,System,4611,A trusted logon process has been registered with the Local Security Authority.,Security System Extension,1,1,0,1,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,System,Information,System,4612,"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.",System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,4614,A notification package has been loaded by the Security Account Manager.,Security System Extension,1,1,0,1,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,System,Information,System,4615,Invalid use of LPC port.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,System,Information,System,4616,The system time was changed.,Security State Change,0,1,0,1,0,0,0,0,0,0,0,0,0,1,1,In Development,0,TA0005-Defense Evasion,T1070.006-Timestomp
0,System,Information,System,4618,A monitored security event pattern has occurred.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,System,Information,System,4621,Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.,Security State Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,System,Information,System,4622,A security package has been loaded by the Local Security Authority.,Security System Extension,0,1,0,1,0,0,0,0,0,0,0,0,0,1,1,In Development,0,TA0003-Persistence,T1547-Boot or Logon Autostart Execution
1,Logon/Logoff,Information,Security,4624,An account was successfully logged on.,Logon,1,1,1,1,1,0,1,1,1,1,1,1,0,1,1,High,0,TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement,T1134-Access Token Manipulation|T1027-Obfuscated Files or Information|T1112-Modify registry|T1558-Steal or Forge Kerberos Tickets|T1046-Network Service Scanning|T1069-Permission Groups Discovery|T1087-Account discovery|T1550-Use Alternate Authentication Material
1,Logon/Logoff,Information,Security,4625,An account failed to log on.,Logon,1,1,1,1,1,0,1,1,0,1,1,1,0,1,1,Medium,1,TA0001-Initial Access|TA0006-Credential Access,T1078-Valid Accounts|T1110.xxx-Brut force
0,Logon/Logoff,Information,Security,4626,User/Device claims information.,Logon,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4627,Group membership information.,Group Membership,0,1,0,1,0,0,0,0,0,0,0,1,0,1,0,In Development,0,,
1,Logon/Logoff,Information,Security,4634,An account was logged off.,Logoff,1,1,0,1,1,0,1,0,1,0,1,1,0,1,1,High,0,TA0004-Privilege Escalation,
0,Logon/Logoff,Information,Security,4646,IKE DoS-Prevention mode started,IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4647,User initiated logoff,Logoff,1,1,0,1,0,0,0,0,0,1,0,0,0,1,0,In Development,0,,
1,Logon/Logoff,Information,Security,4648,A logon was attempted using explicit credentials.,Logon,1,1,1,1,1,0,0,1,1,0,1,0,0,1,1,In Development,0,TA0004-Privilege Escalation|TA0008-Lateral Movement,T1134-Access Token Manipulation|T1574-DLL side-loading|T1021.002-SMB Windows Admin Shares
0,Logon/Logoff,Information,Security,4649,A replay attack was detected.,Other Logon/Logoff Events,0,1,0,1,0,0,1,0,0,0,0,1,0,1,0,In Development,0,,
0,Logon/Logoff,Information,Security,4650,An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.,IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4651,An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.,IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4652,An IPsec Main Mode negotiation failed.,IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4653,An IPsec Main Mode negotiation failed.,IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4654,An IPsec Quick Mode negotiation failed.,IPsec Quick Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4655,An IPsec Main Mode security association ended.,IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,4656,A handle to an object was requested.,Handle Manipulation,1,1,1,1,0,0,0,1,1,0,0,0,0,0,1,In Development,0,TA0004-Privilege Escalation|TA0006-Credential Access|TA0008-Lateral Movement,T1546-Image File Execution Options Injection|T1003-Credential dumping|T1021.006-Windows Remote Management
1,Object Access,Information,Security,4657,A registry value was modified.,Registry,0,1,1,1,1,0,1,1,0,0,0,1,0,1,0,In Development,0,,
1,Object Access,Information,Security,4658,The handle to an object was closed.,Handle Manipulation,1,1,0,1,0,0,0,1,1,0,0,0,0,0,1,In Development,0,TA0006-Credential Access,T1003-Credential dumping
0,Object Access,Information,Security,4659,A handle to an object was requested with intent to delete.,SAM,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,4660,An object was deleted.,SAM,0,1,0,1,0,0,0,1,1,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,4661,A handle to an object was requested.,SAM,0,1,0,1,0,0,0,1,0,0,0,0,0,0,1,In Development,0,TA0006-Credential Access|TA0007-Discovery,T1003-Credential dumping|T1069-Permission Groups Discovery|T1201-Password Policy Discovery
1,DS Access,Information,Security,4662,An operation was performed on an object.,Directory Service Access,0,1,1,1,0,0,0,1,0,0,0,0,0,0,1,In Development,0,TA0003-Persistence|TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access|TA0007-Discovery,T1098.xxx-Account manipulation|T1484.001-Domain Policy Modification-Group Policy Modification|T1207-Rogue domain controller|T1003-Credential dumping|T1555-Credentials from Password Stores|T1069-Permission Groups Discovery|T1087-Account discovery
1,Object Access,Information,Security,4663,An attempt was made to access an object.,Kernel,0,1,1,1,0,0,0,1,1,0,0,0,0,1,1,High,0,TA0006-Credential Access,T1003-Credential dumping
1,Object Access,Information,Security,4664,An attempt was made to create a hard link.,File System,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4665,An attempt was made to create an application client context.,Application Generated,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4666,An application attempted an operation:,Application Generated,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4667,An application client context was deleted.,Application Generated,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4668,An application was initialized.,Application Generated,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Policy Change,Information,Security,4670,Permissions on an object were changed.,Subcategory (special),0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1112-Modify registry
0,Object Access,Information,Security,4671,An application attempted to access a blocked ordinal through the TBS.,Other Object Access Events,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Privilege Use,Information,Security,4672,Special privileges assigned to new logon.,Sensitive Privilege Use / Non Sensitive Privilege Use,1,0,1,1,1,0,0,0,1,0,0,0,0,1,0,High,0,,
1,Privilege Use,Information,Security,4673,A privileged service was called.,Sensitive Privilege Use / Non Sensitive Privilege Use,1,0,1,1,0,0,0,1,1,0,0,0,0,1,1,In Development,0,TA0004-Privilege Escalation,T1068-Exploitation for Privilege Escalation
1,Privilege Use,Information,Security,4674,An operation was attempted on a privileged object.,Sensitive Privilege Use / Non Sensitive Privilege Use,1,0,0,1,0,0,0,1,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion|TA0006-Credential Access|TA0008-Lateral Movement,T1027-Obfuscated Files or Information|T1112-Modify registry|T1003-Credential dumping|T1021.003-Distributed Component Object Model (DCOM)
0,Logon/Logoff,Information,Security,4675,SIDs were filtered.,Logon,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Detailed Tracking,Information,Security,4688,A new process has been created.,Process Creation,1,0,1,1,1,0,1,1,1,0,1,0,0,1,1,High,0,TA0002-Execution|TA0003-Persistence|TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement|TA0011-Command and Control|TA0040-Impact,T1047-Windows Management Instrumentation|T1053.005-Scheduled Task|T1059.001-PowerShell|T1059.003-Windows Command Shell|T1204-User execution|T1098.xxx-Account manipulation|T1136-Create account|T1197-BITS jobs|T1505.001-SQL Stored Procedures|T1543.003-Create or Modify System Process-Windows Service|T1546-Event Triggered Execution|T1574-Hijack Execution Flow|T1134-Access Token Manipulation|T1546-Image File Execution Options Injection|T1574-DLL side-loading|T1027-Obfuscated Files or Information|T1070.001-Clear Windows event logs|T1112-Modify registry|T1140-Deobfuscate-Decode Files or Information|T1562.001-Impair Defenses-Disable or Modify tool|T1562.002-Disable Windows Event Logging|T1564-Hide artifacts|T1003-Credential dumping|T1040-Traffic sniffing|T1016-System Network Configuration Discovery|T1069-Permission Groups Discovery|T1087-Account discovery|T1135.xxx-Network Share Discovery|T1201-Password Policy Discovery|T1021.001-Remote Desktop Protocol|T1021.002-SMB Windows Admin Shares|T1021.003-Distributed Component Object Model (DCOM)|T1572-Protocol tunneling|T1490-Inhibit System Recovery
1,Detailed Tracking,Information,Security,4689,A process has exited.,Process Termination,1,0,0,1,1,0,1,1,1,0,1,0,0,1,0,High,0,,
0,Object Access,Information,Security,4690,An attempt was made to duplicate a handle to an object.,Handle Manipulation,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4691,Indirect access to an object was requested.,Other Object Access Events,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Detailed Tracking,Information,Security,4692,Backup of data protection master key was attempted.,DPAPI Activity,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Detailed Tracking,Information,Security,4693,Recovery of data protection master key was attempted.,DPAPI Activity,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Detailed Tracking,Information,Security,4694,Protection of auditable protected data was attempted.,DPAPI Activity,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Detailed Tracking,Information,Security,4695,Unprotection of auditable protected data was attempted.,DPAPI Activity,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Detailed Tracking,Information,Security,4696,A primary token was assigned to process.,Process Creation,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,System,Information,Security,4697,A service was installed in the system.,Security System Extension,0,0,0,1,0,0,0,1,0,0,1,0,0,1,1,Low,0,TA0003-Persistence|TA0008-Lateral Movement,T1543.003-Create or Modify System Process-Windows Service|T1021.002-SMB Windows Admin Shares
1,Object Access,Information,Security,4698,A scheduled task was created.,Other Object Access Events,0,0,1,1,0,0,1,1,1,0,1,0,0,1,1,Low,0,TA0002-Execution,T1053.005-Scheduled Task
1,Object Access,Information,Security,4699,A scheduled task was deleted.,Other Object Access Events,0,0,0,1,0,0,0,1,0,0,1,0,0,1,1,Low,0,TA0002-Execution,T1053.005-Scheduled Task
1,Object Access,Information,Security,4700,A scheduled task was enabled.,Other Object Access Events,0,1,0,1,0,0,0,1,0,0,1,0,0,1,0,Low,0,,
1,Object Access,Information,Security,4701,A scheduled task was disabled.,Other Object Access Events,0,1,0,1,0,0,0,1,0,0,1,0,0,1,0,Low,0,,
1,Object Access,Information,Security,4702,A scheduled task was updated.,Other Object Access Events,0,1,1,1,0,0,0,1,0,0,1,0,0,1,0,Low,0,,
0,Policy Change,Information,Security,4703,A user right was adjusted.,Authorization Policy Change,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Policy Change,Information,Security,4704,A user right was assigned.,Authorization Policy Change,0,1,0,1,1,0,0,0,0,0,0,1,0,0,1,In Development,0,TA0004-Privilege Escalation,T1134-Access Token Manipulation
1,Policy Change,Information,Security,4705,A user right was removed.,Authorization Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0004-Privilege Escalation,T1134-Access Token Manipulation
0,Policy Change,Information,Security,4706,A new trust was created to a domain.,Authorization Policy Change,0,1,0,1,1,0,0,0,0,0,0,1,0,1,0,In Development,0,,
0,Policy Change,Information,Security,4707,A trust to a domain was removed.,Authorization Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4709,IPsec Services was started.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4710,IPsec Services was disabled.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4711,PAStore Engine Event,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4712,IPsec Services encountered a potentially serious failure.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4713,Kerberos policy was changed.,Authentication Policy Change,0,1,0,1,1,0,0,0,0,0,0,1,0,1,0,In Development,0,,
0,Policy Change,Information,Security,4714,Encrypted data recovery policy was changed.,Authorization Policy Change,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4715,The audit policy (SACL) on an object was changed.,Audit Policy Change,1,1,0,1,0,0,0,0,0,0,0,1,0,1,0,In Development,0,,
0,Policy Change,Information,Security,4716,Trusted domain information was modified.,Authentication Policy Change,0,1,0,1,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
1,Policy Change,Information,Security,4717,System security access was granted to an account.,Authentication Policy Change,1,1,0,1,0,0,0,1,0,0,0,0,0,1,1,In Development,0,TA0004-Privilege Escalation,T1134-Access Token Manipulation
1,Policy Change,Information,Security,4718,System security access was removed from an account.,Authentication Policy Change,1,1,0,1,0,0,0,1,0,0,0,1,0,0,1,In Development,0,TA0004-Privilege Escalation,T1134-Access Token Manipulation
1,Policy Change,Information,Security,4719,System audit policy was changed.,Audit Policy Change,1,1,1,1,1,0,1,0,0,0,1,1,0,1,1,In Development,0,TA0005-Defense Evasion,T1562.002-Disable Windows Event Logging
1,Account Management,Information,Security,4720,A user account was created.,User Account Management,1,1,0,1,1,0,0,1,1,1,1,0,0,1,1,In Development,0,TA0003-Persistence,T1136-Create account
1,Account Management,Information,Security,4722,A user account was enabled.,User Account Management,1,1,0,1,1,0,0,1,0,1,0,0,0,1,1,In Development,0,TA0003-Persistence,T1136-Create account
1,Account Management,Information,Security,4723,An attempt was made to change an account's password.,User Account Management,1,1,0,1,0,0,0,1,0,1,0,0,0,1,1,In Development,0,TA0003-Persistence,T1098.xxx-Account manipulation
1,Account Management,Information,Security,4724,An attempt was made to reset an account's password.,User Account Management,1,1,0,1,0,0,0,1,0,1,0,0,0,1,1,In Development,0,TA0003-Persistence,T1098.xxx-Account manipulation
1,Account Management,Information,Security,4725,A user account was disabled.,User Account Management,1,1,0,1,1,0,0,1,0,1,0,0,0,1,0,In Development,0,,
1,Account Management,Information,Security,4726,A user account was deleted.,User Account Management,1,1,0,1,1,0,0,1,0,1,0,0,0,1,1,In Development,0,TA0003-Persistence,T1136-Create account
0,Account Management,Information,Security,4727,A security-enabled global group was created.,Security Group Management,0,1,0,1,0,0,0,0,0,0,0,1,0,1,0,In Development,0,,
1,Account Management,Information,Security,4728,A member was added to a security-enabled global group.,Security Group Management,0,1,0,1,1,0,0,0,0,1,0,1,0,1,1,In Development,0,TA0003-Persistence,T1098.xxx-Account manipulation|T1136-Create account
0,Account Management,Information,Security,4729,A member was removed from a security-enabled global group.,Security Group Management,0,1,0,1,0,0,0,0,0,0,0,1,0,1,0,In Development,0,,
0,Account Management,Information,Security,4730,A security-enabled global group was deleted.,Security Group Management,0,1,0,1,0,0,0,0,0,0,0,1,0,1,0,In Development,0,,
1,Account Management,Information,Security,4731,A security-enabled local group was created.,Security Group Management,0,1,0,1,1,0,0,1,0,0,0,1,0,1,0,In Development,0,,
1,Account Management,Information,Security,4732,A member was added to a security-enabled local group.,Security Group Management,0,1,0,1,1,0,0,1,0,1,0,1,0,1,1,In Development,0,TA0003-Persistence,T1098.xxx-Account manipulation
1,Account Management,Information,Security,4733,A member was removed from a security-enabled local group.,Security Group Management,0,1,0,1,1,0,0,1,0,0,0,1,0,1,1,In Development,0,TA0003-Persistence,T1098.xxx-Account manipulation
1,Account Management,Information,Security,4734,A security-enabled local group was deleted.,Security Group Management,0,1,0,1,0,0,0,1,0,0,0,1,0,1,0,In Development,0,,
1,Account Management,Information,Security,4735,A security-enabled local group was changed.,Security Group Management,0,1,0,1,1,0,0,1,0,0,0,1,0,1,0,In Development,0,,
0,Account Management,Information,Security,4737,A security-enabled global group was changed.,Security Group Management,0,1,0,1,0,0,0,0,0,0,0,1,0,1,0,In Development,0,,
1,Account Management,Information,Security,4738,A user account was changed.,User Account Management,1,1,0,1,0,0,0,1,0,1,0,0,0,1,1,In Development,0,TA0003-Persistence,T1098.xxx-Account manipulation
1,Policy Change,Information,Security,4739,Domain Policy was changed.,Authentication Policy Change,1,1,0,1,0,0,0,0,0,0,1,0,0,1,1,In Development,0,TA0005-Defense Evasion,T1562.002-Disable Windows Event Logging
1,Account Management,Information,Security,4740,A user account was locked out.,User Account Management,1,1,0,1,1,0,0,1,0,1,1,0,0,1,0,In Development,0,,
1,Account Management,Information,Security,4741,A computer account was created.,Computer Account Management,1,1,0,1,1,0,0,1,0,0,0,0,0,1,1,In Development,0,TA0003-Persistence,T1136-Create account
1,Account Management,Information,Security,4742,A computer account was changed.,Computer Account Management,1,1,0,1,0,0,0,1,0,0,0,0,0,1,1,In Development,0,TA0003-Persistence,T1098.xxx-Account manipulation|T1136-Create account
1,Account Management,Information,Security,4743,A computer account was deleted.,Computer Account Management,1,1,0,1,0,0,0,1,0,0,0,0,0,1,1,In Development,0,TA0003-Persistence,T1136-Create account
0,Account Management,Information,Security,4744,A security-disabled local group was created.,Distribution Group Management,0,1,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Account Management,Information,Security,4745,A security-disabled local group was changed.,Distribution Group Management,0,1,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Account Management,Information,Security,4746,A member was added to a security-disabled local group.,Distribution Group Management,0,1,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Account Management,Information,Security,4747,A member was removed from a security-disabled local group.,Distribution Group Management,0,1,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Account Management,Information,Security,4748,A security-disabled local group was deleted.,Distribution Group Management,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Account Management,Information,Security,4749,A security-disabled global group was created.,Distribution Group Management,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
1,Account Management,Information,Security,4750,A security-disabled global group was changed.,Distribution Group Management,0,1,0,1,0,0,0,1,0,0,0,1,0,0,0,In Development,0,,
1,Account Management,Information,Security,4751,A member was added to a security-disabled global group.,Distribution Group Management,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
0,Account Management,Information,Security,4752,A member was removed from a security-disabled global group.,Distribution Group Management,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Account Management,Information,Security,4753,A security-disabled global group was deleted.,Distribution Group Management,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
0,Account Management,Information,Security,4754,A security-enabled universal group was created.,Security Group Management,0,1,0,1,0,0,0,0,0,0,0,1,0,1,0,In Development,0,,
0,Account Management,Information,Security,4755,A security-enabled universal group was changed.,Security Group Management,0,1,0,1,0,0,0,0,0,0,0,1,0,1,0,In Development,0,,
1,Account Management,Information,Security,4756,A member was added to a security-enabled universal group.,Security Group Management,0,1,0,1,1,0,0,0,0,1,0,1,0,1,1,In Development,1,TA0003-Persistence,T1098.xxx-Account manipulation
0,Account Management,Information,Security,4757,A member was removed from a security-enabled universal group.,Security Group Management,0,1,0,1,0,0,0,0,0,0,0,1,0,1,0,In Development,0,,
0,Account Management,Information,Security,4758,A security-enabled universal group was deleted.,Security Group Management,0,1,0,1,0,0,0,0,0,0,0,1,0,1,0,In Development,0,,
0,Account Management,Information,Security,4759,A security-disabled universal group was created.,Distribution Group Management,0,1,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Account Management,Information,Security,4760,A security-disabled universal group was changed.,Distribution Group Management,0,1,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Account Management,Information,Security,4761,A member was added to a security-disabled universal group.,Distribution Group Management,0,1,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Account Management,Information,Security,4762,A member was removed from a security-disabled universal group.,Distribution Group Management,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Account Management,Information,Security,4763,A security-disabled universal group was deleted.,Distribution Group Management,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
1,Account Management,Information,Security,4764,A group's type was changed.,Security Group Management,0,1,0,1,0,0,0,1,0,0,1,0,0,1,0,In Development,0,,
0,Account Management,Information,Security,4765,SID History was added to an account.,User Account Management,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Account Management,Information,Security,4766,An attempt to add SID History to an account failed.,User Account Management,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Account Management,Information,Security,4767,A user account was unlocked.,User Account Management,1,1,0,1,1,0,0,1,0,1,1,1,0,1,0,In Development,0,,
1,Account Logon,Information,Security,4768,A Kerberos authentication ticket (TGT) was requested.,Kerberos Authentication Service,1,1,0,1,0,0,0,1,0,0,0,1,0,1,1,In Development,0,TA0006-Credential Access,T1110.xxx-Brute force|T1558-Steal or Forge Kerberos Tickets
1,Account Logon,Information,Security,4769,A Kerberos service ticket was requested.,Kerberos Service Ticket Operations,1,1,1,1,1,0,0,1,1,0,0,1,1,1,1,High,0,TA0006-Credential Access|TA0007-Discovery,T1558-Steal or Forge Kerberos Tickets|T1087-Account discovery
1,Account Logon,Information,Security,4770,A Kerberos service ticket was renewed.,Kerberos Service Ticket Operations,1,1,0,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
1,Account Logon,Information,Security,4771,Kerberos pre-authentication failed.,Kerberos Authentication Service,1,1,1,1,0,0,0,1,0,0,0,0,0,1,1,In Development,0,TA0006-Credential Access,T1110.xxx-Brute force
0,Account Logon,Information,Security,4772,A Kerberos authentication ticket request failed.,Kerberos Authentication Service,1,1,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
1,Account Logon,Information,Security,4773,A Kerberos service ticket request failed.,Kerberos Authentication Service,1,1,0,1,1,0,0,1,0,0,0,0,0,0,0,In Development,0,,
0,Account Logon,Information,Security,4774,An account was mapped for logon.,Credential Validation,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Account Logon,Information,Security,4775,An account could not be mapped for logon.,Credential Validation,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Account Logon,Information,Security,4776,The domain controller attempted to validate the credentials for an account.,Credential Validation,1,1,0,1,1,0,0,1,0,0,0,1,0,0,0,In Development,0,,
0,Account Logon,Information,Security,4777,The domain controller failed to validate the credentials for an account.,Credential Validation,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Logon/Logoff,Information,Security,4778,A session was reconnected to a Window Station.,Other Logon/Logoff Events,1,1,0,1,1,0,0,1,0,1,0,0,0,1,1,In Development,0,TA0008-Lateral Movement,T1021.001-Remote Desktop Protocol
1,Logon/Logoff,Information,Security,4779,A session was disconnected from a Window Station.,Other Logon/Logoff Events,1,1,0,1,1,0,0,1,0,1,0,0,0,1,1,In Development,0,TA0008-Lateral Movement,T1021.001-Remote Desktop Protocol
0,Account Management,Information,Security,4780,The ACL was set on accounts which are members of administrators groups.,User Account Management,0,1,0,1,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
1,Account Management,Information,Security,4781,The name of an account was changed:,User Account Management,0,1,0,1,1,0,0,1,0,1,0,1,0,1,1,In Development,0,TA0003-Persistence,T1098.xxx-Account manipulation
0,Account Management,Information,Security,4782,The password hash an account was accessed.,Other Account Management Events,0,1,0,1,1,0,0,0,0,0,0,1,0,1,0,In Development,0,,
0,Account Management,Information,Security,4783,A basic application group was created.,Application Group Management,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Account Management,Information,Security,4784,A basic application group was changed.,Application Group Management,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Account Management,Information,Security,4785,A member was added to a basic application group.,Application Group Management,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Account Management,Information,Security,4786,A member was removed from a basic application group.,Application Group Management,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Account Management,Information,Security,4787,A non-member was added to a basic application group.,Application Group Management,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Account Management,Information,Security,4788,A non-member was removed from a basic application group.,Application Group Management,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Account Management,Information,Security,4789,A basic application group was deleted.,Application Group Management,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Account Management,Information,Security,4790,An LDAP query group was created.,Application Group Management,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Account Management,Information,Security,4791,A basic application group was changed.,Application Group Management,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Account Management,Information,Security,4792,An LDAP query group was deleted.,Application Group Management,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Account Management,Information,Security,4793,The Password Policy Checking API was called.,Other Account Management Events,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Account Management,Information,Security,4794,An attempt was made to set the Directory Services Restore Mode.,User Account Management,0,1,0,1,0,0,0,0,0,0,0,0,0,1,1,In Development,0,TA0006-Credential Access,T1003-Credential dumping
0,Account Management,Information,Security,4797,An attempt was made to query the existence of a blank password for an account.,User Account Management,0,1,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
1,Account Management,Information,Security,4798,A user's local group membership was enumerated.,User Account Management,0,1,0,1,0,0,0,1,0,0,0,1,0,1,0,In Development,0,,
1,Account Management,Information,Security,4799,A security-enabled local group membership was enumerated.,Security Group Management,0,1,0,1,0,0,0,1,0,0,0,1,0,1,1,In Development,0,TA0007-Discovery,T1069-Permission Groups Discovery
1,Logon/Logoff,Information,Security,4800,The workstation was locked.,Other Logon/Logoff Events,0,1,0,1,0,0,1,1,0,1,0,1,0,0,0,In Development,0,,
1,Logon/Logoff,Information,Security,4801,The workstation was unlocked.,Other Logon/Logoff Events,0,1,0,1,0,0,1,1,0,1,0,1,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4802,The screen saver was invoked.,Other Logon/Logoff Events,0,1,0,1,0,0,1,0,0,1,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4803,The screen saver was dismissed.,Other Logon/Logoff Events,0,1,0,1,0,0,0,0,0,1,0,0,0,0,0,In Development,0,,
0,System,Information,Security,4816,RPC detected an integrity violation while decrypting an incoming message.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4817,Auditing settings on an object were changed.,Audit Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Object Access,Information,Security,4818,Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy,Central Access Policy Staging,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4819,Central Access Policies on the machine have been changed.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Account Logon,Information,Security,4820,A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.,Kerberos Authentication Service,0,1,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Account Logon,Information,Security,4821,"A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.",Kerberos Service Ticket Operations,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Account Logon,Information,Security,4822,NTLM authentication failed because the account was a member of the Protected User group.,Credential Validation,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Account Logon,Information,Security,4823,NTLM authentication failed because access control restrictions are required.,Credential Validation,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Account Logon,Information,Security,4824,Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.,Kerberos Authentication Service,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Logon/Logoff,Information,Security,4825,A user was denied the access to Remote Desktop.,Other Logon/Logoff Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0008-Lateral Movement,T1021.001-Remote Desktop Protocol
0,Policy Change,Information,Security,4826,Boot Configuration Data loaded.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Account Management,Information,Security,4830,SID History was removed from an account.,User Account Management,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4864,A namespace collision was detected.,Authentication Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4865,A trusted forest information entry was added.,Authentication Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Policy Change,Information,Security,4866,A trusted forest information entry was removed.,Authentication Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Policy Change,Information,Security,4867,A trusted forest information entry was modified.,Authentication Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Object Access,Information,Security,4868,The certificate manager denied a pending certificate request.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4869,Certificate Services received a resubmitted certificate request.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4870,Certificate Services revoked a certificate.,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4871,Certificate Services received a request to publish the certificate revocation list (CRL).,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4872,Certificate Services published the certificate revocation list (CRL).,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4873,A certificate request extension changed.,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4874,One or more certificate request attributes changed.,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4875,Certificate Services received a request to shut down.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4876,Certificate Services backup started.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4877,Certificate Services backup completed.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4878,Certificate Services restore started.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4879,Certificate Services restore completed.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4880,Certificate Services started.,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4881,Certificate Services stopped.,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4882,The security permissions for Certificate Services changed.,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4883,Certificate Services retrieved an archived key.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4884,Certificate Services imported a certificate into its database.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4885,The audit filter for Certificate Services changed.,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4886,Certificate Services received a certificate request.,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4887,Certificate Services approved a certificate request and issued a certificate.,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4888,Certificate Services denied a certificate request.,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4889,Certificate Services set the status of a certificate request to pending.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4890,The certificate manager settings for Certificate Services changed.,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4891,A configuration entry changed in Certificate Services.,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4892,A property of Certificate Services changed.,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4893,Certificate Services archived a key.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4894,Certificate Services imported and archived a key.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4895,Certificate Services published the CA certificate to Active Directory Domain Services.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4896,One or more rows have been deleted from the certificate database.,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4897,Role separation enabled,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4898,Certificate Services loaded a template.,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4899,A Certificate Services template was updated.,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4900,Certificate Services template security was updated.,Certification Services,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4902,The Per-user audit policy table was created.,Audit Policy Change,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4904,An attempt was made to register a security event source.,Audit Policy Change,0,1,0,1,0,0,0,0,0,0,1,0,0,1,0,In Development,0,,
0,Policy Change,Information,Security,4905,An attempt was made to unregister a security event source.,Audit Policy Change,0,1,0,1,0,0,0,0,0,0,1,0,0,1,0,In Development,0,,
0,Policy Change,Information,Security,4906,The CrashOnAuditFail value has changed.,Audit Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Policy Change,Information,Security,4907,Auditing settings on object were changed.,Audit Policy Change,0,1,0,1,0,0,0,0,0,0,0,1,0,1,0,In Development,0,,
1,Policy Change,Information,Security,4908,Special Groups Logon table modified.,Audit Policy Change,0,1,0,1,0,0,0,0,0,0,1,0,0,1,1,In Development,0,TA0005-Defense Evasion,T1562.002-Disable Windows Event Logging
0,Policy Change,Information,Security,4909,The local policy settings for the TBS were changed.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4910,The group policy settings for the TBS were changed.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4911,Resource attributes of the object were changed.,Authorization Policy Change,0,1,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4912,Per User Audit Policy was changed.,Audit Policy Change,1,1,0,1,0,0,1,0,0,0,1,0,0,1,0,In Development,0,,
0,Policy Change,Information,Security,4913,Central Access Policy on the object was changed.,Authorization Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,DS Access,Information,Security,4928,An Active Directory replica source naming context was established.,Detailed Directory Service Replication,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,DS Access,Information,Security,4929,An Active Directory replica source naming context was removed.,Detailed Directory Service Replication,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,DS Access,Information,Security,4930,An Active Directory replica source naming context was modified.,Detailed Directory Service Replication,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,DS Access,Information,Security,4931,An Active Directory replica destination naming context was modified.,Detailed Directory Service Replication,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,DS Access,Information,Security,4932,Synchronization of a replica of an Active Directory naming context has begun.,Directory Service Replication,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,DS Access,Information,Security,4933,Synchronization of a replica of an Active Directory naming context has ended.,Directory Service Replication,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,DS Access,Information,Security,4934,Attributes of an Active Directory object were replicated.,Detailed Directory Service Replication,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,DS Access,Information,Security,4935,Replication failure begins.,Detailed Directory Service Replication,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,DS Access,Information,Security,4936,Replication failure ends.,Detailed Directory Service Replication,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,DS Access,Information,Security,4937,A lingering object was removed from a replica.,Detailed Directory Service Replication,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4944,The following policy was active when the Windows Firewall started.,MPSSVC Rule-Level Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4945,A rule was listed when the Windows Firewall started.,MPSSVC Rule-Level Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4946,A change has been made to Windows Firewall exception list. A rule was added.,MPSSVC Rule-Level Policy Change,1,1,0,1,0,0,0,0,1,0,0,1,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4947,A change has been made to Windows Firewall exception list. A rule was modified.,MPSSVC Rule-Level Policy Change,1,1,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4948,A change has been made to Windows Firewall exception list. A rule was deleted.,MPSSVC Rule-Level Policy Change,1,1,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4949,Windows Firewall settings were restored to the default values.,MPSSVC Rule-Level Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Policy Change,Information,Security,4950,A Windows Firewall setting has changed.,MPSSVC Rule-Level Policy Change,0,1,0,1,0,0,0,0,0,0,0,1,0,0,1,In Development,0,TA0005-Defense Evasion,T1562.004-Impair Defenses-Disable or Modify System Firewall
0,Policy Change,Information,Security,4951,A rule has been ignored because its major version number was not recognized by Windows Firewall.,MPSSVC Rule-Level Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4952,Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.,MPSSVC Rule-Level Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4953,A rule has been ignored by Windows Firewall because it could not parse the rule.,MPSSVC Rule-Level Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4954,Windows Firewall Group Policy settings have changed. The new settings have been applied.,MPSSVC Rule-Level Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4956,Windows Firewall has changed the active profile.,MPSSVC Rule-Level Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4957,Windows Firewall did not apply the following rule:,MPSSVC Rule-Level Policy Change,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,4958,Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:,MPSSVC Rule-Level Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,4960,"IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.",IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,4961,"IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.",IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,4962,IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.,IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,4963,IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.,IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Logon/Logoff,Information,Security,4964,Special groups have been assigned to a new logon.,Special Logon,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1078.002-Valid accounts-Domain accounts
0,System,Information,Security,4965,"IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.",IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4976,"During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4977,"During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",IPsec Quick Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4978,"During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",IPsec Extended Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4979,IPsec Main Mode and Extended Mode security associations were established.,IPsec Extended Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4980,IPsec Main Mode and Extended Mode security associations were established.,IPsec Extended Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4981,IPsec Main Mode and Extended Mode security associations were established.,IPsec Extended Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4982,IPsec Main Mode and Extended Mode security associations were established.,IPsec Extended Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4983,An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.,IPsec Extended Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4984,An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.,IPsec Extended Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4985,The state of a transaction has changed.,File System,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,5008,Unexpected Error,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,5024,The Windows Firewall Service has started successfully.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,System,Information,System,5025,The Windows Firewall Service has been stopped.,Other System Events,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,5027,The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,5028,The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,5029,The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,5030,The Windows Firewall Service failed to start.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,System,Information,System,5031,The Windows Firewall Service blocked an application from accepting incoming connections on the network.,Filtering Platform Connection,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,5032,Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,5033,The Windows Firewall Driver has started successfully.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,System,Information,System,5034,The Windows Firewall Driver has been stopped.,Other System Events,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,5035,The Windows Firewall Driver failed to start.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,5037,The Windows Firewall Driver detected critical runtime error. Terminating.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Security,Information,Security,5038,Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.,System Integrity,0,1,0,1,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Object Access,Information,Security,5039,A registry key was virtualized.,Registry,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5040,A change has been made to IPsec settings. An Authentication Set was added.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5041,A change has been made to IPsec settings. An Authentication Set was modified.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5042,A change has been made to IPsec settings. An Authentication Set was deleted.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5043,A change has been made to IPsec settings. A Connection Security Rule was added.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5044,A change has been made to IPsec settings. A Connection Security Rule was modified.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5045,A change has been made to IPsec settings. A Connection Security Rule was deleted.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5046,A change has been made to IPsec settings. A Crypto Set was added.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5047,A change has been made to IPsec settings. A Crypto Set was modified.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5048,A change has been made to IPsec settings. A Crypto Set was deleted.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,5049,An IPsec Security Association was deleted.,IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5050,An attempt to programmatically disable the Windows Firewall was rejected because this API is not supported on Windows Vista.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5051,A file was virtualized.,File System,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5056,A cryptographic self test was performed.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5057,A cryptographic primitive operation failed.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5058,Key file operation.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5059,Key migration operation.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5060,Verification operation failed.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5061,Cryptographic operation.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5062,A kernel-mode cryptographic self test was performed.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5063,A cryptographic provider operation was attempted.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5064,A cryptographic context operation was attempted.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5065,A cryptographic context modification was attempted.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5066,A cryptographic function operation was attempted.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5067,A cryptographic function modification was attempted.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5068,A cryptographic function provider operation was attempted.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5069,A cryptographic function property operation was attempted.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5070,A cryptographic function property modification was attempted.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5071,Key access denied by Microsoft key distribution service.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5120,OCSP Responder Service Started.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5121,OCSP Responder Service Stopped.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5122,A Configuration entry changed in the OCSP Responder Service.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5123,A configuration entry changed in the OCSP Responder Service.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5124,A security setting was updated on OCSP Responder Service.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1222.001-File and Directory Permissions Modification
0,Object Access,Information,Security,5125,A request was submitted to OCSP Responder Service.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5126,Signing Certificate was automatically updated by the OCSP Responder Service.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5127,The OCSP Revocation Provider successfully updated the revocation information.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,DS Access,Information,Security,5136,A directory service object was modified.,Directory Service Changes,0,1,0,1,1,0,0,1,0,0,0,0,0,0,1,In Development,0,TA0003-Persistence|TA0004-Privilege Escalation|TA0005-Defense Evasion,T1098.xxx-Account manipulation|T1546-Event Triggered Execution|T1484.001-Domain Policy Modification-Group Policy Modification|T1222.001-File and Directory Permissions Modification
1,DS Access,Information,Security,5137,A directory service object was created.,Directory Service Changes,0,1,0,1,1,0,0,1,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1207-Rogue domain controller
1,DS Access,Information,Security,5138,A directory service object was undeleted.,Directory Service Changes,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,In Development,0,,
1,DS Access,Information,Security,5139,A directory service object was moved.,Directory Service Changes,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5140,A network share object was accessed.,File Share,0,1,1,1,1,0,1,1,1,0,1,0,0,1,1,In Development,0,TA0007-Discovery|TA0008-Lateral Movement,T1135.xxx-Network Share Discovery|T1021.002-SMB Windows Admin Shares
1,DS Access,Information,Security,5141,A directory service object was deleted.,Directory Service Changes,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5142,A network share object was added.,File Share,0,1,0,1,1,0,0,1,1,0,1,0,0,1,1,In Development,0,TA0008-Lateral Movement,T1021.002-SMB Windows Admin Shares
1,Object Access,Information,Security,5143,A network share object was modified.,File Share,0,1,0,1,0,0,0,1,0,0,1,0,0,0,1,In Development,0,TA0005-Defense Evasion|TA0008-Lateral Movement,T1222.001-File and Directory Permissions Modification|T1021.002-SMB Windows Admin Shares
1,Object Access,Information,Security,5144,A network share object was deleted.,File Share,0,1,0,1,1,0,0,1,1,0,1,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5145,A network share object was checked to see whether the client can be granted desired access.,Detailed File Share,0,1,1,1,1,0,0,1,1,0,0,1,0,0,1,In Development,0,TA0002-Execution|TA0003-Persistence|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement,T1047-Windows Management Instrumentation|T1053.005-Scheduled Task|T1204-User execution|T1098.xxx-Account manipulation|T1003-Credential dumping|T1555-Credentials from Password Stores|T1557-Man in the middle|T1018-Remote System Discovery|T1135.xxx-Network Share Discovery|T1021.002-SMB Windows Admin Shares
0,Object Access,Information,Security,5146,The Windows Filtering Platform has blocked a packet.,Filtering Platform Packet Drop,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,High,0,,
0,Object Access,Information,Security,5147,A more restrictive Windows Filtering Platform filter has blocked a packet.,Filtering Platform Packet Drop,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5148,The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.,Other Object Access Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5149,The DoS attack has subsided and normal processing is being resumed.,Other Object Access Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5150,The Windows Filtering Platform has blocked a packet.,Filtering Platform Connection,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5151,A more restrictive Windows Filtering Platform filter has blocked a packet.,Filtering Platform Connection,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5152,The Windows Filtering Platform blocked a packet.,Filtering Platform Packet Drop,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5153,A more restrictive Windows Filtering Platform filter has blocked a packet.,Filtering Platform Packet Drop,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5154,The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.,Filtering Platform Connection,0,1,1,1,0,0,0,1,1,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5155,The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.,Filtering Platform Connection,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5156,The Windows Filtering Platform has allowed a connection.,Filtering Platform Connection,0,1,1,1,0,0,1,1,1,0,0,0,0,0,0,High,0,,
1,Object Access,Information,Security,5157,The Windows Filtering Platform has blocked a connection.,Filtering Platform Connection,0,1,1,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5158,The Windows Filtering Platform has permitted a bind to a local port.,Filtering Platform Connection,0,1,0,1,0,0,1,1,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5159,The Windows Filtering Platform has blocked a bind to a local port.,Filtering Platform Connection,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5168,Spn check for SMB/SMB2 failed.,File Share,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,DS Access,Information,Security,5169,A directory service object was modified.,Directory Service Access,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,DS Access,Information,Security,5170,A directory service object was modified during a background cleanup task,Directory Service Access,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Account Management,Information,Security,5376,Credential Manager credentials were backed up.,User Account Management,0,1,0,1,1,0,0,0,0,0,0,0,0,1,1,In Development,0,TA0005-Defense Evasion,T1555.004-Windows Credential Manager
0,Account Management,Information,Security,5377,Credential Manager credentials were restored from a backup.,User Account Management,0,1,0,1,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Logon/Logoff,Information,Security,5378,The requested credentials delegation was disallowed by policy.,Other Logon/Logoff Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Account Management,Information,Security,5379,Credential Manager credentials were read.,User Account Management,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1555.004-Windows Credential Manager
0,Vault,Information,Security,5380,Vault Find Credential,Vault,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Vault,Information,Security,5381,Vault credentials were read,Vault,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1555.004-Windows Credential Manager
1,Vault,Information,Security,5382,Vault credentials were read,Vault,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1555.004-Windows Credential Manager
0,Policy Change,Information,Security,5440,The following callout was present when the Windows Filtering Platform Base Filtering Engine started.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5441,The following filter was present when the Windows Filtering Platform Base Filtering Engine started.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5442,The following provider was present when the Windows Filtering Platform Base Filtering Engine started.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5443,The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5444,The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5446,A Windows Filtering Platform callout has been changed.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Policy Change,Information,Security,5447,A Windows Filtering Platform filter has been changed.,Other Policy Change Events,0,1,0,1,0,0,0,0,1,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1562.004-Impair Defenses-Disable or Modify System Firewall
0,Policy Change,Information,Security,5448,A Windows Filtering Platform provider has been changed.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5449,A Windows Filtering Platform provider context has been changed.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5450,A Windows Filtering Platform sub-layer has been changed.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,5451,An IPsec Quick Mode security association was established.,IPsec Quick Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,5452,An IPsec Quick Mode security association ended.,IPsec Quick Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,5453,An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.,IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5456,PAStore Engine applied Active Directory storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5457,PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5458,PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5459,PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5460,PAStore Engine applied local registry storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5461,PAStore Engine failed to apply local registry storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5462,PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5463,PAStore Engine polled for changes to the active IPsec policy and detected no changes.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5464,"PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.",Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5465,PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5466,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.",Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5467,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.",Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5468,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.",Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5471,PAStore Engine loaded local storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5472,PAStore Engine failed to load local storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5473,PAStore Engine loaded directory storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5474,PAStore Engine failed to load directory storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5477,PAStore Engine failed to add quick mode filter.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5478,IPsec Services has started successfully.,IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5479,IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.,IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5480,IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.,IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5483,IPsec Services failed to initialize RPC server. IPsec Services could not be started.,IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5484,IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.,IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5485,IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.,IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Wireless 802.1X Auth,Information,Security,5632,A request was made to authenticate to a wireless network.,Other Logon/Logoff Events,0,1,0,1,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Logon/Logoff,Information,Security,5633,A request was made to authenticate to a wired network.,Other Logon/Logoff Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Detailed Tracking,Information,Security,5712,A Remote Procedure Call (RPC) was attempted.,RPC Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,WMI Operational,Information,Microsoft-Windows-WMI-Activity/Operational,5857,Windows WMI Activity,WMI,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,In Development,0,,
0,WMI Operational,Information,Microsoft-Windows-WMI-Activity/Operational,5859,Windows WMI Activity,WMI,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,In Development,0,,
0,WMI Operational,Information,Microsoft-Windows-WMI-Activity/Operational,5860,Windows WMI Activity,WMI,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,In Development,0,,
1,WMI Operational,Information,Microsoft-Windows-WMI-Activity/Operational,5861,Windows WMI Activity,WMI,0,0,1,0,0,1,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Object Access,Information,Security,5888,An object in the COM+ Catalog was modified.,Other Object Access Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5889,An object was deleted from the COM+ Catalog.,Other Object Access Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5890,An object was added to the COM+ Catalog.,Other Object Access Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,6144,Security policy in the group policy objects has been applied successfully.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Error,Security,6145,One or more errors occurred while processing security policy in the group policy objects.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6272,Network Policy Server granted access to a user.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6273,Network Policy Server denied access to a user.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6274,Network Policy Server discarded the request for a user.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6275,Network Policy Server discarded the accounting request for a user.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6276,Network Policy Server quarantined a user.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6277,Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6278,Network Policy Server granted full access to a user because the host met the defined health policy.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6279,Network Policy Server locked the user account due to repeated failed authentication attempts.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6280,Network Policy Server unlocked the user account.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Security,Information,Security,6281,Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error,System Integrity,0,1,1,1,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,System,Information,System,6400,BranchCache: Received an incorrectly formatted response while discovering availability of content.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6401,BranchCache: Received invalid data from a peer. Data discarded.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6402,BranchCache: The message to the hosted cache offering it data is incorrectly formatted.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6403,BranchCache: The hosted cache sent an incorrectly formatted response to the client.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6404,BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6405,BranchCache: %2 instance(s) of event id %1 occurred.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6406,%1 registered to Windows Firewall to control filtering for the following: %2,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6407,(blank),Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,6408,Registered product %1 failed and Windows Firewall is now controlling the filtering for %2,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6409,BranchCache: A service connection point object could not be parsed.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6410,Code integrity determined that a file does not meet the security requirements to load into a process.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
1,System,Information,System,6416,A new external device was recognized by the System,Plug and Play Events,0,1,1,1,0,0,0,0,0,0,0,1,0,1,1,In Development,0,TA0004-Privilege Escalation,T1574-DLL side-loading
0,System,Information,System,6417,The FIPS mode crypto selftests succeeded.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,6418,The FIPS mode crypto selftests failed.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6419,A request was made to disable a device,Plug and Play Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6420,A device was disabled.,Plug and Play Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6421,A request was made to enable a device.,Plug and Play Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6422,A device was enabled.,Plug and Play Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6423,The installation of this device is forbidden by system policy,Plug and Play Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6424,"The installation of this device was allowed, after having previously been forbidden by policy.",Plug and Play Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,System,Error,System,7000,The service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.,Service,0,0,1,0,1,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0002-Execution,T1569.002-Service execution
1,System,Error,System,7009,Service Control Manager - A timeout was reached,Service,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0002-Execution,T1569.002-Service execution
0,System,Error,System,7022,The service hung on starting,Service,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,7023,Windows Service Fails or Crashes,System or Service Failures,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,7024,The service terminated with service-specific error,Service,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,7026,Windows Service Fails or Crashes,System or Service Failures,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,7030,Service Creation Error,Service,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,In Development,0,,
0,System,Error,System,7031,Service Crashed,Service,0,0,0,0,1,0,1,0,0,0,0,0,0,1,0,In Development,0,,
0,System,Error,System,7032,Windows Service Fails or Crashes,System or Service Failures,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,7034,Service Crashed,Service,0,0,1,0,1,0,1,0,0,0,0,0,0,1,0,In Development,0,,
0,System,Information,System,7035,Service sent a request to stop or start,Service,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,System,Information,System,7036,Service was started or stopped,Service,0,0,1,0,0,0,0,0,1,0,0,0,0,0,1,In Development,0,TA0003-Persistence,T1543.003-Create or Modify System Process-Windows Service
1,System,Information,System,7040,Service configured to interact with desktop,Service,0,0,1,0,0,0,1,0,0,0,0,0,0,1,0,In Development,0,,
1,System,Information,System,7045,New Windows Service,Service,0,0,1,0,1,0,1,0,1,1,1,0,0,0,1,Low,0,TA0002-Execution|TA0003-Persistence,T1569.002-Service execution|T1543.003-Create or Modify System Process-Windows Service
0,Microsoft-Windows-WLAN-AutoConfig/Operational,Information,Microsoft-Windows-WLAN-AutoConfig/Operational,8000,Starting a Wireless Connection,Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-WLAN-AutoConfig/Operational,Information,Microsoft-Windows-WLAN-AutoConfig/Operational,8001,Successfully connected to a wireless connection,Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Applocker,Information,Microsoft-Windows-AppLocker/EXE and DLL,8002,AppLocker Block,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Applocker,Error,Microsoft-Windows-AppLocker/EXE and DLL,8003,AppLocker Block,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,1,0,0,1,0,In Development,1,,
0,Applocker,Warning,Microsoft-Windows-AppLocker/EXE and DLL,8004,AppLocker Block,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,1,0,0,1,0,In Development,0,,
0,Applocker,Information,Microsoft-Windows-AppLocker/MSI and Script,8005,Script or Installer ran,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Applocker,Error,Microsoft-Windows-AppLocker/MSI and Script,8006,AppLocker Warning,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,1,0,0,1,0,In Development,0,,
0,Applocker,Warning,Microsoft-Windows-AppLocker/MSI and Script,8007,AppLocker Warning,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,1,0,0,1,0,In Development,0,,
0,Microsoft-Windows-WLAN-AutoConfig/Operational,Information,Microsoft-Windows-WLAN-AutoConfig/Operational,8011,Starting a Wireless Connection,Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Applocker,Information,Microsoft-Windows-AppLocker/Packaged app-Deployment,8020,Application Ran,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Applocker,Information,Microsoft-Windows-AppLocker/Packaged app-Execution,8021,Application Ran,Application Whitelisting,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,In Development,0,,
0,Applocker,Information,Microsoft-Windows-AppLocker/Packaged app-Execution,8022,Application Ran,Application Whitelisting,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,In Development,0,,
0,Applocker,Information,Microsoft-Windows-AppLocker/Packaged app-Execution,8023,Application Installed,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Applocker,Information,Microsoft-Windows-AppLocker/Packaged app-Deployment,8024,Application Installed,Application Whitelisting,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,In Development,0,,
0,Applocker,Information,Microsoft-Windows-AppLocker/Packaged app-Deployment,8025,Application Installed,Application Whitelisting,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,In Development,0,,
0,Audit,Information,System,8191,Highest System-Defined Audit Message Value,Windows Audit,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Security,Information,VSSAudit,8222,Shadow copy has been created,VSSAudit,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-NetworkProfile/Operational,Information,Microsoft-Windows-NetworkProfile/Operational,10000,Network Connection and Disconnection Status,Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-NetworkProfile/Operational,Information,Microsoft-Windows-NetworkProfile/Operational,10001,Network Connection and Disconnection Status,Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-WLAN-AutoConfig/Operational,Information,Microsoft-Windows-WLAN-AutoConfig/Operational,11000,Wireless association status,Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-WLAN-AutoConfig/Operational,Information,Microsoft-Windows-WLAN-AutoConfig/Operational,11001,Wireless association status,Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-WLAN-AutoConfig/Operational,Information,Microsoft-Windows-WLAN-AutoConfig/Operational,11004,"Wireless Security Started Stopped, Successful or Failed",Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-WLAN-AutoConfig/Operational,Information,Microsoft-Windows-WLAN-AutoConfig/Operational,11005,"Wireless Security Started Stopped, Successful or Failed",Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-WLAN-AutoConfig/Operational,Error,Microsoft-Windows-WLAN-AutoConfig/Operational,11006,"Wireless Security Started Stopped, Successful or Failed",Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-WLAN-AutoConfig/Operational,Error,Microsoft-Windows-WLAN-AutoConfig/Operational,11010,"Wireless Security Started Stopped, Successful or Failed",Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-WLAN-AutoConfig/Operational,Information,Microsoft-Windows-WLAN-AutoConfig/Operational,12011,Wireless Authentication Started and Failed,Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-WLAN-AutoConfig/Operational,Information,Microsoft-Windows-WLAN-AutoConfig/Operational,12012,Wireless Authentication Started and Failed,Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-WLAN-AutoConfig/Operational,Error,Microsoft-Windows-WLAN-AutoConfig/Operational,12013,Wireless Authentication Started and Failed,Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-WLAN-AutoConfig/Operational,Error,Microsoft-Windows-WLAN-AutoConfig/Operational,11002,Wireless association status,Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-User-PnP,Information,Microsoft-Windows-User-PnP,20001,Driver Management concluded the process to install driver,,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-MPRMSG,Success,Remote Access,20250,RADIUS User assigned IP,Network Policy,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-MPRMSG,Success,Remote Access,20274,RADIUS User Authenticated,Network Policy,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-MPRMSG,Success,Remote Access,20275,RADIUS User Disconnected,Network Policy,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,5007,Event when settings are changed,Windows Defender Activities,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,High,1,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1124,Audit Controlled folder access event,Windows Defender Activities,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,High,1,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1123,Blocked Controlled folder access event,Windows Defender Activities,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1127,Blocked Controlled folder access sector write block event,Windows Defender Activities,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,1,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1128,Audited Controlled folder access sector write block event,Windows Defender Activities,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,1,,
1 ATT&CK Category Level Event Log EventCode EventDescription Subcategory ec_guidance_cim_tagged ec_guidance_fortuna ec_guidance_gough ec_guidance_ms ec_guidance_nsa ec_guidance_other ec_guidance_lombardi ec_guidance_huntersforge_ossem ec_guidance_jpcert ec_guidance_sans_forensics ec_guidance_asd ec_guidance_uba ec_guidance_gsaml ec_guidance_jscu ec_guidance_mdecrevoisier observed_volume duplicate_possible ATT&CK_Tactic ATT&CK_Technique
2 1 System or Sysmon Information System or Sysmon 1 System Time Changed or Sysmon Process Start System Integrity 0 0 0 0 1 0 0 0 1 0 0 0 0 1 1 In Development 1 TA0002-Execution|TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access T1047-Windows Management Instrumentation|T1546-Image File Execution Options Injection|T1574-DLL side-loading|T1027-Obfuscated Files or Information|T1003-Credential dumping
3 1 System or Sysmon Information System or Sysmon 2 Update Packages Installed Software and Service Installation 0 0 0 0 1 0 0 0 1 0 0 0 0 1 0 In Development 1
4 1 Sysmon Information Sysmon 3 Network connection Sysmon 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 In Development 1 TA0002-Execution T1047-Windows Management Instrumentation
5 0 Sysmon Information Sysmon 4 Sysmon service state changed Sysmon 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 In Development 1
6 1 Sysmon Information Sysmon 5 Process Terminated Sysmon 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 In Development 1
7 1 System or Sysmon Information System or Sysmon 6 New Kernel Filter Driver or Driver Loaded Software and Service Installation 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 In Development 1
8 1 Sysmon Information Sysmon 7 Image Loaded Sysmon 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 In Development 1 TA0002-Execution T1047-Windows Management Instrumentation
9 1 Sysmon Information Sysmon 8 Create Remote Thread Sysmon 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 In Development 1
10 1 Sysmon Information Sysmon 9 Raw access read Sysmon 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 In Development 1
11 1 Sysmon Information Sysmon 10 Process Access Sysmon 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 In Development 1 TA0002-Execution|TA0006-Credential Access T1047-Windows Management Instrumentation|T1003-Credential dumping
12 1 Microsoft-Windows-CAPI2/Operational Information or Sysmon Microsoft-Windows-CAPI2/Operational or Sysmon 11 Cert Trust Chain Build Failed or File Create Microsoft Cryptography API 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 In Development 1 TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access T1546-Image File Execution Options Injection|T1112-Modify registry|T1003-Credential dumping
13 1 System or Sysmon Information System or Sysmon 12 Windows Startup or Registry Object Create or Delete Boot Events 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 In Development 1 TA0003-Persistence|TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access T1547-Boot or Logon Autostart Execution|T1546-Image File Execution Options Injection|T1553- Subvert Trust Controls|T1003-Credential dumping
14 1 System or Sysmon Information System or Sysmon 13 Windows Shutdown or Registry Value Set Boot Events 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 In Development 1 TA0003-Persistence|TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access|TA0009-Collection T1543.003-Create or Modify System Process-Windows Service|T1546-Event Triggered Execution|T1546-Image File Execution Options Injection|T1112-Modify registry|T1553- Subvert Trust Controls|T1003-Credential dumping|T1125-Video capture
15 1 Sysmon Information Sysmon 14 Registry Key and Value Rename Sysmon 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 In Development 1
16 0 Sysmon Information Sysmon 15 File Create Stream Hash Sysmon 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 In Development 1
17 1 Sysmon Information Sysmon 17 Pipe Event Created Sysmon 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 In Development 1
18 1 System or Sysmon Information System or Sysmon 18 Windows Update Ready or Pipe Event Connected Update 1 0 1 0 0 0 0 0 0 0 0 0 0 1 0 In Development 1
19 1 System or Sysmon Information System or Sysmon 19 Windows Update Installed or WmiEventFilter activity Detected Update 1 0 1 0 1 0 0 0 0 0 0 0 0 1 1 In Development 1 TA0003-Persistence T1546-Event Triggered Execution
20 1 Microsoft-Windows-WindowsUpdateClient/Operational or Sysmon Error Microsoft-Windows-WindowsUpdateClient/Operational or Sysmon 20 Windows Update Failed or WmiEventConsumer activity detected Windows Update Errors 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 In Development 1 TA0003-Persistence T1546-Event Triggered Execution
21 1 Sysmon Information Sysmon 21 WmiEventConsumerToFilter activity Detected Sysmon 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 In Development 0 TA0003-Persistence T1546-Event Triggered Execution
22 0 Sysmon Information Sysmon 22 DNS Event Sysmon 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 In Development 0
23 0 Sysmon Information Sysmon 23 File Delete Sysmon 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 In Development 0
24 0 Sysmon Information Sysmon 24 Clipboard Event Sysmon 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 In Development 1
25 0 Microsoft-Windows-WindowsUpdateClient/Operational Error Microsoft-Windows-WindowsUpdateClient/Operational 24 Windows Update Failed Windows Update Errors 0 0 0 0 1 0 0 0 1 0 0 0 0 1 0 In Development 1
26 0 Microsoft-Windows-WindowsUpdateClient/Operational Error Application 25 Windows Update Failed Windows Update Errors 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 In Development 1
27 0 Microsoft-Windows-WindowsUpdateClient/Operational Error Microsoft-Windows-WindowsUpdateClient/Operational 31 Windows Update Failed Windows Update Errors 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
28 0 Microsoft-Windows-WindowsUpdateClient/Operational Error Microsoft-Windows-WindowsUpdateClient/Operational 34 Windows Update Failed Windows Update Errors 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
29 0 Microsoft-Windows-EventCollector Information Microsoft-Windows-EventCollector 42 EMET EMET 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 In Development 0
30 0 Microsoft-Windows-USB-USBHUB3-Analytic Information Microsoft-Windows-USB-USBHUB3-Analytic 43 New Device Information External Media Detection 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
31 1 Microsoft-Windows-Bits-Client Information Microsoft-Windows-Bits-Client 60 Bits Client Bits Client 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 In Development 0 TA0003-Persistence T1197-BITS jobs
32 1 Microsoft-Windows-CAPI2/Operational Information Microsoft-Windows-CAPI2/Operational 70 Private Key Accessed Microsoft Cryptography API 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 In Development 0 TA0006-Credential Access T1552.004-Unsecured Credentials-Private Keys
33 0 Microsoft-Windows-Windows-Remote-Management-Operational Information Microsoft-Windows-Windows-Remote-Management-Operational 80 Processing of a request 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 In Development 0
34 0 Microsoft-Windows-Windows-Remote-Management-Operational Information Microsoft-Windows-Windows-Remote-Management-Operational 81 Sending the request for operation Get to destination host and port 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 In Development 0
35 0 Microsoft-Windows-CAPI2/Operational Information Microsoft-Windows-CAPI2/Operational 90 X.509 Object Microsoft Cryptography API 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
36 1 Security Information System 104 The Application or System log was cleared Clearing Event Logs 0 0 1 0 1 0 0 0 1 0 1 0 0 1 1 Low 1 TA0005-Defense Evasion T1070.001-Clear Windows event logs
37 0 Microsoft-Windows-TaskScheduler/Operational Information Microsoft-Windows-TaskScheduler/Operational 106 New Task Registered Task Scheduler Activities 0 0 0 0 1 0 0 0 1 0 0 0 0 0 0 In Development 0
38 0 Microsoft-Windows-TaskScheduler/Operational Information Microsoft-Windows-TaskScheduler/Operational 129 Created Task Scheduler 0 0 1 0 0 0 0 0 1 0 0 0 0 0 0 In Development 0
39 0 Microsoft-Windows-Windows-Remote-Management-Operational Information Microsoft-Windows-Windows-Remote-Management-Operational 132 WSMan operation Identify completed successfully 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 In Development 0
40 0 Microsoft-Windows-TaskScheduler/Operational Information Microsoft-Windows-TaskScheduler/Operational 141 Deleted Task Scheduler 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
41 0 Microsoft-Windows-TaskScheduler/Operational Information Microsoft-Windows-TaskScheduler/Operational 142 Task Disabled Task Scheduler Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
42 0 Microsoft-Windows-Windows-Remote-Management-Operational Information Microsoft-Windows-Windows-Remote-Management-Operational 143 Received the response from Network layer) 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 In Development 0
43 0 Microsoft-Windows-Windows-Remote-Management-Operational Information Microsoft-Windows-Windows-Remote-Management-Operational 166 The chosen authentication mechanism is Negotiate 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 In Development 0
44 0 Powershell Information Powershell 169 Remote Connection PowerShell Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
45 0 Microsoft-Windows-TaskScheduler/Operational Information Microsoft-Windows-TaskScheduler/Operational 200 Task Launched Task Scheduler Activities 0 0 0 0 1 0 0 0 1 0 0 0 0 1 0 In Development 0
46 0 Microsoft-Windows-TaskScheduler/Operational Information Microsoft-Windows-TaskScheduler/Operational 201 The operation has been completed Task Scheduler Activities 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 In Development 0
47 0 System Warning System 219 Failed Kernel Driver Loading System Integrity 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
48 0 Sysmon Information Sysmon 255 Sysmon Error Sysmon 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 In Development 0
49 0 Microsoft-Windows-DNSServer/Analytical Information Microsoft-Windows-DNSServer/Analytical 256 DNS Request/Response DNS/Directory Services 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
50 0 Microsoft-Windows-DNSServer/Analytical Information Microsoft-Windows-DNSServer/Analytical 257 DNS Request/Response DNS/Directory Services 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
51 0 Microsoft-Windows-LSA/Operational Information Microsoft-Windows-LSA/Operational 300 Group Assigned to new Session Account Usage 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
52 0 Microsoft-Windows-ADFS/Audit Informational Microsoft-Windows-AD FS/Admin 307 The Federation Service configuration was changed ADFS Audit 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 Low 1
53 1 Microsoft-Windows-Kernel-PnP/Device Configuration Information Microsoft-Windows-Kernel-PnP/Device Configuration 400 New Mass Storage Installation External Media Detection 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 In Development 0 TA0005-Defense Evasion T1027-Obfuscated Files or Information
54 0 Microsoft-Windows-Kernel-PnP/Device Configuration Information Microsoft-Windows-Kernel-PnP/Device Configuration 410 New Mass Storage Installation External Media Detection 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
55 0 Microsoft-Windows-ApplicationExperience-Program-Telemetry Information Microsoft-Windows-ApplicationExperience-Program-Telemetry 500 Compatibility fix applied 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 In Development 0
56 0 Microsoft-Windows-ADFS/Audit Informational Microsoft-Windows-AD FS/Admin 510 Long Text ADFS Audit 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 Low 0
57 0 Microsoft-Windows-EventCollector Information Security 521 Windows events can't forward to Security log EventCollector 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 Low 0
58 1 Powershell Information Powershell 800 Get-MessageTrackingLog cmdlet PowerShell Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 High 1 TA0002-Execution|TA0003-Persistence|TA0005-Defensive Evasion|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement|TA0040-Impact T1059.001-PowerShell|T1197-BITS jobs|T1543.003-Create or Modify System Process-Windows Service|T1546-Event Triggered Execution|T1574-Hijack Execution Flow|T1027-Obfuscated Files or Information|T1070.001-Clear Windows event logs|T1112-Modify registry|T1562.001-Impair Defenses-Disable or Modify tool|T1562.004-Impair Defenses-Disable or Modify System Firewall|T1003-Credential dumping|T1016-System Network Configuration Discovery|T1069-Permission Groups Discovery|T1087-Account discovery|T1482-Domain Trust Discovery|T1021.003-Distributed Component Object Model (DCOM)|T1021.004-Remote Service SSH|T1490-Inhibit System Recovery
59 0 Application Warning Application 865 SRP Block Application Whitelisting 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
60 0 Application Warning Application 866 SRP Block Application Whitelisting 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
61 0 Application Warning Application 867 SRP Block Application Whitelisting 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
62 0 Application Warning Application 868 SRP Block Application Whitelisting 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
63 0 Application Warning Application 882 SRP Block Application Whitelisting 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
64 0 Microsoft-Windows-Application-Experience/Program-Inventory Information Microsoft-Windows-Application-Experience/Program-Inventory 903 New Application Installation Software and Service Installation 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
65 0 Microsoft-Windows-Application-Experience/Program-Inventory Information Microsoft-Windows-Application-Experience/Program-Inventory 904 New Application Installation Software and Service Installation 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
66 0 Microsoft-Windows-Application-Experience/Program-Inventory Information Microsoft-Windows-Application-Experience/Program-Inventory 905 Updated Application Software and Service Installation 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
67 0 Microsoft-Windows-Application-Experience/Program-Inventory Information Microsoft-Windows-Application-Experience/Program-Inventory 906 Updated Application Software and Service Installation 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
68 0 Microsoft-Windows-Application-Experience/Program-Inventory Information Microsoft-Windows-Application-Experience/Program-Inventory 907 Removed Application Software and Service Installation 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
69 0 Microsoft-Windows-Application-Experience/Program-Inventory Information Microsoft-Windows-Application-Experience/Program-Inventory 908 Removed Application Software and Service Installation 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
70 0 Microsoft-Windows-Windows Defender/Operational Information Microsoft-Windows-Windows Defender/Operational 1000 An antimalware scan started. Windows Defender Activities 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 In Development 1
71 0 Microsoft-Windows-Windows Defender/Operational Information Microsoft-Windows-Windows Defender/Operational 1001 An antimalware scan finished. Windows Defender Activities 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 In Development 1
72 0 Microsoft-Windows-Windows Defender/Operational Error Microsoft-Windows-Windows Defender/Operational 1002 An antimalware scan was stopped before it finished. Windows Defender Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 In Development 1
73 0 Microsoft-Windows-Windows Defender/Operational Error Microsoft-Windows-Windows Defender/Operational 1005 An antimalware scan failed. Windows Defender Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
74 0 Microsoft-Windows-Windows Defender/Operational Warning Microsoft-Windows-Windows Defender/Operational 1006 The antimalware engine found malware or other potentially unwanted software. Windows Defender Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
75 0 Microsoft-Windows-CertificateServicesClient-Lifecycle/Operational Informational Microsoft-Windows-CertificateServicesClient-Lifecycle/Operational 1007 Certificate Exported Certificate Services Activities 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 Low 1
76 0 Microsoft-Windows-Windows Defender/Operational Error Microsoft-Windows-Windows Defender/Operational 1008 The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. Windows Defender Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 In Development 0
77 0 Microsoft-Windows-Windows Defender/Operational Information Microsoft-Windows-Windows Defender/Operational 1009 The antimalware platform restored an item from quarantine. Windows Defender Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 In Development 1
78 0 Microsoft-Windows-Windows Defender/Operational Error Microsoft-Windows-Windows Defender/Operational 1010 The antimalware platform could not restore an item from quarantine. Windows Defender Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 In Development 0
79 0 Application Information Application 1022 New MSI File Installed Software and Service Installation 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
80 0 Application Information Application 1023 New MSI File Installed Software and Service Installation 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
81 0 Microsoft-Windows-TerminalServices-RDPClient/Operational Information Microsoft-Windows-TerminalServices-RDPClient/Operational 1024 Outbound TS Connect Attempt Network Policy Server 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 In Development 0
82 0 Application Information Application 1033 New MSI File Installed Software and Service Installation 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
83 0 Windows Installer Information Installer 1034 Windows Installer removed the product Installer 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 In Development 0
84 0 User32 Warning User32 1074 Shutdown Initiate Failed Boot Events 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 In Development 0
85 0 Security Information Security 1100 Event Log Service Shutdown Clearing Event Logs 1 1 0 0 1 0 0 0 0 0 1 0 0 1 0 Low 0
86 0 Security Error Security 1101 Audit events have been dropped by the transport Windows Audit 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 In Development 0
87 1 Security Information Security 1102 The audit log was cleared Clearing Event Logs 1 1 1 0 1 0 0 0 0 0 1 1 0 1 1 Low 0 TA0005-Defense Evasion T1070.001-Clear Windows event logs
88 0 Security Information Security 1104 The security log is now full Windows Audit 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 In Development 0
89 0 Security Information Security 1105 Event log automatic backup Windows Audit 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 In Development 0
90 0 Security Information Security 1108 The event logging service encountered an error Windows Audit 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 In Development 0
91 0 Microsoft-Windows-Windows Defender/Operational Warning Microsoft-Windows-Windows Defender/Operational 1116 Detected Malware Windows Defender Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
92 0 Microsoft-Windows-Windows Defender/Operational Information Microsoft-Windows-Windows Defender/Operational 1117 Malware Removed Windows Defender Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
93 0 Microsoft-Windows-Windows Defender/Operational Information Microsoft-Windows-Windows Defender/Operational 1118 Malware Removal Error Windows Defender Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 In Development 0
94 0 Microsoft-Windows-Windows Defender/Operational Error Microsoft-Windows-Windows Defender/Operational 1119 Malware Removal Fatal Error Windows Defender Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 In Development 0
95 0 Microsoft-Windows-Windows Defender/Operational Information Microsoft-Windows-Windows Defender/Operational 1125 Event when Network protection fires in Audit-mode. Windows Defender Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 In Development 1
96 0 Microsoft-Windows-Windows Defender/Operational Information Microsoft-Windows-Windows Defender/Operational 1126 Event when Network protection fires in Block-mode. Windows Defender Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 In Development 1
97 0 Microsoft-Windows-GroupPolicy Error System 1129 Group Policy Application Failed due to Connectivity Group Policy Errors 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
98 0 Microsoft-Windows-ADFS/Audit Informational Microsoft-Windows-AD FS/Admin 1200 Application Token Success ADFS Audit 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 High 0
99 0 Microsoft-Windows-ADFS/Audit Informational Microsoft-Windows-AD FS/Admin 1202 Fresh Credential Validation Success ADFS Audit 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 High 0
100 0 Application Error Application 1511 Temp Profile Logon Account Usage 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
101 0 Application Error Application 1518 Create Profile Failed Account Usage 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
102 0 Microsoft-Windows-Windows Defender/Operational Error Microsoft-Windows-Windows Defender/Operational 2001 The antimalware definition update failed. Windows Defender Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
103 0 Microsoft-Windows-Windows Defender/Operational Error Microsoft-Windows-Windows Defender/Operational 2003 The antimalware engine update failed. Windows Defender Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 1
104 0 Microsoft-Windows-Windows Defender/Operational Warning Microsoft-Windows-Windows Defender/Operational 2004 There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions. Windows Defender Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 1
105 0 Microsoft-Windows-Windows Firewall With Advanced Security/Firewall Error Microsoft-Windows-Windows Firewall With Advanced Security/Firewall 2009 Firewall Failed to load Group Policy Windows Firewall 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
106 0 Microsoft-Windows-Windows Firewall With Advanced Security/Firewall Information Microsoft-Windows-Windows Firewall With Advanced Security/Firewall 2033 Firewall Rules Deleted Windows Firewall 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
107 0 Microsoft-Windows-CodeIntegrity/Operational Warning, Error Microsoft-Windows-CodeIntegrity/Operational 3001 Code Integrity Check Kernel Driver Signing 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
108 0 Microsoft-Windows-Windows Defender/Operational Error Microsoft-Windows-Windows Defender/Operational 3002 Real-Time Protection failed Windows Defender Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 1
109 0 Microsoft-Windows-CodeIntegrity/Operational Warning, Error Microsoft-Windows-CodeIntegrity/Operational 3003 Code Integrity Check Kernel Driver Signing 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
110 0 Microsoft-Windows-CodeIntegrity/Operational Warning, Error Microsoft-Windows-CodeIntegrity/Operational 3004 Code Integrity Check Kernel Driver Signing 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
111 0 Microsoft-Windows-DNS-Client/Operational Information Microsoft-Windows-DNS-Client/Operational 3008 DNS Query Complete DNS/Directory Services 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 In Development 0
112 0 Microsoft-Windows-CodeIntegrity/Operational Warning, Error Microsoft-Windows-CodeIntegrity/Operational 3010 Code Integrity Check Kernel Driver Signing 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
113 0 Microsoft-Windows-DNS-Client/Operational Information Microsoft-Windows-DNS-Client/Operational 3020 DNS Response Complete DNS/Directory Services 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
114 0 Microsoft-Windows-CodeIntegrity/Operational Warning, Error Microsoft-Windows-CodeIntegrity/Operational 3023 Code Integrity Check Kernel Driver Signing 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
115 0 Powershell Information Microsoft-Windows-Powershell/Operational 4100 System Error Executing Pipeline 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 In Development 0
116 0 Powershell Information Microsoft-Windows-Powershell/Operational 4101 Executing Pipeline Powershell 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 High 0
117 0 Powershell Information Microsoft-Windows-Powershell/Operational 4102 Executing Pipeline Powershell 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 High 0
118 1 Powershell Information Microsoft-Windows-Powershell/Operational 4103 Module Logging Powershell 0 0 1 0 1 0 0 0 0 0 1 1 0 0 1 High 0 TA0002-Execution|TA0003-Persistence|TA0005-Defensive Evasion|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement|TA0040-Impact T1059.001-PowerShell|T1197-BITS jobs|T1543.003-Create or Modify System Process-Windows Service|T1546-Event Triggered Execution|T1574-Hijack Execution Flow|T1027-Obfuscated Files or Information|T1070.001-Clear Windows event logs|T1112-Modify registry|T1562.001-Impair Defenses-Disable or Modify tool|T1562.004-Impair Defenses-Disable or Modify System Firewall|T1003-Credential dumping|T1016-System Network Configuration Discovery|T1069-Permission Groups Discovery|T1087-Account discovery|T1482-Domain Trust Discovery|T1021.003-Distributed Component Object Model (DCOM)|T1021.004-Remote Service SSH|T1490-Inhibit System Recovery
119 1 Powershell Information Microsoft-Windows-Powershell/Operational 4104 Script Block Logging Powershell 0 0 1 0 1 0 1 0 0 0 1 1 0 1 1 In Development 0 TA0002-Execution|TA0003-Persistence|TA0005-Defensive Evasion|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement|TA0040-Impact T1059.001-PowerShell|T1197-BITS jobs|T1543.003-Create or Modify System Process-Windows Service|T1546-Event Triggered Execution|T1574-Hijack Execution Flow|T1027-Obfuscated Files or Information|T1070.001-Clear Windows event logs|T1112-Modify registry|T1562.001-Impair Defenses-Disable or Modify tool|T1562.004-Impair Defenses-Disable or Modify System Firewall|T1003-Credential dumping|T1016-System Network Configuration Discovery|T1069-Permission Groups Discovery|T1087-Account discovery|T1482-Domain Trust Discovery|T1021.003-Distributed Component Object Model (DCOM)|T1021.004-Remote Service SSH|T1490-Inhibit System Recovery
120 0 Powershell Information Microsoft-Windows-Powershell/Operational 4105 Exception Raised PowerShell Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
121 0 Powershell Information Microsoft-Windows-Powershell/Operational 4106 Exception Raised PowerShell Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
122 0 System Information System 4608 Windows is starting up. Security State Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
123 0 System Information System 4609 Windows is shutting down. Security State Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
124 0 System Information System 4610 An authentication package has been loaded by the Local Security Authority. Security System Extension 1 1 0 1 0 0 0 0 0 0 0 0 0 1 0 In Development 0
125 0 System Information System 4611 A trusted logon process has been registered with the Local Security Authority. Security System Extension 1 1 0 1 0 0 0 0 0 0 0 0 0 1 0 In Development 0
126 0 System Information System 4612 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. System Integrity 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
127 0 System Information System 4614 A notification package has been loaded by the Security Account Manager. Security System Extension 1 1 0 1 0 0 0 0 0 0 0 0 0 1 0 In Development 0
128 0 System Information System 4615 Invalid use of LPC port. System Integrity 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
129 1 System Information System 4616 The system time was changed. Security State Change 0 1 0 1 0 0 0 0 0 0 0 0 0 1 1 In Development 0 TA0005-Defense Evasion T1070.006-Timestomp
130 0 System Information System 4618 A monitored security event pattern has occurred. System Integrity 0 1 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
131 0 System Information System 4621 Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. Security State Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
132 1 System Information System 4622 A security package has been loaded by the Local Security Authority. Security System Extension 0 1 0 1 0 0 0 0 0 0 0 0 0 1 1 In Development 0 TA0003-Persistence T1547-Boot or Logon Autostart Execution
133 1 Logon/Logoff Information Security 4624 An account was successfully logged on. Logon 1 1 1 1 1 0 1 1 1 1 1 1 0 1 1 High 0 TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement T1134-Access Token Manipulation|T1027-Obfuscated Files or Information|T1112-Modify registry|T1558-Steal or Forge Kerberos Tickets|T1046-Network Service Scanning|T1069-Permission Groups Discovery|T1087-Account discovery|T1550-Use Alternate Authentication Material
134 1 Logon/Logoff Information Security 4625 An account failed to log on. Logon 1 1 1 1 1 0 1 1 0 1 1 1 0 1 1 Medium 1 TA0001-Initial Access|TA0006-Credential Access T1078-Valid Accounts|T1110.xxx-Brut force
135 0 Logon/Logoff Information Security 4626 User/Device claims information. Logon 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
136 0 Logon/Logoff Information Security 4627 Group membership information. Group Membership 0 1 0 1 0 0 0 0 0 0 0 1 0 1 0 In Development 0
137 1 Logon/Logoff Information Security 4634 An account was logged off. Logoff 1 1 0 1 1 0 1 0 1 0 1 1 0 1 1 High 0 TA0004-Privilege Escalation
138 0 Logon/Logoff Information Security 4646 IKE DoS-Prevention mode started IPsec Main Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
139 0 Logon/Logoff Information Security 4647 User initiated logoff Logoff 1 1 0 1 0 0 0 0 0 1 0 0 0 1 0 In Development 0
140 1 Logon/Logoff Information Security 4648 A logon was attempted using explicit credentials. Logon 1 1 1 1 1 0 0 1 1 0 1 0 0 1 1 In Development 0 TA0004-Privilege Escalation|TA0008-Lateral Movement T1134-Access Token Manipulation|T1574-DLL side-loading|T1021.002-SMB Windows Admin Shares
141 0 Logon/Logoff Information Security 4649 A replay attack was detected. Other Logon/Logoff Events 0 1 0 1 0 0 1 0 0 0 0 1 0 1 0 In Development 0
142 0 Logon/Logoff Information Security 4650 An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. IPsec Main Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
143 0 Logon/Logoff Information Security 4651 An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. IPsec Main Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
144 0 Logon/Logoff Information Security 4652 An IPsec Main Mode negotiation failed. IPsec Main Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
145 0 Logon/Logoff Information Security 4653 An IPsec Main Mode negotiation failed. IPsec Main Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
146 0 Logon/Logoff Information Security 4654 An IPsec Quick Mode negotiation failed. IPsec Quick Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
147 0 Logon/Logoff Information Security 4655 An IPsec Main Mode security association ended. IPsec Main Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
148 1 Object Access Information Security 4656 A handle to an object was requested. Handle Manipulation 1 1 1 1 0 0 0 1 1 0 0 0 0 0 1 In Development 0 TA0004-Privilege Escalation|TA0006-Credential Access|TA0008-Lateral Movement T1546-Image File Execution Options Injection|T1003-Credential dumping|T1021.006-Windows Remote Management
149 1 Object Access Information Security 4657 A registry value was modified. Registry 0 1 1 1 1 0 1 1 0 0 0 1 0 1 0 In Development 0
150 1 Object Access Information Security 4658 The handle to an object was closed. Handle Manipulation 1 1 0 1 0 0 0 1 1 0 0 0 0 0 1 In Development 0 TA0006-Credential Access T1003-Credential dumping
151 0 Object Access Information Security 4659 A handle to an object was requested with intent to delete. SAM 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
152 1 Object Access Information Security 4660 An object was deleted. SAM 0 1 0 1 0 0 0 1 1 0 0 0 0 0 0 In Development 0
153 1 Object Access Information Security 4661 A handle to an object was requested. SAM 0 1 0 1 0 0 0 1 0 0 0 0 0 0 1 In Development 0 TA0006-Credential Access|TA0007-Discovery T1003-Credential dumping|T1069-Permission Groups Discovery|T1201-Password Policy Discovery
154 1 DS Access Information Security 4662 An operation was performed on an object. Directory Service Access 0 1 1 1 0 0 0 1 0 0 0 0 0 0 1 In Development 0 TA0003-Persistence|TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access|TA0007-Discovery T1098.xxx-Account manipulation|T1484.001-Domain Policy Modification-Group Policy Modification|T1207-Rogue domain controller|T1003-Credential dumping|T1555-Credentials from Password Stores|T1069-Permission Groups Discovery|T1087-Account discovery
155 1 Object Access Information Security 4663 An attempt was made to access an object. Kernel 0 1 1 1 0 0 0 1 1 0 0 0 0 1 1 High 0 TA0006-Credential Access T1003-Credential dumping
156 1 Object Access Information Security 4664 An attempt was made to create a hard link. File System 0 1 0 1 0 0 0 1 0 0 0 0 0 0 0 In Development 0
157 0 Object Access Information Security 4665 An attempt was made to create an application client context. Application Generated 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
158 0 Object Access Information Security 4666 An application attempted an operation: Application Generated 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
159 0 Object Access Information Security 4667 An application client context was deleted. Application Generated 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
160 0 Object Access Information Security 4668 An application was initialized. Application Generated 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
161 1 Policy Change Information Security 4670 Permissions on an object were changed. Subcategory (special) 0 0 0 1 0 0 0 1 0 0 0 0 0 0 1 In Development 0 TA0005-Defense Evasion T1112-Modify registry
162 0 Object Access Information Security 4671 An application attempted to access a blocked ordinal through the TBS. Other Object Access Events 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
163 0 Privilege Use Information Security 4672 Special privileges assigned to new logon. Sensitive Privilege Use / Non Sensitive Privilege Use 1 0 1 1 1 0 0 0 1 0 0 0 0 1 0 High 0
164 1 Privilege Use Information Security 4673 A privileged service was called. Sensitive Privilege Use / Non Sensitive Privilege Use 1 0 1 1 0 0 0 1 1 0 0 0 0 1 1 In Development 0 TA0004-Privilege Escalation T1068-Exploitation for Privilege Escalation
165 1 Privilege Use Information Security 4674 An operation was attempted on a privileged object. Sensitive Privilege Use / Non Sensitive Privilege Use 1 0 0 1 0 0 0 1 0 0 0 0 0 0 1 In Development 0 TA0005-Defense Evasion|TA0006-Credential Access|TA0008-Lateral Movement T1027-Obfuscated Files or Information|T1112-Modify registry|T1003-Credential dumping|T1021.003-Distributed Component Object Model (DCOM)
166 0 Logon/Logoff Information Security 4675 SIDs were filtered. Logon 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
167 1 Detailed Tracking Information Security 4688 A new process has been created. Process Creation 1 0 1 1 1 0 1 1 1 0 1 0 0 1 1 High 0 TA0002-Execution|TA0003-Persistence|TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement|TA0011-Command and Control|TA0040-Impact T1047-Windows Management Instrumentation|T1053.005-Scheduled Task|T1059.001-PowerShell|T1059.003-Windows Command Shell|T1204-User execution|T1098.xxx-Account manipulation|T1136-Create account|T1197-BITS jobs|T1505.001-SQL Stored Procedures|T1543.003-Create or Modify System Process-Windows Service|T1546-Event Triggered Execution|T1574-Hijack Execution Flow|T1134-Access Token Manipulation|T1546-Image File Execution Options Injection|T1574-DLL side-loading|T1027-Obfuscated Files or Information|T1070.001-Clear Windows event logs|T1112-Modify registry|T1140-Deobfuscate-Decode Files or Information|T1562.001-Impair Defenses-Disable or Modify tool|T1562.002-Disable Windows Event Logging|T1564-Hide artifacts|T1003-Credential dumping|T1040-Traffic sniffing|T1016-System Network Configuration Discovery|T1069-Permission Groups Discovery|T1087-Account discovery|T1135.xxx-Network Share Discovery|T1201-Password Policy Discovery|T1021.001-Remote Desktop Protocol|T1021.002-SMB Windows Admin Shares|T1021.003-Distributed Component Object Model (DCOM)|T1572-Protocol tunneling|T1490-Inhibit System Recovery
168 1 Detailed Tracking Information Security 4689 A process has exited. Process Termination 1 0 0 1 1 0 1 1 1 0 1 0 0 1 0 High 0
169 0 Object Access Information Security 4690 An attempt was made to duplicate a handle to an object. Handle Manipulation 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
170 0 Object Access Information Security 4691 Indirect access to an object was requested. Other Object Access Events 0 0 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
171 0 Detailed Tracking Information Security 4692 Backup of data protection master key was attempted. DPAPI Activity 0 0 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
172 0 Detailed Tracking Information Security 4693 Recovery of data protection master key was attempted. DPAPI Activity 0 0 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
173 0 Detailed Tracking Information Security 4694 Protection of auditable protected data was attempted. DPAPI Activity 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
174 0 Detailed Tracking Information Security 4695 Unprotection of auditable protected data was attempted. DPAPI Activity 0 0 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
175 0 Detailed Tracking Information Security 4696 A primary token was assigned to process. Process Creation 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
176 1 System Information Security 4697 A service was installed in the system. Security System Extension 0 0 0 1 0 0 0 1 0 0 1 0 0 1 1 Low 0 TA0003-Persistence|TA0008-Lateral Movement T1543.003-Create or Modify System Process-Windows Service|T1021.002-SMB Windows Admin Shares
177 1 Object Access Information Security 4698 A scheduled task was created. Other Object Access Events 0 0 1 1 0 0 1 1 1 0 1 0 0 1 1 Low 0 TA0002-Execution T1053.005-Scheduled Task
178 1 Object Access Information Security 4699 A scheduled task was deleted. Other Object Access Events 0 0 0 1 0 0 0 1 0 0 1 0 0 1 1 Low 0 TA0002-Execution T1053.005-Scheduled Task
179 1 Object Access Information Security 4700 A scheduled task was enabled. Other Object Access Events 0 1 0 1 0 0 0 1 0 0 1 0 0 1 0 Low 0
180 1 Object Access Information Security 4701 A scheduled task was disabled. Other Object Access Events 0 1 0 1 0 0 0 1 0 0 1 0 0 1 0 Low 0
181 1 Object Access Information Security 4702 A scheduled task was updated. Other Object Access Events 0 1 1 1 0 0 0 1 0 0 1 0 0 1 0 Low 0
182 0 Policy Change Information Security 4703 A user right was adjusted. Authorization Policy Change 0 1 1 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
183 1 Policy Change Information Security 4704 A user right was assigned. Authorization Policy Change 0 1 0 1 1 0 0 0 0 0 0 1 0 0 1 In Development 0 TA0004-Privilege Escalation T1134-Access Token Manipulation
184 1 Policy Change Information Security 4705 A user right was removed. Authorization Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 1 In Development 0 TA0004-Privilege Escalation T1134-Access Token Manipulation
185 0 Policy Change Information Security 4706 A new trust was created to a domain. Authorization Policy Change 0 1 0 1 1 0 0 0 0 0 0 1 0 1 0 In Development 0
186 0 Policy Change Information Security 4707 A trust to a domain was removed. Authorization Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
187 0 Policy Change Information Security 4709 IPsec Services was started. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
188 0 Policy Change Information Security 4710 IPsec Services was disabled. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
189 0 Policy Change Information Security 4711 PAStore Engine Event Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
190 0 Policy Change Information Security 4712 IPsec Services encountered a potentially serious failure. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
191 0 Policy Change Information Security 4713 Kerberos policy was changed. Authentication Policy Change 0 1 0 1 1 0 0 0 0 0 0 1 0 1 0 In Development 0
192 0 Policy Change Information Security 4714 Encrypted data recovery policy was changed. Authorization Policy Change 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
193 0 Policy Change Information Security 4715 The audit policy (SACL) on an object was changed. Audit Policy Change 1 1 0 1 0 0 0 0 0 0 0 1 0 1 0 In Development 0
194 0 Policy Change Information Security 4716 Trusted domain information was modified. Authentication Policy Change 0 1 0 1 1 0 0 0 0 0 0 0 0 1 0 In Development 0
195 1 Policy Change Information Security 4717 System security access was granted to an account. Authentication Policy Change 1 1 0 1 0 0 0 1 0 0 0 0 0 1 1 In Development 0 TA0004-Privilege Escalation T1134-Access Token Manipulation
196 1 Policy Change Information Security 4718 System security access was removed from an account. Authentication Policy Change 1 1 0 1 0 0 0 1 0 0 0 1 0 0 1 In Development 0 TA0004-Privilege Escalation T1134-Access Token Manipulation
197 1 Policy Change Information Security 4719 System audit policy was changed. Audit Policy Change 1 1 1 1 1 0 1 0 0 0 1 1 0 1 1 In Development 0 TA0005-Defense Evasion T1562.002-Disable Windows Event Logging
198 1 Account Management Information Security 4720 A user account was created. User Account Management 1 1 0 1 1 0 0 1 1 1 1 0 0 1 1 In Development 0 TA0003-Persistence T1136-Create account
199 1 Account Management Information Security 4722 A user account was enabled. User Account Management 1 1 0 1 1 0 0 1 0 1 0 0 0 1 1 In Development 0 TA0003-Persistence T1136-Create account
200 1 Account Management Information Security 4723 An attempt was made to change an account's password. User Account Management 1 1 0 1 0 0 0 1 0 1 0 0 0 1 1 In Development 0 TA0003-Persistence T1098.xxx-Account manipulation
201 1 Account Management Information Security 4724 An attempt was made to reset an account's password. User Account Management 1 1 0 1 0 0 0 1 0 1 0 0 0 1 1 In Development 0 TA0003-Persistence T1098.xxx-Account manipulation
202 1 Account Management Information Security 4725 A user account was disabled. User Account Management 1 1 0 1 1 0 0 1 0 1 0 0 0 1 0 In Development 0
203 1 Account Management Information Security 4726 A user account was deleted. User Account Management 1 1 0 1 1 0 0 1 0 1 0 0 0 1 1 In Development 0 TA0003-Persistence T1136-Create account
204 0 Account Management Information Security 4727 A security-enabled global group was created. Security Group Management 0 1 0 1 0 0 0 0 0 0 0 1 0 1 0 In Development 0
205 1 Account Management Information Security 4728 A member was added to a security-enabled global group. Security Group Management 0 1 0 1 1 0 0 0 0 1 0 1 0 1 1 In Development 0 TA0003-Persistence T1098.xxx-Account manipulation|T1136-Create account
206 0 Account Management Information Security 4729 A member was removed from a security-enabled global group. Security Group Management 0 1 0 1 0 0 0 0 0 0 0 1 0 1 0 In Development 0
207 0 Account Management Information Security 4730 A security-enabled global group was deleted. Security Group Management 0 1 0 1 0 0 0 0 0 0 0 1 0 1 0 In Development 0
208 1 Account Management Information Security 4731 A security-enabled local group was created. Security Group Management 0 1 0 1 1 0 0 1 0 0 0 1 0 1 0 In Development 0
209 1 Account Management Information Security 4732 A member was added to a security-enabled local group. Security Group Management 0 1 0 1 1 0 0 1 0 1 0 1 0 1 1 In Development 0 TA0003-Persistence T1098.xxx-Account manipulation
210 1 Account Management Information Security 4733 A member was removed from a security-enabled local group. Security Group Management 0 1 0 1 1 0 0 1 0 0 0 1 0 1 1 In Development 0 TA0003-Persistence T1098.xxx-Account manipulation
211 1 Account Management Information Security 4734 A security-enabled local group was deleted. Security Group Management 0 1 0 1 0 0 0 1 0 0 0 1 0 1 0 In Development 0
212 1 Account Management Information Security 4735 A security-enabled local group was changed. Security Group Management 0 1 0 1 1 0 0 1 0 0 0 1 0 1 0 In Development 0
213 0 Account Management Information Security 4737 A security-enabled global group was changed. Security Group Management 0 1 0 1 0 0 0 0 0 0 0 1 0 1 0 In Development 0
214 1 Account Management Information Security 4738 A user account was changed. User Account Management 1 1 0 1 0 0 0 1 0 1 0 0 0 1 1 In Development 0 TA0003-Persistence T1098.xxx-Account manipulation
215 1 Policy Change Information Security 4739 Domain Policy was changed. Authentication Policy Change 1 1 0 1 0 0 0 0 0 0 1 0 0 1 1 In Development 0 TA0005-Defense Evasion T1562.002-Disable Windows Event Logging
216 1 Account Management Information Security 4740 A user account was locked out. User Account Management 1 1 0 1 1 0 0 1 0 1 1 0 0 1 0 In Development 0
217 1 Account Management Information Security 4741 A computer account was created. Computer Account Management 1 1 0 1 1 0 0 1 0 0 0 0 0 1 1 In Development 0 TA0003-Persistence T1136-Create account
218 1 Account Management Information Security 4742 A computer account was changed. Computer Account Management 1 1 0 1 0 0 0 1 0 0 0 0 0 1 1 In Development 0 TA0003-Persistence T1098.xxx-Account manipulation|T1136-Create account
219 1 Account Management Information Security 4743 A computer account was deleted. Computer Account Management 1 1 0 1 0 0 0 1 0 0 0 0 0 1 1 In Development 0 TA0003-Persistence T1136-Create account
220 0 Account Management Information Security 4744 A security-disabled local group was created. Distribution Group Management 0 1 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
221 0 Account Management Information Security 4745 A security-disabled local group was changed. Distribution Group Management 0 1 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
222 0 Account Management Information Security 4746 A member was added to a security-disabled local group. Distribution Group Management 0 1 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
223 0 Account Management Information Security 4747 A member was removed from a security-disabled local group. Distribution Group Management 0 1 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
224 0 Account Management Information Security 4748 A security-disabled local group was deleted. Distribution Group Management 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
225 1 Account Management Information Security 4749 A security-disabled global group was created. Distribution Group Management 0 1 0 1 0 0 0 1 0 0 0 0 0 0 0 In Development 0
226 1 Account Management Information Security 4750 A security-disabled global group was changed. Distribution Group Management 0 1 0 1 0 0 0 1 0 0 0 1 0 0 0 In Development 0
227 1 Account Management Information Security 4751 A member was added to a security-disabled global group. Distribution Group Management 0 1 0 1 0 0 0 1 0 0 0 0 0 0 0 In Development 0
228 0 Account Management Information Security 4752 A member was removed from a security-disabled global group. Distribution Group Management 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
229 1 Account Management Information Security 4753 A security-disabled global group was deleted. Distribution Group Management 0 1 0 1 0 0 0 1 0 0 0 0 0 0 0 In Development 0
230 0 Account Management Information Security 4754 A security-enabled universal group was created. Security Group Management 0 1 0 1 0 0 0 0 0 0 0 1 0 1 0 In Development 0
231 0 Account Management Information Security 4755 A security-enabled universal group was changed. Security Group Management 0 1 0 1 0 0 0 0 0 0 0 1 0 1 0 In Development 0
232 1 Account Management Information Security 4756 A member was added to a security-enabled universal group. Security Group Management 0 1 0 1 1 0 0 0 0 1 0 1 0 1 1 In Development 1 TA0003-Persistence T1098.xxx-Account manipulation
233 0 Account Management Information Security 4757 A member was removed from a security-enabled universal group. Security Group Management 0 1 0 1 0 0 0 0 0 0 0 1 0 1 0 In Development 0
234 0 Account Management Information Security 4758 A security-enabled universal group was deleted. Security Group Management 0 1 0 1 0 0 0 0 0 0 0 1 0 1 0 In Development 0
235 0 Account Management Information Security 4759 A security-disabled universal group was created. Distribution Group Management 0 1 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
236 0 Account Management Information Security 4760 A security-disabled universal group was changed. Distribution Group Management 0 1 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
237 0 Account Management Information Security 4761 A member was added to a security-disabled universal group. Distribution Group Management 0 1 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
238 0 Account Management Information Security 4762 A member was removed from a security-disabled universal group. Distribution Group Management 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
239 0 Account Management Information Security 4763 A security-disabled universal group was deleted. Distribution Group Management 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 In Development 0
240 1 Account Management Information Security 4764 A group's type was changed. Security Group Management 0 1 0 1 0 0 0 1 0 0 1 0 0 1 0 In Development 0
241 0 Account Management Information Security 4765 SID History was added to an account. User Account Management 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
242 0 Account Management Information Security 4766 An attempt to add SID History to an account failed. User Account Management 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
243 1 Account Management Information Security 4767 A user account was unlocked. User Account Management 1 1 0 1 1 0 0 1 0 1 1 1 0 1 0 In Development 0
244 1 Account Logon Information Security 4768 A Kerberos authentication ticket (TGT) was requested. Kerberos Authentication Service 1 1 0 1 0 0 0 1 0 0 0 1 0 1 1 In Development 0 TA0006-Credential Access T1110.xxx-Brute force|T1558-Steal or Forge Kerberos Tickets
245 1 Account Logon Information Security 4769 A Kerberos service ticket was requested. Kerberos Service Ticket Operations 1 1 1 1 1 0 0 1 1 0 0 1 1 1 1 High 0 TA0006-Credential Access|TA0007-Discovery T1558-Steal or Forge Kerberos Tickets|T1087-Account discovery
246 1 Account Logon Information Security 4770 A Kerberos service ticket was renewed. Kerberos Service Ticket Operations 1 1 0 1 0 0 0 1 0 0 0 0 0 0 0 In Development 0
247 1 Account Logon Information Security 4771 Kerberos pre-authentication failed. Kerberos Authentication Service 1 1 1 1 0 0 0 1 0 0 0 0 0 1 1 In Development 0 TA0006-Credential Access T1110.xxx-Brute force
248 0 Account Logon Information Security 4772 A Kerberos authentication ticket request failed. Kerberos Authentication Service 1 1 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
249 1 Account Logon Information Security 4773 A Kerberos service ticket request failed. Kerberos Authentication Service 1 1 0 1 1 0 0 1 0 0 0 0 0 0 0 In Development 0
250 0 Account Logon Information Security 4774 An account was mapped for logon. Credential Validation 1 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
251 0 Account Logon Information Security 4775 An account could not be mapped for logon. Credential Validation 1 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
252 1 Account Logon Information Security 4776 The domain controller attempted to validate the credentials for an account. Credential Validation 1 1 0 1 1 0 0 1 0 0 0 1 0 0 0 In Development 0
253 0 Account Logon Information Security 4777 The domain controller failed to validate the credentials for an account. Credential Validation 1 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
254 1 Logon/Logoff Information Security 4778 A session was reconnected to a Window Station. Other Logon/Logoff Events 1 1 0 1 1 0 0 1 0 1 0 0 0 1 1 In Development 0 TA0008-Lateral Movement T1021.001-Remote Desktop Protocol
255 1 Logon/Logoff Information Security 4779 A session was disconnected from a Window Station. Other Logon/Logoff Events 1 1 0 1 1 0 0 1 0 1 0 0 0 1 1 In Development 0 TA0008-Lateral Movement T1021.001-Remote Desktop Protocol
256 0 Account Management Information Security 4780 The ACL was set on accounts which are members of administrators groups. User Account Management 0 1 0 1 0 0 0 0 0 0 0 0 0 1 0 In Development 0
257 1 Account Management Information Security 4781 The name of an account was changed: User Account Management 0 1 0 1 1 0 0 1 0 1 0 1 0 1 1 In Development 0 TA0003-Persistence T1098.xxx-Account manipulation
258 0 Account Management Information Security 4782 The password hash of an account was accessed. Other Account Management Events 0 1 0 1 1 0 0 0 0 0 0 1 0 1 0 In Development 0
259 0 Account Management Information Security 4783 A basic application group was created. Application Group Management 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
260 0 Account Management Information Security 4784 A basic application group was changed. Application Group Management 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
261 0 Account Management Information Security 4785 A member was added to a basic application group. Application Group Management 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
262 0 Account Management Information Security 4786 A member was removed from a basic application group. Application Group Management 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
263 0 Account Management Information Security 4787 A non-member was added to a basic application group. Application Group Management 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
264 0 Account Management Information Security 4788 A non-member was removed from a basic application group. Application Group Management 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
265 0 Account Management Information Security 4789 A basic application group was deleted. Application Group Management 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
266 0 Account Management Information Security 4790 An LDAP query group was created. Application Group Management 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
267 0 Account Management Information Security 4791 A basic application group was changed. Application Group Management 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
268 0 Account Management Information Security 4792 An LDAP query group was deleted. Application Group Management 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
269 0 Account Management Information Security 4793 The Password Policy Checking API was called. Other Account Management Events 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
270 1 Account Management Information Security 4794 An attempt was made to set the Directory Services Restore Mode. User Account Management 0 1 0 1 0 0 0 0 0 0 0 0 0 1 1 In Development 0 TA0006-Credential Access T1003-Credential dumping
271 0 Account Management Information Security 4797 An attempt was made to query the existence of a blank password for an account. User Account Management 0 1 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
272 1 Account Management Information Security 4798 A user's local group membership was enumerated. User Account Management 0 1 0 1 0 0 0 1 0 0 0 1 0 1 0 In Development 0
273 1 Account Management Information Security 4799 A security-enabled local group membership was enumerated. Security Group Management 0 1 0 1 0 0 0 1 0 0 0 1 0 1 1 In Development 0 TA0007-Discovery T1069-Permission Groups Discovery
274 1 Logon/Logoff Information Security 4800 The workstation was locked. Other Logon/Logoff Events 0 1 0 1 0 0 1 1 0 1 0 1 0 0 0 In Development 0
275 1 Logon/Logoff Information Security 4801 The workstation was unlocked. Other Logon/Logoff Events 0 1 0 1 0 0 1 1 0 1 0 1 0 0 0 In Development 0
276 0 Logon/Logoff Information Security 4802 The screen saver was invoked. Other Logon/Logoff Events 0 1 0 1 0 0 1 0 0 1 0 0 0 0 0 In Development 0
277 0 Logon/Logoff Information Security 4803 The screen saver was dismissed. Other Logon/Logoff Events 0 1 0 1 0 0 0 0 0 1 0 0 0 0 0 In Development 0
278 0 System Information Security 4816 RPC detected an integrity violation while decrypting an incoming message. System Integrity 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
279 0 Policy Change Information Security 4817 Auditing settings on an object were changed. Audit Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 1 0 In Development 0
280 0 Object Access Information Security 4818 Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy Central Access Policy Staging 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
281 0 Policy Change Information Security 4819 Central Access Policies on the machine have been changed. Other Policy Change Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
282 0 Account Logon Information Security 4820 A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions. Kerberos Authentication Service 0 1 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
283 0 Account Logon Information Security 4821 A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions. Kerberos Service Ticket Operations 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
284 0 Account Logon Information Security 4822 NTLM authentication failed because the account was a member of the Protected User group. Credential Validation 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
285 0 Account Logon Information Security 4823 NTLM authentication failed because access control restrictions are required. Credential Validation 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
286 0 Account Logon Information Security 4824 Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group. Kerberos Authentication Service 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
287 1 Logon/Logoff Information Security 4825 A user was denied the access to Remote Desktop. Other Logon/Logoff Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 1 In Development 0 TA0008-Lateral Movement T1021.001-Remote Desktop Protocol
288 0 Policy Change Information Security 4826 Boot Configuration Data loaded. Other Policy Change Events 0 1 0 1 0 0 0 0 0 0 0 0 0 1 0 In Development 0
289 0 Account Management Information Security 4830 SID History was removed from an account. User Account Management 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 In Development 0
290 0 Policy Change Information Security 4864 A namespace collision was detected. Authentication Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
291 0 Policy Change Information Security 4865 A trusted forest information entry was added. Authentication Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 1 0 In Development 0
292 0 Policy Change Information Security 4866 A trusted forest information entry was removed. Authentication Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 1 0 In Development 0
293 0 Policy Change Information Security 4867 A trusted forest information entry was modified. Authentication Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 1 0 In Development 0
294 0 Object Access Information Security 4868 The certificate manager denied a pending certificate request. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
295 0 Object Access Information Security 4869 Certificate Services received a resubmitted certificate request. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
296 0 Object Access Information Security 4870 Certificate Services revoked a certificate. Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
297 0 Object Access Information Security 4871 Certificate Services received a request to publish the certificate revocation list (CRL). Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
298 0 Object Access Information Security 4872 Certificate Services published the certificate revocation list (CRL). Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
299 0 Object Access Information Security 4873 A certificate request extension changed. Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
300 0 Object Access Information Security 4874 One or more certificate request attributes changed. Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
301 0 Object Access Information Security 4875 Certificate Services received a request to shut down. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
302 0 Object Access Information Security 4876 Certificate Services backup started. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
303 0 Object Access Information Security 4877 Certificate Services backup completed. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
304 0 Object Access Information Security 4878 Certificate Services restore started. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
305 0 Object Access Information Security 4879 Certificate Services restore completed. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
306 0 Object Access Information Security 4880 Certificate Services started. Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
307 0 Object Access Information Security 4881 Certificate Services stopped. Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
308 0 Object Access Information Security 4882 The security permissions for Certificate Services changed. Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
309 0 Object Access Information Security 4883 Certificate Services retrieved an archived key. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
310 0 Object Access Information Security 4884 Certificate Services imported a certificate into its database. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
311 0 Object Access Information Security 4885 The audit filter for Certificate Services changed. Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
312 0 Object Access Information Security 4886 Certificate Services received a certificate request. Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
313 0 Object Access Information Security 4887 Certificate Services approved a certificate request and issued a certificate. Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
314 0 Object Access Information Security 4888 Certificate Services denied a certificate request. Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
315 0 Object Access Information Security 4889 Certificate Services set the status of a certificate request to pending. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
316 0 Object Access Information Security 4890 The certificate manager settings for Certificate Services changed. Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
317 0 Object Access Information Security 4891 A configuration entry changed in Certificate Services. Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
318 0 Object Access Information Security 4892 A property of Certificate Services changed. Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
319 0 Object Access Information Security 4893 Certificate Services archived a key. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
320 0 Object Access Information Security 4894 Certificate Services imported and archived a key. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
321 0 Object Access Information Security 4895 Certificate Services published the CA certificate to Active Directory Domain Services. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
322 0 Object Access Information Security 4896 One or more rows have been deleted from the certificate database. Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
323 0 Object Access Information Security 4897 Role separation enabled Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
324 0 Object Access Information Security 4898 Certificate Services loaded a template. Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
325 0 Object Access Information Security 4899 A Certificate Services template was updated. Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
326 0 Object Access Information Security 4900 Certificate Services template security was updated. Certification Services 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
327 0 Policy Change Information Security 4902 The Per-user audit policy table was created. Audit Policy Change 0 1 0 1 0 0 0 0 0 0 1 0 0 0 0 In Development 0
328 0 Policy Change Information Security 4904 An attempt was made to register a security event source. Audit Policy Change 0 1 0 1 0 0 0 0 0 0 1 0 0 1 0 In Development 0
329 0 Policy Change Information Security 4905 An attempt was made to unregister a security event source. Audit Policy Change 0 1 0 1 0 0 0 0 0 0 1 0 0 1 0 In Development 0
330 0 Policy Change Information Security 4906 The CrashOnAuditFail value has changed. Audit Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 1 0 In Development 0
331 0 Policy Change Information Security 4907 Auditing settings on object were changed. Audit Policy Change 0 1 0 1 0 0 0 0 0 0 0 1 0 1 0 In Development 0
332 1 Policy Change Information Security 4908 Special Groups Logon table modified. Audit Policy Change 0 1 0 1 0 0 0 0 0 0 1 0 0 1 1 In Development 0 TA0005-Defense Evasion T1562.002-Disable Windows Event Logging
333 0 Policy Change Information Security 4909 The local policy settings for the TBS were changed. Other Policy Change Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
334 0 Policy Change Information Security 4910 The group policy settings for the TBS were changed. Other Policy Change Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
335 0 Policy Change Information Security 4911 Resource attributes of the object were changed. Authorization Policy Change 0 1 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
336 0 Policy Change Information Security 4912 Per User Audit Policy was changed. Audit Policy Change 1 1 0 1 0 0 1 0 0 0 1 0 0 1 0 In Development 0
337 0 Policy Change Information Security 4913 Central Access Policy on the object was changed. Authorization Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
338 0 DS Access Information Security 4928 An Active Directory replica source naming context was established. Detailed Directory Service Replication 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
339 0 DS Access Information Security 4929 An Active Directory replica source naming context was removed. Detailed Directory Service Replication 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
340 0 DS Access Information Security 4930 An Active Directory replica source naming context was modified. Detailed Directory Service Replication 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
341 0 DS Access Information Security 4931 An Active Directory replica destination naming context was modified. Detailed Directory Service Replication 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
342 0 DS Access Information Security 4932 Synchronization of a replica of an Active Directory naming context has begun. Directory Service Replication 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
343 0 DS Access Information Security 4933 Synchronization of a replica of an Active Directory naming context has ended. Directory Service Replication 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
344 0 DS Access Information Security 4934 Attributes of an Active Directory object were replicated. Detailed Directory Service Replication 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
345 0 DS Access Information Security 4935 Replication failure begins. Detailed Directory Service Replication 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
346 0 DS Access Information Security 4936 Replication failure ends. Detailed Directory Service Replication 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
347 0 DS Access Information Security 4937 A lingering object was removed from a replica. Detailed Directory Service Replication 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
348 0 Policy Change Information Security 4944 The following policy was active when the Windows Firewall started. MPSSVC Rule-Level Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
349 0 Policy Change Information Security 4945 A rule was listed when the Windows Firewall started. MPSSVC Rule-Level Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
350 0 Policy Change Information Security 4946 A change has been made to Windows Firewall exception list. A rule was added. MPSSVC Rule-Level Policy Change 1 1 0 1 0 0 0 0 1 0 0 1 0 0 0 In Development 0
351 0 Policy Change Information Security 4947 A change has been made to Windows Firewall exception list. A rule was modified. MPSSVC Rule-Level Policy Change 1 1 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
352 0 Policy Change Information Security 4948 A change has been made to Windows Firewall exception list. A rule was deleted. MPSSVC Rule-Level Policy Change 1 1 0 1 0 0 0 0 0 0 0 1 0 0 0 In Development 0
353 0 Policy Change Information Security 4949 Windows Firewall settings were restored to the default values. MPSSVC Rule-Level Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
354 1 Policy Change Information Security 4950 A Windows Firewall setting has changed. MPSSVC Rule-Level Policy Change 0 1 0 1 0 0 0 0 0 0 0 1 0 0 1 In Development 0 TA0005-Defense Evasion T1562.004-Impair Defenses-Disable or Modify System Firewall
355 0 Policy Change Information Security 4951 A rule has been ignored because its major version number was not recognized by Windows Firewall. MPSSVC Rule-Level Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
356 0 Policy Change Information Security 4952 Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. MPSSVC Rule-Level Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
357 0 Policy Change Information Security 4953 A rule has been ignored by Windows Firewall because it could not parse the rule. MPSSVC Rule-Level Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
358 0 Policy Change Information Security 4954 Windows Firewall Group Policy settings have changed. The new settings have been applied. MPSSVC Rule-Level Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
359 0 Policy Change Information Security 4956 Windows Firewall has changed the active profile. MPSSVC Rule-Level Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
360 0 Policy Change Information Security 4957 Windows Firewall did not apply the following rule: MPSSVC Rule-Level Policy Change 1 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
361 0 Policy Change Information Security 4958 Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: MPSSVC Rule-Level Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
362 0 System Information Security 4960 IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. IPsec Driver 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
363 0 System Information Security 4961 IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. IPsec Driver 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
364 0 System Information Security 4962 IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. IPsec Driver 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
365 0 System Information Security 4963 IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. IPsec Driver 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
366 1 Logon/Logoff Information Security 4964 Special groups have been assigned to a new logon. Special Logon 0 1 0 1 0 0 0 0 0 0 0 0 0 0 1 In Development 0 TA0005-Defense Evasion T1078.002-Valid accounts-Domain accounts
367 0 System Information Security 4965 IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. IPsec Driver 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
368 0 Logon/Logoff Information Security 4976 During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. IPsec Main Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
369 0 Logon/Logoff Information Security 4977 During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. IPsec Quick Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
370 0 Logon/Logoff Information Security 4978 During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. IPsec Extended Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
371 0 Logon/Logoff Information Security 4979 IPsec Main Mode and Extended Mode security associations were established. IPsec Extended Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
372 0 Logon/Logoff Information Security 4980 IPsec Main Mode and Extended Mode security associations were established. IPsec Extended Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
373 0 Logon/Logoff Information Security 4981 IPsec Main Mode and Extended Mode security associations were established. IPsec Extended Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
374 0 Logon/Logoff Information Security 4982 IPsec Main Mode and Extended Mode security associations were established. IPsec Extended Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
375 0 Logon/Logoff Information Security 4983 An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. IPsec Extended Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
376 0 Logon/Logoff Information Security 4984 An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. IPsec Extended Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
377 0 Object Access Information Security 4985 The state of a transaction has changed. File System 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
378 0 Microsoft-Windows-Windows Defender/Operational Error Microsoft-Windows-Windows Defender/Operational 5008 Unexpected Error Windows Defender Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
379 0 System Information System 5024 The Windows Firewall Service has started successfully. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
380 1 System Information System 5025 The Windows Firewall Service has been stopped. Other System Events 0 1 0 1 0 0 0 1 0 0 0 0 0 0 0 In Development 0
381 0 System Error System 5027 The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
382 0 System Error System 5028 The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
383 0 System Error System 5029 The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
384 0 System Error System 5030 The Windows Firewall Service failed to start. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
385 1 System Information System 5031 The Windows Firewall Service blocked an application from accepting incoming connections on the network. Filtering Platform Connection 0 1 0 1 0 0 0 1 0 0 0 0 0 0 0 In Development 0
386 0 System Information System 5032 Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
387 0 System Information System 5033 The Windows Firewall Driver has started successfully. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
388 1 System Information System 5034 The Windows Firewall Driver has been stopped. Other System Events 0 1 0 1 0 0 0 1 0 0 0 0 0 0 0 In Development 0
389 0 System Error System 5035 The Windows Firewall Driver failed to start. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
390 0 System Error System 5037 The Windows Firewall Driver detected critical runtime error. Terminating. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
391 0 Security Information Security 5038 Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. System Integrity 0 1 0 1 1 0 0 0 0 0 0 0 0 1 0 In Development 0
392 0 Object Access Information Security 5039 A registry key was virtualized. Registry 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
393 0 Policy Change Information Security 5040 A change has been made to IPsec settings. An Authentication Set was added. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
394 0 Policy Change Information Security 5041 A change has been made to IPsec settings. An Authentication Set was modified. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
395 0 Policy Change Information Security 5042 A change has been made to IPsec settings. An Authentication Set was deleted. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
396 0 Policy Change Information Security 5043 A change has been made to IPsec settings. A Connection Security Rule was added. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
397 0 Policy Change Information Security 5044 A change has been made to IPsec settings. A Connection Security Rule was modified. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
398 0 Policy Change Information Security 5045 A change has been made to IPsec settings. A Connection Security Rule was deleted. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
399 0 Policy Change Information Security 5046 A change has been made to IPsec settings. A Crypto Set was added. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
400 0 Policy Change Information Security 5047 A change has been made to IPsec settings. A Crypto Set was modified. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
401 0 Policy Change Information Security 5048 A change has been made to IPsec settings. A Crypto Set was deleted. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
402 0 Logon/Logoff Information Security 5049 An IPsec Security Association was deleted. IPsec Main Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
403 0 System Information Security 5050 An attempt to programmatically disable the Windows Firewall was rejected because this API is not supported on Windows Vista. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
404 0 Object Access Information Security 5051 A file was virtualized. File System 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
405 0 System Information Security 5056 A cryptographic self test was performed. System Integrity 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
406 0 System Information Security 5057 A cryptographic primitive operation failed. System Integrity 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
407 0 System Information Security 5058 Key file operation. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
408 0 System Information Security 5059 Key migration operation. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
409 0 System Information Security 5060 Verification operation failed. System Integrity 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
410 0 System Information Security 5061 Cryptographic operation. System Integrity 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
411 0 System Information Security 5062 A kernel-mode cryptographic self test was performed. System Integrity 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
412 0 Policy Change Information Security 5063 A cryptographic provider operation was attempted. Other Policy Change Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
413 0 Policy Change Information Security 5064 A cryptographic context operation was attempted. Other Policy Change Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
414 0 Policy Change Information Security 5065 A cryptographic context modification was attempted. Other Policy Change Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
415 0 Policy Change Information Security 5066 A cryptographic function operation was attempted. Other Policy Change Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
416 0 Policy Change Information Security 5067 A cryptographic function modification was attempted. Other Policy Change Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
417 0 Policy Change Information Security 5068 A cryptographic function provider operation was attempted. Other Policy Change Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
418 0 Policy Change Information Security 5069 A cryptographic function property operation was attempted. Other Policy Change Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
419 0 Policy Change Information Security 5070 A cryptographic function property modification was attempted. Other Policy Change Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
420 0 System Information Security 5071 Key access denied by Microsoft key distribution service. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
421 0 Object Access Information Security 5120 OCSP Responder Service Started. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
422 0 Object Access Information Security 5121 OCSP Responder Service Stopped. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
423 0 Object Access Information Security 5122 A Configuration entry changed in the OCSP Responder Service. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
424 0 Object Access Information Security 5123 A configuration entry changed in the OCSP Responder Service. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
425 1 Object Access Information Security 5124 A security setting was updated on OCSP Responder Service. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 1 In Development 0 TA0005-Defense Evasion T1222.001-File and Directory Permissions Modification
426 0 Object Access Information Security 5125 A request was submitted to OCSP Responder Service. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
427 0 Object Access Information Security 5126 Signing Certificate was automatically updated by the OCSP Responder Service. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
428 0 Object Access Information Security 5127 The OCSP Revocation Provider successfully updated the revocation information. Certification Services 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
429 1 DS Access Information Security 5136 A directory service object was modified. Directory Service Changes 0 1 0 1 1 0 0 1 0 0 0 0 0 0 1 In Development 0 TA0003-Persistence|TA0004-Privilege Escalation|TA0005-Defense Evasion T1098.xxx-Account manipulation|T1546-Event Triggered Execution|T1484.001-Domain Policy Modification-Group Policy Modification|T1222.001-File and Directory Permissions Modification
430 1 DS Access Information Security 5137 A directory service object was created. Directory Service Changes 0 1 0 1 1 0 0 1 0 0 0 0 0 0 1 In Development 0 TA0005-Defense Evasion T1207-Rogue domain controller
431 1 DS Access Information Security 5138 A directory service object was undeleted. Directory Service Changes 0 1 0 1 1 0 0 1 0 0 0 0 0 0 0 In Development 0
432 1 DS Access Information Security 5139 A directory service object was moved. Directory Service Changes 0 1 0 1 1 0 0 1 0 0 0 0 0 0 0 In Development 0
433 1 Object Access Information Security 5140 A network share object was accessed. File Share 0 1 1 1 1 0 1 1 1 0 1 0 0 1 1 In Development 0 TA0007-Discovery|TA0008-Lateral Movement T1135-Network Share Discovery|T1021.002-SMB Windows Admin Shares
434 1 DS Access Information Security 5141 A directory service object was deleted. Directory Service Changes 0 1 0 1 1 0 0 1 0 0 0 0 0 0 0 In Development 0
435 1 Object Access Information Security 5142 A network share object was added. File Share 0 1 0 1 1 0 0 1 1 0 1 0 0 1 1 In Development 0 TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares
436 1 Object Access Information Security 5143 A network share object was modified. File Share 0 1 0 1 0 0 0 1 0 0 1 0 0 0 1 In Development 0 TA0005-Defense Evasion|TA0008-Lateral Movement T1222.001-File and Directory Permissions Modification|T1021.002-SMB Windows Admin Shares
437 1 Object Access Information Security 5144 A network share object was deleted. File Share 0 1 0 1 1 0 0 1 1 0 1 0 0 0 0 In Development 0
438 1 Object Access Information Security 5145 A network share object was checked to see whether the client can be granted desired access. Detailed File Share 0 1 1 1 1 0 0 1 1 0 0 1 0 0 1 In Development 0 TA0002-Execution|TA0003-Persistence|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement T1047-Windows Management Instrumentation|T1053.005-Scheduled Task|T1204-User execution|T1098.xxx-Account manipulation|T1003-Credential dumping|T1555-Credentials from Password Stores|T1557-Man in the middle|T1018-Remote System Discovery|T1135-Network Share Discovery|T1021.002-SMB Windows Admin Shares
439 0 Object Access Information Security 5146 The Windows Filtering Platform has blocked a packet. Filtering Platform Packet Drop 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 High 0
440 0 Object Access Information Security 5147 A more restrictive Windows Filtering Platform filter has blocked a packet. Filtering Platform Packet Drop 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
441 0 Object Access Information Security 5148 The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. Other Object Access Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
442 0 Object Access Information Security 5149 The DoS attack has subsided and normal processing is being resumed. Other Object Access Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
443 0 Object Access Information Security 5150 The Windows Filtering Platform has blocked a packet. Filtering Platform Connection 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
444 0 Object Access Information Security 5151 A more restrictive Windows Filtering Platform filter has blocked a packet. Filtering Platform Connection 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
445 0 Object Access Information Security 5152 The Windows Filtering Platform blocked a packet. Filtering Platform Packet Drop 0 1 1 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
446 0 Object Access Information Security 5153 A more restrictive Windows Filtering Platform filter has blocked a packet. Filtering Platform Packet Drop 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
447 1 Object Access Information Security 5154 The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. Filtering Platform Connection 0 1 1 1 0 0 0 1 1 0 0 0 0 0 0 In Development 0
448 1 Object Access Information Security 5155 The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. Filtering Platform Connection 0 1 0 1 0 0 0 1 0 0 0 0 0 0 0 In Development 0
449 1 Object Access Information Security 5156 The Windows Filtering Platform has allowed a connection. Filtering Platform Connection 0 1 1 1 0 0 1 1 1 0 0 0 0 0 0 High 0
450 1 Object Access Information Security 5157 The Windows Filtering Platform has blocked a connection. Filtering Platform Connection 0 1 1 1 0 0 0 1 0 0 0 0 0 0 0 In Development 0
451 1 Object Access Information Security 5158 The Windows Filtering Platform has permitted a bind to a local port. Filtering Platform Connection 0 1 0 1 0 0 1 1 0 0 0 0 0 0 0 In Development 0
452 1 Object Access Information Security 5159 The Windows Filtering Platform has blocked a bind to a local port. Filtering Platform Connection 0 1 0 1 0 0 0 1 0 0 0 0 0 0 0 In Development 0
453 0 Object Access Information Security 5168 SPN check for SMB/SMB2 failed. File Share 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
454 0 DS Access Information Security 5169 A directory service object was modified. Directory Service Access 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
455 0 DS Access Information Security 5170 A directory service object was modified during a background cleanup task Directory Service Access 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 In Development 0
456 1 Account Management Information Security 5376 Credential Manager credentials were backed up. User Account Management 0 1 0 1 1 0 0 0 0 0 0 0 0 1 1 In Development 0 TA0006-Credential Access T1555.004-Windows Credential Manager
457 0 Account Management Information Security 5377 Credential Manager credentials were restored from a backup. User Account Management 0 1 0 1 1 0 0 0 0 0 0 0 0 1 0 In Development 0
458 0 Logon/Logoff Information Security 5378 The requested credentials delegation was disallowed by policy. Other Logon/Logoff Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
459 1 Account Management Information Security 5379 Credential Manager credentials were read. User Account Management 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 In Development 0 TA0006-Credential Access T1555.004-Windows Credential Manager
460 0 Vault Information Security 5380 Vault Find Credential Vault 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 In Development 0
461 1 Vault Information Security 5381 Vault credentials were read Vault 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 In Development 0 TA0006-Credential Access T1555.004-Windows Credential Manager
462 1 Vault Information Security 5382 Vault credentials were read Vault 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 In Development 0 TA0006-Credential Access T1555.004-Windows Credential Manager
463 0 Policy Change Information Security 5440 The following callout was present when the Windows Filtering Platform Base Filtering Engine started. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
464 0 Policy Change Information Security 5441 The following filter was present when the Windows Filtering Platform Base Filtering Engine started. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
465 0 Policy Change Information Security 5442 The following provider was present when the Windows Filtering Platform Base Filtering Engine started. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
466 0 Policy Change Information Security 5443 The following provider context was present when the Windows Filtering Platform Base Filtering Engine started. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
467 0 Policy Change Information Security 5444 The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
468 0 Policy Change Information Security 5446 A Windows Filtering Platform callout has been changed. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
469 1 Policy Change Information Security 5447 A Windows Filtering Platform filter has been changed. Other Policy Change Events 0 1 0 1 0 0 0 0 1 0 0 0 0 0 1 In Development 0 TA0005-Defense Evasion T1562.004-Impair Defenses-Disable or Modify System Firewall
470 0 Policy Change Information Security 5448 A Windows Filtering Platform provider has been changed. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
471 0 Policy Change Information Security 5449 A Windows Filtering Platform provider context has been changed. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
472 0 Policy Change Information Security 5450 A Windows Filtering Platform sub-layer has been changed. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
473 0 Logon/Logoff Information Security 5451 An IPsec Quick Mode security association was established. IPsec Quick Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
474 0 Logon/Logoff Information Security 5452 An IPsec Quick Mode security association ended. IPsec Quick Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
475 0 Logon/Logoff Information Security 5453 An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. IPsec Main Mode 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
476 0 Policy Change Information Security 5456 PAStore Engine applied Active Directory storage IPsec policy on the computer. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
477 0 Policy Change Information Security 5457 PAStore Engine failed to apply Active Directory storage IPsec policy on the computer. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
478 0 Policy Change Information Security 5458 PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
479 0 Policy Change Information Security 5459 PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
480 0 Policy Change Information Security 5460 PAStore Engine applied local registry storage IPsec policy on the computer. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
481 0 Policy Change Information Security 5461 PAStore Engine failed to apply local registry storage IPsec policy on the computer. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
482 0 Policy Change Information Security 5462 PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
483 0 Policy Change Information Security 5463 PAStore Engine polled for changes to the active IPsec policy and detected no changes. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
484 0 Policy Change Information Security 5464 PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
485 0 Policy Change Information Security 5465 PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
486 0 Policy Change Information Security 5466 PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
487 0 Policy Change Information Security 5467 PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
488 0 Policy Change Information Security 5468 PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
489 0 Policy Change Information Security 5471 PAStore Engine loaded local storage IPsec policy on the computer. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
490 0 Policy Change Information Security 5472 PAStore Engine failed to load local storage IPsec policy on the computer. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
491 0 Policy Change Information Security 5473 PAStore Engine loaded directory storage IPsec policy on the computer. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
492 0 Policy Change Information Security 5474 PAStore Engine failed to load directory storage IPsec policy on the computer. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
493 0 Policy Change Information Security 5477 PAStore Engine failed to add quick mode filter. Filtering Platform Policy Change 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
494 0 System Information Security 5478 IPsec Services has started successfully. IPsec Driver 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
495 0 System Information Security 5479 IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. IPsec Driver 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
496 0 System Information Security 5480 IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. IPsec Driver 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
497 0 System Information Security 5483 IPsec Services failed to initialize RPC server. IPsec Services could not be started. IPsec Driver 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
498 0 System Information Security 5484 IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. IPsec Driver 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
499 0 System Information Security 5485 IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. IPsec Driver 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
500 0 Wireless 802.1X Auth Information Security 5632 A request was made to authenticate to a wireless network. Other Logon/Logoff Events 0 1 0 1 1 0 0 0 0 0 0 0 0 1 0 In Development 0
501 0 Logon/Logoff Information Security 5633 A request was made to authenticate to a wired network. Other Logon/Logoff Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
502 0 Detailed Tracking Information Security 5712 A Remote Procedure Call (RPC) was attempted. RPC Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
503 0 WMI Operational Information Microsoft-Windows-WMI-Activity/Operational 5857 Windows WMI Activity WMI 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0 In Development 0
504 0 WMI Operational Information Microsoft-Windows-WMI-Activity/Operational 5859 Windows WMI Activity WMI 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 In Development 0
505 0 WMI Operational Information Microsoft-Windows-WMI-Activity/Operational 5860 Windows WMI Activity WMI 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0 In Development 0
506 1 WMI Operational Information Microsoft-Windows-WMI-Activity/Operational 5861 Windows WMI Activity WMI 0 0 1 0 0 1 0 0 0 0 0 0 0 1 0 In Development 0
507 0 Object Access Information Security 5888 An object in the COM+ Catalog was modified. Other Object Access Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
508 0 Object Access Information Security 5889 An object was deleted from the COM+ Catalog. Other Object Access Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
509 0 Object Access Information Security 5890 An object was added to the COM+ Catalog. Other Object Access Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
510 0 Policy Change Information Security 6144 Security policy in the group policy objects has been applied successfully. Other Policy Change Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
511 0 Policy Change Error Security 6145 One or more errors occurred while processing security policy in the group policy objects. Other Policy Change Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
512 0 Logon/Logoff Information Security 6272 Network Policy Server granted access to a user. Network Policy Server 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
513 0 Logon/Logoff Information Security 6273 Network Policy Server denied access to a user. Network Policy Server 0 1 0 1 1 0 0 0 0 0 0 1 0 0 0 In Development 0
514 0 Logon/Logoff Information Security 6274 Network Policy Server discarded the request for a user. Network Policy Server 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
515 0 Logon/Logoff Information Security 6275 Network Policy Server discarded the accounting request for a user. Network Policy Server 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
516 0 Logon/Logoff Information Security 6276 Network Policy Server quarantined a user. Network Policy Server 0 1 0 1 1 0 0 0 0 0 0 1 0 0 0 In Development 0
517 0 Logon/Logoff Information Security 6277 Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. Network Policy Server 0 1 0 1 1 0 0 0 0 0 0 1 0 0 0 In Development 0
518 0 Logon/Logoff Information Security 6278 Network Policy Server granted full access to a user because the host met the defined health policy. Network Policy Server 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
519 0 Logon/Logoff Information Security 6279 Network Policy Server locked the user account due to repeated failed authentication attempts. Network Policy Server 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
520 0 Logon/Logoff Information Security 6280 Network Policy Server unlocked the user account. Network Policy Server 0 1 0 1 1 0 0 0 0 0 0 0 0 0 0 In Development 0
521 0 Security Information Security 6281 Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. System Integrity 0 1 1 1 1 0 0 0 0 0 0 0 0 1 0 In Development 0
522 0 System Information System 6400 BranchCache: Received an incorrectly formatted response while discovering availability of content. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
523 0 System Information System 6401 BranchCache: Received invalid data from a peer. Data discarded. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
524 0 System Information System 6402 BranchCache: The message to the hosted cache offering it data is incorrectly formatted. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
525 0 System Information System 6403 BranchCache: The hosted cache sent an incorrectly formatted response to the client. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
526 0 System Information System 6404 BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
527 0 System Information System 6405 BranchCache: %2 instance(s) of event id %1 occurred. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
528 0 System Information System 6406 %1 registered to Windows Firewall to control filtering for the following: %2 Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
529 0 System Information System 6407 (blank) Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
530 0 System Error System 6408 Registered product %1 failed and Windows Firewall is now controlling the filtering for %2 Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
531 0 System Information System 6409 BranchCache: A service connection point object could not be parsed. Other System Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
532 0 System Information System 6410 Code integrity determined that a file does not meet the security requirements to load into a process. System Integrity 0 1 0 1 0 0 0 0 0 0 0 0 0 1 0 In Development 0
533 1 System Information System 6416 A new external device was recognized by the System Plug and Play Events 0 1 1 1 0 0 0 0 0 0 0 1 0 1 1 In Development 0 TA0004-Privilege Escalation T1574.002-DLL Side-Loading
534 0 System Information System 6417 The FIPS mode crypto selftests succeeded. System Integrity 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
535 0 System Error System 6418 The FIPS mode crypto selftests failed. System Integrity 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
536 0 System Information System 6419 A request was made to disable a device Plug and Play Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
537 0 System Information System 6420 A device was disabled. Plug and Play Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
538 0 System Information System 6421 A request was made to enable a device. Plug and Play Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
539 0 System Information System 6422 A device was enabled. Plug and Play Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
540 0 System Information System 6423 The installation of this device is forbidden by system policy Plug and Play Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
541 0 System Information System 6424 The installation of this device was allowed, after having previously been forbidden by policy. Plug and Play Events 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 In Development 0
542 1 System Error System 7000 The service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. Service 0 0 1 0 1 0 0 0 0 0 0 0 0 0 1 In Development 0 TA0002-Execution T1569.002-Service execution
543 1 System Error System 7009 Service Control Manager - A timeout was reached Service 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 In Development 0 TA0002-Execution T1569.002-Service execution
544 0 System Error System 7022 The service hung on starting Service 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
545 0 System Error System 7023 Windows Service Fails or Crashes System or Service Failures 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
546 0 System Error System 7024 The service terminated with service-specific error Service 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
547 0 System Error System 7026 Windows Service Fails or Crashes System or Service Failures 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
548 0 System Error System 7030 Service Creation Error Service 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 In Development 0
549 0 System Error System 7031 Service Crashed Service 0 0 0 0 1 0 1 0 0 0 0 0 0 1 0 In Development 0
550 0 System Error System 7032 Windows Service Fails or Crashes System or Service Failures 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
551 0 System Error System 7034 Service Crashed Service 0 0 1 0 1 0 1 0 0 0 0 0 0 1 0 In Development 0
552 0 System Information System 7035 Service sent a request to stop or start Service 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 In Development 0
553 1 System Information System 7036 Service was started or stopped Service 0 0 1 0 0 0 0 0 1 0 0 0 0 0 1 In Development 0 TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service
554 1 System Information System 7040 Service configured to interact with desktop Service 0 0 1 0 0 0 1 0 0 0 0 0 0 1 0 In Development 0
555 1 System Information System 7045 New Windows Service Service 0 0 1 0 1 0 1 0 1 1 1 0 0 0 1 Low 0 TA0002-Execution|TA0003-Persistence T1569.002-Service execution|T1543.003-Create or Modify System Process-Windows Service
556 0 Microsoft-Windows-WLAN-AutoConfig/Operational Information Microsoft-Windows-WLAN-AutoConfig/Operational 8000 Starting a Wireless Connection Mobile Device Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
557 0 Microsoft-Windows-WLAN-AutoConfig/Operational Information Microsoft-Windows-WLAN-AutoConfig/Operational 8001 Successfully connected to a wireless connection Mobile Device Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
558 0 Applocker Information Microsoft-Windows-AppLocker/EXE and DLL 8002 AppLocker Block Application Whitelisting 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 In Development 1
559 0 Applocker Error Microsoft-Windows-AppLocker/EXE and DLL 8003 AppLocker Block Application Whitelisting 0 0 0 0 1 0 0 0 0 0 1 0 0 1 0 In Development 1
560 0 Applocker Warning Microsoft-Windows-AppLocker/EXE and DLL 8004 AppLocker Block Application Whitelisting 0 0 0 0 1 0 0 0 0 0 1 0 0 1 0 In Development 0
561 0 Applocker Information Microsoft-Windows-AppLocker/MSI and Script 8005 Script or Installer ran Application Whitelisting 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 In Development 0
562 0 Applocker Error Microsoft-Windows-AppLocker/MSI and Script 8006 AppLocker Warning Application Whitelisting 0 0 0 0 1 0 0 0 0 0 1 0 0 1 0 In Development 0
563 0 Applocker Warning Microsoft-Windows-AppLocker/MSI and Script 8007 AppLocker Warning Application Whitelisting 0 0 0 0 1 0 0 0 0 0 1 0 0 1 0 In Development 0
564 0 Microsoft-Windows-WLAN-AutoConfig/Operational Information Microsoft-Windows-WLAN-AutoConfig/Operational 8011 Starting a Wireless Connection Mobile Device Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
565 0 Applocker Information Microsoft-Windows-AppLocker/Packaged app-Deployment 8020 Application Ran Application Whitelisting 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 In Development 0
566 0 Applocker Information Microsoft-Windows-AppLocker/Packaged app-Execution 8021 Application Ran Application Whitelisting 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 In Development 0
567 0 Applocker Information Microsoft-Windows-AppLocker/Packaged app-Execution 8022 Application Ran Application Whitelisting 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 In Development 0
568 0 Applocker Information Microsoft-Windows-AppLocker/Packaged app-Execution 8023 Application Installed Application Whitelisting 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 In Development 0
569 0 Applocker Information Microsoft-Windows-AppLocker/Packaged app-Deployment 8024 Application Installed Application Whitelisting 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 In Development 0
570 0 Applocker Information Microsoft-Windows-AppLocker/Packaged app-Deployment 8025 Application Installed Application Whitelisting 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 In Development 0
571 0 Audit Information System 8191 Highest System-Defined Audit Message Value Windows Audit 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 In Development 0
572 0 Security Information VSSAudit 8222 Shadow copy has been created VSSAudit 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 In Development 0
573 0 Microsoft-Windows-NetworkProfile/Operational Information Microsoft-Windows-NetworkProfile/Operational 10000 Network Connection and Disconnection Status Mobile Device Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
574 0 Microsoft-Windows-NetworkProfile/Operational Information Microsoft-Windows-NetworkProfile/Operational 10001 Network Connection and Disconnection Status Mobile Device Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
575 0 Microsoft-Windows-WLAN-AutoConfig/Operational Information Microsoft-Windows-WLAN-AutoConfig/Operational 11000 Wireless association status Mobile Device Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
576 0 Microsoft-Windows-WLAN-AutoConfig/Operational Information Microsoft-Windows-WLAN-AutoConfig/Operational 11001 Wireless association status Mobile Device Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
577 0 Microsoft-Windows-WLAN-AutoConfig/Operational Information Microsoft-Windows-WLAN-AutoConfig/Operational 11004 Wireless Security Started Stopped, Successful or Failed Mobile Device Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
578 0 Microsoft-Windows-WLAN-AutoConfig/Operational Information Microsoft-Windows-WLAN-AutoConfig/Operational 11005 Wireless Security Started Stopped, Successful or Failed Mobile Device Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
579 0 Microsoft-Windows-WLAN-AutoConfig/Operational Error Microsoft-Windows-WLAN-AutoConfig/Operational 11006 Wireless Security Started Stopped, Successful or Failed Mobile Device Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
580 0 Microsoft-Windows-WLAN-AutoConfig/Operational Error Microsoft-Windows-WLAN-AutoConfig/Operational 11010 Wireless Security Started Stopped, Successful or Failed Mobile Device Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
581 0 Microsoft-Windows-WLAN-AutoConfig/Operational Information Microsoft-Windows-WLAN-AutoConfig/Operational 12011 Wireless Authentication Started and Failed Mobile Device Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
582 0 Microsoft-Windows-WLAN-AutoConfig/Operational Information Microsoft-Windows-WLAN-AutoConfig/Operational 12012 Wireless Authentication Started and Failed Mobile Device Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
583 0 Microsoft-Windows-WLAN-AutoConfig/Operational Error Microsoft-Windows-WLAN-AutoConfig/Operational 12013 Wireless Authentication Started and Failed Mobile Device Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
584 0 Microsoft-Windows-WLAN-AutoConfig/Operational Error Microsoft-Windows-WLAN-AutoConfig/Operational 11002 Wireless association status Mobile Device Activities 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
585 0 Microsoft-Windows-User-PnP Information Microsoft-Windows-User-PnP 20001 Driver Management concluded the process to install driver 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 In Development 0
586 0 Microsoft-Windows-MPRMSG Success Remote Access 20250 RADIUS User assigned IP Network Policy 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
587 0 Microsoft-Windows-MPRMSG Success Remote Access 20274 RADIUS User Authenticated Network Policy 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
588 0 Microsoft-Windows-MPRMSG Success Remote Access 20275 RADIUS User Disconnected Network Policy 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 In Development 0
589 0 Microsoft-Windows-Windows Defender/Operational Information Microsoft-Windows-Windows Defender/Operational 5007 Event when settings are changed Windows Defender Activities 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 High 1
590 0 Microsoft-Windows-Windows Defender/Operational Information Microsoft-Windows-Windows Defender/Operational 1124 Audit Controlled folder access event Windows Defender Activities 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 High 1
591 0 Microsoft-Windows-Windows Defender/Operational Information Microsoft-Windows-Windows Defender/Operational 1123 Blocked Controlled folder access event Windows Defender Activities 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 In Development 1
592 0 Microsoft-Windows-Windows Defender/Operational Information Microsoft-Windows-Windows Defender/Operational 1127 Blocked Controlled folder access sector write block event Windows Defender Activities 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 In Development 1
593 0 Microsoft-Windows-Windows Defender/Operational Information Microsoft-Windows-Windows Defender/Operational 1128 Audited Controlled folder access sector write block event Windows Defender Activities 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 In Development 1

@ -0,0 +1,11 @@
Logon_Type,Logon_Type_Description,Logon_Type_Comment
0,SystemInternalLogin,
2,Interactive,Hands On Keyboard
3,Network,
4,Batch,Associated with Scheduled Task
5,Service,
7,Unlock,
8,NetworkClearText,
9,RunAs,
10,RDP,
11,CachedInteractive,
1 Logon_Type Logon_Type_Description Logon_Type_Comment
2 0 SystemInternalLogin
3 2 Interactive Hands On Keyboard
4 3 Network
5 4 Batch Associated with Scheduled Task
6 5 Service
7 7 Unlock
8 8 NetworkClearText
9 9 RunAs
10 10 RDP
11 11 CachedInteractive
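Review bot: The table stops at logon type 11, so 4624/4625 events carrying LogonType 12 (CachedRemoteInteractive) or 13 (CachedUnlock) will get no Logon_Type_Description from this lookup; add `12,CachedRemoteInteractive,` and `13,CachedUnlock,`. Type 10 is documented by Microsoft as RemoteInteractive (RDP, Terminal Services, Remote Assistance rather than RDP only), so `10,RemoteInteractive,RDP / Terminal Services / Remote Assistance` is the more accurate row, keeping RDP in the comment column where analysts will look for it. Type 8 deserves a comment as well, since it means the password crossed the network in cleartext: `8,NetworkClearText,Password sent in cleartext (e.g. IIS basic auth) - investigate`. The header names end in `_Description`/`_Comment`, so if props/transforms reference those exact fields, keep the new rows in the same three-column shape.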

@ -0,0 +1,22 @@
Error_Code,"Failure Reason"
0xC000005E,"There are currently no logon servers available to service the logon request."
0xC0000064,"User logon with misspelled or bad user account."
0xC000006A,"User logon with misspelled or bad password."
0xC000006D,"This is either due to a bad username or authentication information."
0xC000006E,"Unknown user name or bad password."
0xC000006F,"User logon outside authorized hours."
0xC0000070,"User logon from unauthorized workstation."
0xC0000071,"User logon with expired password."
0xC0000072,"User logon to account disabled by administrator."
0xC00000DC,"Indicates the Sam Server was in the wrong state to perform the desired operation."
0xC0000133,"Clocks between DC and other computer too far out of sync."
0xC000015B,"The user has not been granted the requested logon type (aka logon right) at this machine."
0xC000018C,"The logon request failed because the trust relationship between the primary domain and the trusted domain failed."
0xC0000192,"An attempt was made to logon," but the Netlogon service was not started."
0xC0000193,"User logon with expired account."
0xC0000224,"User is required to change password at next logon."
0xC0000225,"Evidently a bug in Windows and not a risk."
0xC0000234,"User logon with account locked."
0xC00002EE,"Failure Reason: An Error occurred during Logon."
0xC0000413,"Logon Failure: The machine you are logging onto is protected by an authentication firewall." The specified account is not allowed to authenticate to the machine."
0x0,"Status OK."
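Review bot: Lines 15 and 21 of this file (`0xC0000192` and `0xC0000413`) contain a stray `"` inside the quoted Failure Reason, which is the unexpected character the forge reports at line 15 column 42 and will make a CSV parser either split the remainder into an extra field or reject the lookup at load time. Rewrite them as `0xC0000192,"An attempt was made to logon, but the Netlogon service was not started."` and `0xC0000413,"Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine."`. The 0xC0000225 row ("Evidently a bug in Windows and not a risk") is an opinion rather than a failure reason; prefer the documented meaning (STATUS_NOT_FOUND) or at least drop "not a risk" so analysts do not auto-dismiss it. Presumably this is applied to the 4625 SubStatus field, since that is where the specific codes such as 0xC0000064/0xC000006A appear while Status usually holds the generic 0xC000006D; the transforms that bind it are not visible here, so worth confirming.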

@ -0,0 +1,14 @@
Category,URL
Andrea Fortuna,https://www.andreafortuna.org/2019/06/12/windows-security-event-logs-my-own-cheatsheet/
Mike Lombardi,https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1511904841.pdf
NSA,https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events
Microsoft AD,https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
SANS Forensics Guidance,https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/
Michael Gough,https://www.malwarearchaeology.com/cheat-sheets
Hunters Forge,https://github.com/hunters-forge/OSSEM/tree/master/attack_data_sources
JP-CERT,https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf
ASD,https://www.cyber.gov.au/acsc/view-all-content/publications/windows-event-logging-and-forwarding
Splunk UBA,https://docs.splunk.com/Documentation/UBA/latest/GetDataIn/WindowsEvents
Sygnia Golden SAML,https://www.sygnia.co/golden-saml-advisory
JSCU-NL,https://github.com/JSCU-NL/logging-essentials
Michel de CREVOISIER,https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack
1 Category URL
2 Andrea Fortuna https://www.andreafortuna.org/2019/06/12/windows-security-event-logs-my-own-cheatsheet/
3 Mike Lombardi https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1511904841.pdf
4 NSA https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events
5 Microsoft AD https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
6 SANS Forensics Guidance https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/
7 Michael Gough https://www.malwarearchaeology.com/cheat-sheets
8 Hunters Forge https://github.com/hunters-forge/OSSEM/tree/master/attack_data_sources
9 JP-CERT https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf
10 ASD https://www.cyber.gov.au/acsc/view-all-content/publications/windows-event-logging-and-forwarding
11 Splunk UBA https://docs.splunk.com/Documentation/UBA/latest/GetDataIn/WindowsEvents
12 Sygnia Golden SAML https://www.sygnia.co/golden-saml-advisory
13 JSCU-NL https://github.com/JSCU-NL/logging-essentials
14 Michel de CREVOISIER https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack

@ -0,0 +1,17 @@
# Application-level permissions
[]
access = read : [ * ], write : [ admin, sc_admin ]
export = system
### VIEWS
[views]
export = none
[nav/default]
export = none
### VIEWSTATES: even normal users should be able to create shared viewstates
[viewstates]
access = read : [ * ], write : [ * ]
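Review bot: The `[viewstates]` stanza grants `write : [ * ]` while the global `[]` stanza sets `export = system`, so every role on the instance (not only the "normal users" the comment has in mind, but any restricted custom role too) can create viewstate objects in this app that are presumably then visible system-wide; if the intent is just to let searchers save shared views, scope it to the roles that need it, e.g. `write : [ admin, power, user ]`, and add `export = none` under `[viewstates]` so those objects stay inside the app. The global `export = system` also publishes this app's lookups, props and transforms to every other app, which looks intentional for an event-code enrichment app but deserves a one-line comment such as `# export = system: lookups/props/transforms are meant to be usable from Search and other apps` so a later maintainer does not narrow it by accident. The hunk header advertises 17 lines but only 12 are shown, so some lines (probably blanks) were dropped by the renderer and the file should be checked in full.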

@ -0,0 +1,136 @@
{
"version": "1.0",
"date": "2023-01-06T19:47:37.808573625Z",
"hashAlgorithm": "SHA-256",
"app": {
"id": 6722,
"version": "1.5.1",
"files": [
{
"path": "metadata/default.meta",
"hash": "f64db5e6590aa3dce65051c5c04e88e4759f54b46180516526486c2da24e7108"
},
{
"path": "appserver/static/home.css",
"hash": "852d8445c4b5902f2ca695fcb0e102559cf662c614a01a4f1ad34a1ad62152f5"
},
{
"path": "static/appIcon.png",
"hash": "addfb6b6ad00c90aa84979499f07603a54287f08efcdb2d9786033e050935e79"
},
{
"path": "static/appIcon_2x.png",
"hash": "2f114961ffdf1df52cef647ae6553382711bd45281f73b53d18d6cff1815f4c7"
},
{
"path": "static/appIconAlt.png",
"hash": "addfb6b6ad00c90aa84979499f07603a54287f08efcdb2d9786033e050935e79"
},
{
"path": "static/appLogo_2x.png",
"hash": "99fa6f964590df6989725137a84a7c81db5adf542003b62543d3f37bf2579315"
},
{
"path": "static/appIconAlt_2x.png",
"hash": "2f114961ffdf1df52cef647ae6553382711bd45281f73b53d18d6cff1815f4c7"
},
{
"path": "default/app.conf",
"hash": "91803ed1f9fd17255d016ea8844e118ad6f871c5027a9d8401eaa7810781e8d2"
},
{
"path": "default/props.conf",
"hash": "b3638eb957f480cbe88045e7cdc1ac6b79eff36af56172740a35dc670f366837"
},
{
"path": "default/transforms.conf",
"hash": "b2cf9bb597874ac823cc7c69f2d29ed73971853135addb2408aa1e1234ec27d7"
},
{
"path": "default/data/ui/views/lookup_overview.xml",
"hash": "254ae6285a19d5d16f12b975e96e8c22de6fbacc3043251dc506495af9834d3a"
},
{
"path": "default/data/ui/views/recommended_events_treemap.xml",
"hash": "2803322790153b2a241fe20e3f837b06a1b3db12d330e8cdef52b81693ddc14d"
},
{
"path": "default/data/ui/views/individual_event_code_analysis.xml",
"hash": "3e01f2ac1adb4b74f0859c9554695db04df437a51db76ed12f7cc46002591d7a"
},
{
"path": "default/data/ui/views/README",
"hash": "4ccd9dc2dca5bd634f7c07ad1749e4e63a7969c84e2eff83517256f7c884cd29"
},
{
"path": "default/data/ui/views/recommended_events_treemap_dma.xml",
"hash": "1a0fd47120d5e442b285c780c9e86517e97eaad4b029101fcd0ed50d3af17340"
},
{
"path": "default/data/ui/views/other_events_treemap.xml",
"hash": "e3dc01266a27b0cf4fc91c683e63c46737397f88da720c70183332275311ed59"
},
{
"path": "default/data/ui/views/individual_host_analysis.xml",
"hash": "7be8ac40e7c0cb50936c2374c1a4dfefd25e9a2a5ffcb956098e10703078f5cb"
},
{
"path": "default/data/ui/views/other_events_table.xml",
"hash": "3f536b6843ae0d74c3d587e1d193d8a5251d15c9fb8c312a4b9504cdb8b72883"
},
{
"path": "default/data/ui/views/other_events_table_dma.xml",
"hash": "de2c6c9ef31920afe1004711f340ffb0b6770c4fb100f222d767b7cd3aac2133"
},
{
"path": "default/data/ui/views/recommended_events_table.xml",
"hash": "cc676eff325590783d4e9435d8642e0c85a9362e6df051181f556cf974cae308"
},
{
"path": "default/data/ui/views/other_events_treemap_dma.xml",
"hash": "2dd2bfae2a7c263f36e1b7dec6032d6f14d852039c932ec79004312f79bf8e8d"
},
{
"path": "default/data/ui/views/all_lookups.xml",
"hash": "23e55d44fb63714a6a2d129ceefa5095725701f81a233115b54c494bf3289ada"
},
{
"path": "default/data/ui/views/recommended_events_table_dma.xml",
"hash": "f1c8df47a5a0f8db92ec9c8bc38ec3028fb8ea48001ec75473d28dc03e9250b1"
},
{
"path": "default/data/ui/views/start.xml",
"hash": "5564d42795e3b376388471b7dce9d15924c0a50170e237f05a0291ae612387da"
},
{
"path": "default/data/ui/views/attck_details.xml",
"hash": "22e05a06c788fa4948a3d6823eff3726f5c797be29a944231211a6c0cc9d4d7e"
},
{
"path": "default/data/ui/nav/default.xml",
"hash": "0e2f55cf43723a05c50e36325d1ee64911f1d0414ae917495a79323febdf4373"
},
{
"path": "bin/README",
"hash": "597cdad620bec4e52e0e8adc3cad99de9b3ce45da0dd18e4159e1009c976e957"
},
{
"path": "lookups/logon_failure_lookup.csv",
"hash": "0986a086b02fe5f87080526feba8300d59930a0c149aaa666ef724fc69b5c475"
},
{
"path": "lookups/WindowsLogonTypes.csv",
"hash": "62f0a74981b4fef35792a4027e659ecc4ca7e954123a34adeed25c70569edd38"
},
{
"path": "lookups/recommenders_lookup.csv",
"hash": "e715c0327d17560dff63485aa8e0b4c9597c96cd805228058f8583dfb6a5a8ea"
},
{
"path": "lookups/WindowsEventCodes.csv",
"hash": "68113e4ce0595ab8005ca7ebb6cc1bfd55c49289f58395696d7fdb217783cd66"
}
]
},
"products": null
}
