ATT&CK,Category,Level,Event Log,EventCode,EventDescription,Subcategory,ec_guidance_cim_tagged,ec_guidance_fortuna,ec_guidance_gough,ec_guidance_ms,ec_guidance_nsa,ec_guidance_other,ec_guidance_lombardi,ec_guidance_huntersforge_ossem,ec_guidance_jpcert,ec_guidance_sans_forensics,ec_guidance_asd,ec_guidance_uba,ec_guidance_gsaml,ec_guidance_jscu,ec_guidance_mdecrevoisier,observed_volume,duplicate_possible,ATT&CK_Tactic,ATT&CK_Technique
1,System or Sysmon,Information,System or Sysmon,1,System Time Changed or Sysmon Process Start,System Integrity,0,0,0,0,1,0,0,0,1,0,0,0,0,1,1,In Development,1,TA0002-Execution|TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access,T1047-Windows Management Instrumentation|T1546-Image File Execution Options Injection|T1574-DLL side-loading|T1027-Obfuscated Files or Information|T1003-Credential dumping
1,System or Sysmon,Information,System or Sysmon,2,Update Packages Installed,Software and Service Installation,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,In Development,1,,
1,Sysmon,Information,Sysmon,3,Network connection,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,In Development,1,TA0002-Execution,T1047-Windows Management Instrumentation
0,Sysmon,Information,Sysmon,4,Sysmon service state changed,Sysmon,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,In Development,1,,
1,Sysmon,Information,Sysmon,5,Process Terminated,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,In Development,1,,
1,System or Sysmon,Information,System or Sysmon,6,New Kernel Filter Driver or Driver Loaded,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,1,,
1,Sysmon,Information,Sysmon,7,Image Loaded,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,In Development,1,TA0002-Execution,T1047-Windows Management Instrumentation
1,Sysmon,Information,Sysmon,8,Create Remote Thread,Sysmon,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,In Development,1,,
1,Sysmon,Information,Sysmon,9,Raw access read,Sysmon,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,In Development,1,,
1,Sysmon,Information,Sysmon,10,Process Access,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,In Development,1,TA0002-Execution|TA0006-Credential Access,T1047-Windows Management Instrumentation|T1003-Credential dumping
1,Microsoft-Windows-CAPI2/Operational or Sysmon,Information,Microsoft-Windows-CAPI2/Operational or Sysmon,11,Cert Trust Chain Build Failed or File Create,Microsoft Cryptography API,0,0,0,0,1,0,0,0,0,0,0,0,0,1,1,In Development,1,TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access,T1546-Image File Execution Options Injection|T1112-Modify registry|T1003-Credential dumping
1,System or Sysmon,Information,System or Sysmon,12,Windows Startup or Registry Object Create or Delete,Boot Events,0,0,0,0,1,0,0,0,0,0,0,0,0,1,1,In Development,1,TA0003-Persistence|TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access,T1547-Boot or Logon Autostart Execution|T1546-Image File Execution Options Injection|T1553-Subvert Trust Controls|T1003-Credential dumping
1,System or Sysmon,Information,System or Sysmon,13,Windows Shutdown or Registry Value Set,Boot Events,0,0,0,0,1,0,0,0,0,0,0,0,0,1,1,In Development,1,TA0003-Persistence|TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access|TA0009-Collection,T1543.003-Create or Modify System Process-Windows Service|T1546-Event Triggered Execution|T1546-Image File Execution Options Injection|T1112-Modify registry|T1553-Subvert Trust Controls|T1003-Credential dumping|T1125-Video capture
1,Sysmon,Information,Sysmon,14,Registry Key and Value Rename,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Sysmon,Information,Sysmon,15,File Create Stream Hash,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,In Development,1,,
1,Sysmon,Information,Sysmon,17,Pipe Event Created,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,In Development,1,,
1,System or Sysmon,Information,System or Sysmon,18,Windows Update Ready or Pipe Event Connected,Update,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,In Development,1,,
1,System or Sysmon,Information,System or Sysmon,19,Windows Update Installed or WmiEventFilter activity Detected,Update,1,0,1,0,1,0,0,0,0,0,0,0,0,1,1,In Development,1,TA0003-Persistence,T1546-Event Triggered Execution
1,Microsoft-Windows-WindowsUpdateClient/Operational or Sysmon,Error,Microsoft-Windows-WindowsUpdateClient/Operational or Sysmon,20,Windows Update Failed or WmiEventConsumer activity detected,Windows Update Errors,0,0,0,0,1,0,0,0,0,0,0,0,0,1,1,In Development,1,TA0003-Persistence,T1546-Event Triggered Execution
1,Sysmon,Information,Sysmon,21,WmiEventConsumerToFilter activity Detected,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,In Development,0,TA0003-Persistence,T1546-Event Triggered Execution
0,Sysmon,Information,Sysmon,22,DNS Event,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Sysmon,Information,Sysmon,23,File Delete,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Sysmon,Information,Sysmon,24,Clipboard Event,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Microsoft-Windows-WindowsUpdateClient/Operational,Error,Microsoft-Windows-WindowsUpdateClient/Operational,24,Windows Update Failed,Windows Update Errors,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,In Development,1,,
0,Microsoft-Windows-WindowsUpdateClient/Operational,Error,Application,25,Windows Update Failed,Windows Update Errors,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Microsoft-Windows-WindowsUpdateClient/Operational,Error,Microsoft-Windows-WindowsUpdateClient/Operational,31,Windows Update Failed,Windows Update Errors,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-WindowsUpdateClient/Operational,Error,Microsoft-Windows-WindowsUpdateClient/Operational,34,Windows Update Failed,Windows Update Errors,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-EventCollector,Information,Microsoft-Windows-EventCollector,42,EMET,EMET,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,In Development,0,,
0,Microsoft-Windows-USB-USBHUB3-Analytic,Information,Microsoft-Windows-USB-USBHUB3-Analytic,43,New Device Information,External Media Detection,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Microsoft-Windows-Bits-Client,Information,Microsoft-Windows-Bits-Client,60,Bits Client,Bits Client,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0003-Persistence,T1197-BITS jobs
1,Microsoft-Windows-CAPI2/Operational,Information,Microsoft-Windows-CAPI2/Operational,70,Private Key Accessed,Microsoft Cryptography API,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0006-Credential Access,T1552.004-Unsecured Credentials-Private Keys
0,Microsoft-Windows-Windows-Remote-Management-Operational,Information,Microsoft-Windows-Windows-Remote-Management-Operational,80,Processing of a request,,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows-Remote-Management-Operational,Information,Microsoft-Windows-Windows-Remote-Management-Operational,81,Sending the request for operation Get to destination host and port,,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-CAPI2/Operational,Information,Microsoft-Windows-CAPI2/Operational,90,X.509 Object,Microsoft Cryptography API,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Security,Information,System,104,The Application or System log was cleared,Clearing Event Logs,0,0,1,0,1,0,0,0,1,0,1,0,0,1,1,Low,1,TA0005-Defense Evasion,T1070.001-Clear Windows event logs
0,Microsoft-Windows-TaskScheduler/Operational,Information,Microsoft-Windows-TaskScheduler/Operational,106,New Task Registered,Task Scheduler Activities,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-TaskScheduler/Operational,Information,Microsoft-Windows-TaskScheduler/Operational,129,Created,Task Scheduler,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows-Remote-Management-Operational,Information,Microsoft-Windows-Windows-Remote-Management-Operational,132,WSMan operation Identify completed successfully,,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-TaskScheduler/Operational,Information,Microsoft-Windows-TaskScheduler/Operational,141,Deleted,Task Scheduler,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-TaskScheduler/Operational,Information,Microsoft-Windows-TaskScheduler/Operational,142,Task Disabled,Task Scheduler Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows-Remote-Management-Operational,Information,Microsoft-Windows-Windows-Remote-Management-Operational,143,Received the response from Network layer,,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows-Remote-Management-Operational,Information,Microsoft-Windows-Windows-Remote-Management-Operational,166,The chosen authentication mechanism is Negotiate,,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Powershell,Information,Powershell,169,Remote Connection,PowerShell Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-TaskScheduler/Operational,Information,Microsoft-Windows-TaskScheduler/Operational,200,Task Launched,Task Scheduler Activities,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,In Development,0,,
0,Microsoft-Windows-TaskScheduler/Operational,Information,Microsoft-Windows-TaskScheduler/Operational,201,The operation has been completed,Task Scheduler Activities,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,In Development,0,,
0,System,Warning,System,219,Failed Kernel Driver Loading,System Integrity,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Sysmon,Information,Sysmon,255,Sysmon Error,Sysmon,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Microsoft-Windows-DNSServer/Analytical,Information,Microsoft-Windows-DNSServer/Analytical,256,DNS Request/Response,DNS/Directory Services,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-DNSServer/Analytical,Information,Microsoft-Windows-DNSServer/Analytical,257,DNS Request/Response,DNS/Directory Services,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-LSA/Operational,Information,Microsoft-Windows-LSA/Operational,300,Group Assigned to new Session,Account Usage,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-ADFS/Audit,Information,Microsoft-Windows-AD FS/Admin,307,The Federation Service configuration was changed,ADFS Audit,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,Low,1,,
1,Microsoft-Windows-Kernel-PnP/Device Configuration,Information,Microsoft-Windows-Kernel-PnP/Device Configuration,400,New Mass Storage Installation,External Media Detection,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1027-Obfuscated Files or Information
0,Microsoft-Windows-Kernel-PnP/Device Configuration,Information,Microsoft-Windows-Kernel-PnP/Device Configuration,410,New Mass Storage Installation,External Media Detection,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-ApplicationExperience-Program-Telemetry,Information,Microsoft-Windows-ApplicationExperience-Program-Telemetry,500,Compatibility fix applied,,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-ADFS/Audit,Information,Microsoft-Windows-AD FS/Admin,510,Long Text,ADFS Audit,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,Low,0,,
0,Microsoft-Windows-EventCollector,Information,Security,521,Windows events can't forward to Security log,EventCollector,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,Low,0,,
1,Powershell,Information,Powershell,800,Get-MessageTrackingLog cmdlet,PowerShell Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,High,1,TA0002-Execution|TA0003-Persistence|TA0005-Defense Evasion|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement|TA0040-Impact,T1059.001-PowerShell|T1197-BITS jobs|T1543.003-Create or Modify System Process-Windows Service|T1546-Event Triggered Execution|T1574-Hijack Execution Flow|T1027-Obfuscated Files or Information|T1070.001-Clear Windows event logs|T1112-Modify registry|T1562.001-Impair Defenses-Disable or Modify tool|T1562.004-Impair Defenses-Disable or Modify System Firewall|T1003-Credential dumping|T1016-System Network Configuration Discovery|T1069-Permission Groups Discovery|T1087-Account discovery|T1482-Domain Trust Discovery|T1021.003-Distributed Component Object Model (DCOM)|T1021.004-Remote Service SSH|T1490-Inhibit System Recovery
0,Application,Warning,Application,865,SRP Block,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Application,Warning,Application,866,SRP Block,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Application,Warning,Application,867,SRP Block,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Application,Warning,Application,868,SRP Block,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Application,Warning,Application,882,SRP Block,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Application-Experience/Program-Inventory,Information,Microsoft-Windows-Application-Experience/Program-Inventory,903,New Application Installation,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Application-Experience/Program-Inventory,Information,Microsoft-Windows-Application-Experience/Program-Inventory,904,New Application Installation,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Application-Experience/Program-Inventory,Information,Microsoft-Windows-Application-Experience/Program-Inventory,905,Updated Application,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Application-Experience/Program-Inventory,Information,Microsoft-Windows-Application-Experience/Program-Inventory,906,Updated Application,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Application-Experience/Program-Inventory,Information,Microsoft-Windows-Application-Experience/Program-Inventory,907,Removed Application,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Application-Experience/Program-Inventory,Information,Microsoft-Windows-Application-Experience/Program-Inventory,908,Removed Application,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1000,An antimalware scan started.,Windows Defender Activities,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1001,An antimalware scan finished.,Windows Defender Activities,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,In Development,1,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,1002,An antimalware scan was stopped before it finished.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,1005,An antimalware scan failed.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Warning,Microsoft-Windows-Windows Defender/Operational,1006,The antimalware engine found malware or other potentially unwanted software.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-CertificateServicesClient-Lifecycle/Operational,Information,Microsoft-Windows-CertificateServicesClient-Lifecycle/Operational,1007,Certificate Exported,Certificate Services Activities,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,Low,1,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,1008,"The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.",Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1009,The antimalware platform restored an item from quarantine.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,1010,The antimalware platform could not restore an item from quarantine.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Application,Information,Application,1022,New MSI File Installed,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Application,Information,Application,1023,New MSI File Installed,Software and Service Installation,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-TerminalServices-RDPClient/Operational,Information,Microsoft-Windows-TerminalServices-RDPClient/Operational,1024,Outbound TS Connect Attempt,Network Policy Server,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Application,Information,Application,1033,New MSI File Installed,Software and Service Installation,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Windows Installer,Information,Installer,1034,Windows Installer removed the product,Installer,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,User32,Warning,User32,1074,Shutdown Initiate Failed,Boot Events,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Security,Information,Security,1100,Event Log Service Shutdown,Clearing Event Logs,1,1,0,0,1,0,0,0,0,0,1,0,0,1,0,Low,0,,
0,Security,Error,Security,1101,Audit events have been dropped by the transport,Windows Audit,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Security,Information,Security,1102,The audit log was cleared,Clearing Event Logs,1,1,1,0,1,0,0,0,0,0,1,1,0,1,1,Low,0,TA0005-Defense Evasion,T1070.001-Clear Windows event logs
0,Security,Information,Security,1104,The security log is now full,Windows Audit,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Security,Information,Security,1105,Event log automatic backup,Windows Audit,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Security,Information,Security,1108,The event logging service encountered an error,Windows Audit,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Warning,Microsoft-Windows-Windows Defender/Operational,1116,Detected Malware,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1117,Malware Removed,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1118,Malware Removal Error,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,1119,Malware Removal Fatal Error,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1125,Event when Network protection fires in Audit-mode.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Microsoft-Windows-Windows Defender/Operational,Information,Microsoft-Windows-Windows Defender/Operational,1126,Event when Network protection fires in Block-mode.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Microsoft-Windows-GroupPolicy,Error,System,1129,Group Policy Application Failed due to Connectivity,Group Policy Errors,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-ADFS/Audit,Information,Microsoft-Windows-AD FS/Admin,1200,Application Token Success,ADFS Audit,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,High,0,,
0,Microsoft-Windows-ADFS/Audit,Information,Microsoft-Windows-AD FS/Admin,1202,Fresh Credential Validation Success,ADFS Audit,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,High,0,,
0,Application,Error,Application,1511,Temp Profile Logon,Account Usage,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Application,Error,Application,1518,Create Profile Failed,Account Usage,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,2001,The antimalware definition update failed.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,2003,The antimalware engine update failed.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,1,,
0,Microsoft-Windows-Windows Defender/Operational,Warning,Microsoft-Windows-Windows Defender/Operational,2004,There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,1,,
0,Microsoft-Windows-Windows Firewall With Advanced Security/Firewall,Error,Microsoft-Windows-Windows Firewall With Advanced Security/Firewall,2009,Firewall Failed to load Group Policy,Windows Firewall,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Firewall With Advanced Security/Firewall,Information,Microsoft-Windows-Windows Firewall With Advanced Security/Firewall,2033,Firewall Rules Deleted,Windows Firewall,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-CodeIntegrity/Operational,"Warning, Error",Microsoft-Windows-CodeIntegrity/Operational,3001,Code Integrity Check,Kernel Driver Signing,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,3002,Real-Time Protection failed,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,1,,
0,Microsoft-Windows-CodeIntegrity/Operational,"Warning, Error",Microsoft-Windows-CodeIntegrity/Operational,3003,Code Integrity Check,Kernel Driver Signing,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-CodeIntegrity/Operational,"Warning, Error",Microsoft-Windows-CodeIntegrity/Operational,3004,Code Integrity Check,Kernel Driver Signing,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-DNS-Client/Operational,Information,Microsoft-Windows-DNS-Client/Operational,3008,DNS Query Complete,DNS/Directory Services,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Microsoft-Windows-CodeIntegrity/Operational,"Warning, Error",Microsoft-Windows-CodeIntegrity/Operational,3010,Code Integrity Check,Kernel Driver Signing,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-DNS-Client/Operational,Information,Microsoft-Windows-DNS-Client/Operational,3020,DNS Response Complete,DNS/Directory Services,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-CodeIntegrity/Operational,"Warning, Error",Microsoft-Windows-CodeIntegrity/Operational,3023,Code Integrity Check,Kernel Driver Signing,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Powershell,Information,Microsoft-Windows-Powershell/Operational,4100,System Error,Executing Pipeline,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Powershell,Information,Microsoft-Windows-Powershell/Operational,4101,Executing Pipeline,Powershell,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,High,0,,
0,Powershell,Information,Microsoft-Windows-Powershell/Operational,4102,Executing Pipeline,Powershell,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,High,0,,
1,Powershell,Information,Microsoft-Windows-Powershell/Operational,4103,Module Logging,Powershell,0,0,1,0,1,0,0,0,0,0,1,1,0,0,1,High,0,TA0002-Execution|TA0003-Persistence|TA0005-Defense Evasion|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement|TA0040-Impact,T1059.001-PowerShell|T1197-BITS jobs|T1543.003-Create or Modify System Process-Windows Service|T1546-Event Triggered Execution|T1574-Hijack Execution Flow|T1027-Obfuscated Files or Information|T1070.001-Clear Windows event logs|T1112-Modify registry|T1562.001-Impair Defenses-Disable or Modify tool|T1562.004-Impair Defenses-Disable or Modify System Firewall|T1003-Credential dumping|T1016-System Network Configuration Discovery|T1069-Permission Groups Discovery|T1087-Account discovery|T1482-Domain Trust Discovery|T1021.003-Distributed Component Object Model (DCOM)|T1021.004-Remote Service SSH|T1490-Inhibit System Recovery
1,Powershell,Information,Microsoft-Windows-Powershell/Operational,4104,Script Block Logging,Powershell,0,0,1,0,1,0,1,0,0,0,1,1,0,1,1,In Development,0,TA0002-Execution|TA0003-Persistence|TA0005-Defense Evasion|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement|TA0040-Impact,T1059.001-PowerShell|T1197-BITS jobs|T1543.003-Create or Modify System Process-Windows Service|T1546-Event Triggered Execution|T1574-Hijack Execution Flow|T1027-Obfuscated Files or Information|T1070.001-Clear Windows event logs|T1112-Modify registry|T1562.001-Impair Defenses-Disable or Modify tool|T1562.004-Impair Defenses-Disable or Modify System Firewall|T1003-Credential dumping|T1016-System Network Configuration Discovery|T1069-Permission Groups Discovery|T1087-Account discovery|T1482-Domain Trust Discovery|T1021.003-Distributed Component Object Model (DCOM)|T1021.004-Remote Service SSH|T1490-Inhibit System Recovery
0,Powershell,Information,Microsoft-Windows-Powershell/Operational,4105,Exception Raised,PowerShell Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Powershell,Information,Microsoft-Windows-Powershell/Operational,4106,Exception Raised,PowerShell Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,4608,Windows is starting up.,Security State Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,4609,Windows is shutting down.,Security State Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,4610,An authentication package has been loaded by the Local Security Authority.,Security System Extension,1,1,0,1,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,System,Information,System,4611,A trusted logon process has been registered with the Local Security Authority.,Security System Extension,1,1,0,1,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,System,Information,System,4612,"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.",System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,4614,A notification package has been loaded by the Security Account Manager.,Security System Extension,1,1,0,1,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,System,Information,System,4615,Invalid use of LPC port.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,System,Information,System,4616,The system time was changed.,Security State Change,0,1,0,1,0,0,0,0,0,0,0,0,0,1,1,In Development,0,TA0005-Defense Evasion,T1070.006-Timestomp
0,System,Information,System,4618,A monitored security event pattern has occurred.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,System,Information,System,4621,Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.,Security State Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,System,Information,System,4622,A security package has been loaded by the Local Security Authority.,Security System Extension,0,1,0,1,0,0,0,0,0,0,0,0,0,1,1,In Development,0,TA0003-Persistence,T1547-Boot or Logon Autostart Execution
1,Logon/Logoff,Information,Security,4624,An account was successfully logged on.,Logon,1,1,1,1,1,0,1,1,1,1,1,1,0,1,1,High,0,TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement,T1134-Access Token Manipulation|T1027-Obfuscated Files or Information|T1112-Modify registry|T1558-Steal or Forge Kerberos Tickets|T1046-Network Service Scanning|T1069-Permission Groups Discovery|T1087-Account discovery|T1550-Use Alternate Authentication Material
1,Logon/Logoff,Information,Security,4625,An account failed to log on.,Logon,1,1,1,1,1,0,1,1,0,1,1,1,0,1,1,Medium,1,TA0001-Initial Access|TA0006-Credential Access,T1078-Valid Accounts|T1110.xxx-Brute force
0,Logon/Logoff,Information,Security,4626,User/Device claims information.,Logon,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4627,Group membership information.,Group Membership,0,1,0,1,0,0,0,0,0,0,0,1,0,1,0,In Development,0,,
1,Logon/Logoff,Information,Security,4634,An account was logged off.,Logoff,1,1,0,1,1,0,1,0,1,0,1,1,0,1,1,High,0,TA0004-Privilege Escalation,
0,Logon/Logoff,Information,Security,4646,IKE DoS-Prevention mode started,IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4647,User initiated logoff,Logoff,1,1,0,1,0,0,0,0,0,1,0,0,0,1,0,In Development,0,,
1,Logon/Logoff,Information,Security,4648,A logon was attempted using explicit credentials.,Logon,1,1,1,1,1,0,0,1,1,0,1,0,0,1,1,In Development,0,TA0004-Privilege Escalation|TA0008-Lateral Movement,T1134-Access Token Manipulation|T1574-DLL side-loading|T1021.002-SMB Windows Admin Shares
0,Logon/Logoff,Information,Security,4649,A replay attack was detected.,Other Logon/Logoff Events,0,1,0,1,0,0,1,0,0,0,0,1,0,1,0,In Development,0,,
0,Logon/Logoff,Information,Security,4650,An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.,IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4651,An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.,IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4652,An IPsec Main Mode negotiation failed.,IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4653,An IPsec Main Mode negotiation failed.,IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4654,An IPsec Quick Mode negotiation failed.,IPsec Quick Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4655,An IPsec Main Mode security association ended.,IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,4656,A handle to an object was requested.,Handle Manipulation,1,1,1,1,0,0,0,1,1,0,0,0,0,0,1,In Development,0,TA0004-Privilege Escalation|TA0006-Credential Access|TA0008-Lateral Movement,T1546-Image File Execution Options Injection|T1003-Credential dumping|T1021.006-Windows Remote Management
1,Object Access,Information,Security,4657,A registry value was modified.,Registry,0,1,1,1,1,0,1,1,0,0,0,1,0,1,0,In Development,0,,
1,Object Access,Information,Security,4658,The handle to an object was closed.,Handle Manipulation,1,1,0,1,0,0,0,1,1,0,0,0,0,0,1,In Development,0,TA0006-Credential Access,T1003-Credential dumping
0,Object Access,Information,Security,4659,A handle to an object was requested with intent to delete.,SAM,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,4660,An object was deleted.,SAM,0,1,0,1,0,0,0,1,1,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,4661,A handle to an object was requested.,SAM,0,1,0,1,0,0,0,1,0,0,0,0,0,0,1,In Development,0,TA0006-Credential Access|TA0007-Discovery,T1003-Credential dumping|T1069-Permission Groups Discovery|T1201-Password Policy Discovery
1,DS Access,Information,Security,4662,An operation was performed on an object.,Directory Service Access,0,1,1,1,0,0,0,1,0,0,0,0,0,0,1,In Development,0,TA0003-Persistence|TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access|TA0007-Discovery,T1098.xxx-Account manipulation|T1484.001-Domain Policy Modification-Group Policy Modification|T1207-Rogue domain controller|T1003-Credential dumping|T1555-Credentials from Password Stores|T1069-Permission Groups Discovery|T1087-Account discovery
1,Object Access,Information,Security,4663,An attempt was made to access an object.,Kernel,0,1,1,1,0,0,0,1,1,0,0,0,0,1,1,High,0,TA0006-Credential Access,T1003-Credential dumping
1,Object Access,Information,Security,4664,An attempt was made to create a hard link.,File System,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4665,An attempt was made to create an application client context.,Application Generated,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4666,An application attempted an operation:,Application Generated,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4667,An application client context was deleted.,Application Generated,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4668,An application was initialized.,Application Generated,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Policy Change,Information,Security,4670,Permissions on an object were changed.,Subcategory (special),0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1112-Modify registry
0,Object Access,Information,Security,4671,An application attempted to access a blocked ordinal through the TBS.,Other Object Access Events,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Privilege Use,Information,Security,4672,Special privileges assigned to new logon.,Sensitive Privilege Use / Non Sensitive Privilege Use,1,0,1,1,1,0,0,0,1,0,0,0,0,1,0,High,0,,
1,Privilege Use,Information,Security,4673,A privileged service was called.,Sensitive Privilege Use / Non Sensitive Privilege Use,1,0,1,1,0,0,0,1,1,0,0,0,0,1,1,In Development,0,TA0004-Privilege Escalation,T1068-Exploitation for Privilege Escalation
1,Privilege Use,Information,Security,4674,An operation was attempted on a privileged object.,Sensitive Privilege Use / Non Sensitive Privilege Use,1,0,0,1,0,0,0,1,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion|TA0006-Credential Access|TA0008-Lateral Movement,T1027-Obfuscated Files or Information|T1112-Modify registry|T1003-Credential dumping|T1021.003-Distributed Component Object Model (DCOM)
0,Logon/Logoff,Information,Security,4675,SIDs were filtered.,Logon,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Detailed Tracking,Information,Security,4688,A new process has been created.,Process Creation,1,0,1,1,1,0,1,1,1,0,1,0,0,1,1,High,0,TA0002-Execution|TA0003-Persistence|TA0004-Privilege Escalation|TA0005-Defense Evasion|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement|TA0011-Command and Control|TA0040-Impact,T1047-Windows Management Instrumentation|T1053.005-Scheduled Task|T1059.001-PowerShell|T1059.003-Windows Command Shell|T1204-User execution|T1098.xxx-Account manipulation|T1136-Create account|T1197-BITS jobs|T1505.001-SQL Stored Procedures|T1543.003-Create or Modify System Process-Windows Service|T1546-Event Triggered Execution|T1574-Hijack Execution Flow|T1134-Access Token Manipulation|T1546-Image File Execution Options Injection|T1574-DLL side-loading|T1027-Obfuscated Files or Information|T1070.001-Clear Windows event logs|T1112-Modify registry|T1140-Deobfuscate-Decode Files or Information|T1562.001-Impair Defenses-Disable or Modify tool|T1562.002-Disable Windows Event Logging|T1564-Hide artifacts|T1003-Credential dumping|T1040-Traffic sniffing|T1016-System Network Configuration Discovery|T1069-Permission Groups Discovery|T1087-Account discovery|T1135.xxx-Network Share Discovery|T1201-Password Policy Discovery|T1021.001-Remote Desktop Protocol|T1021.002-SMB Windows Admin Shares|T1021.003-Distributed Component Object Model (DCOM)|T1572-Protocol tunneling|T1490-Inhibit System Recovery
1,Detailed Tracking,Information,Security,4689,A process has exited.,Process Termination,1,0,0,1,1,0,1,1,1,0,1,0,0,1,0,High,0,,
0,Object Access,Information,Security,4690,An attempt was made to duplicate a handle to an object.,Handle Manipulation,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4691,Indirect access to an object was requested.,Other Object Access Events,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Detailed Tracking,Information,Security,4692,Backup of data protection master key was attempted.,DPAPI Activity,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Detailed Tracking,Information,Security,4693,Recovery of data protection master key was attempted.,DPAPI Activity,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Detailed Tracking,Information,Security,4694,Protection of auditable protected data was attempted.,DPAPI Activity,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Detailed Tracking,Information,Security,4695,Unprotection of auditable protected data was attempted.,DPAPI Activity,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Detailed Tracking,Information,Security,4696,A primary token was assigned to process.,Process Creation,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,System,Information,Security,4697,A service was installed in the system.,Security System Extension,0,0,0,1,0,0,0,1,0,0,1,0,0,1,1,Low,0,TA0003-Persistence|TA0008-Lateral Movement,T1543.003-Create or Modify System Process-Windows Service|T1021.002-SMB Windows Admin Shares
1,Object Access,Information,Security,4698,A scheduled task was created.,Other Object Access Events,0,0,1,1,0,0,1,1,1,0,1,0,0,1,1,Low,0,TA0002-Execution,T1053.005-Scheduled Task
1,Object Access,Information,Security,4699,A scheduled task was deleted.,Other Object Access Events,0,0,0,1,0,0,0,1,0,0,1,0,0,1,1,Low,0,TA0002-Execution,T1053.005-Scheduled Task
1,Object Access,Information,Security,4700,A scheduled task was enabled.,Other Object Access Events,0,1,0,1,0,0,0,1,0,0,1,0,0,1,0,Low,0,,
1,Object Access,Information,Security,4701,A scheduled task was disabled.,Other Object Access Events,0,1,0,1,0,0,0,1,0,0,1,0,0,1,0,Low,0,,
1,Object Access,Information,Security,4702,A scheduled task was updated.,Other Object Access Events,0,1,1,1,0,0,0,1,0,0,1,0,0,1,0,Low,0,,
0,Policy Change,Information,Security,4703,A user right was adjusted.,Authorization Policy Change,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1831Policy ChangeInformationSecurity4704A user right was assigned.Authorization Policy Change010110000001001In Development0TA0004-Privilege EscalationT1134-Access Token Manipulation
1841Policy ChangeInformationSecurity4705A user right was removed.Authorization Policy Change010100000000001In Development0TA0004-Privilege EscalationT1134-Access Token Manipulation
1850Policy ChangeInformationSecurity4706A new trust was created to a domain.Authorization Policy Change010110000001010In Development0
1860Policy ChangeInformationSecurity4707A trust to a domain was removed.Authorization Policy Change010100000000000In Development0
1870Policy ChangeInformationSecurity4709IPsec Services was started.Filtering Platform Policy Change010100000000000In Development0
1880Policy ChangeInformationSecurity4710IPsec Services was disabled.Filtering Platform Policy Change010100000000000In Development0
1890Policy ChangeInformationSecurity4711PAStore Engine EventFiltering Platform Policy Change010100000000000In Development0
1900Policy ChangeInformationSecurity4712IPsec Services encountered a potentially serious failure.Filtering Platform Policy Change010100000000000In Development0
1910Policy ChangeInformationSecurity4713Kerberos policy was changed.Authentication Policy Change010110000001010In Development0
1920Policy ChangeInformationSecurity4714Encrypted data recovery policy was changed.Authorization Policy Change010110000000000In Development0
1930Policy ChangeInformationSecurity4715The audit policy (SACL) on an object was changed.Audit Policy Change110100000001010In Development0
1940Policy ChangeInformationSecurity4716Trusted domain information was modified.Authentication Policy Change010110000000010In Development0
1951Policy ChangeInformationSecurity4717System security access was granted to an account.Authentication Policy Change110100010000011In Development0TA0004-Privilege EscalationT1134-Access Token Manipulation
1961Policy ChangeInformationSecurity4718System security access was removed from an account.Authentication Policy Change110100010001001In Development0TA0004-Privilege EscalationT1134-Access Token Manipulation
1971Policy ChangeInformationSecurity4719System audit policy was changed.Audit Policy Change111110100011011In Development0TA0005-Defense EvasionT1562.002-Disable Windows Event Logging
1981Account ManagementInformationSecurity4720A user account was created.User Account Management110110011110011In Development0TA0003-PersistenceT1136-Create account
1991Account ManagementInformationSecurity4722A user account was enabled.User Account Management110110010100011In Development0TA0003-PersistenceT1136-Create account
2001Account ManagementInformationSecurity4723An attempt was made to change an account's password.User Account Management110100010100011In Development0TA0003-PersistenceT1098.xxx-Account manipulation
2011Account ManagementInformationSecurity4724An attempt was made to reset an account's password.User Account Management110100010100011In Development0TA0003-PersistenceT1098.xxx-Account manipulation
2021Account ManagementInformationSecurity4725A user account was disabled.User Account Management110110010100010In Development0
2031Account ManagementInformationSecurity4726A user account was deleted.User Account Management110110010100011In Development0TA0003-PersistenceT1136-Create account
2040Account ManagementInformationSecurity4727A security-enabled global group was created.Security Group Management010100000001010In Development0
2051Account ManagementInformationSecurity4728A member was added to a security-enabled global group.Security Group Management010110000101011In Development0TA0003-PersistenceT1098.xxx-Account manipulation|T1136-Create account
2060Account ManagementInformationSecurity4729A member was removed from a security-enabled global group.Security Group Management010100000001010In Development0
2070Account ManagementInformationSecurity4730A security-enabled global group was deleted.Security Group Management010100000001010In Development0
2081Account ManagementInformationSecurity4731A security-enabled local group was created.Security Group Management010110010001010In Development0
2091Account ManagementInformationSecurity4732A member was added to a security-enabled local group.Security Group Management010110010101011In Development0TA0003-PersistenceT1098.xxx-Account manipulation
2101Account ManagementInformationSecurity4733A member was removed from a security-enabled local group.Security Group Management010110010001011In Development0TA0003-PersistenceT1098.xxx-Account manipulation
2111Account ManagementInformationSecurity4734A security-enabled local group was deleted.Security Group Management010100010001010In Development0
2121Account ManagementInformationSecurity4735A security-enabled local group was changed.Security Group Management010110010001010In Development0
2130Account ManagementInformationSecurity4737A security-enabled global group was changed.Security Group Management010100000001010In Development0
2141Account ManagementInformationSecurity4738A user account was changed.User Account Management110100010100011In Development0TA0003-PersistenceT1098.xxx-Account manipulation
2151Policy ChangeInformationSecurity4739Domain Policy was changed.Authentication Policy Change110100000010011In Development0TA0005-Defense EvasionT1562.002-Disable Windows Event Logging
2161Account ManagementInformationSecurity4740A user account was locked out.User Account Management110110010110010In Development0
2171Account ManagementInformationSecurity4741A computer account was created.Computer Account Management110110010000011In Development0TA0003-PersistenceT1136-Create account
2181Account ManagementInformationSecurity4742A computer account was changed.Computer Account Management110100010000011In Development0TA0003-PersistenceT1098.xxx-Account manipulation|T1136-Create account
2191Account ManagementInformationSecurity4743A computer account was deleted.Computer Account Management110100010000011In Development0TA0003-PersistenceT1136-Create account
2200Account ManagementInformationSecurity4744A security-disabled local group was created.Distribution Group Management010100000001000In Development0
2210Account ManagementInformationSecurity4745A security-disabled local group was changed.Distribution Group Management010100000001000In Development0
2220Account ManagementInformationSecurity4746A member was added to a security-disabled local group.Distribution Group Management010100000001000In Development0
2230Account ManagementInformationSecurity4747A member was removed from a security-disabled local group.Distribution Group Management010100000001000In Development0
2240Account ManagementInformationSecurity4748A security-disabled local group was deleted.Distribution Group Management010100000000000In Development0
2251Account ManagementInformationSecurity4749A security-disabled global group was created.Distribution Group Management010100010000000In Development0
2261Account ManagementInformationSecurity4750A security-disabled global group was changed.Distribution Group Management010100010001000In Development0
2271Account ManagementInformationSecurity4751A member was added to a security-disabled global group.Distribution Group Management010100010000000In Development0
2280Account ManagementInformationSecurity4752A member was removed from a security-disabled global group.Distribution Group Management010100000000000In Development0
2291Account ManagementInformationSecurity4753A security-disabled global group was deleted.Distribution Group Management010100010000000In Development0
2300Account ManagementInformationSecurity4754A security-enabled universal group was created.Security Group Management010100000001010In Development0
2310Account ManagementInformationSecurity4755A security-enabled universal group was changed.Security Group Management010100000001010In Development0
2321Account ManagementInformationSecurity4756A member was added to a security-enabled universal group.Security Group Management010110000101011In Development1TA0003-PersistenceT1098.xxx-Account manipulation
2330Account ManagementInformationSecurity4757A member was removed from a security-enabled universal group.Security Group Management010100000001010In Development0
2340Account ManagementInformationSecurity4758A security-enabled universal group was deleted.Security Group Management010100000001010In Development0
2350Account ManagementInformationSecurity4759A security-disabled universal group was created.Distribution Group Management010100000001000In Development0
2360Account ManagementInformationSecurity4760A security-disabled universal group was changed.Distribution Group Management010100000001000In Development0
2370Account ManagementInformationSecurity4761A member was added to a security-disabled universal group.Distribution Group Management010100000001000In Development0
2380Account ManagementInformationSecurity4762A member was removed from a security-disabled universal group.Distribution Group Management010100000000000In Development0
2390Account ManagementInformationSecurity4763A security-disabled universal group was deleted.Distribution Group Management010000000001000In Development0
2401Account ManagementInformationSecurity4764A group's type was changed.Security Group Management010100010010010In Development0
2410Account ManagementInformationSecurity4765SID History was added to an account.User Account Management010110000000000In Development0
2420Account ManagementInformationSecurity4766An attempt to add SID History to an account failed.User Account Management010110000000000In Development0
2431Account ManagementInformationSecurity4767A user account was unlocked.User Account Management110110010111010In Development0
2441Account LogonInformationSecurity4768A Kerberos authentication ticket (TGT) was requested.Kerberos Authentication Service110100010001011In Development0TA0006-Credential AccessT1110.xxx-Brut force|T1558-Steal or Forge Kerberos Tickets
2451Account LogonInformationSecurity4769A Kerberos service ticket was requested.Kerberos Service Ticket Operations111110011001111High0TA0006-Credential Access|TA0007-DiscoveryT1558-Steal or Forge Kerberos Tickets|T1087-Account discovery
2461Account LogonInformationSecurity4770A Kerberos service ticket was renewed.Kerberos Service Ticket Operations110100010000000In Development0
2471Account LogonInformationSecurity4771Kerberos pre-authentication failed.Kerberos Authentication Service111100010000011In Development0TA0006-Credential AccessT1110.xxx-Brut force
2480Account LogonInformationSecurity4772A Kerberos authentication ticket request failed.Kerberos Authentication Service110100000001000In Development0
2491Account LogonInformationSecurity4773A Kerberos service ticket request failed.Kerberos Authentication Service110110010000000In Development0
2500Account LogonInformationSecurity4774An account was mapped for logon.Credential Validation110100000000000In Development0
2510Account LogonInformationSecurity4775An account could not be mapped for logon.Credential Validation110100000000000In Development0
2521Account LogonInformationSecurity4776The domain controller attempted to validate the credentials for an account.Credential Validation110110010001000In Development0
2530Account LogonInformationSecurity4777The domain controller failed to validate the credentials for an account.Credential Validation110100000000000In Development0
2541Logon/LogoffInformationSecurity4778A session was reconnected to a Window Station.Other Logon/Logoff Events110110010100011In Development0TA0008-Lateral MovementT1021.001-Remote Desktop Protocol
2551Logon/LogoffInformationSecurity4779A session was disconnected from a Window Station.Other Logon/Logoff Events110110010100011In Development0TA0008-Lateral MovementT1021.001-Remote Desktop Protocol
2560Account ManagementInformationSecurity4780The ACL was set on accounts which are members of administrators groups.User Account Management010100000000010In Development0
2571Account ManagementInformationSecurity4781The name of an account was changed:User Account Management010110010101011In Development0TA0003-PersistenceT1098.xxx-Account manipulation
2580Account ManagementInformationSecurity4782The password hash an account was accessed.Other Account Management Events010110000001010In Development0
2590Account ManagementInformationSecurity4783A basic application group was created.Application Group Management010100000000000In Development0
2600Account ManagementInformationSecurity4784A basic application group was changed.Application Group Management010100000000000In Development0
2610Account ManagementInformationSecurity4785A member was added to a basic application group.Application Group Management010100000000000In Development0
2620Account ManagementInformationSecurity4786A member was removed from a basic application group.Application Group Management010100000000000In Development0
2630Account ManagementInformationSecurity4787A non-member was added to a basic application group.Application Group Management010100000000000In Development0
2640Account ManagementInformationSecurity4788A non-member was removed from a basic application group.Application Group Management010100000000000In Development0
2650Account ManagementInformationSecurity4789A basic application group was deleted.Application Group Management010100000000000In Development0
2660Account ManagementInformationSecurity4790An LDAP query group was created.Application Group Management010100000000000In Development0
2670Account ManagementInformationSecurity4791A basic application group was changed.Application Group Management010100000000000In Development0
2680Account ManagementInformationSecurity4792An LDAP query group was deleted.Application Group Management010100000000000In Development0
2690Account ManagementInformationSecurity4793The Password Policy Checking API was called.Other Account Management Events010110000000000In Development0
2701Account ManagementInformationSecurity4794An attempt was made to set the Directory Services Restore Mode.User Account Management010100000000011In Development0TA0006-Credential AccessT1003-Credential dumping
2710Account ManagementInformationSecurity4797An attempt was made to query the existence of a blank password for an account.User Account Management010100000001000In Development0
2721Account ManagementInformationSecurity4798A user's local group membership was enumerated.User Account Management010100010001010In Development0
2731Account ManagementInformationSecurity4799A security-enabled local group membership was enumerated.Security Group Management010100010001011In Development0TA0007-DiscoveryT1069-Permission Groups Discovery
2741Logon/LogoffInformationSecurity4800The workstation was locked.Other Logon/Logoff Events010100110101000In Development0
2751Logon/LogoffInformationSecurity4801The workstation was unlocked.Other Logon/Logoff Events010100110101000In Development0
2760Logon/LogoffInformationSecurity4802The screen saver was invoked.Other Logon/Logoff Events010100100100000In Development0
2770Logon/LogoffInformationSecurity4803The screen saver was dismissed.Other Logon/Logoff Events010100000100000In Development0
2780SystemInformationSecurity4816RPC detected an integrity violation while decrypting an incoming message.System Integrity010100000000000In Development0
2790Policy ChangeInformationSecurity4817Auditing settings on an object were changed.Audit Policy Change010100000000010In Development0
2800Object AccessInformationSecurity4818Proposed Central Access Policy does not grant the same access permissions as the current Central Access PolicyCentral Access Policy Staging010100000000000In Development0
2810Policy ChangeInformationSecurity4819Central Access Policies on the machine have been changed.Other Policy Change Events010100000000000In Development0
2820Account LogonInformationSecurity4820A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.Kerberos Authentication Service010100000001000In Development0
2830Account LogonInformationSecurity4821A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.Kerberos Service Ticket Operations010100000000000In Development0
2840Account LogonInformationSecurity4822NTLM authentication failed because the account was a member of the Protected User group.Credential Validation010100000000000In Development0
2850Account LogonInformationSecurity4823NTLM authentication failed because access control restrictions are required.Credential Validation010100000000000In Development0
2860Account LogonInformationSecurity4824Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.Kerberos Authentication Service010100000000000In Development0
2871Logon/LogoffInformationSecurity4825A user was denied the access to Remote Desktop.Other Logon/Logoff Events010100000000001In Development0TA0008-Lateral MovementT1021.001-Remote Desktop Protocol
2880Policy ChangeInformationSecurity4826Boot Configuration Data loaded.Other Policy Change Events010100000000010In Development0
2890Account ManagementInformationSecurity4830SID History was removed from an account.User Account Management010000000000000In Development0
2900Policy ChangeInformationSecurity4864A namespace collision was detected.Authentication Policy Change010100000000000In Development0
2910Policy ChangeInformationSecurity4865A trusted forest information entry was added.Authentication Policy Change010100000000010In Development0
2920Policy ChangeInformationSecurity4866A trusted forest information entry was removed.Authentication Policy Change010100000000010In Development0
2930Policy ChangeInformationSecurity4867A trusted forest information entry was modified.Authentication Policy Change010100000000010In Development0
2940Object AccessInformationSecurity4868The certificate manager denied a pending certificate request.Certification Services010100000000000In Development0
2950Object AccessInformationSecurity4869Certificate Services received a resubmitted certificate request.Certification Services010100000000000In Development0
2960Object AccessInformationSecurity4870Certificate Services revoked a certificate.Certification Services010110000000000In Development0
2970Object AccessInformationSecurity4871Certificate Services received a request to publish the certificate revocation list (CRL).Certification Services010100000000000In Development0
2980Object AccessInformationSecurity4872Certificate Services published the certificate revocation list (CRL).Certification Services010100000000000In Development0
2990Object AccessInformationSecurity4873A certificate request extension changed.Certification Services010110000000000In Development0
3000Object AccessInformationSecurity4874One or more certificate request attributes changed.Certification Services010110000000000In Development0
3010Object AccessInformationSecurity4875Certificate Services received a request to shut down.Certification Services010100000000000In Development0
3020Object AccessInformationSecurity4876Certificate Services backup started.Certification Services010100000000000In Development0
3030Object AccessInformationSecurity4877Certificate Services backup completed.Certification Services010100000000000In Development0
3040Object AccessInformationSecurity4878Certificate Services restore started.Certification Services010100000000000In Development0
3050Object AccessInformationSecurity4879Certificate Services restore completed.Certification Services010100000000000In Development0
3060Object AccessInformationSecurity4880Certificate Services started.Certification Services010110000000000In Development0
3070Object AccessInformationSecurity4881Certificate Services stopped.Certification Services010110000000000In Development0
3080Object AccessInformationSecurity4882The security permissions for Certificate Services changed.Certification Services010110000000000In Development0
3090Object AccessInformationSecurity4883Certificate Services retrieved an archived key.Certification Services010100000000000In Development0
3100Object AccessInformationSecurity4884Certificate Services imported a certificate into its database.Certification Services010100000000000In Development0
3110Object AccessInformationSecurity4885The audit filter for Certificate Services changed.Certification Services010110000000000In Development0
3120Object AccessInformationSecurity4886Certificate Services received a certificate request.Certification Services010110000000000In Development0
3130Object AccessInformationSecurity4887Certificate Services approved a certificate request and issued a certificate.Certification Services010110000000000In Development0
3140Object AccessInformationSecurity4888Certificate Services denied a certificate request.Certification Services010110000000000In Development0
3150Object AccessInformationSecurity4889Certificate Services set the status of a certificate request to pending.Certification Services010100000000000In Development0
3160Object AccessInformationSecurity4890The certificate manager settings for Certificate Services changed.Certification Services010110000000000In Development0
3170Object AccessInformationSecurity4891A configuration entry changed in Certificate Services.Certification Services010110000000000In Development0
3180Object AccessInformationSecurity4892A property of Certificate Services changed.Certification Services010110000000000In Development0
3190Object AccessInformationSecurity4893Certificate Services archived a key.Certification Services010100000000000In Development0
3200Object AccessInformationSecurity4894Certificate Services imported and archived a key.Certification Services010100000000000In Development0
3210Object AccessInformationSecurity4895Certificate Services published the CA certificate to Active Directory Domain Services.Certification Services010100000000000In Development0
3220Object AccessInformationSecurity4896One or more rows have been deleted from the certificate database.Certification Services010110000000000In Development0
3230Object AccessInformationSecurity4897Role separation enabledCertification Services010110000000000In Development0
3240Object AccessInformationSecurity4898Certificate Services loaded a template.Certification Services010110000000000In Development0
3250Object AccessInformationSecurity4899A Certificate Services template was updated.Certification Services010110000000000In Development0
3260Object AccessInformationSecurity4900Certificate Services template security was updated.Certification Services010110000000000In Development0
3270Policy ChangeInformationSecurity4902The Per-user audit policy table was created.Audit Policy Change010100000010000In Development0
3280Policy ChangeInformationSecurity4904An attempt was made to register a security event source.Audit Policy Change010100000010010In Development0
3290Policy ChangeInformationSecurity4905An attempt was made to unregister a security event source.Audit Policy Change010100000010010In Development0
3300Policy ChangeInformationSecurity4906The CrashOnAuditFail value has changed.Audit Policy Change010100000000010In Development0
3310Policy ChangeInformationSecurity4907Auditing settings on object were changed.Audit Policy Change010100000001010In Development0
3321Policy ChangeInformationSecurity4908Special Groups Logon table modified.Audit Policy Change010100000010011In Development0TA0005-Defense EvasionT1562.002-Disable Windows Event Logging
3330Policy ChangeInformationSecurity4909The local policy settings for the TBS were changed.Other Policy Change Events010100000000000In Development0
3340Policy ChangeInformationSecurity4910The group policy settings for the TBS were changed.Other Policy Change Events010100000000000In Development0
3350Policy ChangeInformationSecurity4911Resource attributes of the object were changed.Authorization Policy Change010100000001000In Development0
3360Policy ChangeInformationSecurity4912Per User Audit Policy was changed.Audit Policy Change110100100010010In Development0
3370Policy ChangeInformationSecurity4913Central Access Policy on the object was changed.Authorization Policy Change010100000000000In Development0
3380DS AccessInformationSecurity4928An Active Directory replica source naming context was established.Detailed Directory Service Replication010100000000000In Development0
3390DS AccessInformationSecurity4929An Active Directory replica source naming context was removed.Detailed Directory Service Replication010100000000000In Development0
3400DS AccessInformationSecurity4930An Active Directory replica source naming context was modified.Detailed Directory Service Replication010100000000000In Development0
3410DS AccessInformationSecurity4931An Active Directory replica destination naming context was modified.Detailed Directory Service Replication010100000000000In Development0
3420DS AccessInformationSecurity4932Synchronization of a replica of an Active Directory naming context has begun.Directory Service Replication010100000000000In Development0
3430DS AccessInformationSecurity4933Synchronization of a replica of an Active Directory naming context has ended.Directory Service Replication010100000000000In Development0
3440DS AccessInformationSecurity4934Attributes of an Active Directory object were replicated.Detailed Directory Service Replication010100000000000In Development0
3450DS AccessInformationSecurity4935Replication failure begins.Detailed Directory Service Replication010100000000000In Development0
3460DS AccessInformationSecurity4936Replication failure ends.Detailed Directory Service Replication010100000000000In Development0
3470DS AccessInformationSecurity4937A lingering object was removed from a replica.Detailed Directory Service Replication010100000000000In Development0
3480Policy ChangeInformationSecurity4944The following policy was active when the Windows Firewall started.MPSSVC Rule-Level Policy Change010100000000000In Development0
3490Policy ChangeInformationSecurity4945A rule was listed when the Windows Firewall started.MPSSVC Rule-Level Policy Change010100000000000In Development0
3500Policy ChangeInformationSecurity4946A change has been made to Windows Firewall exception list. A rule was added.MPSSVC Rule-Level Policy Change110100001001000In Development0
3510Policy ChangeInformationSecurity4947A change has been made to Windows Firewall exception list. A rule was modified.MPSSVC Rule-Level Policy Change110100000001000In Development0
3520Policy ChangeInformationSecurity4948A change has been made to Windows Firewall exception list. A rule was deleted.MPSSVC Rule-Level Policy Change110100000001000In Development0
3530Policy ChangeInformationSecurity4949Windows Firewall settings were restored to the default values.MPSSVC Rule-Level Policy Change010100000000000In Development0
3541Policy ChangeInformationSecurity4950A Windows Firewall setting has changed.MPSSVC Rule-Level Policy Change010100000001001In Development0TA0005-Defense EvasionT1562.004-Impair Defenses-Disable or Modify System Firewall
3550Policy ChangeInformationSecurity4951A rule has been ignored because its major version number was not recognized by Windows Firewall.MPSSVC Rule-Level Policy Change010100000000000In Development0
3560Policy ChangeInformationSecurity4952Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.MPSSVC Rule-Level Policy Change010100000000000In Development0
3570Policy ChangeInformationSecurity4953A rule has been ignored by Windows Firewall because it could not parse the rule.MPSSVC Rule-Level Policy Change010100000000000In Development0
3580Policy ChangeInformationSecurity4954Windows Firewall Group Policy settings have changed. The new settings have been applied.MPSSVC Rule-Level Policy Change010100000000000In Development0
3590Policy ChangeInformationSecurity4956Windows Firewall has changed the active profile.MPSSVC Rule-Level Policy Change010100000000000In Development0
3600Policy ChangeInformationSecurity4957Windows Firewall did not apply the following rule:MPSSVC Rule-Level Policy Change110100000000000In Development0
0,Policy Change,Information,Security,4958,Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:,MPSSVC Rule-Level Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,4960,"IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.",IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,4961,"IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.",IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,4962,IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.,IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,4963,IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.,IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Logon/Logoff,Information,Security,4964,Special groups have been assigned to a new logon.,Special Logon,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1078.002-Valid accounts-Domain accounts
0,System,Information,Security,4965,"IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.",IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4976,"During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4977,"During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",IPsec Quick Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4978,"During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",IPsec Extended Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4979,IPsec Main Mode and Extended Mode security associations were established.,IPsec Extended Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4980,IPsec Main Mode and Extended Mode security associations were established.,IPsec Extended Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4981,IPsec Main Mode and Extended Mode security associations were established.,IPsec Extended Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4982,IPsec Main Mode and Extended Mode security associations were established.,IPsec Extended Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4983,An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.,IPsec Extended Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,4984,An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.,IPsec Extended Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,4985,The state of a transaction has changed.,File System,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-Windows Defender/Operational,Error,Microsoft-Windows-Windows Defender/Operational,5008,Unexpected Error,Windows Defender Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,5024,The Windows Firewall Service has started successfully.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,System,Information,System,5025,The Windows Firewall Service has been stopped.,Other System Events,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,5027,The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,5028,The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,5029,The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,5030,The Windows Firewall Service failed to start.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,System,Information,System,5031,The Windows Firewall Service blocked an application from accepting incoming connections on the network.,Filtering Platform Connection,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,5032,Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,5033,The Windows Firewall Driver has started successfully.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,System,Information,System,5034,The Windows Firewall Driver has been stopped.,Other System Events,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,5035,The Windows Firewall Driver failed to start.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,5037,The Windows Firewall Driver detected critical runtime error. Terminating.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Security,Information,Security,5038,Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.,System Integrity,0,1,0,1,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Object Access,Information,Security,5039,A registry key was virtualized.,Registry,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5040,A change has been made to IPsec settings. An Authentication Set was added.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5041,A change has been made to IPsec settings. An Authentication Set was modified.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5042,A change has been made to IPsec settings. An Authentication Set was deleted.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5043,A change has been made to IPsec settings. A Connection Security Rule was added.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5044,A change has been made to IPsec settings. A Connection Security Rule was modified.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5045,A change has been made to IPsec settings. A Connection Security Rule was deleted.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5046,A change has been made to IPsec settings. A Crypto Set was added.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5047,A change has been made to IPsec settings. A Crypto Set was modified.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5048,A change has been made to IPsec settings. A Crypto Set was deleted.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,5049,An IPsec Security Association was deleted.,IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5050,An attempt to programmatically disable the Windows Firewall was rejected because this API is not supported on Windows Vista.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5051,A file was virtualized.,File System,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5056,A cryptographic self test was performed.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5057,A cryptographic primitive operation failed.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5058,Key file operation.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5059,Key migration operation.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5060,Verification operation failed.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5061,Cryptographic operation.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5062,A kernel-mode cryptographic self test was performed.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5063,A cryptographic provider operation was attempted.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5064,A cryptographic context operation was attempted.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5065,A cryptographic context modification was attempted.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5066,A cryptographic function operation was attempted.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5067,A cryptographic function modification was attempted.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5068,A cryptographic function provider operation was attempted.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5069,A cryptographic function property operation was attempted.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5070,A cryptographic function property modification was attempted.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5071,Key access denied by Microsoft key distribution service.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5120,OCSP Responder Service Started.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5121,OCSP Responder Service Stopped.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5122,A Configuration entry changed in the OCSP Responder Service.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5123,A configuration entry changed in the OCSP Responder Service.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5124,A security setting was updated on OCSP Responder Service.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1222.001-File and Directory Permissions Modification
0,Object Access,Information,Security,5125,A request was submitted to OCSP Responder Service.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5126,Signing Certificate was automatically updated by the OCSP Responder Service.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5127,The OCSP Revocation Provider successfully updated the revocation information.,Certification Services,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,DS Access,Information,Security,5136,A directory service object was modified.,Directory Service Changes,0,1,0,1,1,0,0,1,0,0,0,0,0,0,1,In Development,0,TA0003-Persistence|TA0004-Privilege Escalation|TA0005-Defense Evasion,T1098.xxx-Account manipulation|T1546-Event Triggered Execution|T1484.001-Domain Policy Modification-Group Policy Modification|T1222.001-File and Directory Permissions Modification
1,DS Access,Information,Security,5137,A directory service object was created.,Directory Service Changes,0,1,0,1,1,0,0,1,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1207-Rogue domain controller
1,DS Access,Information,Security,5138,A directory service object was undeleted.,Directory Service Changes,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,In Development,0,,
1,DS Access,Information,Security,5139,A directory service object was moved.,Directory Service Changes,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5140,A network share object was accessed.,File Share,0,1,1,1,1,0,1,1,1,0,1,0,0,1,1,In Development,0,TA0007-Discovery|TA0008-Lateral Movement,T1135.xxx-Network Share Discovery|T1021.002-SMB Windows Admin Shares
1,DS Access,Information,Security,5141,A directory service object was deleted.,Directory Service Changes,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5142,A network share object was added.,File Share,0,1,0,1,1,0,0,1,1,0,1,0,0,1,1,In Development,0,TA0008-Lateral Movement,T1021.002-SMB Windows Admin Shares
1,Object Access,Information,Security,5143,A network share object was modified.,File Share,0,1,0,1,0,0,0,1,0,0,1,0,0,0,1,In Development,0,TA0005-Defense Evasion|TA0008-Lateral Movement,T1222.001-File and Directory Permissions Modification|T1021.002-SMB Windows Admin Shares
1,Object Access,Information,Security,5144,A network share object was deleted.,File Share,0,1,0,1,1,0,0,1,1,0,1,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5145,A network share object was checked to see whether the client can be granted desired access.,Detailed File Share,0,1,1,1,1,0,0,1,1,0,0,1,0,0,1,In Development,0,TA0002-Execution|TA0003-Persistence|TA0006-Credential Access|TA0007-Discovery|TA0008-Lateral Movement,T1047-Windows Management Instrumentation|T1053.005-Scheduled Task|T1204-User execution|T1098.xxx-Account manipulation|T1003-Credential dumping|T1555-Credentials from Password Stores|T1557-Man in the middle|T1018-Remote System Discovery|T1135.xxx-Network Share Discovery|T1021.002-SMB Windows Admin Shares
0,Object Access,Information,Security,5146,The Windows Filtering Platform has blocked a packet.,Filtering Platform Packet Drop,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,High,0,,
0,Object Access,Information,Security,5147,A more restrictive Windows Filtering Platform filter has blocked a packet.,Filtering Platform Packet Drop,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5148,The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.,Other Object Access Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5149,The DoS attack has subsided and normal processing is being resumed.,Other Object Access Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5150,The Windows Filtering Platform has blocked a packet.,Filtering Platform Connection,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5151,A more restrictive Windows Filtering Platform filter has blocked a packet.,Filtering Platform Connection,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5152,The Windows Filtering Platform blocked a packet.,Filtering Platform Packet Drop,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5153,A more restrictive Windows Filtering Platform filter has blocked a packet.,Filtering Platform Packet Drop,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5154,The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.,Filtering Platform Connection,0,1,1,1,0,0,0,1,1,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5155,The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.,Filtering Platform Connection,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5156,The Windows Filtering Platform has allowed a connection.,Filtering Platform Connection,0,1,1,1,0,0,1,1,1,0,0,0,0,0,0,High,0,,
1,Object Access,Information,Security,5157,The Windows Filtering Platform has blocked a connection.,Filtering Platform Connection,0,1,1,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5158,The Windows Filtering Platform has permitted a bind to a local port.,Filtering Platform Connection,0,1,0,1,0,0,1,1,0,0,0,0,0,0,0,In Development,0,,
1,Object Access,Information,Security,5159,The Windows Filtering Platform has blocked a bind to a local port.,Filtering Platform Connection,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5168,Spn check for SMB/SMB2 failed.,File Share,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,DS Access,Information,Security,5169,A directory service object was modified.,Directory Service Access,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,DS Access,Information,Security,5170,A directory service object was modified during a background cleanup task,Directory Service Access,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Account Management,Information,Security,5376,Credential Manager credentials were backed up.,User Account Management,0,1,0,1,1,0,0,0,0,0,0,0,0,1,1,In Development,0,TA0005-Defense Evasion,T1555.004-Windows Credential Manager
0,Account Management,Information,Security,5377,Credential Manager credentials were restored from a backup.,User Account Management,0,1,0,1,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Logon/Logoff,Information,Security,5378,The requested credentials delegation was disallowed by policy.,Other Logon/Logoff Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Account Management,Information,Security,5379,Credential Manager credentials were read.,User Account Management,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1555.004-Windows Credential Manager
0,Vault,Information,Security,5380,Vault Find Credential,Vault,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Vault,Information,Security,5381,Vault credentials were read,Vault,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1555.004-Windows Credential Manager
1,Vault,Information,Security,5382,Vault credentials were read,Vault,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1555.004-Windows Credential Manager
0,Policy Change,Information,Security,5440,The following callout was present when the Windows Filtering Platform Base Filtering Engine started.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5441,The following filter was present when the Windows Filtering Platform Base Filtering Engine started.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5442,The following provider was present when the Windows Filtering Platform Base Filtering Engine started.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5443,The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5444,The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5446,A Windows Filtering Platform callout has been changed.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,Policy Change,Information,Security,5447,A Windows Filtering Platform filter has been changed.,Other Policy Change Events,0,1,0,1,0,0,0,0,1,0,0,0,0,0,1,In Development,0,TA0005-Defense Evasion,T1562.004-Impair Defenses-Disable or Modify System Firewall
0,Policy Change,Information,Security,5448,A Windows Filtering Platform provider has been changed.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5449,A Windows Filtering Platform provider context has been changed.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5450,A Windows Filtering Platform sub-layer has been changed.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,5451,An IPsec Quick Mode security association was established.,IPsec Quick Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,5452,An IPsec Quick Mode security association ended.,IPsec Quick Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,5453,An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.,IPsec Main Mode,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5456,PAStore Engine applied Active Directory storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5457,PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5458,PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5459,PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5460,PAStore Engine applied local registry storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5461,PAStore Engine failed to apply local registry storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5462,PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5463,PAStore Engine polled for changes to the active IPsec policy and detected no changes.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5464,"PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.",Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5465,PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5466,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.",Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5467,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.",Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5468,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.",Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5471,PAStore Engine loaded local storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5472,PAStore Engine failed to load local storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5473,PAStore Engine loaded directory storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5474,PAStore Engine failed to load directory storage IPsec policy on the computer.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,5477,PAStore Engine failed to add quick mode filter.,Filtering Platform Policy Change,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5478,IPsec Services has started successfully.,IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5479,IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.,IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5480,IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.,IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5483,IPsec Services failed to initialize RPC server. IPsec Services could not be started.,IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5484,IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.,IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,Security,5485,IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.,IPsec Driver,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Wireless 802.1X Auth,Information,Security,5632,A request was made to authenticate to a wireless network.,Other Logon/Logoff Events,0,1,0,1,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Logon/Logoff,Information,Security,5633,A request was made to authenticate to a wired network.,Other Logon/Logoff Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Detailed Tracking,Information,Security,5712,A Remote Procedure Call (RPC) was attempted.,RPC Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,WMI Operational,Information,Microsoft-Windows-WMI-Activity/Operational,5857,Windows WMI Activity,WMI,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,In Development,0,,
0,WMI Operational,Information,Microsoft-Windows-WMI-Activity/Operational,5859,Windows WMI Activity,WMI,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,In Development,0,,
0,WMI Operational,Information,Microsoft-Windows-WMI-Activity/Operational,5860,Windows WMI Activity,WMI,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,In Development,0,,
1,WMI Operational,Information,Microsoft-Windows-WMI-Activity/Operational,5861,Windows WMI Activity,WMI,0,0,1,0,0,1,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Object Access,Information,Security,5888,An object in the COM+ Catalog was modified.,Other Object Access Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5889,An object was deleted from the COM+ Catalog.,Other Object Access Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Object Access,Information,Security,5890,An object was added to the COM+ Catalog.,Other Object Access Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Information,Security,6144,Security policy in the group policy objects has been applied successfully.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Policy Change,Error,Security,6145,One or more errors occurred while processing security policy in the group policy objects.,Other Policy Change Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6272,Network Policy Server granted access to a user.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6273,Network Policy Server denied access to a user.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6274,Network Policy Server discarded the request for a user.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6275,Network Policy Server discarded the accounting request for a user.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6276,Network Policy Server quarantined a user.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6277,Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,1,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6278,Network Policy Server granted full access to a user because the host met the defined health policy.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6279,Network Policy Server locked the user account due to repeated failed authentication attempts.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Logon/Logoff,Information,Security,6280,Network Policy Server unlocked the user account.,Network Policy Server,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Security,Information,Security,6281,Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error,System Integrity,0,1,1,1,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,System,Information,System,6400,BranchCache: Received an incorrectly formatted response while discovering availability of content.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6401,BranchCache: Received invalid data from a peer. Data discarded.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6402,BranchCache: The message to the hosted cache offering it data is incorrectly formatted.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6403,BranchCache: The hosted cache sent an incorrectly formatted response to the client.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6404,BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6405,BranchCache: %2 instance(s) of event id %1 occurred.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6406,%1 registered to Windows Firewall to control filtering for the following: %2,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6407,(blank),Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,6408,Registered product %1 failed and Windows Firewall is now controlling the filtering for %2,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6409,BranchCache: A service connection point object could not be parsed.,Other System Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6410,Code integrity determined that a file does not meet the security requirements to load into a process.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,1,0,In Development,0,,
1,System,Information,System,6416,A new external device was recognized by the System,Plug and Play Events,0,1,1,1,0,0,0,0,0,0,0,1,0,1,1,In Development,0,TA0004-Privilege Escalation,T1574-DLL side-loading
0,System,Information,System,6417,The FIPS mode crypto selftests succeeded.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,6418,The FIPS mode crypto selftests failed.,System Integrity,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6419,A request was made to disable a device,Plug and Play Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6420,A device was disabled.,Plug and Play Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6421,A request was made to enable a device.,Plug and Play Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6422,A device was enabled.,Plug and Play Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6423,The installation of this device is forbidden by system policy,Plug and Play Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Information,System,6424,"The installation of this device was allowed, after having previously been forbidden by policy.",Plug and Play Events,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,System,Error,System,7000,The service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.,Service,0,0,1,0,1,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0002-Execution,T1569.002-Service execution
1,System,Error,System,7009,Service Control Manager - A timeout was reached,Service,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,In Development,0,TA0002-Execution,T1569.002-Service execution
0,System,Error,System,7022,The service hung on starting,Service,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,7023,Windows Service Fails or Crashes,System or Service Failures,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,7024,The service terminated with service-specific error,Service,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,7026,Windows Service Fails or Crashes,System or Service Failures,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,7030,Service Creation Error,Service,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,In Development,0,,
0,System,Error,System,7031,Service Crashed,Service,0,0,0,0,1,0,1,0,0,0,0,0,0,1,0,In Development,0,,
0,System,Error,System,7032,Windows Service Fails or Crashes,System or Service Failures,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,System,Error,System,7034,Service Crashed,Service,0,0,1,0,1,0,1,0,0,0,0,0,0,1,0,In Development,0,,
0,System,Information,System,7035,Service sent a request to stop or start,Service,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,In Development,0,,
1,System,Information,System,7036,Service was started or stopped,Service,0,0,1,0,0,0,0,0,1,0,0,0,0,0,1,In Development,0,TA0003-Persistence,T1543.003-Create or Modify System Process-Windows Service
1,System,Information,System,7040,Service configured to interact with desktop,Service,0,0,1,0,0,0,1,0,0,0,0,0,0,1,0,In Development,0,,
1,System,Information,System,7045,New Windows Service,Service,0,0,1,0,1,0,1,0,1,1,1,0,0,0,1,Low,0,TA0002-Execution|TA0003-Persistence,T1569.002-Service execution|T1543.003-Create or Modify System Process-Windows Service
0,Microsoft-Windows-WLAN-AutoConfig/Operational,Information,Microsoft-Windows-WLAN-AutoConfig/Operational,8000,Starting a Wireless Connection,Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Microsoft-Windows-WLAN-AutoConfig/Operational,Information,Microsoft-Windows-WLAN-AutoConfig/Operational,8001,Successfully connected to a wireless connection,Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Applocker,Information,Microsoft-Windows-AppLocker/EXE and DLL,8002,AppLocker Block,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,1,,
0,Applocker,Error,Microsoft-Windows-AppLocker/EXE and DLL,8003,AppLocker Block,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,1,0,0,1,0,In Development,1,,
0,Applocker,Warning,Microsoft-Windows-AppLocker/EXE and DLL,8004,AppLocker Block,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,1,0,0,1,0,In Development,0,,
0,Applocker,Information,Microsoft-Windows-AppLocker/MSI and Script,8005,Script or Installer ran,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Applocker,Error,Microsoft-Windows-AppLocker/MSI and Script,8006,AppLocker Warning,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,1,0,0,1,0,In Development,0,,
0,Applocker,Warning,Microsoft-Windows-AppLocker/MSI and Script,8007,AppLocker Warning,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,1,0,0,1,0,In Development,0,,
0,Microsoft-Windows-WLAN-AutoConfig/Operational,Information,Microsoft-Windows-WLAN-AutoConfig/Operational,8011,Starting a Wireless Connection,Mobile Device Activities,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,In Development,0,,
0,Applocker,Information,Microsoft-Windows-AppLocker/Packaged app-Deployment,8020,Application Ran,Application Whitelisting,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,In Development,0,,
0,Applocker,Information,Microsoft-Windows-AppLocker/Packaged app-Execution,8021,Application Ran,Application Whitelisting,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,In Development,0,,
0,Applocker,Information,Microsoft-Windows-AppLocker/Packaged app-Execution,8022,Application Ran,Application Whitelisting,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,In Development,0,,
5680ApplockerInformationMicrosoft-Windows-AppLocker/Packaged app-Execution8023Application InstalledApplication Whitelisting000010000000010In Development0
5690ApplockerInformationMicrosoft-Windows-AppLocker/Packaged app-Deployment8024Application InstalledApplication Whitelisting000000000010000In Development0
5700ApplockerInformationMicrosoft-Windows-AppLocker/Packaged app-Deployment8025Application InstalledApplication Whitelisting000000000010000In Development0
5710AuditInformationSystem8191Highest System-Defined Audit Message ValueWindows Audit010000000000000In Development0
5720SecurityInformationVSSAudit8222Shadow copy has been createdVSSAudit000000001000000In Development0
5730Microsoft-Windows-NetworkProfile/OperationalInformationMicrosoft-Windows-NetworkProfile/Operational10000Network Connection and Disconnection StatusMobile Device Activities000010000000000In Development0
5740Microsoft-Windows-NetworkProfile/OperationalInformationMicrosoft-Windows-NetworkProfile/Operational10001Network Connection and Disconnection StatusMobile Device Activities000010000000000In Development0
5750Microsoft-Windows-WLAN-AutoConfig/OperationalInformationMicrosoft-Windows-WLAN-AutoConfig/Operational11000Wireless association statusMobile Device Activities000010000000000In Development0
5760Microsoft-Windows-WLAN-AutoConfig/OperationalInformationMicrosoft-Windows-WLAN-AutoConfig/Operational11001Wireless association statusMobile Device Activities000010000000000In Development0
5770Microsoft-Windows-WLAN-AutoConfig/OperationalInformationMicrosoft-Windows-WLAN-AutoConfig/Operational11004Wireless Security Started Stopped, Successful or FailedMobile Device Activities000010000000000In Development0
5780Microsoft-Windows-WLAN-AutoConfig/OperationalInformationMicrosoft-Windows-WLAN-AutoConfig/Operational11005Wireless Security Started Stopped, Successful or FailedMobile Device Activities000010000000000In Development0
5790Microsoft-Windows-WLAN-AutoConfig/OperationalErrorMicrosoft-Windows-WLAN-AutoConfig/Operational11006Wireless Security Started Stopped, Successful or FailedMobile Device Activities000010000000000In Development0
5800Microsoft-Windows-WLAN-AutoConfig/OperationalErrorMicrosoft-Windows-WLAN-AutoConfig/Operational11010Wireless Security Started Stopped, Successful or FailedMobile Device Activities000010000000000In Development0
5810Microsoft-Windows-WLAN-AutoConfig/OperationalInformationMicrosoft-Windows-WLAN-AutoConfig/Operational12011Wireless Authentication Started and FailedMobile Device Activities000010000000000In Development0
5820Microsoft-Windows-WLAN-AutoConfig/OperationalInformationMicrosoft-Windows-WLAN-AutoConfig/Operational12012Wireless Authentication Started and FailedMobile Device Activities000010000000000In Development0
5830Microsoft-Windows-WLAN-AutoConfig/OperationalErrorMicrosoft-Windows-WLAN-AutoConfig/Operational12013Wireless Authentication Started and FailedMobile Device Activities000010000000000In Development0
5840Microsoft-Windows-WLAN-AutoConfig/OperationalErrorMicrosoft-Windows-WLAN-AutoConfig/Operational11002Wireless association statusMobile Device Activities000010000000000In Development0
5850Microsoft-Windows-User-PnPInformationMicrosoft-Windows-User-PnP20001Driver Management concluded the process to install driver000000001000000In Development0
5860Microsoft-Windows-MPRMSGSuccessRemote Access20250RADIUS User assigned IPNetwork Policy000010000000000In Development0
5870Microsoft-Windows-MPRMSGSuccessRemote Access20274RADIUS User AuthenticatedNetwork Policy000010000000000In Development0
5880Microsoft-Windows-MPRMSGSuccessRemote Access20275RADIUS User DisconnectedNetwork Policy000010000000000In Development0
5890Microsoft-Windows-Windows Defender/OperationalInformationMicrosoft-Windows-Windows Defender/Operational5007Event when settings are changedWindows Defender Activities000000000000010High1
5900Microsoft-Windows-Windows Defender/OperationalInformationMicrosoft-Windows-Windows Defender/Operational1124Audit Controlled folder access eventWindows Defender Activities000000000000010High1
5910Microsoft-Windows-Windows Defender/OperationalInformationMicrosoft-Windows-Windows Defender/Operational1123Blocked Controlled folder access eventWindows Defender Activities000000000000010In Development1
5920Microsoft-Windows-Windows Defender/OperationalInformationMicrosoft-Windows-Windows Defender/Operational1127Blocked Controlled folder access sector write block eventWindows Defender Activities000000000000000In Development1
5930Microsoft-Windows-Windows Defender/OperationalInformationMicrosoft-Windows-Windows Defender/Operational1128Audited Controlled folder access sector write block eventWindows Defender Activities000000000000000In Development1