admingit
/
Splunk_Deploiement
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

TA_Windows

Browse Source
masterdev
admingit 1 year ago
parent 34bae05b07
commit b36a5c1bbe
77 changed files with 13322 additions and 0 deletions
Show Stats Download Patch File Download Diff File

BIN
.DS_Store vendored
View File

Binary file not shown.

BIN
deployment-apps/Splunk_TA_windows/.DS_Store vendored
View File

Binary file not shown.

6
deployment-apps/Splunk_TA_windows/README/transforms.conf.spec
Unescape View File

@ -0,0 +1,6 @@
[user_account_control_property]
python.version = {default|python|python2|python3}
* For Splunk 8.0.x and Python scripts only, selects which Python version to use.
* Either "default" or "python" select the system-wide default Python version.
* Optional.
* Default: not set; uses the system-wide Python version.

68
deployment-apps/Splunk_TA_windows/THIRDPARTY
Unescape View File

@ -0,0 +1,68 @@
================================================================================
================================================================================
Third-Party Software for splunk-add-on-for-microsoft-windows
--------------------------------------------------------------------------------
The following 3rd-party software packages may be used by or distributed with splunk-add-on-for-microsoft-windows. Any information relevant to third-party vendors listed below are collected using common, reasonable means.
Date generated: 2024-11-11
Revision ID: af23640882c3878b5f97c496e22f7c68f31eedba
================================================================================
================================================================================
================================================================================
Declared License
================================================================================
No declared license found for splunk-add-on-for-microsoft-windows
================================================================================
First Party Licenses
================================================================================
No licenses found
================================================================================
Dependencies
================================================================================
================================================================================
License
================================================================================
================================================================================
Copyrights
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Report Generated by FOSSA on 2024-11-11

2
deployment-apps/Splunk_TA_windows/VERSION
Unescape View File

@ -0,0 +1,2 @@
9.0.1
9.0.1

75
deployment-apps/Splunk_TA_windows/app.manifest
Unescape View File

@ -0,0 +1,75 @@
{
"dependencies": null,
"incompatibleApps": {
"Splunk_TA_microsoft_ad": "<=1.0.0",
"Splunk_TA_microsoft_dns": "<=1.0.1"
},
"info": {
"author": [
{
"name": "Splunk, Inc.",
"email": null,
"company": null
}
],
"classification": {
"categories": [
"IT Operations",
"Utilities",
"Security, Fraud & Compliance"
],
"developmentStatus": "Production/Stable",
"intendedAudience": "IT Professionals"
},
"commonInformationModels": {
"Application_State": "==4.15.0",
"Authentication": "==4.18.0",
"Change": "==4.18.0",
"Change_Analysis": "==4.15.0",
"Compute_Inventory": "==4.15.0",
"Endpoint": "==4.18.0",
"Event_Signatures": "==4.18.0",
"Network_Sessions": "==4.15.0",
"Performance": "==4.15.0",
"Updates": "==4.15.0",
"Vulnerabilities": "==4.15.0"
},
"description": "Splunk Add-on for Microsoft Windows",
"id": {
"group": null,
"name": "Splunk_TA_windows",
"version": "9.0.1"
},
"license": {
"name": null,
"text": "LICENSES/LicenseRef-Splunk-8-2021.txt",
"uri": null
},
"privacyPolicy": {
"name": null,
"text": null,
"uri": null
},
"releaseDate": null,
"releaseNotes": {
"name": "README",
"text": "./README.txt",
"uri": "http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Releasenotes"
},
"title": "Splunk Add-on for Microsoft Windows"
},
"inputGroups": null,
"platformRequirements": null,
"schemaVersion": "2.0.0",
"supportedDeployments": [
"_standalone",
"_distributed",
"_search_head_clustering"
],
"targetWorkloads": [
"_search_heads",
"_forwarders",
"_indexers"
],
"tasks": null
}

BIN
deployment-apps/Splunk_TA_windows/appserver/static/appIcon.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.3 KiB

BIN
deployment-apps/Splunk_TA_windows/appserver/static/appLogo.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.7 KiB

89
deployment-apps/Splunk_TA_windows/bin/Invoke-MonitoredScript.ps1
Unescape View File

@ -0,0 +1,89 @@
<#
.SYNOPSIS
& .\Invoke-MonitoredScript.ps1 "MyScript.ps1"
.DESCRIPTION
Outputs additional Splunk events related to the running and
errors in the script.
#>
[CmdletBinding()]
param(
#Command to execute.
[Parameter(Position=0, Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[string] $Command,
# Splunk Sourcetype Prefix for generated events
[Parameter()]
[ValidateNotNull()]
[string] $SourceTypePrefix="Powershell:",
# Maximum number of errors to convert into events
[Parameter()]
[ValidateRange(0, 100)]
[int] $MaxErrorCount
)
$WrappedScriptExecutionSummary= New-Object -TypeName PSObject -Property (
[ordered]@{
SplunkSourceType="$($SourceTypePrefix)ScriptExecutionSummary";
Identity=[guid]::NewGuid().ToString();
InvocationLine=$MyInvocation.Line;
TerminatingError=$false; ErrorCount=0; Elapsed=""
})
$originalLocation = Get-Location
try
{
Set-Location (Split-Path -Parent $MyInvocation.MyCommand.Definition)
$ScriptStopWatch = [System.Diagnostics.Stopwatch]::StartNew()
$Error.Clear()
Invoke-Expression $Command
}
catch
{
$WrappedScriptExecutionSummary.TerminatingError = $true;
}
finally
{
Set-Location $originalLocation
$WrappedScriptExecutionSummary.Elapsed = $ScriptStopWatch.Elapsed.ToString("hh\:mm\:ss\.fff")
$WrappedScriptExecutionSummary.ErrorCount = $Error.Count
if ($Error.Count -gt 0) {
$ei = $Error.Count - 1
if ($PSBoundParameters.ContainsKey('MaxErrorCount')) {
if ($MaxErrorCount -lt $Error.Count) {
$ei = $MaxErrorCount - 1
}
# Always emit terminating errors
if ($ei -eq -1 -and $WrappedScriptExecutionSummary.TerminatingError) {
$ei = 1
}
}
for(; $ei -ge 0; $ei--) {
$errorRecord = New-Object -TypeName PSObject -Property (
[ordered]@{
SplunkSourceType="$($SourceTypePrefix)ScriptExecutionErrorRecord";
ParentIdentity=$WrappedScriptExecutionSummary.Identity;
ErrorIndex=$ei;
ErrorMessage=$Error[$ei].ToString();
PositionMessage=$Error[$ei].InvocationInfo.PositionMessage;
CategoryInfo=$Error[$ei].CategoryInfo.ToString();
FullyQualifiedErrorId=$Error[$ei].FullyQualifiedErrorId
})
if ($Error[$ei].Exception -ne $null) {
Add-Member -InputObject $errorRecord -MemberType NoteProperty -Name Exception -Value $Error[$ei].Exception.ToString()
if ($Error[$ei].Exception.InnerException -ne $null) {
Add-Member -InputObject $errorRecord -MemberType NoteProperty -Name InnerException -Value $Error[$ei].Exception.InnerException.ToString()
}
}
Write-Output $errorRecord
}
}
Write-Output $WrappedScriptExecutionSummary
}

120
deployment-apps/Splunk_TA_windows/bin/log.py
Unescape View File

@ -0,0 +1,120 @@
#
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: LicenseRef-Splunk-8-2021
#
#
import logging
import logging.handlers as handlers
import os
import os.path as op
import time
try:
from splunk.clilib.bundle_paths import make_splunkhome_path
except ImportError:
from splunk.appserver.mrsparkle.lib.util import make_splunkhome_path
logging.Formatter.converter = time.gmtime
__LOG_FORMAT__ = (
"%(asctime)s +0000 log_level=%(levelname)s, pid=%(process)d, "
"tid=%(threadName)s, file=%(filename)s, "
"func_name=%(funcName)s, code_line_no=%(lineno)d | %(message)s"
)
class Log(object):
def __init__(self, namespace=None, default_level=logging.INFO):
self._loggers = {}
self._default_level = default_level
if namespace is None:
namespace = self._get_appname_from_path(op.abspath(__file__))
if namespace:
namespace = namespace.lower()
self._namespace = namespace
def get_logger(self, name, level=None, maxBytes=25000000, backupCount=5):
"""
Set up a default logger.
:param name: The log file name.
:param level: The logging level.
:param maxBytes: The maximum log file size before rollover.
:param backupCount: The number of log files to retain.
"""
# Strip ".py" from the log file name if auto-generated by a script.
if level is None:
level = self._default_level
name = self._get_log_name(name)
if name in self._loggers:
return self._loggers[name]
logger = logging.getLogger(name)
logfile = make_splunkhome_path(["var", "log", "splunk", name])
handler_exists = any(
[True for h in logger.handlers if h.baseFilename == logfile]
)
if not handler_exists:
file_handler = handlers.RotatingFileHandler(
logfile, mode="a", maxBytes=maxBytes, backupCount=backupCount
)
formatter = logging.Formatter(__LOG_FORMAT__)
file_handler.setFormatter(formatter)
logger.addHandler(file_handler)
logger.setLevel(level)
logger.propagate = False
self._loggers[name] = logger
return logger
def set_level(self, level, name=None):
"""
Change the log level of the logging
:param level: the level of the logging to be setLevel
:param name: the name of the logging to set, in case it is not set,
all the loggers will be affected
"""
if name is not None:
name = self._get_log_name(name)
logger = self._loggers.get(name)
if logger is not None:
logger.setLevel(level)
else:
self._default_level = level
for logger in self._loggers.values():
logger.setLevel(level)
def _get_log_name(self, name):
if name.endswith(".py"):
name = name.replace(".py", "")
if self._namespace:
name = "{}_{}.log".format(self._namespace, name)
else:
name = "{}.log".format(name)
return name
def _get_appname_from_path(self, absolute_path):
absolute_path = op.normpath(absolute_path)
parts = absolute_path.split(os.path.sep)
parts.reverse()
for key in ("apps", "slave-apps", "master-apps"):
try: # nosemgrep: gitlab.bandit.B112
idx = parts.index(key)
except ValueError:
continue
else:
try: # nosemgrep: gitlab.bandit.B110
if parts[idx + 1] == "etc":
return parts[idx - 1]
except IndexError:
pass
continue
# return None
return "-"

5
deployment-apps/Splunk_TA_windows/bin/netsh_address.bat
Unescape View File

@ -0,0 +1,5 @@
@echo off
REM --------------------------------------------------------
REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
REM --------------------------------------------------------
netsh interface ip show address

58
deployment-apps/Splunk_TA_windows/bin/powershell/2012r2-health.ps1
Unescape View File

@ -0,0 +1,58 @@
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
$ServerName = $env:ComputerName
$DomainController = Get-ADDomainController -Identity $ServerName
$Domain = Get-ADDomain -Identity $DomainController.Domain
$Forest = Get-ADForest -Identity $DomainController.Forest
$ReplicationSite = Get-ADReplicationSite -Identity $DomainController.Site
$Computer = Get-ADComputer -Identity $ServerName -Properties *
$RootDSE = Get-ADRootDSE -Server $ServerName
$RequiredServices = @( "ntfrs", "dfsr", "netlogon", "kdc", "w32time", "ismserv" )
$ISTG = ($DomainController.NTDSSettingsObjectDN -eq $ReplicationSite.InterSiteTopologyGenerator)
$SYSVOL = (Get-SMBShare SYSVOL -ErrorAction SilentlyContinue)
Try {
$DnsRegister = [System.Net.Dns]::GetHostByName($DomainController.HostName)
} Catch {
# The Catch will set $DnsRegister = $null if the GetHostByName fails for some reason
}
$SchemaVersion= Get-ADObject -Filter * -SearchScope Base -Properties objectVersion `
-SearchBase $RootDSE.schemaNamingContext
$DCWeight = (Get-Item "HKLM:System\CurrentControlSet\Services\Netlogon\Parameters").GetValue("LdapSrvWeight", $null)
if (!$DCWeight -or $DCWeight -eq $null -or $DCWeight -eq "") {
$DCWeight = 100
}
$FSMORoles = ($DomainController | Select -Expand OperationMasterRoles | %{ $_.ToString().Replace("Master","") } )
$SvcRunning = @(Get-Service $RequiredServices | ? Status -eq "Running" | select -expand Name)
$SvcStopped = @(Get-Service $RequiredServices | ? Status -ne "Running" | select -expand Name)
$ProcsOK = (($SvcStopped.Count -eq 0) -or ($SvcStopped.Count -eq 1 -and ($SvcStopped[0] -eq "ntfrs" -or $SvcStopped[0] -eq "dfsr")))
New-Object PSObject -Property @{
Server = $DomainController.Name
DomainDNSName = $DomainController.Domain
DomainNetBIOSName = $Domain.NetBIOSName
DomainLevel = $Domain.DomainMode
Site = $DomainController.Site
ForestName = $DomainController.Forest
ForestLevel = $Forest.ForestMode
Created = $Computer.whenCreated
Changed = $Computer.whenChanged
GlobalCatalog = $DomainController.IsGlobalCatalog
RODC = $DomainController.IsReadOnly
Enabled = $DomainController.Enabled
HighestUSN = $RootDSE.highestCommittedUSN
SchemaVersion = $SchemaVersion.objectVersion
DCWeight = $DCWeight
IsIntersiteTopologyGenerator = $ISTG
OperatingSystem = $DomainController.OperatingSystem
ServicePack = $DomainController.OperatingSystemServicePack
OSVersion = $DomainController.OperatingSystemVersion
FSMORoles = $FSMORoles -join " "
ServicesRunning = $SvcRunning -join ","
ServicesNotRunning = $SvcStopped -join ","
ProcsOK = $ProcsOK
SYSVOLShare = ($SYSVOL -ne $null)
DNSRegister = ($DnsRegister -ne $null)
}

17
deployment-apps/Splunk_TA_windows/bin/powershell/2012r2-repl-stats.ps1
Unescape View File

@ -0,0 +1,17 @@
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
Get-ADReplicationPartnerMetaData -Target $env:ComputerName -PartnerType Inbound -Partition * | %{
$src_host = Get-ADObject -Filter * -SearchBase $_.Partner.Replace("CN=NTDS Settings,","") `
-SearchScope Base -Properties dNSHostName
New-Object PSObject -Property @{
LastAttemptedSync = $_.LastReplicationAttempt
LastSuccessfulSync = $_.LastReplicationSuccess
type = "ReplicationEvent"
usn = $_.LastChangeUsn
src_host = $src_host.dNSHostName
Result = $_.LastReplicationResult
transport = $_.IntersiteTransportType
naming_context = $_.Partition
}
}

74
deployment-apps/Splunk_TA_windows/bin/powershell/2012r2-siteinfo.ps1
Unescape View File

@ -0,0 +1,74 @@
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
#
# Get the Information about this site
#
$ServerName = $env:ComputerName
$DC = Get-ADDomainController -Identity $ServerName
$Site = Get-ADReplicationSite -Identity $DC.Site
$Object = Get-ADObject -Filter * -SearchScope base -Properties * `
-SearchBase $Site.DistinguishedName
$Location = if ($Object.location -eq $null) { "" } else { $Object.location }
$ISTG = Get-ADDomainController -Filter `
'NTDSSettingsObjectDN -eq $Site.IntersiteTopologyGenerator'
$SiteLinks = Get-ADReplicationSiteLink -Filter 'SitesIncluded -eq $Site' -Properties *
$AdjacentSites = ($SiteLinks | Select -Expand SitesIncluded | `
Where-Object { $_ -ne $Site.DistinguishedName } | `
Sort-Object | Get-Unique | `
Foreach-Object { Get-ADReplicationSite $_ } )
$Subnets = Get-ADReplicationSubnet -Filter 'Site -eq $Site'
########################################################################
#
# SITE
#
$SiteInfo = @(
"Type=`"Site`""
"ForestName=`"$($DC.Forest)`""
"Site=`"$($Object.CN)`""
"Location=`"$Location`""
"IntersiteTopologyGenerator=`"$($ISTG.HostName)`""
)
$AdjacentSites | %{ $SiteLink += "AdjacentSite=`"$($_.Name)`"" }
$SiteLinks | %{ $SiteInfo += "SiteLink=`"$($_.Name)`"" }
$Subnets | %{ $SiteInfo += "Subnet=`"$($_.Name)`"" }
Write-Output ($SiteInfo -join " ")
#
########################################################################
#
# SITELINK
#
$SiteLinks | %{
# These values are not stored in the object unless you change them
$cost = if ($_.Cost -eq $null) { 100 } else { $_.Cost }
$options = if ($_.options -eq $null) { 0 } else { $_.options }
$replInterval = if ($_.replInterval -eq $null) { 180 * 60 } else { $_.replInterval * 60 }
$notifications = if ($options -band 0x01) { "True" } else { "False" }
$reciprocal = if ($options -band 0x02) { "True" } else { "False" }
$compression = if ($options -band 0x04) { "False" } else { "True" }
$SiteLink = @(
"Type=`"SiteLink`""
"ForestName=`"$($DC.Forest)`""
"Name=`"$($_.Name)`""
"Cost=`"$($_.Cost)`""
"DataCompressionEnabled=$compression"
"NotificationEnabled=$notifications"
"ReciprocalReplicationEnabled=$reciprocal"
"TransportType=$($_.InterSiteTransportProtocol)"
"ReplicationIntervalSecs=$replInterval"
)
Write-Output ($SiteLink -join " ")
}
$Subnets | Foreach-Object {
$Subnet = @(
"Type=`"Subnet`""
"ForestName=`"$($DC.Forest)`""
"Name=`"$($_.Name)`""
"Site=`"$($Site.Name)`""
"Location=`"$($_.Location)`""
)
Write-Output ($Subnet -join " ")
}

114
deployment-apps/Splunk_TA_windows/bin/powershell/dns-health.ps1
Unescape View File

@ -0,0 +1,114 @@
#
# Determine the health and statistics of this Microsoft DNS Server
#
$Output = New-Object System.Collections.ArrayList
$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
write-host -NoNewline ""$Date
# Name of Server
$ServerName = $env:ComputerName
write-host -NoNewline ""Server=`"$ServerName`"
#
# Windows Version and Build #
#
$WindowsInfo = Get-Item "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion"
$OS = $WindowsInfo.GetValue("ProductName")
$OSSP = $WindowsInfo.GetValue("CSDVersion")
$WinVer = $WindowsInfo.GetValue("CurrentVersion")
$WinBuild = $WindowsInfo.GetValue("CurrentBuildNumber")
$OSVER = "$WinVer ($WinBuild)"
write-host -NoNewline ""OperatingSystem=`"$OS`"
write-host -NoNewline ""ServicePack=`"$OSSP`"
write-host -NoNewline ""OSVersion=`"$OSVER`"
#
# Required Processes Running
# DNS Dnscache w32time
#
$RequiredServices = @( "DNS", "Dnscache", "w32time" )
$srvr = @()
$srvnr = @()
foreach ($srv in $RequiredServices) {
$status = (Get-Service $srv).Status
if ($status -eq "Running") {
$srvr += $srv
} else {
$srvnr += $srv
}
}
$ProcsOK = "False"
if ($srvnr.Count -eq 0) {
$ProcsOK = "True"
}
$ServicesRunning = [string]::join(',', $srvr)
$ServicesNotRunning = [string]::join(',', $srvnr)
write-host -NoNewline ""ServicesRunning=`"$ServicesRunning`" ServicesNotRunning=`"$ServicesNotRunning`" ProcsOK=`"$ProcsOK`"
#
# Settings for this DNS Server
#
$dnsInfo = Get-WmiObject -Namespace "root\MicrosoftDNS" -Class MicrosoftDNS_Server -ComputerName $ServerName
# See http://msdn.microsoft.com/en-us/library/windows/desktop/ms682725(v=vs.85).aspx for details
write-host -NoNewline "" Name=`"$($dnsInfo.Name)`"
write-host -NoNewline "" Version=`"$($dnsInfo.Version)`"
write-host -NoNewline "" LogLevel=`"$($dnsInfo.LogLevel)`"
write-host -NoNewline "" LogFilePath=`"$($dnsInfo.LogFilePath)`"
write-host -NoNewline "" LogFileMaxSize=`"$($dnsInfo.LogFileMaxSize)`"
write-host -NoNewline "" LogIPFilterList=`"$($dnsInfo.LogIPFilterList)`"
write-host -NoNewline "" EventLogLevel=`"$($dnsInfo.EventLogLevel)`"
write-host -NoNewline "" RpcProtocol=`"$($dnsInfo.RpcProtocol)`"
write-host -NoNewline "" NameCheckFlag=`"$NameCheckFlag`"
write-host -NoNewline "" AddressAnswerLimit=`"$($dnsInfo.AddressAnswerLimit)`"
write-host -NoNewline "" RecursionRetry=`"$($dnsInfo.RecursionRetry)`"
write-host -NoNewline "" RecursionTimeout=`"$($dnsInfo.RecursionTimeout)`"
write-host -NoNewline "" DsPollingInterval=`"$($dnsInfo.DsPollingInterval)`"
write-host -NoNewline "" DsTombstoneInteval=`"$($dnsInfo.DsTombstoneInteval)`"
write-host -NoNewline "" MaxCacheTTL=`"$($dnsInfo.MaxCacheTTL)`"
write-host -NoNewline "" MaxNegativeCacheTTL=`"$($dnsInfo.MaxNegativeCacheTTL)`"
write-host -NoNewline "" SendPort=`"$($dnsInfo.SendPort)`"
write-host -NoNewline "" XfrConnectTimeout=`"$($dnsInfo.XfrConnectTimeout)`"
write-host -NoNewline "" BootMethod=`"$($dnsInfo.BootMethod)`"
write-host -NoNewline "" AllowUpdate=`"$($dnsInfo.AllowUpdate)`"
write-host -NoNewline "" UpdateOptions=`"$($dnsInfo.UpdateOptions)`"
write-host -NoNewline "" DsAvailable=`"$($dnsInfo.DsAvailable)`"
write-host -NoNewline "" DisableAutoReverseZones=`"$($dnsInfo.DisableAutoReverseZones)`"
write-host -NoNewline "" AutoCacheUpdate=`"$($dnsInfo.AutoCacheUpdate)`"
write-host -NoNewline "" NoRecursion=`"$($dnsInfo.NoRecursion)`"
write-host -NoNewline "" RoundRobin=`"$($dnsInfo.RoundRobin)`"
write-host -NoNewline "" LocalNetPriority=`"$($dnsInfo.LocalNetPriority)`"
write-host -NoNewline "" StrictFileParsing=`"$($dnsInfo.StrictFileParsing)`"
write-host -NoNewline "" LooseWildcarding=`"$($dnsInfo.LooseWildcarding)`"
write-host -NoNewline "" BindSecondaries=`"$($dnsInfo.BindSecondaries)`"
write-host -NoNewline "" WriteAuthorityNS=`"$($dnsInfo.WriteAuthorityNS)`"
write-host -NoNewline "" ForwardDelegations=`"$($dnsInfo.ForwardDelegations)`"
write-host -NoNewline "" SecureResponses=`"$($dnsInfo.SecureResponses)`"
write-host -NoNewline "" DisjointNets=`"$($dnsInfo.DisjointNets)`"
write-host -NoNewline "" AutoConfigFileZones=`"$($dnsInfo.AutoConfigFileZones)`"
write-host -NoNewline "" ScavengingInterval=`"$($dnsInfo.ScavengingInterval)`"
write-host -NoNewline "" DefaultRefreshInterval=`"$($dnsInfo.DefaultRefreshInterval)`"
write-host -NoNewline "" DefaultNoRefreshInterval=`"$($dnsInfo.DefaultNoRefreshInterval)`"
write-host -NoNewline "" DefaultAgingState=`"$($dnsInfo.DefaultAgingState)`"
write-host -NoNewline "" EDnsCacheTimeout=`"$($dnsInfo.EDnsCacheTimeout)`"
write-host -NoNewline "" EnableEDnsProbes=`"$($dnsInfo.EnableEDnsProbes)`"
write-host -NoNewline "" EnableDnsSec=`"$($dnsInfo.EnableDnsSec)`"
write-host -NoNewline "" ForwardingTimeout=`"$($dnsInfo.ForwardingTimeout)`"
write-host -NoNewline "" IsSlave=`"$($dnsInfo.IsSlave)`"
write-host -NoNewline "" EnableDirectoryPartitions=`"$($dnsInfo.EnableDirectoryPartitions)`"
write-host -NoNewline "" Started=`"$($dnsInfo.Started)`"
write-host -NoNewline "" StartMode=`"$($dnsInfo.StartMode)`"
write-host -NoNewline "" Status=`"$($dnsInfo.Status)`"
foreach ($ip in $dnsInfo.Forwarders) {
write-host -NoNewline "" Forwarder=`"$ip`"
}
foreach ($ip in $dnsInfo.ServerAddresses) {
write-host -NoNewline "" ServerAddress=`"$ip`"
}
foreach ($ip in $dnsInfo.ListenAddresses) {
write-host "" ListenAddress=`"$ip`"
}

79
deployment-apps/Splunk_TA_windows/bin/powershell/dns-zoneinfo.ps1
Unescape View File

@ -0,0 +1,79 @@
#
# DNS Zone Information
#
function Get-WmiCount($a) {
if ($a -eq $Null) {
$cnt = 0
} elseif ($a.GetType().Name -eq "ManagementObject") {
$cnt = 1
} else {
$cnt = $a.Length
}
$cnt
}
function Output-Zoneinfo($Zone) {
#$Output = New-Object System.Collections.ArrayList
$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
write-host -NoNewline $Date Zone=`"$($Zone.Name)`" Aging=`"$($Zone.Aging)`" AllowUpdate=`"$($Zone.AllowUpdate)`" AutoCreated=`"$($Zone.AutoCreated)`" AvailForScavengeTime=`"$($Zone.AvailForScavengeTime)`" Caption=`"$($Zone.Caption)`" ContainerName=`"$($Zone.ContainerName)`" DataFile=`"$($Zone.DataFile)`" DnsServerName=`"$($Zone.DnsServerName)`" DsIntegrated=`"$($Zone.DsIntegrated)`" ForwarderSlave=`"$($Zone.ForwarderSlave)`" ForwarderTimeout=`"$($Zone.ForwarderTimeout)`" LastSuccessfulSoaCheck=`"$($Zone.LastSuccessfulSoaCheck)`" LastSuccessfulXfr=`"$($Zone.LastSuccessfulXfr)`" NoRefreshInterval=`"$($Zone.NoRefreshInterval)`" Notify=`"$($Zone.Notify)`" Paused=`"$($Zone.Paused)`" RefreshInterval=`"$($Zone.RefreshInterval)`" Reverse=`"$($Zone.Reverse)`" SecureSecondaries=`"$($Zone.SecureSecondaries)`" Shutdown=`"$($Zone.Shutdown)`" Status=`"$($Zone.Status)`" UseWins=`"$($Zone.UseWins)`" ZoneType=`"$($Zone.ZoneType)`"
# Some information on the zone itself - # record by type and total
$ZoneName = $Zone.Name
$SOA = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_SOAType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
$SOAlen = Get-WmiCount($SOA)
write-host -NoNewline ""SOA=$SOAlen
$NS = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_NSType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
$NSlen = Get-WmiCount($NS)
write-host -NoNewline ""NS=$NSlen
$A = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_AType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
$Alen = Get-WmiCount($A)
write-host -NoNewline ""A=$Alen
$AAAA = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_AAAAType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
$AAAAlen = Get-WmiCount($AAAA)
write-host -NoNewline ""AAAA=$AAAAlen
$CNAME= Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_CNAMEType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
$CNAMElen = Get-WmiCount($CNAME)
write-host -NoNewline ""CNAME=$CNAMElen
$MX = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_MXType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
$MXlen = Get-WmiCount($MX)
write-host -NoNewline ""MX=$MXlen
$SRV = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_SRVType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
$SRVlen = Get-WmiCount($SRV)
write-host -NoNewline ""SRV=$SRVlen
$HINFO= Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_HINFOType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
$HINFOlen = Get-WmiCount($HINFO)
write-host -NoNewline ""HINFO=$HINFOlen
$TXT = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_TXTType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
$TXTlen = Get-WmiCount($TXT)
write-host -NoNewline ""TXT=$TXTlen
$RR = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_ResourceRecord -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
$TotalRecords = Get-WmiCount($RR)
write-host ""TotalRecords=$TotalRecords
}
#
# Main Program
#
$ServerName = $env:ComputerName
$Scope = New-Object Management.ManagementScope("\\$ServerName\root\MicrosoftDNS")
$Path = New-Object Management.ManagementPath("MicrosoftDNS_Zone")
$Options = New-Object Management.ObjectGetOptions($Null, [System.TimeSpan]::MaxValue, $True)
$ZoneClass = New-Object Management.ManagementClass($Scope, $Path, $Options)
$Zones = Get-WMIObject -Computer $ServerName -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Zone"
$OutputEncoding = [Text.Encoding]::UTF8
Foreach ($Zone in $Zones) {
Output-ZoneInfo($Zone)
}

62
deployment-apps/Splunk_TA_windows/bin/powershell/generate_windows_update_logs.ps1
Unescape View File

@ -0,0 +1,62 @@
# ## This script generates WindowsUpdate.Log using Get-WindowsUpdateLog in $SplunkHome\var\log\Splunk_TA_windows\WindowsUpdate
# ## It monitors the WindowsUpdate.log from $SplunkHome\var\log\Splunk_TA_windows\
Set-Variable -Name "LogFolder" -Value "$SplunkHome\var\log\Splunk_TA_windows\WindowsUpdate"
Set-Variable -Name "MonitoredLogFile" -Value "$SplunkHome\var\log\Splunk_TA_windows\WindowsUpdate.log"
if (!(Test-Path -Path $LogFolder )) {
New-Item -ItemType directory -Path $LogFolder
}
Get-WindowsUpdateLog -LogPath $LogFolder\WindowsUpdate.log
if (Test-Path $MonitoredLogFile) {
try{
$currentLastLogLine = Get-Content $MonitoredLogFile | Select-Object -Last 1
if ($currentLastLogLine -match '\d{4}[-\/]\d{2}[-\/]\d{2} \d{2}:\d{2}:\d{2}\.\d{7}') {
try{
$currentLastTimestamp = [datetime]::ParseExact($matches[0], 'yyyy-MM-dd HH:mm:ss.fffffff', $null)
$is_timeformate_contain_slash = $false
}catch {
$currentLastTimestamp = [datetime]::ParseExact($matches[0], 'yyyy/MM/dd HH:mm:ss.fffffff', $null)
$is_timeformate_contain_slash = $true
}
if($is_timeformate_contain_slash){
$newLogs = Get-Content "$LogFolder\WindowsUpdate.log" | Where-Object { $_ -match '\d{4}[-\/]\d{2}[-\/]\d{2} \d{2}:\d{2}:\d{2}\.\d{7}' } | ForEach-Object {
$logTimestamp = [datetime]::ParseExact($matches[0], 'yyyy/MM/dd HH:mm:ss.fffffff', $null)
if ($logTimestamp -gt $currentLastTimestamp) {
$_
}
}
}
else{
$newLogs = Get-Content "$LogFolder\WindowsUpdate.log" | Where-Object { $_ -match '\d{4}[-\/]\d{2}[-\/]\d{2} \d{2}:\d{2}:\d{2}\.\d{7}' } | ForEach-Object {
$logTimestamp = [datetime]::ParseExact($matches[0], 'yyyy-MM-dd HH:mm:ss.fffffff', $null)
if ($logTimestamp -gt $currentLastTimestamp) {
$_
}
}
}
if ($newLogs) {
$newLogs | Set-Content -Path $MonitoredLogFile
# Write-Output "New logs appended to $MonitoredLogFile."
}else {
# Write-Output "No new logs found to append."
exit
}
}else {
# Write-Output "No timestamp matched in the current log file, hence copied file content."
Copy-Item -Path "$LogFolder\WindowsUpdate.log" -Destination "$MonitoredLogFile"
}
}
catch {
# Write-Output "Something went wrong, hence copying the entire log file"
Copy-Item -Path "$LogFolder\WindowsUpdate.log" -Destination "$MonitoredLogFile"
}
}
else {
# Write-Output "File does not exist, hence copied file content."
Copy-Item -Path "$LogFolder\WindowsUpdate.log" -Destination "$MonitoredLogFile"
}
exit

170
deployment-apps/Splunk_TA_windows/bin/powershell/nt6-health.ps1
Unescape View File

@ -0,0 +1,170 @@
#
# Determine the health and statistics of this Active Directory Controller
#
$Output = New-Object System.Collections.ArrayList
$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
[void]$Output.Add($Date)
# Name of Server
$ServerName = $env:ComputerName
[void]$Output.Add("Server=""$ServerName""")
$BSSN = "\\" + $ServerName
# Domain Information
$S_DS_AD_DOM = [System.DirectoryServices.ActiveDirectory.Domain]::getComputerDomain()
$WMI_CS = (Get-WmiObject Win32_ComputerSystem)
$WMI_DOMAIN = Get-WmiObject Win32_NTDomain | Where-Object {$_.DomainControllerName -eq $BSSN}
$DomainDNSName = $WMI_CS.Domain
$DomainNetBIOSName = $WMI_DOMAIN.DomainName
$DomainLevel = $S_DS_AD_DOM.DomainMode
[void]$Output.Add("DomainDNSName=`"$DomainDNSName`"");
[void]$Output.Add("DomainNetBIOSName=`"$DomainNetBIOSName`"");
[void]$Output.Add("DomainLevel=`"$DomainLevel`"");
# Site Information
$SiteName = $WMI_DOMAIN.ClientSiteName
[void]$Output.Add("Site=`"$SiteName`"");
# Forest Information
$ForestName = $S_DS_AD_DOM.Forest.Name
$ForestLevel = $S_DS_AD_DOM.Forest.ForestMode
[void]$Output.Add("ForestName=`"$ForestName`"");
[void]$Output.Add("ForestLevel=`"$ForestLevel`"");
# Domain Controller Flags
$IsRO = "False"
$IsEnabled = "False"
$IsGC = "False"
$USN = "Unknown"
$MyName = ($env:ComputerName + "." + $DomainDNSName).ToLower()
if ($WMI_DOMAIN.Status -eq "OK") {
$MyDC = $S_DS_AD_DOM.DomainControllers | Where-Object { $_.Name.ToLower() -eq $MyName.ToLower() }
if ($MyDC) {
if ($MyDC.IsGlobalCatalog()) {
$IsGC = "True"
}
$USN = $MyDC.HighestCommittedUsn
$IsEnabled = "True"
$entry = $MyDC.getDirectoryEntry()
[void]$Output.Add("Created=`"$($entry.whenCreated)`"")
[void]$Output.Add("Changed=`"$($entry.whenChanged)`"")
$DN = $entry.Path
$ServerEntry = [ADSI]"$DN"
$ServerEntry.GetInfoEx(@("msDS-IsRODC"),0)
$IsRO = $ServerEntry."msDS-IsRODC"
}
}
[void]$Output.Add("GlobalCatalog=`"$IsGC`"")
[void]$Output.Add("RODC=`"$IsRO`"")
[void]$Output.Add("Enabled=`"$IsEnabled`"")
[void]$Output.Add("HighestUSN=`"$USN`"")
$SchemaInfo = Get-Item "HKLM:System\CurrentControlSet\Services\NTDS\Parameters"
$SchemaVersion = $SchemaInfo.GetValue("Schema Version")
[void]$Output.Add("SchemaVersion=$SchemaVersion")
$NetLogonParams = Get-Item "HKLM:System\CurrentControlSet\Services\Netlogon\Parameters"
$DCWeight = $NetLogonParams.GetValue("LdapSrvWeight", $null)
if (!$DCWeight -or $DCWeight -eq $null -or $DCWeight -eq "") {
$DCWeight = 100 # This is the default value
}
[void]$Output.Add("DCWeight=$DCWeight")
$SiteInfoObj = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Sites | Where-Object { $_.Name -eq $SiteName }
# Is this host a BridgeHead Server?
# Field BridgeheadServer (Collection of DirectoryServer objects - check to see if we are listed and set IsBridgeHeadServer=True/False accordingly)
# Is this host a Intersite Topology Generator
if ($SiteInfoObj.IntersiteTopologyGenerator.Name -and ($SiteInfoObj.IntersiteTopologyGenerator.Name -eq $ServerName -or $SiteInfoObj.IntersiteTopologyGenerator.Name.ToLower() -eq $MyName)) {
[void]$Output.Add("IsIntersiteTopologyGenerator=`"True`"")
} else {
[void]$Output.Add("IsIntersiteTopologyGenerator=`"False`"")
}
#
# Windows Version and Build #
#
$WindowsInfo = Get-Item "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion"
$OS = $WindowsInfo.GetValue("ProductName")
$OSSP = $WindowsInfo.GetValue("CSDVersion")
$WinVer = $WindowsInfo.GetValue("CurrentVersion")
$WinBuild = $WindowsInfo.GetValue("CurrentBuildNumber")
$OSVER = "$WinVer ($WinBuild)"
[void]$Output.Add("OperatingSystem=""$OS""")
[void]$Output.Add("ServicePack=""$OSSP""")
[void]$Output.Add("OSVersion=""$OSVER""")
#
# FSMO Roles (Schema, DomainNaming, Infrastructure, RIDMaster, PDC)
#
$aFSMO = @()
if ($MyDC -and $MyDC.Roles) {
foreach ($role in $MyDC.Roles) {
switch ($role) {
"SchemaRole" { $aFSMO += "Schema" }
"NamingRole" { $aFSMO += "DomainNaming" }
"InfrastructureRole" { $aFSMO += "Infrastructure" }
"PdcRole" { $aFSMO += "PDCEmulator" }
"RidRole" { $aFSMO += "RIDMaster" }
}
}
}
$FSMORoles = [string]::join(' ', $aFSMO)
[void]$Output.Add("FSMORoles=""$FSMORoles""")
#
# Required Processes Running
# FRS, DFS-R, Net Logon, KDC, W32Time, ISMSERV
#
$RequiredServices = @( "ntfrs", "dfsr", "netlogon", "kdc", "w32time", "ismserv" )
$srvr = @()
$srvnr = @()
foreach ($srv in $RequiredServices) {
$status = (Get-Service $srv).Status
if ($status -eq "Running") {
$srvr += $srv
} else {
$srvnr += $srv
}
}
# Note that the only case that ProcsOK == True is when there is ONE service
# that isn't running - You need one replication services (ntfrs or dfsr) but
# not both
$ProcsOK = "False"
if (($srvnr.Count -eq 0) -or ($srvnr.Count -eq 1 -and ($srvnr[0] -eq "ntfrs" -or $srvnr[0] -eq "dfsr"))) {
$ProcsOK = "True"
}
$ServicesRunning = [string]::join(',', $srvr)
$ServicesNotRunning = [string]::join(',', $srvnr)
[void]$Output.Add("ServicesRunning=""$ServicesRunning""")
[void]$Output.Add("ServicesNotRunning=""$ServicesNotRunning""")
[void]$Output.Add("ProcsOK=""$ProcsOK""")
#
# Look for Common Problems
# SYSVOL is shared out
# DC is registered in DNS
#
$SysvolShare = (Get-WmiObject Win32_Share|Where-Object { $_.Name -eq "SYSVOL" })
if ($SysvolShare) {
[void]$Output.Add("SYSVOLShare=""True""")
} else {
[void]$Output.Add("SYSVOLShare=""False""")
}
$DNSEntry = ([System.Net.DNS]::GetHostEntry($ServerName))
if ($DNSEntry) {
[void]$Output.Add("DNSRegister=""True""")
} else {
[void]$Output.Add("DNSRegister=""False""")
}
# Output the final string
Write-Host ($output -join " ")

1
deployment-apps/Splunk_TA_windows/bin/powershell/nt6-repl-stat.ps1
View File

File diff suppressed because one or more lines are too long

41
deployment-apps/Splunk_TA_windows/bin/powershell/nt6-siteinfo.ps1
Unescape View File

@ -0,0 +1,41 @@
#
# Determine and output information about the Site the server is a member of
#
$ServerName = $env:ComputerName
$BSSN = "\\" + $ServerName
$WMI_DOMAIN = Get-WmiObject Win32_NTDomain | Where-Object {$_.DomainControllerName -eq $BSSN}
$SiteName = $WMI_DOMAIN.ClientSiteName
$ForestName = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Name
$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
$SiteInfoObj = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Sites | Where-Object { $_.Name -eq $SiteName }
$ISTG = $SiteInfoObj.IntersiteTopologyGenerator.Name
write-host $Date Type=`"Site`" ForestName=`"$ForestName`" Site=`"$SiteName`" Location=`"$($SiteInfoObj.Location)`" -NoNewline
$SiteInfoObj.AdjacentSites | Foreach-Object { write-host AdjacentSite=`"$($_.Name)`" -NoNewline }
write-host IntersiteTopologyGenerator=`"$ISTG`" -NoNewline
$SiteInfoObj.SiteLinks | Foreach-Object { write-host "" SiteLink=`"$($_.Name)`" -NoNewline }
$SiteInfoObj.Subnets | Foreach-Object { write-host "" Subnet=`"$($_.Name)`" -nonewline }
write-host #Needed to print a newline for next object
#
# Output Information about Site Links in this site
#
$SiteInfoObj.SiteLinks | Foreach-Object {
write-host $Date Type=`"SiteLink`" ForestName=`"$ForestName`" Name=`"$($_.Name)`" Cost=$($_.Cost) DataCompressionEnabled=$($_.DataCompressionEnabled) NotificationEnabled=$($_.NotificationEnabled) ReciprocalReplicationEnabled=$($_.ReciprocalReplicationEnabled) TransportType=$($_.TransportType) ReplicationIntervalSecs=$($_.ReplicationInterval.TotalSeconds) -NoNewLine
foreach ($site in $_.Sites) {
write-host ""Site=`"$($site.Name)`" -NoNewLine
}
}
Write-Host #similar to above
#
# Output Information about Subnets in this site
#
$SiteInfoObj.Subnets | Foreach-Object {
write-Host $Date Type=`"Subnet`" ForestName=`"$ForestName`" Name=`"$($_.Name)`" Site=`"$SiteName`" Location=`"$($_.Location)`"
}

5
deployment-apps/Splunk_TA_windows/bin/powershell/windows_bios_data.ps1
Unescape View File

@ -0,0 +1,5 @@
## This script fetches the Windows machine BIOS data using Get-WmiObject cmdlet
$bios_data = Get-WmiObject -class win32_bios | format-list -property * | Out-String
$bios_data = $bios_data.Trim()
$bios_data -replace '(.*?)\s:(.*)', '$1 = $2'

14
deployment-apps/Splunk_TA_windows/bin/runpowershell.cmd
Unescape View File

@ -0,0 +1,14 @@
@ECHO OFF
:: ######################################################
:: #
:: # Splunk for Microsoft Windows
:: #
:: # Copyright (C) 2021 Splunk, Inc.
:: # All Rights Reserved
:: #
:: ######################################################
set SplunkApp=Splunk_TA_windows
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -executionPolicy RemoteSigned -command ". '%SPLUNK_HOME%\etc\apps\%SplunkApp%\bin\powershell\%1'"

112
deployment-apps/Splunk_TA_windows/bin/user_account_control_property.py
Unescape View File

@ -0,0 +1,112 @@
#
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: LicenseRef-Splunk-8-2021
#
#
import csv
import sys
import log
import logging
# Map for possible property flags
property_flags = {
"1": "SCRIPT",
"2": "ACCOUNTDISABLE",
"8": "HOMEDIR_REQUIRED",
"16": "LOCKOUT",
"32": "PASSWD_NOTREQD",
"64": "PASSWD_CANT_CHANGE",
"128": "ENCRYPTED_TEXT_PWD_ALLOWED",
"256": "TEMP_DUPLICATE_ACCOUNT",
"512": "NORMAL_ACCOUNT",
"2048": "INTERDOMAIN_TRUST_ACCOUNT",
"4096": "WORKSTATION_TRUST_ACCOUNT",
"8192": "SERVER_TRUST_ACCOUNT",
"65536": "DONT_EXPIRE_PASSWORD",
"131072": "MNS_LOGON_ACCOUNT",
"262144": "SMARTCARD_REQUIRED",
"524288": "TRUSTED_FOR_DELEGATION",
"1048576": "NOT_DELEGATED",
"2097152": "USE_DES_KEY_ONLY",
"4194304": "DONT_REQ_PREAUTH",
"8388608": "PASSWORD_EXPIRED",
"16777216": "TRUSTED_TO_AUTH_FOR_DELEGATION",
"67108864": "PARTIAL_SECRETS_ACCOUNT",
}
def main():
logger = log.Log().get_logger("user_account_control_property")
logger.info("Lookup script started executing..")
# prints usage of the lookup script if wrong number of arguments provided
if len(sys.argv) != 3:
logger.debug(
"Usage: python user_account_control_property.py [userAccountControl] [userAccountPropertyFlag]"
)
logger.debug("Lookup script stopped..")
sys.exit(1)
# Lookup Field names
userAccountControl = sys.argv[1]
userAccountPropertyFlag = sys.argv[2]
infile = sys.stdin
outfile = sys.stdout
r = csv.DictReader(infile)
w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
w.writeheader()
# Decode flags for every 'userAccountControl' attribute value present in a search result
for result in r:
try:
if result[userAccountControl].isdigit():
attribute_value = int(result[userAccountControl])
bit_cnt = 0
incorrect_result_flag = False
flags = list()
# Prepare flag list by decoding 'userAccountcontrol' decimal value
# As 'userAccountControl' is decimal value, For each bit set to '1' a property flag can be denoted by using 'property_flags' map given above
while attribute_value != 0:
if attribute_value & 1 == 1:
flags.append(str(1 << bit_cnt))
attribute_value = attribute_value >> 1
bit_cnt += 1
# If flag not present in 'property_flags' map, The 'userAccountPropertyFlag' won't be populated in search result
for flag in flags:
if flag not in list(property_flags.keys()):
logger.debug(
"'userAccountControl' attribute can not be decoded for value: {}".format(
result[userAccountControl]
)
)
incorrect_result_flag = True
break
if incorrect_result_flag:
continue
else:
for flag in flags:
result[userAccountPropertyFlag] = property_flags[flag]
w.writerow(result)
else:
logger.debug(
"'userAccountControl' attribute can not be decoded for value: {}".format(
result[userAccountControl]
)
)
except:
logger.debug(
"No results for 'userAccountControl' attribute value :{}".format(
result[userAccountControl]
)
)
if __name__ == "__main__":
main()

67
deployment-apps/Splunk_TA_windows/bin/win_installed_apps.bat
Unescape View File

@ -0,0 +1,67 @@
@echo off
REM --------------------------------------------------------
REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
REM --------------------------------------------------------
setlocal EnableDelayedExpansion
REM For each app key, print out the name of the app and any parameters under the entry
for /f "tokens=*" %%G in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" ^| findstr "Uninstall\\"') do (call :output_reg "%%G" 72)
REM Do the same as above but with 32-bit apps, first checking if the key exists
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" >nul 2>&1
if %ERRORLEVEL% EQU 0 (
for /f "tokens=*" %%G in ('reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" ^| findstr "Uninstall\\"') do (call :output_reg "%%G" 84)
)
goto :eof
:output_reg
REM Echo an empty line to indicate that this is a new entry
@echo.
REM Get the current date and time into into a variable
for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j
set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6%
REM Print out the date & time
@echo %date_time%
REM Add the enumerated key
@echo Installed application enumerated from %1
REM Get the name of the app from the last segment in the registry path
set app_name=%1
REM Strips out the first x characters (from input) of the path in order to get just the app name
set "app_name=!app_name:~%2%,150!"
REM Strip the last quote
set "app_name=!app_name:~0,-1!"
REM Store a count value so that we can avoid printing the first entry
set count=0
REM This variable determines if the display name was found
set display_name_found=0
REM Now get the sub-keys
for /F "tokens=1,2*" %%A in ('reg query %1') do (
set /a count+=1
REM Skip the entry if it just repeats the name we are querying for or if it is blank or if is "<NO" (which indicates the item has no name)
REM Note that the display name was already found
if %%A==DisplayName (
set /a display_name_found=1
echo %%A="%%C"
) else (
REM Skip the entry if it just repeats the name we are querying for or if it is blank or if is "<NO" (which indicates the item has no name)
if not "%%A" == %1 if not "%%A" == "" if not "%%A" == "<NO" if not "%%C" == "" if not %%A==DisplayName echo %%A=%%C
)
)
REM If the display name was not found, then use the name of the registry path name instead
if !display_name_found!==0 echo DisplayName="%app_name%"

63
deployment-apps/Splunk_TA_windows/bin/win_listening_ports.bat
Unescape View File

@ -0,0 +1,63 @@
@echo off
REM --------------------------------------------------------
REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
REM --------------------------------------------------------
setlocal EnableDelayedExpansion
REM Get the current date and time into a variable
for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j
set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6%
REM Get the Tasklist command output and store array with pid and processname
for /f "tokens=1,2 delims=," %%T in ('tasklist /nh /fo csv') do (
set topic[%%~U]=%%~T
)
REM Get the list of open ports by running netstat and filtering the results to those that contain actual ports (dropping the header)
for /f "tokens=*" %%A in ('netstat -nao ^| findstr /r "LISTENING"') do (
set "line=%%A"
REM Replace % with %%
set "line=!line:%%=%%%%!"
call :output_ports "!line!"
)
goto :eof
:output_ports
REM Parse the ports list
for /f "tokens=1,2,4,5 delims= " %%A in (%1) do (
set protocol=%%A
set dest=%%B
set status=%%C
set pid=%%D
set appname=!topic[%%D]!
)
REM Skip the header
if "!protocol!"=="Proto" goto :eof
if "!protocol!"=="Active" goto :eof
REM Condition to ckeck IPv6 address
if "!dest:~0,1!"=="[" (
for /f "tokens=1,2 delims=]" %%Q in ("!dest!") do (
set full_ipv6=%%Q
set full_ipv6=!full_ipv6:~1!
set dest_ip=[!full_ipv6!]
set dest_port_temp=%%R
REM Below block is to remove leading ':' from dest_port_temp
for /f "tokens=1* delims=:" %%X in ("!dest_port_temp!") do (
set dest_port=%%X
)
)
) else (
for /f "tokens=1,2 delims=:" %%F in ("!dest!") do (
set dest_ip=%%F
set dest_port=%%G
)
)
REM Replace the dest IP with the empty IP range if necessary
if "!dest_ip!"=="[" set dest_ip=[::]
REM Print out the result
echo %date_time% transport=%protocol% dest_ip=%dest_ip% dest_port=%dest_port% pid=!pid! appname=%appname%

21
deployment-apps/Splunk_TA_windows/bin/win_timesync_configuration.bat
Unescape View File

@ -0,0 +1,21 @@
@echo off
REM --------------------------------------------------------
REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
REM --------------------------------------------------------
setlocal EnableDelayedExpansion
REM Get the time service configuration and timezone.
REM Get the date & time
for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j
set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6%
REM Print the date and time. This will be the timestamp of the event.
echo Current time: %date_time%
REM Print the Windows time service configuration
w32tm /query /configuration /verbose
REM Print the Windows time zone information
w32tm /tz

28
deployment-apps/Splunk_TA_windows/bin/win_timesync_status.bat
Unescape View File

@ -0,0 +1,28 @@
@echo off
REM --------------------------------------------------------
REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
REM --------------------------------------------------------
setlocal EnableDelayedExpansion
REM Get the last current time synchronization status
REM
REM Example:
REM
REM Successful sync:
REM Last Successful Sync Time: 1/22/2014 12:06:43 PM
REM Unsuccessful sync:
REM Last Successful Sync Time: unspecified
REM Get the date & time
for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j
set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6%
REM Print the date and time. This will be the timestamp of the event.
echo Current time: %date_time%
REM Print the Windows time service status
w32tm /query /status /verbose
REM Print the time zone
w32tm /tz

29
deployment-apps/Splunk_TA_windows/default/app.conf
Unescape View File

@ -0,0 +1,29 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[install]
is_configured = false
state = enabled
build = 1731337684
[ui]
is_visible = false
label = Splunk Add-on for Microsoft Windows
docs_section_override = AddOns:released
[launcher]
author = Splunk, Inc.
version = 9.0.1
description = Splunk Add-on for Microsoft Windows
[package]
id = Splunk_TA_windows
check_for_updates = true
[id]
name = Splunk_TA_windows
version = 9.0.1

221
deployment-apps/Splunk_TA_windows/default/data/ui/views/microsoft_windows_dashboard.xml
Unescape View File

@ -0,0 +1,221 @@
<!--
SPDX-FileCopyrightText: 2024 Splunk, Inc.
SPDX-License-Identifier: LicenseRef-Splunk-8-2021
-->
<form version="1.1" theme="dark">
<label>Microsoft Windows Monitoring Dashboard</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="log_time">
<label>Time</label>
<default>
<earliest>-4h@m</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="index_name">
<label>Index</label>
<fieldForLabel>index</fieldForLabel>
<fieldForValue>index</fieldForValue>
<search>
<query>| eventcount summarize=false index=* | dedup index | table index</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<default>main</default>
</input>
<input type="multiselect" token="host_name">
<label>Host</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<search>
<query>| tstats count where index=$index_name$ by host
| table host</query>
<earliest>0</earliest>
<latest></latest>
</search>
</input>
<input type="multiselect" token="sourcetype_token">
<label>Sourcetypes</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>sourcetype</fieldForLabel>
<fieldForValue>sourcetype</fieldForValue>
<search>
<query>| tstats count where index=$index_name$ AND host IN ($host_name$) AND
sourcetype IN ("PerfmonMk:*", "Perfmon:*", "MSAD:*", "WindowsUpdateLog", "WMI:*","WinEventLog","Script:NetworkConfiguration", "Script:TimesyncConfiguration", "ActiveDirectory", "WinHostMon", "WinRegistry", "Script:InstalledApps", "DhcpSrvLog", "wmi", "Script:ListeningPorts", "XmlWinEventLog:*", "host::WinEventLogForwardHost", "WinEventLog:*", "Script:TimesyncStatus", "XmlWinEventLog","powershell", "WinRegMon", "admon", "WinNetMon", "WinPrintMon", "win:bios") AND NOT sourcetype IN ("winEventLog:*", "xmlWinEventLog:*") by sourcetype
| table sourcetype</query>
<earliest>0</earliest>
<latest></latest>
</search>
</input>
<input type="multiselect" token="source_token">
<label>Sources</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>source</fieldForLabel>
<fieldForValue>source</fieldForValue>
<search>
<query>| tstats values(source) where index=$index_name$ AND sourcetype IN ($sourcetype_token$) AND host IN ($host_name$) AND source IN ("WinEventLog:*", "WMI*", "WinEventLog*", "XmlWinEventLog:*", "*WindowsUpdate.Log", "WMI:WinEventLog*", "Powershell", "service", "processor", "process", "printer", "port","outbound","networkadapter","operatingsystem","inbound", "driver","disk","computer", "roles","WinRegistry", "PerfmonMk:*", "*win_timesync_status.bat","*win_timesync_configuration.bat","*win_listening_ports.bat", "*win_installed_apps.bat", "*netsh_address.bat", "*DHCP" ,"*netlogon.log","*dns.log") by source
| table source</query>
<earliest>0</earliest>
<latest></latest>
</search>
<delimiter> </delimiter>
</input>
</fieldset>
<row>
<panel>
<title>Windows TA version</title>
<single>
<search>
<query>| rest services/apps/local/Splunk_TA_windows splunk_server=local| fields version</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<title>Total number of events</title>
<single>
<search>
<query>index=$index_name$ sourcetype IN ($sourcetype_token$) source IN ($source_token$) host IN ($host_name$) eventtype=windows_ta_data | stats count</query>
<earliest>$log_time.earliest$</earliest>
<latest>$log_time.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Event count per time span</title>
<input type="dropdown" token="span_time">
<label>TIme span</label>
<choice value="1s">1 second</choice>
<choice value="10s">10 seconds</choice>
<choice value="1m">1 minute</choice>
<choice value="15m">15 minutes</choice>
<choice value="30m">30 minutes</choice>
<choice value="1h">1 hour</choice>
<choice value="12h">12 hours</choice>
<choice value="24h">24 hours</choice>
<default>12h</default>
</input>
<chart>
<search>
<query>index=$index_name$ sourcetype IN ($sourcetype_token$) source IN ($source_token$) host IN ($host_name$) eventtype=windows_ta_data| timechart span=$span_time$ count as "Event count"</query>
<earliest>$log_time.earliest$</earliest>
<latest>$log_time.latest$</latest>
<refresh>5m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Events by Sourcetypes</title>
<chart>
<search>
<query>index=$index_name$ sourcetype IN ($sourcetype_token$) source IN ($source_token$) host IN ($host_name$) eventtype=windows_ta_data| stats count by sourcetype</query>
<earliest>$log_time.earliest$</earliest>
<latest>$log_time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="height">331</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
<panel>
<title>Events by Sources</title>
<chart>
<search>
<query>index=$index_name$ sourcetype IN ($sourcetype_token$) source IN ($source_token$) host IN ($host_name$) eventtype=windows_ta_data| stats count by source</query>
<earliest>$log_time.earliest$</earliest>
<latest>$log_time.latest$</latest>
</search>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="height">332</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Trends of events by sourcetypes</title>
<table>
<search>
<query>index=$index_name$ sourcetype IN ($sourcetype_token$) source IN ($source_token$) host IN ($host_name$) eventtype=windows_ta_data| chart sparkline(count) AS "Sourcetypes Trend" count AS Total BY sourcetype</query>
<earliest>$log_time.earliest$</earliest>
<latest>$log_time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>CIM Supported Events</title>
<table>
<title>Total events mapped with tags</title>
<search>
<query>index=$index_name$ sourcetype IN ($sourcetype_token$) source IN ($source_token$) host IN ($host_name$) eventtype=windows_ta_data| stats count As TotalEvents by tag | table tag, TotalEvents</query>
<earliest>$log_time.earliest$</earliest>
<latest>$log_time.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>

765
deployment-apps/Splunk_TA_windows/default/eventtypes.conf
Unescape View File

@ -0,0 +1,765 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
## DO NOT EDIT THIS FILE!
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
## into ../local and edit there.
##
###### Global Windows Eventtype ######
[windows_event_signature]
search = sourcetype=WinEventLog OR sourcetype=XmlWinEventLog OR sourcetype=WMI:WinEventLog:System OR sourcetype=WMI:WinEventLog:Security OR sourcetype=WMI:WinEventLog:Application OR sourcetype=wineventlog OR sourcetype=xmlwineventlog
#tags = track_event_signatures
[wineventlog_windows]
search = eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security OR eventtype=wineventlog-ds OR eventtype=wineventlog-dfs OR eventtype=wineventlog-keymanagement OR eventtype=wineventlog-filereplication OR eventtype=wineventlog-dns
#tags = os windows
[wineventlog_application]
search = source=WinEventLog:Application OR source=WMI:WinEventLog:Application OR source=XmlWinEventLog:Application
#tags = os windows
[wineventlog_system]
search = source=WinEventLog:System OR source=WMI:WinEventLog:System OR source=XmlWinEventLog:System
#tags = os windows
[wineventlog_security]
search = source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security
#tags = os windows
[perfmon_windows]
search = sourcetype=Perfmon:* OR sourcetype=PerfmonMk:* OR sourcetype=WMI:Perfmon*
#tags = os windows
[hostmon_windows]
search = sourcetype=WinHostMon
#tags = os windows
[hostmon_os]
search = sourcetype=WinHostMon Type=OperatingSystem
#tags = os windows memory performance
[hostmon_inventory]
search = sourcetype=WinHostMon (Type=OperatingSystem OR Type=Processor)
#tags = os inventory cpu memory
[hostmon_disk]
search = sourcetype=WinHostMon (Type=Disk)
#tags = inventory performance storage
[netmon_windows]
search = sourcetype=WinNetMon
#tags = os windows
[printmon_windows]
search = sourcetype=WinPrintMon
#tags = os windows
[script_windows]
search = sourcetype=Script:* source=*.bat
#tags = os windows
[wmi_windows]
search = sourcetype=WMI:*
#tags = os windows
[windowsupdatelog_windows]
search = sourcetype=WindowsUpdateLog
#tags = os windows
[winregistry_windows]
search = sourcetype=WinRegistry
#tags = os windows endpoint change registry
[winapp]
search = eventtype=wineventlog_application
[winsec]
search = eventtype=wineventlog_security
#tags = security
[winsystem]
search = eventtype=wineventlog_system
###### DHCP ######
[msdhcp]
search = sourcetype=msdhcp
#tags = dhcp network session windows
[msdhcp_start]
search = sourcetype=msdhcp (msdhcp_id=10 OR msdhcp_id=11 OR msdhcp_id=13)
#tags = start
[msdhcp_end]
search = sourcetype=msdhcp (msdhcp_id=12 OR msdhcp_id=16 OR msdhcp_id=17)
#tags = end
[DhcpSrvLog]
search = sourcetype=DhcpSrvLog
#tags = windows
[DhcpSrvLog_dhcp]
search = sourcetype=DhcpSrvLog (msdhcp_id=13 OR msdhcp_id=14 OR msdhcp_id=15)
#tags = dhcp network session
[DhcpSrvLog_start]
search = sourcetype=DhcpSrvLog (msdhcp_id=10 OR msdhcp_id=11)
#tags = dhcp network session start
[DhcpSrvLog_end]
search = sourcetype=DhcpSrvLog (msdhcp_id=12 OR msdhcp_id=16 OR msdhcp_id=17 OR msdhcp_id=18)
#tags = dhcp network session end
###### Security: Account Logon ######
## Authentication Ticket Granted/Failed
## EventCodes 4768, 4772, 672, 676
[windows_auth_ticket_granted]
search = eventtype=wineventlog_security (EventCode=4768 OR EventCode=672 OR EventCode=676)
#tags = authentication
## Service Ticket Granted/Failed
## EventCodes 4769, 4773, 673, 677
[windows_service_ticket_granted]
search = eventtype=wineventlog_security (EventCode=4769 OR EventCode=4773 OR EventCode=673 OR EventCode=677)
#tags = authentication
## Ticket Granted Renewed
## EventCodes 4770, 674
[windows_ticket_renewed]
search = eventtype=wineventlog_security (EventCode=4770 OR EventCode=674)
## tags intentionally left blank
#tags =
## Pre-authentication failed
## EventCodes 4771, 675
[windows_pre_auth_failed]
search = eventtype=wineventlog_security (EventCode=4771 OR EventCode=675)
#tags = authentication
## Account Mapped for Logon by
## EventCodes 4774, 678
[windows_account_mapped]
search = eventtype=wineventlog_security (EventCode=4774 OR EventCode=678)
## tags intentionally left blank
#tags = authentication
## The name: %2 could not be mapped for logon by: %1
## EventCodes 4775, 679
[windows_account_notmapped]
search = eventtype=wineventlog_security (EventCode=4775 OR EventCode=679)
#tags = authentication
## Account Used for Logon by
## The domain controller attempted/failed to validate the credentials for an account
## The logon to account: %2 by: %1 from workstation: %3 failed.
## EventCodes 4776, 4777, 680, 681
[windows_account_used4logon]
search = eventtype=wineventlog_security (EventCode=4776 OR EventCode=4777 OR EventCode=680 OR EventCode=681)
#tags = authentication
## Session reconnected to winstation
## EventCodes 4778, 682
[windows_session_reconnected]
search = eventtype=wineventlog_security (EventCode=4778 OR EventCode=682)
## tags intentionally left blank
#tags =
## Session disconnected from winstation
## EventCodes 4779, 683
[windows_session_disconnected]
search = eventtype=wineventlog_security (EventCode=4779 OR EventCode=683)
#tags = access stop logoff
###### Security: Account Management ######
[windows_account_management]
search = eventtype=wineventlog_security (ta_windows_security_CategoryString="Account Management" OR (TaskCategory="User Account Management" AND source!=XmlWinEventLog:Security) )
#tags = account change management
## User/Computer Account Created
## EventCodes 4720, 4741, 624, 645
[windows_account_created]
search = eventtype=wineventlog_security (EventCode=4720 OR EventCode=4741 OR EventCode=624 OR EventCode=645)
#tags = add account change
## User Account Enabled
## EventCodes 4722, 626
[windows_account_enabled]
search = eventtype=wineventlog_security (EventCode=4722 OR EventCode=626)
#tags = enable account change
## Change Password Attempt
## EventCodes 4723, 627
[windows_account_password_change]
search = eventtype=wineventlog_security (EventCode=4723 OR EventCode=627)
#tags = password modify account change
## User Account password set
## EventCodes 4724, 628
[windows_account_password_set]
search = eventtype=wineventlog_security (EventCode=4724 OR EventCode=628)
#tags = password modify account change
## User Account Disabled
## EventCodes 4725, 629
[windows_account_disabled]
search = eventtype=wineventlog_security (EventCode=4725 OR EventCode=629)
#tags = disable account change
## User/Computer Account Deleted
## EventCodes 4726, 4743, 630, 647
[windows_account_deleted]
search = eventtype=wineventlog_security (EventCode=4726 OR EventCode=4743 OR EventCode=630 OR EventCode=647)
#tags = delete account change
## User/Computer Account Changed
## EventCodes 4738, 4742, 642, 646, 625
[windows_account_modified]
search = eventtype=wineventlog_security (EventCode=4738 OR EventCode=4742 OR EventCode=642 OR EventCode=646 OR EventCode=625)
#tags = modify account change
## User Account Locked Out
## EventCodes 4740, 644
[windows_account_lockout]
search = eventtype=wineventlog_security (EventCode=4740 OR EventCode=644)
#tags = lock lockout account change
## User Account Unlocked
## EventCodes 4767, 671
[windows_account_unlocked]
search = eventtype=wineventlog_security (EventCode=4767 OR EventCode=671)
#tags = modify account change
###### Security: Audit (Event Log) ######
## The event logging service has shut down
## EventCode 1100
[windows_audit_log_stopped]
search = eventtype=wineventlog_security EventCode=1100
#tags = stop stopped watchlist
## Audit events have been dropped by the transport.
## The security Log is now full
## The event logging service encountered an error
## EventCodes 1101, 1104, 1108
[windows_audit_errors]
search = eventtype=wineventlog_security (EventCode=1101 OR EventCode=1104 OR EventCode=1108)
#tags = audit error
## The audit log was cleared
## EventCodes 1102, 517
[windows_audit_log_cleared]
search = eventtype=wineventlog_security (EventCode=1102 OR EventCode=517)
#tags = audit change delete cleared watchlist
## Event log automatic backup
## EventCode 1105
[windows_audit_backup]
search = eventtype=wineventlog_security EventCode=1105
#tags = audit backup change
## Logon/Logoff audit logs
## EventCode 4625
[windows_audit_log_logon]
search = eventtype=wineventlog_security EventCode=4625 (ta_windows_status=0xC0000064 OR ta_windows_status=0xC000006A OR ta_windows_status=0xC000006F OR ta_windows_status=0xC0000070 OR ta_windows_status=0xC0000071 OR ta_windows_status=0xC0000072 OR ta_windows_status=0XC000018C OR ta_windows_status=0XC0000192 OR ta_windows_status=0xC0000193 OR ta_windows_status=0xC0000234 OR ta_windows_status=0XC00002EE OR ta_windows_status=0XC0000413)
#tags = audit change
###### Security: Logon/Logoff ######
## User Logoff/User initiated logoff
## EventCodes 4634, 4647, 538, 551
[windows_logoff]
search = eventtype=wineventlog_security (EventCode=4634 OR EventCode=4647 OR EventCode=538 OR EventCode=551)
#tags = access stop logoff
## A logon was attempted using explicit credentials
## EventCodes 4648, 552
[windows_logon_explicit]
search = eventtype=wineventlog_security (EventCode=4648 OR EventCode=552)
#tags = authentication privileged
## An account failed to log on
## EventCodes 4625, 529, 530, 531, 532, 533, 534, 535, 536, 537, 539
[windows_logon_failure]
search = eventtype=wineventlog_security ((EventCode=4625 AND ta_windows_action!=error) OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)
#tags = authentication
## An account was successfully logged on
## EventCodes 4624, 528, 540
[windows_logon_success]
search = eventtype=wineventlog_security (EventCode=4624 OR EventCode=528 OR EventCode=540)
#tags = authentication
###### Security: Object Access ######
## Object Open
## EventCodes 4656, 560
[windows_object_open]
search = eventtype=wineventlog_security (EventCode=4656 OR EventCode=560)
#tags = resource file access start
## Handle Closed
## EventCodes 4658, 562
[windows_handle_closed]
search = eventtype=wineventlog_security (EventCode=4658 OR EventCode=562)
#tags = resource file access stop
###### Security: Policy Change ######
## Audit Policy Change/The audit policy (SACL) on an object was changed
## EventCodes 4715, 4719, 612
[windows_audit_policy_change]
search = eventtype=wineventlog_security (EventCode=4715 OR EventCode=4719 OR EventCode=612)
#tags = policy configuration modify audit change
## System security access was granted to an account
## EventCodes 4717, 621
[windows_security_access_granted]
search = eventtype=wineventlog_security (EventCode=4717 OR EventCode=621)
#tags = access authorization add change account
## System security access was removed from an account
## EventCodes 4718, 622
[windows_security_access_removed]
search = eventtype=wineventlog_security (EventCode=4718 OR EventCode=622)
#tags = access authorization delete change account
## Per User Audit Policy was changed
## EventCodes 4912, 807
[windows_audit_policy_changed]
search = eventtype=wineventlog_security (EventCode=4912 OR EventCode=807)
#tags = policy configuration modify audit change
## The following policy was active when the Windows Firewall started
## EventCodes 848, 849, 850
[windows_firewall_policy_active]
search = eventtype=wineventlog_security (EventCode=848 OR EventCode=849 OR EventCode=850)
#tags = application firewall configuration report
## A change has been made to Windows Firewall
## EventCodes 4946, 4947, 4948, 851, 852
[windows_firewall_policy_change]
search = eventtype=wineventlog_security (EventCode=4946 OR EventCode=4947 OR EventCode=4948 OR EventCode=851 OR EventCode=852)
#tags = application firewall configuration modify
## The Windows Firewall has detected an application listening for incoming traffic
## EventCodes 4957, 861
[windows_firewall_port_listening]
search = eventtype=wineventlog_security (EventCode=4957 OR EventCode=861)
#tags = application firewall port listening report
###### Security: Privilege Use ######
## Special privileges assigned to new logon
## EventCodes 4672, 576
[windows_special_privileges]
search = eventtype=wineventlog_security (EventCode=4672 OR EventCode=576)
#tags = authentication privileged
## Privileged Service Called
## EventCodes 4673, 577
[windows_privileged_service_call]
search = eventtype=wineventlog_security (EventCode=4673 OR EventCode=577)
#tags = process execute start privileged
## Privileged object operation
## EventCodes 4674, 578
[windows_privileged_object_operation]
search = eventtype=wineventlog_security (EventCode=4674 OR EventCode=578)
#tags = resource execute start privileged
###### Security: Process Tracking ######
## A new process has been created
## EventCodes 4688, 592
[windows_process_new]
search = eventtype=wineventlog_security (EventCode=4688 OR EventCode=592)
#tags = process execute start
## A process has exited
## EventCodes 4689, 593
[windows_process_exit]
search = eventtype=wineventlog_security (EventCode=4689 OR EventCode=593)
#tags = process execute stop
## A process was assigned a primary token
## EventCodes 4696, 600
[windows_process_token]
search = eventtype=wineventlog_security (EventCode=4696 OR EventCode=600)
#tags = process execute start privileged
###### Security: System ######
## An authentication package has been loaded by the Local Security Authority
## EventCodes 4610, 514
[windows_auth_package]
search = eventtype=wineventlog_security (EventCode=4610 OR EventCode=514)
#tags = process execute start
## A trusted logon process has registered with the Local Security Authority
## EventCodes 4611, 515
[windows_logon_process]
search = eventtype=wineventlog_security (EventCode=4611 OR EventCode=515)
#tags = process authorization add
## A notification package has been loaded by the Security Account Manager
## EventCodes 4614, 518
[windows_notification_package]
search = eventtype=wineventlog_security (EventCode=4614 OR EventCode=518)
#tags = process execute start
###### Security: Vulnerability ######
## System security domain policy was changed
## EventCode 4739
[windows_security_misconfiguration_password_minimum_length]
search = eventtype=wineventlog_security EventCode="4739" (Min__Password_Length<7 OR Mixed_Domain_Mode<7)
#tags = misconfiguration password policy vulnerability report audit change
###### System: Time ######
## EventCode 35, 37
[windows_time_sync]
search = (eventtype=wineventlog_system (SourceName=W32Time OR SourceName=Microsoft-Windows-Time-Service) (EventCode=35 OR EventCode=37)) OR (sourcetype=Script:TimesyncStatus windows_action=success)
#tags = report time synchronize success performance
## EventCodes 17, 29, 36, 38
[windows_time_failure]
search = (eventtype=wineventlog_system (SourceName=W32Time OR Microsoft-Windows-Time-Service) (EventCode=17 OR EventCode=29 OR EventCode=36 OR EventCode=38)) OR (sourcetype=Script:TimesyncStatus windows_action=failure)
#tags = report time synchronize failure performance
###### System: Update ######
[windows_system_update]
search = eventtype=wineventlog_system "Microsoft-Windows-WindowsUpdateClient"
#tags = system update
## EventCodes 17, 18, 19
[windows_system_update_status]
search = eventtype=wineventlog_system "Microsoft-Windows-WindowsUpdateClient" (EventCode=17 OR EventCode=18 OR EventCode=19)
#tags = status
[windows_updatelog]
search = sourcetype=WindowsUpdateLog
#tags = system update
[windows_updatelog_status]
search = sourcetype=WindowsUpdateLog "Content Install" NOT "Download Succeeded" NOT "Reboot Completed" NOT "Hide Update"
#tags = status
## WMI:Update
[wmi_installed_packages]
search = sourcetype=WMI:InstalledUpdates
#tags = system update status
###### Splunk WMI ######
## ComputerSystem
[wmi_computersystem]
search = sourcetype=WMI:ComputerSystem
#tags = performance memory
## CPUTime
[perfmon_cputime]
search = (sourcetype=Perfmon:CPU OR sourcetype=PerfmonMk:CPU OR sourcetype=Perfmon:CPUTime)
#tags = performance cpu report
[perfmon_cputime_anomalous]
search = (sourcetype=Perfmon:CPU OR sourcetype=PerfmonMk:CPU OR sourcetype=Perfmon:CPUTime) windows_cpu_load_percent>90
#tags = anomalous
[wmi_cputime]
search = sourcetype=WMI:CPUTime
#tags = performance cpu report
[wmi_cputime_anomalous]
search = sourcetype=WMI:CPUTime windows_percent_processor_time>90
#tags = anomalous
## System
[perfmon_system]
search = sourcetype=Perfmon:System OR sourcetype=PerfmonMk:System
#tags = performance cpu report
## Disk
[perfmon_freediskspace]
search = sourcetype=Perfmon:FreeDiskSpace
#tags = performance storage disk report
[perfmon_freediskspace_anomalous]
search = sourcetype=Perfmon:FreeDiskSpace windows_storage_free_percent<10
#tags = anomalous
[perfmon_logicaldisk]
search = sourcetype=Perfmon:LogicalDisk OR sourcetype=PerfmonMk:LogicalDisk
#tags = performance storage disk
##ProcessorInformation
[perfmon_processorinformation]
search = (sourcetype=Perfmon:ProcessorInformation OR sourcetype=PerfmonMk:ProcessorInformation)
#tags = performance cpu report process
[wmi_freediskspace]
search = sourcetype=WMI:FreeDiskSpace
#tags = performance storage disk report
[wmi_freediskspace_anomalous]
search = sourcetype=WMI:FreeDiskSpace windows_storage_free_percent<10
#tags = anomalous
[wmi_logicaldisk]
search = sourcetype=WMI:LogicalDisk
#tags = performance storage disk
## Listening Ports
[script_listeningports]
search = sourcetype=Script:ListeningPorts
#tags = port listening report
## Local Processes
[wmi_localprocesses]
search = sourcetype=WMI:LocalProcesses
#tags = process report
[wmi_localprocesses_anomalous]
search = sourcetype=WMI:LocalProcesses (windows_cpu_load_percent>50) NOT windows_app=*Total
#tags = anomalous
## Memory
[perfmon_memory]
search = sourcetype=Perfmon:Memory OR sourcetype=PerfmonMk:Memory
#tags = performance memory report
[perfmon_memory_anomalous]
search = (sourcetype=Perfmon:Memory OR sourcetype=PerfmonMk:Memory) windows_mem_free<104857600
#tags = anomalous
[wmi_memory]
search = sourcetype=WMI:Memory
#tags = performance memory report
[wmi_memory_anomalous]
search = sourcetype=WMI:Memory windows_mem_free<104857600
#tags = anomalous
## Service
[wmi_service]
search = sourcetype=WMI:Service
#tags = service report
[wmi_service_status_anomalous]
search = sourcetype=WMI:Service Status=* NOT Status=OK
#tags = anomalous
[wmi_service_state_anomalous]
search = sourcetype=WMI:Service windows_start_mode=Auto windows_state=* NOT windows_state=Running
#tags = anomalous
## Network
[perfmon_network]
search = sourcetype=Perfmon:Network OR sourcetype=PerfmonMk:Network
#tags = performance network
[perfmon_network_throughput]
search = (sourcetype=Perfmon:LocalNetwork OR sourcetype=PerfmonMk:Network OR sourcetype=Perfmon:Network) (counter="Bytes Total/sec" OR Bytes_Total/sec = *)
#tags = performance network
[perfmon_network_bandwidth]
search = (sourcetype=Perfmon:LocalNetwork OR sourcetype=PerfmonMk:Network OR sourcetype=Perfmon:Network) (counter="Current Bandwidth" OR Current_Bandwidth=*)
#tags = performance network
[wmi_network_throughput]
search = sourcetype=WMI:LocalNetwork BytesTotalPersec=*
#tags = performance network
[wmi_network_bandwidth]
search = sourcetype=WMI:LocalNetwork CurrentBandwidth=*
#tags = performance network
## Process
[perfmon_process]
search = sourcetype=Perfmon:Process OR sourcetype=PerfmonMk:Process
#tags = performance process report
## Uptime
[wmi_uptime]
search = sourcetype=WMI:Uptime
#tags = performance uptime report
[wmi_uptime_anomalous]
search = sourcetype=WMI:Uptime windows_uptime>2592000
#tags = anomalous
## User Accounts
[wmi_useraccounts]
search = sourcetype=WMI:UserAccounts
#tags = account report inventory user
## Version
[wmi_version]
search = sourcetype=WMI:Version
#tags = system version report inventory
[microsoft_windows_hostmon_process]
search = sourcetype=WinHostMon source=process
#tags = process report
[microsoft_windows_hostmon_service]
search = sourcetype=WinHostMon source=service
#tags = service report
[microsoft_windows_hostmon_service_time]
search = sourcetype=WinHostMon source=service Name=W32Time
#tags = time synchronize os performance
### AD/DNS eventtypes###
[wineventlog-ds]
search = source="WinEventLog:Directory Service" OR source="XmlWinEventLog:Directory Service"
[powershell]
search = source=Powershell
[msad-dc-health]
search = eventtype=powershell sourcetype="MSAD:*:Health"
[msad-rep-health]
search = eventtype=powershell sourcetype="MSAD:*:Replication"
[msad-site]
search = eventtype=powershell sourcetype="MSAD:*:SiteInfo"
[msad-subnetinfo]
search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Subnet"
[msad-sitelinkinfo]
search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="SiteLink"
[msad-siteinfo]
search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Site"
[msad-subnet-affinity]
search = sourcetype="MSAD:*:Netlogon" msad_affinity=NO_CLIENT_SITE
[admon-gpo]
search = eventtype=admon objectCategory="*CN=Group-Policy-Container*"
[admon-group]
search = eventtype=admon objectCategory="*CN=Group*"
[admon-computer]
search = eventtype=admon objectCategory="*CN=Computer*"
[admon-user]
search = eventtype=admon objectCategory="*CN=Person*"
[admon]
search = sourcetype=ActiveDirectory
[perfmon]
search = sourcetype="Perfmon:*" OR sourcetype="PerfmonMk:*"
[ad-files]
search = sourcetype=MSAD:NT6:Replication OR sourcetype=MSAD:NT6:Health OR sourcetype=MSAD:NT6:SiteInfo OR sourcetype=MSAD:NT6:Netlogon OR sourcetype=ActiveDirectory OR sourcetype=MSAD:NT6:DNS-Health OR sourcetype=MSAD:NT6:DNS-Zone-Information OR sourcetype=MSAD:NT6:DNS
[perfmon-ntds]
search = eventtype=perfmon (sourcetype="Perfmon:NTDS" OR sourcetype="PerfmonMk:NTDS")
[nt6-dns-events]
search = sourcetype=MSAD:NT6:DNS
[wineventlog-dns]
search = source="WinEventLog:DNS Server" OR source="XmlWinEventLog:DNS Server"
[msad-dns-zoneinfo]
search = eventtype=powershell sourcetype="MSAD:*:DNS-Zone-Information"
[msad-dns-health]
search = eventtype=powershell sourcetype="MSAD:*:DNS-Health"
[msad-dns-debuglog]
search = eventtype=ad-files sourcetype="MSAD:*:DNS"
[perfmon-dns]
search = eventtype=perfmon (sourcetype="Perfmon:DNS" OR sourcetype="PerfmonMk:DNS")
[wineventlog-dfs]
search = source="WinEventLog:DFS Replication" OR source="XmlWinEventLog:DFS Replication"
[wineventlog-filereplication]
search = source="WinEventLog:File Replication Service" OR source="XmlWinEventLog:File Replication Service"
[wineventlog-keymanagement]
search = source="WinEventLog:Key Management Service" OR source="XmlWinEventLog:Key Management Service"
[endpoint_services_processes]
search = source="WMI:WinEventLog:Security" OR sourcetype="WinEventLog" OR sourcetype="XmlWinEventLog"
## Endpoint Processes
[windows_endpoint_processes]
search = (source="WinEventLog:Security" OR source="XmlWinEventLog:Security") (EventCode=4688 OR EventCode=4689 OR EventCode=4696 OR EventCode=4673 OR EventCode=4674)
#tags = process report
## Endpoint Services
[windows_endpoint_services]
search = (source="WinEventLog:Security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:System" OR source="XmlWinEventLog:System") (EventCode=1100 OR EventCode=4697 OR EventCode=5024 OR EventCode=5025 OR EventCode=5030 OR EventCode=5033 OR EventCode=5034 OR EventCode=5035 OR EventCode=5478 OR EventCode=7036 OR EventCode=7040 OR EventCode=7045)
#tags = service report
## Security-CIM Mappings
## Endpoint Registry
[windows_security_endpoint_registry]
search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=4657 OR (EventCode=4670 AND (Object_Type="Registry" OR ObjectType="Registry")))
#tags = endpoint registry
## Endpoint Port
[windows_security_endpoint_port]
search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=5158)
#tags = listening port
## Change Audit
[windows_security_change_audit]
search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=1101 OR EventCode=1108 OR EventCode=4719 OR EventCode=1102)
#tags = change audit
## Change
[windows_security_change]
search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=5461 OR EventCode=4698 OR EventCode=4700 OR EventCode=4701 OR EventCode=4702 OR EventCode=4706 OR EventCode=4713 OR EventCode=4744 OR EventCode=4749 OR EventCode=4750 OR EventCode=4759 OR EventCode=4799 OR EventCode=4876)
#tags = change
## Authentication
[windows_security_authentication]
search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=4624 OR EventCode=4625 OR EventCode=4672)
#tags = authentication
## Change Account - ADDON-42191
[windows_security_change_account]
search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) AND EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4732,4738,4740,4767,4781,4800,4801,4798,4794)
#tags = change account
## System-CIM Mapping
# Change Audit - ADDON-48489
[windows_system_change_audit]
search = (source=WinEventLog:System OR source=XmlWinEventLog:System) (EventCode=104)
#tags = change audit
# Monitoring dashboard - ADDON-75689
[windows_ta_data]
search = sourcetype IN ("PerfmonMk:*", "Perfmon:*", "MSAD:*", "WindowsUpdateLog", "WMI:*","WinEventLog","Script:NetworkConfiguration", "Script:TimesyncConfiguration", "ActiveDirectory", "WinHostMon", "WinRegistry", "Script:InstalledApps", "DhcpSrvLog", "wmi", "Script:ListeningPorts", "XmlWinEventLog:*", "host::WinEventLogForwardHost", "WinEventLog:*", "Script:TimesyncStatus", "XmlWinEventLog","powershell", "WinRegMon", "admon", "WinNetMon", "WinPrintMon", "win:bios") OR source IN ("WinEventLog:*", "WMI*", "WinEventLog*", "XmlWinEventLog:*", "*WindowsUpdate.Log", "WMI:WinEventLog*", "Powershell", "service", "processor", "process", "printer", "port","outbound","networkadapter","operatingsystem","inbound", "driver","disk","computer", "roles","WinRegistry", "PerfmonMk:*", "*win_timesync_status.bat","*win_timesync_configuration.bat","*win_listening_ports.bat", "*win_installed_apps.bat", "*netsh_address.bat", "*DHCP" ,"*netlogon.log","*dns.log")

442
deployment-apps/Splunk_TA_windows/default/inputs.conf
Unescape View File

@ -0,0 +1,442 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
## DO NOT EDIT THIS FILE!
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
## into ../local and edit there.
##
###### OS Logs ######
[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=true
[WinEventLog://System]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
###### Forwarded WinEventLogs (WEF) ######
[WinEventLog://ForwardedEvents]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false.
renderXml=true
host=WinEventLogForwardHost
###### WinEventLog Inputs for Active Directory ######
## Application and Services Logs - DFS Replication
[WinEventLog://DFS Replication]
disabled = 1
renderXml=true
## Application and Services Logs - Directory Service
[WinEventLog://Directory Service]
disabled = 1
renderXml=true
## Application and Services Logs - File Replication Service
[WinEventLog://File Replication Service]
disabled = 1
renderXml=true
## Application and Services Logs - Key Management Service
[WinEventLog://Key Management Service]
disabled = 1
renderXml=true
###### WinEventLog Inputs for DNS ######
[WinEventLog://DNS Server]
disabled=1
renderXml=true
###### DHCP ######
[monitor://$WINDIR\System32\DHCP]
disabled = 1
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
###### Windows Update Log ######
## Enable below stanza to get WindowsUpdate.log for Windows 8, Windows 8.1, Server 2008R2, Server 2012 and Server 2012R2
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 1
sourcetype = WindowsUpdateLog
## Enable below powershell and monitor stanzas to get WindowsUpdate.log for Windows 10 and Server 2016
## Below stanza will automatically generate WindowsUpdate.log daily
[powershell://generate_windows_update_logs]
script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\generate_windows_update_logs.ps1"
schedule = 0 */24 * * *
disabled = 1
## Below stanza will monitor the generated WindowsUpdate.log in Windows 10 and Server 2016
[monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows\WindowsUpdate.log]
disabled = 1
sourcetype = WindowsUpdateLog
###### Monitor Inputs for Active Directory ######
[monitor://$WINDIR\debug\netlogon.log]
sourcetype=MSAD:NT6:Netlogon
disabled=1
###### Monitor Inputs for DNS ######
[MonitorNoHandle://$WINDIR\System32\Dns\dns.log]
sourcetype=MSAD:NT6:DNS
disabled=1
###### Scripted Input (See also wmi.conf)
[script://.\bin\win_listening_ports.bat]
disabled = 1
## Run once per hour
interval = 3600
sourcetype = Script:ListeningPorts
[script://.\bin\win_installed_apps.bat]
disabled = 1
## Run once per day
interval = 86400
sourcetype = Script:InstalledApps
[script://.\bin\win_timesync_status.bat]
disabled = 1
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncStatus
[script://.\bin\win_timesync_configuration.bat]
disabled = 1
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncConfiguration
[script://.\bin\netsh_address.bat]
disabled = 1
## Run once per day
interval = 86400
sourcetype = Script:NetworkConfiguration
###### Scripted/Powershell Mod inputs Active Directory ######
## Replication Information NT6
[script://.\bin\runpowershell.cmd nt6-repl-stat.ps1]
source=Powershell
sourcetype=MSAD:NT6:Replication
interval=300
disabled=1
## Replication Information 2012r2 and 2016
[powershell://Replication-Stats]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-repl-stats.ps1"
schedule = 0 */5 * ? * *
source = Powershell
sourcetype=MSAD:NT6:Replication
disabled=1
## Health and Topology Information NT6
[script://.\bin\runpowershell.cmd nt6-health.ps1]
source=Powershell
sourcetype=MSAD:NT6:Health
interval=300
disabled=1
## Health and Topology Information 2012r2 and 2016
[powershell://AD-Health]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1"
schedule = 0 */5 * ? * *
source=Powershell
sourcetype=MSAD:NT6:Health
disabled=1
## Site, Site Link and Subnet Information NT6
[script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
source=Powershell
sourcetype=MSAD:NT6:SiteInfo
interval=3600
disabled=1
## Site, Site Link and Subnet Information 2012r2 and 2016
[powershell://Siteinfo]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-siteinfo.ps1"
schedule = 0 15 * ? * *
source = Powershell
sourcetype=MSAD:NT6:SiteInfo
disabled=1
##### Scripted Inputs for DNS #####
## DNS Zone Information Collection
[script://.\bin\runpowershell.cmd dns-zoneinfo.ps1]
source=Powershell
sourcetype=MSAD:NT6:DNS-Zone-Information
interval=3600
disabled=1
## DNS Health Information Collection
[script://.\bin\runpowershell.cmd dns-health.ps1]
source=Powershell
sourcetype=MSAD:NT6:DNS-Health
interval=3600
disabled=1
###### Host monitoring ######
[WinHostMon://Computer]
interval = 600
disabled = 1
type = Computer
[WinHostMon://Process]
interval = 600
disabled = 1
type = Process
[WinHostMon://Processor]
interval = 600
disabled = 1
type = Processor
[WinHostMon://NetworkAdapter]
interval = 600
disabled = 1
type = NetworkAdapter
[WinHostMon://Service]
interval = 600
disabled = 1
type = Service
[WinHostMon://OperatingSystem]
interval = 600
disabled = 1
type = OperatingSystem
[WinHostMon://Disk]
interval = 600
disabled = 1
type = Disk
[WinHostMon://Driver]
interval = 600
disabled = 1
type = Driver
[WinHostMon://Roles]
interval = 600
disabled = 1
type = Roles
###### Print monitoring ######
[WinPrintMon://printer]
type = printer
interval = 600
baseline = 1
disabled = 1
[WinPrintMon://driver]
type = driver
interval = 600
baseline = 1
disabled = 1
[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 1
###### Network monitoring ######
[WinNetMon://inbound]
direction = inbound
disabled = 1
[WinNetMon://outbound]
direction = outbound
disabled = 1
###### Splunk 5.0+ Performance Counters ######
## CPU
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 1
instances = *
interval = 10
mode = multikv
object = Processor
useEnglishOnly=true
## Logical Disk
[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 1
instances = *
interval = 10
mode = multikv
object = LogicalDisk
useEnglishOnly=true
## Physical Disk
[perfmon://PhysicalDisk]
counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 1
instances = *
interval = 10
mode = multikv
object = PhysicalDisk
useEnglishOnly=true
## Memory
[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 1
interval = 10
mode = multikv
object = Memory
useEnglishOnly=true
## Network
[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
disabled = 1
instances = *
interval = 10
mode = multikv
object = Network Interface
useEnglishOnly=true
## Process
[perfmon://Process]
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 1
instances = *
interval = 10
mode = multikv
object = Process
useEnglishOnly=true
## ProcessInformation
[perfmon://ProcessorInformation]
counters = % Processor Time; Processor Frequency
disabled = 1
instances = *
interval = 10
mode = multikv
object = Processor Information
useEnglishOnly=true
## System
[perfmon://System]
counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
disabled = 1
instances = *
interval = 10
mode = multikv
object = System
useEnglishOnly=true
###### Perfmon Inputs from TA-AD/TA-DNS ######
[perfmon://Processor]
object = Processor
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
instances = *
interval = 10
disabled = 1
mode = multikv
useEnglishOnly=true
[perfmon://Network_Interface]
object = Network Interface
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
instances = *
interval = 10
disabled = 1
mode = multikv
useEnglishOnly=true
[perfmon://DFS_Replicated_Folders]
object = DFS Replicated Folders
counters = Bandwidth Savings Using DFS Replication; RDC Bytes Received; RDC Compressed Size of Files Received; RDC Size of Files Received; RDC Number of Files Received; Compressed Size of Files Received; Size of Files Received; Total Files Received; Deleted Space In Use; Deleted Bytes Cleaned up; Deleted Files Cleaned up; Deleted Bytes Generated; Deleted Files Generated; Updates Dropped; File Installs Retried; File Installs Succeeded; Conflict Folder Cleanups Completed; Conflict Space In Use; Conflict Bytes Cleaned up; Conflict Files Cleaned up; Conflict Bytes Generated; Conflict Files Generated; Staging Space In Use; Staging Bytes Cleaned up; Staging Files Cleaned up; Staging Bytes Generated; Staging Files Generated
instances = *
interval = 30
disabled = 1
mode = multikv
useEnglishOnly=true
[perfmon://NTDS]
object = NTDS
counters = DRA Inbound Properties Total/sec; AB Browses/sec; DRA Inbound Objects Applied/sec; DS Threads in Use; AB Client Sessions; DRA Pending Replication Synchronizations; DRA Inbound Object Updates Remaining in Packet; DS Security Descriptor sub-operations/sec; DS Security Descriptor Propagations Events; LDAP Client Sessions; LDAP Active Threads; LDAP Writes/sec; LDAP Searches/sec; DRA Outbound Objects/sec; DRA Outbound Properties/sec; DRA Inbound Values Total/sec; DRA Sync Requests Made; DRA Sync Requests Successful; DRA Sync Failures on Schema Mismatch; DRA Inbound Objects/sec; DRA Inbound Properties Applied/sec; DRA Inbound Properties Filtered/sec; DS Monitor List Size; DS Notify Queue Size; LDAP UDP operations/sec; DS Search sub-operations/sec; DS Name Cache hit rate; DRA Highest USN Issued (Low part); DRA Highest USN Issued (High part); DRA Highest USN Committed (Low part); DRA Highest USN Committed (High part); DS % Writes from SAM; DS % Writes from DRA; DS % Writes from LDAP; DS % Writes from LSA; DS % Writes from KCC; DS % Writes from NSPI; DS % Writes Other; DS Directory Writes/sec; DS % Searches from SAM; DS % Searches from DRA; DS % Searches from LDAP; DS % Searches from LSA; DS % Searches from KCC; DS % Searches from NSPI; DS % Searches Other; DS Directory Searches/sec; DS % Reads from SAM; DS % Reads from DRA; DRA Inbound Values (DNs only)/sec; DRA Inbound Objects Filtered/sec; DS % Reads from LSA; DS % Reads from KCC; DS % Reads from NSPI; DS % Reads Other; DS Directory Reads/sec; LDAP Successful Binds/sec; LDAP Bind Time; SAM Successful Computer Creations/sec: Includes all requests; SAM Machine Creation Attempts/sec; SAM Successful User Creations/sec; SAM User Creation Attempts/sec; SAM Password Changes/sec; SAM Membership Changes/sec; SAM Display Information Queries/sec; SAM Enumerations/sec; SAM Transitive Membership Evaluations/sec; SAM Non-Transitive Membership Evaluations/sec; SAM Domain Local Group Membership Evaluations/sec; SAM Universal Group Membership Evaluations/sec; SAM Global Group Membership Evaluations/sec; SAM GC Evaluations/sec; DRA Inbound Full Sync Objects Remaining; DRA Inbound Bytes Total/sec; DRA Inbound Bytes Not Compressed (Within Site)/sec; DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec; DRA Outbound Bytes Total/sec; DRA Outbound Bytes Not Compressed (Within Site)/sec; DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec; DS Client Binds/sec; DS Server Binds/sec; DS Client Name Translations/sec; DS Server Name Translations/sec; DS Security Descriptor Propagator Runtime Queue; DS Security Descriptor Propagator Average Exclusion Time; DRA Outbound Objects Filtered/sec; DRA Outbound Values Total/sec; DRA Outbound Values (DNs only)/sec; AB ANR/sec; AB Property Reads/sec; AB Searches/sec; AB Matches/sec; AB Proxy Lookups/sec; ATQ Threads Total; ATQ Threads LDAP; ATQ Threads Other; DRA Inbound Bytes Total Since Boot; DRA Inbound Bytes Not Compressed (Within Site) Since Boot; DRA Inbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Inbound Bytes Compressed (Between Sites, After Compression) Since Boot; DRA Outbound Bytes Total Since Boot; DRA Outbound Bytes Not Compressed (Within Site) Since Boot; DRA Outbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Outbound Bytes Compressed (Between Sites, After Compression) Since Boot; LDAP New Connections/sec; LDAP Closed Connections/sec; LDAP New SSL Connections/sec; DRA Pending Replication Operations; DRA Threads Getting NC Changes; DRA Threads Getting NC Changes Holding Semaphore; DRA Inbound Link Value Updates Remaining in Packet; DRA Inbound Total Updates Remaining in Packet; DS % Writes from NTDSAPI; DS % Searches from NTDSAPI; DS % Reads from NTDSAPI; SAM Account Group Evaluation Latency; SAM Resource Group Evaluation Latency; ATQ Outstanding Queued Requests; ATQ Request Latency; ATQ Estimated Queue Delay; Tombstones Garbage Collected/sec; Phantoms Cleaned/sec; Link Values Cleaned/sec; Tombstones Visited/sec; Phantoms Visited/sec; NTLM Binds/sec; Negotiated Binds/sec; Digest Binds/sec; Simple Binds/sec; External Binds/sec; Fast Binds/sec; Base searches/sec; Subtree searches/sec; Onelevel searches/sec; Database adds/sec; Database modifys/sec; Database deletes/sec; Database recycles/sec; Approximate highest DNT; Transitive operations/sec; Transitive suboperations/sec; Transitive operations milliseconds run
interval = 10
disabled = 1
mode = multikv
useEnglishOnly=true
[perfmon://DNS]
object = DNS
counters = Total Query Received; Total Query Received/sec; UDP Query Received; UDP Query Received/sec; TCP Query Received; TCP Query Received/sec; Total Response Sent; Total Response Sent/sec; UDP Response Sent; UDP Response Sent/sec; TCP Response Sent; TCP Response Sent/sec; Recursive Queries; Recursive Queries/sec; Recursive Send TimeOuts; Recursive TimeOut/sec; Recursive Query Failure; Recursive Query Failure/sec; Notify Sent; Zone Transfer Request Received; Zone Transfer Success; Zone Transfer Failure; AXFR Request Received; AXFR Success Sent; IXFR Request Received; IXFR Success Sent; Notify Received; Zone Transfer SOA Request Sent; AXFR Request Sent; AXFR Response Received; AXFR Success Received; IXFR Request Sent; IXFR Response Received; IXFR Success Received; IXFR UDP Success Received; IXFR TCP Success Received; WINS Lookup Received; WINS Lookup Received/sec; WINS Response Sent; WINS Response Sent/sec; WINS Reverse Lookup Received; WINS Reverse Lookup Received/sec; WINS Reverse Response Sent; WINS Reverse Response Sent/sec; Dynamic Update Received; Dynamic Update Received/sec; Dynamic Update NoOperation; Dynamic Update NoOperation/sec; Dynamic Update Written to Database; Dynamic Update Written to Database/sec; Dynamic Update Rejected; Dynamic Update TimeOuts; Dynamic Update Queued; Secure Update Received; Secure Update Received/sec; Secure Update Failure; Database Node Memory; Record Flow Memory; Caching Memory; UDP Message Memory; TCP Message Memory; Nbstat Memory; Unmatched Responses Received
interval = 10
disabled = 1
mode = multikv
useEnglishOnly=true
[admon://default]
disabled = 1
monitorSubtree = 1
[WinRegMon://default]
disabled = 1
hive = .*
proc = .*
type = rename|set|delete|create
[WinRegMon://hkcu_run]
disabled = 1
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
[WinRegMon://hklm_run]
disabled = 1
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
[powershell://windows_bios_data]
script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\windows_bios_data.ps1"
schedule = 0 */24 * * *
source = Powershell
sourcetype = win:bios
disabled = 1

38
deployment-apps/Splunk_TA_windows/default/macros.conf
Unescape View File

@ -0,0 +1,38 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[events-search(6)]
args = LogName, EventHost, TaskCategory, SourceName, EventCode, Type
definition = eventtype="wineventlog_windows" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$"
[compute-ingestion-stats]
# The below post-process can be used to compute generic statistics about event ingestion
# The search computes event rate (count and size) in 5 minute chunks by assigning each event a weight of 1/300.0 and then computing the sum. This is the best way to get this into a sparkline.
definition = eval temp=1/300.0, event_size=len(_raw) | eval event_size_temp=len(_raw)/300.0 | stats sparkline(sum(temp), 5m) as "Events per second", sparkline(sum(event_size_temp), 5m) as "Event throughput (kbps)", sum(event_size) as TotalBytes, sum(temp) as tempsum by sourcetype | eval "Total MB"=round(TotalBytes/1024.0/1024.0,2) | addinfo | eval APS=tempsum/(info_max_time-info_min_time) | eval "Average events per second"=round(APS*300.0,2) | fields sourcetype "Events per second" "Event throughput (kbps)" "Average events per second" "Total MB"
[netmon-hosts-search]
definition = eventtype=netmon_windows | stats count by host | sort +host
[event-hosts-search]
definition = eventtype=wineventlog_windows | stats count by host | sort +host
[log-names-search]
definition = eventtype=wineventlog_windows | stats count by LogName | sort +LogName
[source-names-search(1)]
args = LogName
definition = eventtype=wineventlog_windows LogName="$LogName$" | stats count by SourceName | sort +SourceName
[task-categories-search(2)]
args = LogName, SourceName
definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" | stats count by TaskCategory | sort +TaskCategory
[event-codes-search(3)]
args = LogName, SourceName, TaskCategory
definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" TaskCategory="$TaskCategory$" | stats count by EventCode | sort +EventCode
[event-types-search(4)]
args = LogName, SourceName, TaskCategory, EventCode
definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" TaskCategory="$TaskCategory$" EventCode="$EventCode$" | stats count by Type | sort +Type

1935
deployment-apps/Splunk_TA_windows/default/props.conf
View File

File diff suppressed because it is too large Load Diff

674
deployment-apps/Splunk_TA_windows/default/tags.conf
Unescape View File

@ -0,0 +1,674 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
## DO NOT EDIT THIS FILE!
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
## into ../local and edit there.
###### Global Windows Eventtype ######
[eventtype=windows_event_signature]
track_event_signatures = enabled
[eventtype=wineventlog_windows]
os = enabled
windows = enabled
[eventtype=wineventlog_application]
os = enabled
windows = enabled
[eventtype=wineventlog_system]
os = enabled
windows = enabled
[eventtype=wineventlog_security]
os = enabled
windows = enabled
[eventtype=perfmon_windows]
os = enabled
windows = enabled
[eventtype=perfmon_processorinformation]
process = enabled
report = enabled
performance = enabled
cpu = enabled
[eventtype=hostmon_windows]
os = enabled
windows = enabled
[eventtype=hostmon_os]
os = enabled
windows = enabled
memory = enabled
performance = enabled
oshost = enabled
[eventtype=hostmon_inventory]
os = enabled
inventory = enabled
cpu = enabled
memory = enabled
oshost = enabled
[eventtype=hostmon_disk]
performance = enabled
inventory = enabled
storage = enabled
oshost = enabled
[eventtype=netmon_windows]
os = enabled
windows = enabled
[eventtype=printmon_windows]
os = enabled
windows = enabled
[eventtype=script_windows]
os = enabled
windows = enabled
[eventtype=wmi_windows]
os = enabled
windows = enabled
[eventtype=windowsupdatelog_windows]
os = enabled
windows = enabled
[eventtype=winregistry_windows]
os = enabled
windows = enabled
endpoint = enabled
change = enabled
registry = enabled
[eventtype=winsec]
security = enabled
###### DHCP ######
[eventtype=msdhcp]
dhcp = enabled
network = enabled
session = enabled
windows = enabled
[eventtype=msdhcp_start]
start = enabled
[eventtype=msdhcp_end]
end = disabled
[eventtype=DhcpSrvLog]
windows = enabled
[eventtype=DhcpSrvLog_dhcp]
dhcp = enabled
network = enabled
session = enabled
[eventtype=DhcpSrvLog_start]
dhcp = enabled
network = enabled
session = enabled
start = enabled
[eventtype=DhcpSrvLog_end]
dhcp = enabled
network = enabled
session = enabled
end = enabled
###### Security: Account Logon ######
[eventtype=windows_auth_ticket_granted]
authentication = enabled
[eventtype=windows_service_ticket_granted]
authentication = enabled
[eventtype=windows_pre_auth_failed]
authentication = enabled
[eventtype=windows_account_used4logon]
authentication = enabled
[eventtype=windows_session_disconnected]
access = enabled
stop = enabled
logoff = enabled
###### Security: Account Management ######
[eventtype=windows_account_management]
account = enabled
change = enabled
management = enabled
[eventtype=windows_account_created]
add = enabled
account = enabled
change = enabled
[eventtype=windows_account_enabled]
enable = enabled
account = enabled
change = enabled
[eventtype=windows_account_password_change]
password = enabled
modify = enabled
account = enabled
change = enabled
[eventtype=windows_account_password_set]
password = enabled
modify = enabled
account = enabled
change = enabled
[Service_Name=kadmin%2Fchangepw]
account = enabled
change = enabled
password = enabled
modify = enabled
[eventtype=windows_account_disabled]
disable = enabled
account = enabled
change = enabled
[eventtype=windows_account_deleted]
delete = enabled
account = enabled
change = enabled
[eventtype=windows_account_modified]
modify = enabled
account = enabled
change = enabled
[eventtype=windows_account_lockout]
lock = enabled
lockout = enabled
account = enabled
change = enabled
[eventtype=windows_account_unlocked]
modify = enabled
account = enabled
change = enabled
###### Security: Audit (Event Log) ######
[eventtype=windows_audit_log_stopped]
stop = enabled
stopped = enabled
watchlist = enabled
[eventtype=windows_audit_errors]
audit = enabled
error = enabled
[eventtype=windows_audit_log_cleared]
audit = enabled
change = enabled
delete = enabled
cleared = enabled
watchlist = enabled
[eventtype=windows_audit_backup]
audit = enabled
backup = enabled
change = enabled
[eventtype=windows_audit_log_logon]
audit = enabled
change = enabled
[privilege_id=SeAuditPrivilege]
audit = enabled
[privilege_id=SeSecurityPrivilege]
audit = enabled
###### Security: Logon/Logoff ######
[eventtype=windows_logoff]
access = enabled
stop = enabled
logoff = enabled
[eventtype=windows_logon_explicit]
authentication = enabled
privileged = enabled
[eventtype=windows_logon_failure]
authentication = enabled
[app=win%3Alocal]
local = enabled
[app=win%3Aremote]
remote = enabled
[eventtype=windows_logon_success]
authentication = enabled
[Logon_Type=8]
cleartext = enabled
###### Security: Object Access ######
[eventtype=windows_object_open]
resource = enabled
file = enabled
access = enabled
start = enabled
[eventtype=windows_handle_closed]
resource = enabled
file = enabled
access = enabled
stop = enabled
###### Security: Policy Change ######
[eventtype=windows_audit_policy_change]
policy = enabled
configuration = enabled
modify = enabled
audit = enabled
change = enabled
[eventtype=windows_security_access_granted]
access = enabled
authorization = enabled
add = enabled
change = enabled
account = enabled
[eventtype=windows_security_access_removed]
access = enabled
authorization = enabled
delete = enabled
change = enabled
account = enabled
[eventtype=windows_audit_policy_changed]
policy = enabled
configuration = enabled
modify = enabled
audit = enabled
change = enabled
[eventtype=windows_firewall_policy_active]
application = enabled
firewall = enabled
configuration = enabled
report = enabled
[eventtype=windows_firewall_policy_change]
application = enabled
firewall = enabled
configuration = enabled
modify = enabled
[eventtype=windows_firewall_port_listening]
application = enabled
firewall = enabled
port = enabled
listening = enabled
report = enabled
###### Security: Privilege Use ######
[eventtype=windows_special_privileges]
authentication = enabled
privileged = enabled
[eventtype=windows_privileged_service_call]
process = enabled
execute = enabled
start = enabled
privileged = enabled
[eventtype=windows_privileged_object_operation]
resource = enabled
execute = enabled
start = enabled
privileged = enabled
###### Security: Process Tracking ######
[eventtype=windows_process_new]
process = enabled
execute = enabled
start = enabled
[eventtype=windows_process_exit]
process = enabled
execute = enabled
stop = enabled
[eventtype=windows_process_token]
process = enabled
execute = enabled
start = enabled
privileged = enabled
[Token_Elevation_Type_id=2]
privileged = enabled
###### Security: System ######
[eventtype=windows_auth_package]
process = enabled
execute = enabled
start = enabled
[eventtype=windows_logon_process]
process = enabled
authorization = enabled
add = enabled
[eventtype=windows_notification_package]
process = enabled
execute = enabled
start = enabled
###### Security: Vulnerability ######
[eventtype=windows_security_misconfiguration_password_minimum_length]
misconfiguration = enabled
password = enabled
policy = enabled
vulnerability = enabled
report = enabled
audit = enabled
change = enabled
###### System: Time ######
[eventtype=windows_time_sync]
report = enabled
time = enabled
synchronize = enabled
success = enabled
performance = enabled
[eventtype=windows_time_failure]
report = enabled
time = enabled
synchronize = enabled
failure = enabled
performance = enabled
###### System: Update ######
[eventtype=windows_system_update]
system = enabled
update = enabled
[eventtype=windows_system_update_status]
status = enabled
[eventtype=windows_updatelog]
system = enabled
update = enabled
[eventtype=windows_updatelog_status]
status = enabled
## WMI:Update
[eventtype=wmi_installed_packages]
system = enabled
update = enabled
status = enabled
###### Splunk WMI ######
## ComputerSystem
[eventtype=wmi_computersystem]
performance = enabled
memory = enabled
## CPUTime
[eventtype=perfmon_cputime]
cpu = enabled
report = enabled
performance = enabled
oshost = enabled
[eventtype=perfmon_cputime_anomalous]
anomalous = enabled
[eventtype=wmi_cputime]
cpu = enabled
report = enabled
performance = enabled
[eventtype=wmi_cputime_anomalous]
anomalous = enabled
## System
[eventtype=perfmon_system]
cpu = enabled
report = enabled
performance = enabled
oshost = enabled
## Disk
[eventtype=perfmon_freediskspace]
disk = enabled
report = enabled
performance = enabled
storage = enabled
oshost = enabled
[eventtype=perfmon_freediskspace_anomalous]
anomalous = enabled
[eventtype=wmi_freediskspace]
disk = enabled
report = enabled
performance = enabled
storage = enabled
[eventtype=wmi_freediskspace_anomalous]
anomalous = enabled
[eventtype=perfmon_logicaldisk]
disk = enabled
performance = enabled
storage = enabled
oshost = enabled
[eventtype=wmi_logicaldisk]
disk = enabled
performance = enabled
storage = enabled
## Network
[eventtype=perfmon_network]
network = enabled
performance = enabled
oshost = enabled
[eventtype=perfmon_network_throughput]
network = enabled
performance = enabled
oshost = enabled
[eventtype=perfmon_network_bandwidth]
network = enabled
performance = enabled
oshost = enabled
[eventtype=wmi_network_throughput]
network = enabled
performance = enabled
[eventtype=wmi_network_bandwidth]
network = enabled
performance = enabled
## Process
[eventtype=perfmon_process]
performance = enabled
process = enabled
oshost = enabled
report = enabled
## Listening Ports
[eventtype=script_listeningports]
port = enabled
listening = enabled
report = enabled
## Local Processes
[eventtype=wmi_localprocesses]
process = enabled
report = enabled
[eventtype=wmi_localprocesses_anomalous]
anomalous = enabled
## Memory
[eventtype=perfmon_memory]
memory = enabled
report = enabled
performance = enabled
oshost = enabled
[eventtype=perfmon_memory_anomalous]
anomalous = enabled
[eventtype=wmi_memory]
memory = enabled
report = enabled
performance = enabled
[eventtype=wmi_memory_anomalous]
anomalous = enabled
## Service
[eventtype=wmi_service]
service = enabled
report = enabled
[eventtype=wmi_service_status_anomalous]
anomalous = enabled
[eventtype=wmi_service_state_anomalous]
anomalous = enabled
[app=W32Time]
time = enabled
synchronize = enabled
[app=wuauserv]
automatic = enabled
update = enabled
## Uptime
[eventtype=wmi_uptime]
uptime = enabled
report = enabled
performance = enabled
[eventtype=wmi_uptime_anomalous]
anomalous = enabled
## User Accounts
[eventtype=wmi_useraccounts]
account = enabled
report = enabled
inventory = enabled
user = enabled
## Version
[eventtype=wmi_version]
system = enabled
version = enabled
report = enabled
inventory = enabled
[eventtype=windows_account_mapped]
authentication = enabled
[eventtype=windows_account_notmapped]
authentication = enabled
[eventtype=microsoft_windows_hostmon_process]
process = enabled
report = enabled
[eventtype=microsoft_windows_hostmon_service]
service = enabled
report = enabled
[eventtype=microsoft_windows_hostmon_service_time]
time = enabled
synchronize = enabled
os = enabled
performance = enabled
## Endpoint.processes Data Model
[eventtype=windows_endpoint_processes]
process = enabled
report = enabled
## Endpoint.services Data Model
[eventtype=windows_endpoint_services]
service = enabled
report = enabled
## Security-CIM Mappings
## Endpoint Registry Data Model
[eventtype=windows_security_endpoint_registry]
endpoint = enabled
registry = enabled
## Endpoint Port Data Model
[eventtype=windows_security_endpoint_port]
listening = enabled
port = enabled
## Change Audit Data Model
[eventtype=windows_security_change_audit]
change = enabled
audit = enabled
## Change Data Model
[eventtype=windows_security_change]
change = enabled
# Authentication Data Model
[eventtype=windows_security_authentication]
authentication = enabled
[eventtype=windows_security_change_account]
change = enabled
account = enabled
# Change Audit DM for Windows System
[eventtype=windows_system_change_audit]
change = enabled
audit = enabled
# Network resolution (dns) DM for DNS events.
[eventtype=nt6-dns-events]
network = enabled
resolution = enabled
dns = enabled

1482
deployment-apps/Splunk_TA_windows/default/transforms.conf
View File

File diff suppressed because it is too large Load Diff

152
deployment-apps/Splunk_TA_windows/default/wmi.conf
Unescape View File

@ -0,0 +1,152 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
## DO NOT EDIT THIS FILE!
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
## into ../local and edit there.
##
## This file contains possible attribute/value pairs for configuring WMI access FROM Splunk.
##
[settings]
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 0
checkpoint_sync_interval = 2
## Pull event logs FROM the local system
## Usually disabled in favor of using WinEventLog inputs
[WMI:LocalApplication]
interval = 10
event_log_file = Application
disabled = 1
[WMI:LocalSystem]
interval = 10
event_log_file = System
disabled = 1
[WMI:LocalSecurity]
interval = 10
event_log_file = Security
disabled = 1
## Gather performance data FROM the local system
## Computer System
[WMI:ComputerSystem]
disabled = 1
## Run once per day
interval = 86400
wql = SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
## CPU
## Usually disabled in favor of Perfmon counters
[WMI:CPUTime]
interval = 3
wql = SELECT PercentProcessorTime,PercentUserTime,Name FROM Win32_PerfFormattedData_PerfOS_Processor
disabled = 1
## Disk
## Usually disabled in favor of Perfmon counters
[WMI:FreeDiskSpace]
interval = 120
wql = SELECT Name,FreeMegabytes,PercentFreeSpace FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
disabled = 1
[WMI:LogicalDisk]
interval = 120
wql = SELECT Name,AvgDisksecPerRead,AvgDisksecPerWrite,AvgDisksecPerTransfer,DiskReadsPersec,DiskWritesPersec FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
disabled = 1
[WMI:LocalPhysicalDisk]
interval = 10
wql = SELECT Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime FROM Win32_PerfFormattedData_PerfDisk_PhysicalDisk
disabled = 1
## Memory
## Usually disabled in favor of Perfmon counters
[WMI:Memory]
interval = 5
wql = SELECT PagesPerSec, PagesInputPerSec, PagesOutputPerSec, AvailableBytes, CommittedBytes, PercentCommittedBytesInUse, PoolPagedBytes, PoolNonpagedBytes FROM Win32_PerfFormattedData_PerfOS_Memory
disabled = 1
## Network
## Usuall disabled in favor of Perfmon counters
[WMI:LocalNetwork]
interval = 10
wql = SELECT Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth FROM Win32_PerfFormattedData_Tcpip_NetworkInterface
disabled = 1
## Processes
[WMI:LocalProcesses]
interval = 30
wql = SELECT Name, IDProcess, PrivateBytes, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process
disabled = 1
## Scheduled Jobs
## Use the Win32_ScheduledJob class. Note that this class can only return jobs that are created using either a script or AT.exe.
## It cannot return information about jobs that are either created by or modified by the Scheduled Task wizard.
[WMI:ScheduledJobs]
disabled = 1
## Run twice per day
interval = 43200
wql = SELECT Caption, Command, Description, InstallDate, InteractWithDesktop, JobId, JobStatus, Name, Notify, Priority, RunRepeatedly, Status FROM Win32_ScheduledJob
## Services
## http://msdn.microsoft.com/en-us/library/aa394418(VS.85).aspx
## Lists all services registered on the system,if they are running,and the status
[WMI:Service]
disabled = 1
## Run once an hour
interval = 3600
wql = SELECT Name, Caption, State, Status, StartMode, StartName, PathName, Description FROM Win32_Service
## Update
[WMI:InstalledUpdates]
disabled = 1
## Run once per day
interval = 86400
wql = SELECT Description, FixComments, HotFixID, InstalledBy, InstalledOn, ServicePackInEffect FROM Win32_QuickFixEngineering
## Uptime
[WMI:Uptime]
disabled = 1
## Run once per day
interval = 86400
wql = SELECT SystemUpTime FROM Win32_PerfFormattedData_PerfOS_System
## User Accounts
[WMI:UserAccounts]
disabled = 1
## Run twice per day
interval = 43200
wql = SELECT Caption, Description, Domain, InstallDate, LocalAccount, Name, SID, SIDType, Status FROM Win32_Account WHERE LocalAccount = true
## Deprecated: The SIDs for local accounts can be retrieved by enabling the WMI:UserAccounts stanza
## disabled = 1
## Run twice per day
## interval = 43200
## wql = SELECT * FROM Win32_AccountSID
## Version
[WMI:Version]
disabled = 1
## Run once per day
interval = 86400
wql = SELECT Caption, ServicePackMajorVersion, ServicePackMinorVersion, Version FROM Win32_OperatingSystem

50
deployment-apps/Splunk_TA_windows/default/workflow_actions.conf
Unescape View File

@ -0,0 +1,50 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
## DO NOT EDIT THIS FILE!
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
## into ../local and edit there.
##
###### EventID.net ######
[windows_eventidnet_winapp]
display_location = both
eventtypes = winapp
fields = SourceName, EventCode, signature_id
label = EventId Encyclopedia
link.method = get
link.target = blank
link.uri = https://www.eventid.net/display.asp?eventid=$signature_id$&source=$SourceName$
type = link
[windows_eventidnet_winsec]
display_location = both
eventtypes = winsec
fields = SourceName, EventCode, signature_id
label = EventId Encyclopedia
link.method = get
link.target = blank
link.uri = https://www.eventid.net/display.asp?eventid=$signature_id$&source=$SourceName$
type = link
[windows_eventidnet_winsystem]
display_location = both
eventtypes = winsystem
fields = SourceName, EventCode, signature_id
label = EventId Encyclopedia
link.method = get
link.target = blank
link.uri = https://www.eventid.net/display.asp?eventid=$signature_id$&source=$SourceName$
type = link
###### Ultimate Windows Security ######
[windows_ultimatewinsec]
display_location = both
eventtypes = winsec
fields = EventCode, signature_id
label = Winsec Encyclopedia
link.method = get
link.target = blank
link.uri = https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=$signature_id$
type = link

8
deployment-apps/Splunk_TA_windows/lookups/dns_recordclass_lookup.csv
Unescape View File

@ -0,0 +1,8 @@
record_class_number,record_class
0,reserved
1,internet(IN)
2,unassigned
3,chaos (CH)
4,hesiod (HS)
255,* (any)
65535,reserved
1 record_class_number record_class
2 0 reserved
3 1 internet(IN)
4 2 unassigned
5 3 chaos (CH)
6 4 hesiod (HS)
7 255 * (any)
8 65535 reserved

5
deployment-apps/Splunk_TA_windows/lookups/msad_group_type.csv
Unescape View File

@ -0,0 +1,5 @@
MSADGroupClassID,MSADGroupClass
Enabled,Security
Disabled,Distribution
enabled,Security
disabled,Distribution
1 MSADGroupClassID MSADGroupClass
2 Enabled Security
3 Disabled Distribution
4 enabled Security
5 disabled Distribution

80
deployment-apps/Splunk_TA_windows/lookups/msdhcp_signatures.csv
Unescape View File

@ -0,0 +1,80 @@
msdhcp_id,signature
00,"The log was started"
01,"The log was stopped"
02,"The log was temporarily paused due to low disk space"
0,"The log was started"
1,"The log was stopped"
2,"The log was temporarily paused due to low disk space"
10,"A new IP address was leased to a client"
11,"A lease was renewed by a client"
12,"A lease was released by a client"
13,"An IP address was found to be in use on the network"
14,"A lease request could not be satisfied because the scope's address pool was exhausted"
15,"A lease was denied"
16,"A lease was deleted"
17,"A lease was expired and DNS records for an expired leases have not been deleted"
18,"A lease was expired and DNS records were deleted"
20,"A BOOTP address was leased to a client"
21,"A dynamic BOOTP address was leased to a client"
22,"A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"
23,"A BOOTP IP address was deleted after checking to see that it was not in use"
24,"IP address cleanup operation has began"
25,"IP address cleanup statistics"
30,"DNS dynamic update request"
31,"DNS dynamic update failed"
32,"DNS dynamic update successful"
33,"Packet dropped due to NAP policy"
34,"DNS update request failed.as the DNS update request queue limit exceeded"
35,"DNS update request failed"
36,"Packet dropped because the server is in failover standby role or the hash of the client ID does not match"
50,"Rogue Server Detection"
51,"Rogue Server Detection"
52,"Rogue Server Detection"
53,"Rogue Server Detection"
54,"Rogue Server Detection"
55,"Rogue Server Detection"
56,"Rogue Server Detection"
57,"Rogue Server Detection"
58,"Rogue Server Detection"
59,"Rogue Server Detection"
60,"Rogue Server Detection"
61,"Rogue Server Detection"
62,"Rogue Server Detection"
63,"Rogue Server Detection"
64,"Rogue Server Detection"
65,"Rogue Server Detection"
66,"Rogue Server Detection"
67,"Rogue Server Detection"
68,"Rogue Server Detection"
69,"Rogue Server Detection"
70,"Rogue Server Detection"
71,"Rogue Server Detection"
72,"Rogue Server Detection"
73,"Rogue Server Detection"
74,"Rogue Server Detection"
75,"Rogue Server Detection"
76,"Rogue Server Detection"
77,"Rogue Server Detection"
78,"Rogue Server Detection"
79,"Rogue Server Detection"
80,"Rogue Server Detection"
81,"Rogue Server Detection"
82,"Rogue Server Detection"
83,"Rogue Server Detection"
84,"Rogue Server Detection"
85,"Rogue Server Detection"
86,"Rogue Server Detection"
87,"Rogue Server Detection"
88,"Rogue Server Detection"
89,"Rogue Server Detection"
90,"Rogue Server Detection"
91,"Rogue Server Detection"
92,"Rogue Server Detection"
93,"Rogue Server Detection"
94,"Rogue Server Detection"
95,"Rogue Server Detection"
96,"Rogue Server Detection"
97,"Rogue Server Detection"
98,"Rogue Server Detection"
99,"Rogue Server Detection"
100,"Rogue Server Detection"
1 msdhcp_id signature
2 00 The log was started
3 01 The log was stopped
4 02 The log was temporarily paused due to low disk space
5 0 The log was started
6 1 The log was stopped
7 2 The log was temporarily paused due to low disk space
8 10 A new IP address was leased to a client
9 11 A lease was renewed by a client
10 12 A lease was released by a client
11 13 An IP address was found to be in use on the network
12 14 A lease request could not be satisfied because the scope's address pool was exhausted
13 15 A lease was denied
14 16 A lease was deleted
15 17 A lease was expired and DNS records for an expired leases have not been deleted
16 18 A lease was expired and DNS records were deleted
17 20 A BOOTP address was leased to a client
18 21 A dynamic BOOTP address was leased to a client
19 22 A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted
20 23 A BOOTP IP address was deleted after checking to see that it was not in use
21 24 IP address cleanup operation has began
22 25 IP address cleanup statistics
23 30 DNS dynamic update request
24 31 DNS dynamic update failed
25 32 DNS dynamic update successful
26 33 Packet dropped due to NAP policy
27 34 DNS update request failed.as the DNS update request queue limit exceeded
28 35 DNS update request failed
29 36 Packet dropped because the server is in failover standby role or the hash of the client ID does not match
30 50 Rogue Server Detection
31 51 Rogue Server Detection
32 52 Rogue Server Detection
33 53 Rogue Server Detection
34 54 Rogue Server Detection
35 55 Rogue Server Detection
36 56 Rogue Server Detection
37 57 Rogue Server Detection
38 58 Rogue Server Detection
39 59 Rogue Server Detection
40 60 Rogue Server Detection
41 61 Rogue Server Detection
42 62 Rogue Server Detection
43 63 Rogue Server Detection
44 64 Rogue Server Detection
45 65 Rogue Server Detection
46 66 Rogue Server Detection
47 67 Rogue Server Detection
48 68 Rogue Server Detection
49 69 Rogue Server Detection
50 70 Rogue Server Detection
51 71 Rogue Server Detection
52 72 Rogue Server Detection
53 73 Rogue Server Detection
54 74 Rogue Server Detection
55 75 Rogue Server Detection
56 76 Rogue Server Detection
57 77 Rogue Server Detection
58 78 Rogue Server Detection
59 79 Rogue Server Detection
60 80 Rogue Server Detection
61 81 Rogue Server Detection
62 82 Rogue Server Detection
63 83 Rogue Server Detection
64 84 Rogue Server Detection
65 85 Rogue Server Detection
66 86 Rogue Server Detection
67 87 Rogue Server Detection
68 88 Rogue Server Detection
69 89 Rogue Server Detection
70 90 Rogue Server Detection
71 91 Rogue Server Detection
72 92 Rogue Server Detection
73 93 Rogue Server Detection
74 94 Rogue Server Detection
75 95 Rogue Server Detection
76 96 Rogue Server Detection
77 97 Rogue Server Detection
78 98 Rogue Server Detection
79 99 Rogue Server Detection
80 100 Rogue Server Detection

2
deployment-apps/Splunk_TA_windows/lookups/object_category_850.csv
Unescape View File

@ -0,0 +1,2 @@
object,object_category
WinRegistry,registry
1 object object_category
2 WinRegistry registry

2
deployment-apps/Splunk_TA_windows/lookups/status_850.csv
Unescape View File

@ -0,0 +1,2 @@
vendor_status,status
0,success
1 vendor_status status
2 0 success

2
deployment-apps/Splunk_TA_windows/lookups/user_types.csv
Unescape View File

@ -0,0 +1,2 @@
sourcetype,user_type
WinRegistry,process
1 sourcetype user_type
2 WinRegistry process

11
deployment-apps/Splunk_TA_windows/lookups/vendor_actions.csv
Unescape View File

@ -0,0 +1,11 @@
vendor_action,action
CreateKey,created
SetValue,modified
DeleteKey,deleted
RenameKey,modified
add,created
delete,deleted
update,modified
created,created
deleted,deleted
modified,modified
1 vendor_action action
2 CreateKey created
3 SetValue modified
4 DeleteKey deleted
5 RenameKey modified
6 add created
7 delete deleted
8 update modified
9 created created
10 deleted deleted
11 modified modified

18
deployment-apps/Splunk_TA_windows/lookups/windows_actions.csv
Unescape View File

@ -0,0 +1,18 @@
Type,action
"audit failure",failure
"Audit Failure",failure
"AUDIT_FAILURE",failure
"failure audit",failure
"Failure Audit",failure
"FAILURE_AUDIT",failure
"audit success",success
"Audit Success",success
"AUDIT_SUCCESS",success
"success audit",success
"Success Audit",success
"SUCCESS_AUDIT",success
"success","success"
"failure","failure"
"0x8010000000000000","failure"
"0x8020000000000000","success"
"0x4020000000000000","success"
1 Type action
2 audit failure failure
3 Audit Failure failure
4 AUDIT_FAILURE failure
5 failure audit failure
6 Failure Audit failure
7 FAILURE_AUDIT failure
8 audit success success
9 Audit Success success
10 AUDIT_SUCCESS success
11 success audit success
12 Success Audit success
13 SUCCESS_AUDIT success
14 success success
15 failure failure
16 0x8010000000000000 failure
17 0x8020000000000000 success
18 0x4020000000000000 success

21
deployment-apps/Splunk_TA_windows/lookups/windows_apps.csv
Unescape View File

@ -0,0 +1,21 @@
EventCode,Source_Network_Address,Target_Server_Name,Logon_Type,source,app
552,,,,,win:remote
4648,,,,,win:remote
,127.0.0.1,,,,win:local
,::1,,,,win:local
,,localhost,,,win:local
,,,0,,win:unknown
,,,1,,win:unknown
,,,2,,win:local
,,,3,,win:remote
,,,4,,win:local
,,,5,,win:local
,,,6,,win:local
,,,7,,win:local
,,,8,,win:remote
,,,9,,win:local
,,,10,,win:remote
,,,11,,win:local
,,,,WinEventLog:Security,win:unknown
,,,,XmlWinEventLog:Security,win:unknown
,,,,WMI:WinEventLog:Security,win:unknown
1 EventCode Source_Network_Address Target_Server_Name Logon_Type source app
2 552 win:remote
3 4648 win:remote
4 127.0.0.1 win:local
5 ::1 win:local
6 localhost win:local
7 0 win:unknown
8 1 win:unknown
9 2 win:local
10 3 win:remote
11 4 win:local
12 5 win:local
13 6 win:local
14 7 win:local
15 8 win:remote
16 9 win:local
17 10 win:remote
18 11 win:local
19 WinEventLog:Security win:unknown
20 XmlWinEventLog:Security win:unknown
21 WMI:WinEventLog:Security win:unknown

73
deployment-apps/Splunk_TA_windows/lookups/windows_audit_changes_900.csv
Unescape View File

@ -0,0 +1,73 @@
EventCode,action,change_type,object_category
517,cleared,audit,audit
1100,stopped,audit,audit
1102,cleared,audit,audit log
4720,created,AAA,user
4741,created,user,user
624,created,user,user
645,created,user,user
4722,modified,AAA,user
626,modified,user,user
4723,modified,AAA,user
627,modified,user,user
4724,modified,AAA,user
628,modified,user,user
4725,modified,AAA,user
629,modified,user,user
4726,deleted,AAA,user
4743,deleted,user,user
630,deleted,user,user
647,deleted,user,user
4738,modified,AAA,user
4742,modified,user,user
642,modified,user,user
646,modified,user,user
4740,lockout,AAA,user
644,modified,user,user
625,modified,user,user
671,modified,user,user
4767,modified,AAA,user
1101,success,audit,audit
1108,success,audit,audit
4719,modified,audit,audit policy
4717,,AAA,security access
4718,,AAA,security access
4727,,AAA,group
4728,,AAA,user
4729,,AAA,user
4730,,AAA,group
4731,,AAA,group
4732,modified,AAA,user
4733,,AAA,user
4734,,AAA,group
4735,,AAA,group
4737,,AAA,group
4739,,AAA,global group
4750,modified,AAA,user group
4753,,AAA,global group
4754,,AAA,group
4755,,AAA,group
4756,,AAA,user
4757,,AAA,user
4758,,AAA,group
4764,,AAA,group
4799,,AAA,group
4781,modified,AAA,user
4703,modified,AAA,user
4704,modified,AAA,user
4705,modified,AAA,user
4706,modified,AAA,directory service
4800,locked,AAA,user
4801,unlocked,AAA,user
4634,logoff,AAA,user
4698,created,scheduled task,scheduled task
4700,started,scheduled task,scheduled task
4701,stopped,scheduled task,scheduled task
4702,modified,scheduled task,scheduled task
4713,modified,AAA,directory service
4794,modified,AAA,user
4798,read,AAA,user
4744,created,AAA,user group
4749,created,AAA,user group
4759,created,AAA,user group
4876,read,AAA,database
1 EventCode action change_type object_category
2 517 cleared audit audit
3 1100 stopped audit audit
4 1102 cleared audit audit log
5 4720 created AAA user
6 4741 created user user
7 624 created user user
8 645 created user user
9 4722 modified AAA user
10 626 modified user user
11 4723 modified AAA user
12 627 modified user user
13 4724 modified AAA user
14 628 modified user user
15 4725 modified AAA user
16 629 modified user user
17 4726 deleted AAA user
18 4743 deleted user user
19 630 deleted user user
20 647 deleted user user
21 4738 modified AAA user
22 4742 modified user user
23 642 modified user user
24 646 modified user user
25 4740 lockout AAA user
26 644 modified user user
27 625 modified user user
28 671 modified user user
29 4767 modified AAA user
30 1101 success audit audit
31 1108 success audit audit
32 4719 modified audit audit policy
33 4717 AAA security access
34 4718 AAA security access
35 4727 AAA group
36 4728 AAA user
37 4729 AAA user
38 4730 AAA group
39 4731 AAA group
40 4732 modified AAA user
41 4733 AAA user
42 4734 AAA group
43 4735 AAA group
44 4737 AAA group
45 4739 AAA global group
46 4750 modified AAA user group
47 4753 AAA global group
48 4754 AAA group
49 4755 AAA group
50 4756 AAA user
51 4757 AAA user
52 4758 AAA group
53 4764 AAA group
54 4799 AAA group
55 4781 modified AAA user
56 4703 modified AAA user
57 4704 modified AAA user
58 4705 modified AAA user
59 4706 modified AAA directory service
60 4800 locked AAA user
61 4801 unlocked AAA user
62 4634 logoff AAA user
63 4698 created scheduled task scheduled task
64 4700 started scheduled task scheduled task
65 4701 stopped scheduled task scheduled task
66 4702 modified scheduled task scheduled task
67 4713 modified AAA directory service
68 4794 modified AAA user
69 4798 read AAA user
70 4744 created AAA user group
71 4749 created AAA user group
72 4759 created AAA user group
73 4876 read AAA database

43
deployment-apps/Splunk_TA_windows/lookups/windows_dns_action_lookup.csv
Unescape View File

@ -0,0 +1,43 @@
message_type,vendor_dns_action,action,reply_code,reply_code_id
Response,NOERROR,success,No Error,0
Response,FORMERR,failure,Format Error,1
Response,SERVFAIL,failure,Server Failure,2
Response,NXDOMAIN,failure,Non-Existent Domain,3
Response,NOTIMPL,failure,NotImp,4
Response,REFUSED,failure,Refused,5
Response,YXDOMAIN,failure,YXDomain,6
Response,YXRRSET,failure,YXRRSet,7
Response,NXRRSET,failure,NXRRSer,8
Response,NOTAUTH,failure,NotAuth,9
Response,NOTZONE,failure,NotZone,10
Response,DSOTYPENI,failure,DSOTYPENI,11
Response,BADVERS,failure,BADVERS,16
Response,BADSIG,failure,BADSIG,16
Response,BADKEY,failure,BADKEY,17
Response,BADTIME,failure,BADTIME,18
Response,BADMODE,failure,BADMODE,19
Response,BADNAME,failure,BADNAME,20
Response,BADALG,failure,BADALG,21
Response,BADTRUNC,failure,BADTRUNC,22
Response,BADCOOKIE,failure,BADCOOKIE,23
Query,NOERROR,success,,
Query,FORMERR,failure,,
Query,SERVFAIL,failure,,
Query,NXDOMAIN,failure,,
Query,NOTIMPL,failure,,
Query,REFUSED,failure,,
Query,YXDOMAIN,failure,,
Query,YXRRSET,failure,,
Query,NXRRSET,failure,,
Query,NOTAUTH,failure,,
Query,NOTZONE,failure,,
Query,DSOTYPENI,failure,,
Query,BADVERS,failure,,
Query,BADSIG,failure,,
Query,BADKEY,failure,,
Query,BADTIME,failure,,
Query,BADMODE,failure,,
Query,BADNAME,failure,,
Query,BADALG,failure,,
Query,BADTRUNC,failure,,
Query,BADCOOKIE,failure,,
1 message_type vendor_dns_action action reply_code reply_code_id
2 Response NOERROR success No Error 0
3 Response FORMERR failure Format Error 1
4 Response SERVFAIL failure Server Failure 2
5 Response NXDOMAIN failure Non-Existent Domain 3
6 Response NOTIMPL failure NotImp 4
7 Response REFUSED failure Refused 5
8 Response YXDOMAIN failure YXDomain 6
9 Response YXRRSET failure YXRRSet 7
10 Response NXRRSET failure NXRRSer 8
11 Response NOTAUTH failure NotAuth 9
12 Response NOTZONE failure NotZone 10
13 Response DSOTYPENI failure DSOTYPENI 11
14 Response BADVERS failure BADVERS 16
15 Response BADSIG failure BADSIG 16
16 Response BADKEY failure BADKEY 17
17 Response BADTIME failure BADTIME 18
18 Response BADMODE failure BADMODE 19
19 Response BADNAME failure BADNAME 20
20 Response BADALG failure BADALG 21
21 Response BADTRUNC failure BADTRUNC 22
22 Response BADCOOKIE failure BADCOOKIE 23
23 Query NOERROR success
24 Query FORMERR failure
25 Query SERVFAIL failure
26 Query NXDOMAIN failure
27 Query NOTIMPL failure
28 Query REFUSED failure
29 Query YXDOMAIN failure
30 Query YXRRSET failure
31 Query NXRRSET failure
32 Query NOTAUTH failure
33 Query NOTZONE failure
34 Query DSOTYPENI failure
35 Query BADVERS failure
36 Query BADSIG failure
37 Query BADKEY failure
38 Query BADTIME failure
39 Query BADMODE failure
40 Query BADNAME failure
41 Query BADALG failure
42 Query BADTRUNC failure
43 Query BADCOOKIE failure

4
deployment-apps/Splunk_TA_windows/lookups/windows_dns_query_type_lookup.csv
Unescape View File

@ -0,0 +1,4 @@
opcode,query_type
Q,Query
N,Notify
U,Update
1 opcode query_type
2 Q Query
3 N Notify
4 U Update

16
deployment-apps/Splunk_TA_windows/lookups/windows_endpoint_port_transport_890.csv
Unescape View File

@ -0,0 +1,16 @@
Protocol,transport
1,icmp
6,tcp
17,udp
47,gre
51,ah
50,esp
8,egp
3,ggp
20,hmp
88,igmp
66,rvd
89,ospf
12,pup
27,rdp
46,rsvp
1 Protocol transport
2 1 icmp
3 6 tcp
4 17 udp
5 47 gre
6 51 ah
7 50 esp
8 8 egp
9 3 ggp
10 20 hmp
11 88 igmp
12 66 rvd
13 89 ospf
14 12 pup
15 27 rdp
16 46 rsvp

9
deployment-apps/Splunk_TA_windows/lookups/windows_endpoint_service_service_name.csv
Unescape View File

@ -0,0 +1,9 @@
EventCode,service,service_name
5024,Firewall,Firewall
5025,Firewall,Firewall
5030,Firewall,Firewall
5033,Firewall Driver,Firewall Driver
5034,Firewall Driver,Firewall Driver
5035,Firewall Driver,Firewall Driver
5478,IPsec Policy Agent service,IPsec Policy Agent service
1100,Event Logging Service,Event Logging Service
1 EventCode service service_name
2 5024 Firewall Firewall
3 5025 Firewall Firewall
4 5030 Firewall Firewall
5 5033 Firewall Driver Firewall Driver
6 5034 Firewall Driver Firewall Driver
7 5035 Firewall Driver Firewall Driver
8 5478 IPsec Policy Agent service IPsec Policy Agent service
9 1100 Event Logging Service Event Logging Service

6
deployment-apps/Splunk_TA_windows/lookups/windows_endpoint_service_service_type.csv
Unescape View File

@ -0,0 +1,6 @@
Service_Start_Type,start_mode
0,auto
1,auto
2,auto
3,manual
4,disabled
1 Service_Start_Type start_mode
2 0 auto
3 1 auto
4 2 auto
5 3 manual
6 4 disabled

7
deployment-apps/Splunk_TA_windows/lookups/windows_eventtypes.csv
Unescape View File

@ -0,0 +1,7 @@
EventType,Description
0,Information
1,Error
2,Warning
4,Information
8,Success Audit
16,Failure Audit
1 EventType Description
2 0 Information
3 1 Error
4 2 Warning
5 4 Information
6 8 Success Audit
7 16 Failure Audit

29
deployment-apps/Splunk_TA_windows/lookups/windows_privileges.csv
Unescape View File

@ -0,0 +1,29 @@
privilege_id,privilege
SeAssignPrimaryTokenPrivilege,"Replace a process level token"
SeAuditPrivilege,"Generate security audits"
SeBackupPrivilege,"Back up files and directories"
SeChangeNotifyPrivilege,"Bypass traverse checking"
SeCreatePagefilePrivilege,"Create a pagefile"
SeCreatePermanentPrivilege,"Create permanent shared objects"
SeCreateTokenPrivilege,"Create a token object"
SeDebugPrivilege,"Debug programs"
SeEnableDelegationPrivilege,"Enable computer and user accounts to be trusted for delegation"
SeImpersonatePrivilege,"Impersonate a Client After Authentication"
SeIncreaseBasePriorityPrivilege,"Increase scheduling priority"
SeIncreaseQuotaPrivilege,"Adjust memory quotas for a process"
SeLoadDriverPrivilege,"Load and unload device drivers"
SeLockMemoryPrivilege,"Lock pages in memory"
SeMachineAccountPrivilege,"Add workstations to domain"
SeManageVolumePrivilege,"Perform volume maintenance tasks"
SeProfileSingleProcessPrivilege,"Profile single process"
SeRemoteShutdownPrivilege,"Force shutdown from a remote system"
SeRestorePrivilege,"Restore files and directories"
SeSecurityPrivilege,"Manage auditing and security log"
SeShutdownPrivilege,"Shut down the system"
SeSyncAgentPrivilege,"Synchronize directory service data"
SeSystemEnvironmentPrivilege,"Modify firmware environment values"
SeSystemProfilePrivilege,"Profile system performance"
SeSystemtimePrivilege,"Change the system time"
SeTakeOwnershipPrivilege,"Take ownership of files or other objects"
SeTcbPrivilege,"Act as part of the operating system"
SeUndockPrivilege,"Remove computer from docking station"
1 privilege_id privilege
2 SeAssignPrimaryTokenPrivilege Replace a process level token
3 SeAuditPrivilege Generate security audits
4 SeBackupPrivilege Back up files and directories
5 SeChangeNotifyPrivilege Bypass traverse checking
6 SeCreatePagefilePrivilege Create a pagefile
7 SeCreatePermanentPrivilege Create permanent shared objects
8 SeCreateTokenPrivilege Create a token object
9 SeDebugPrivilege Debug programs
10 SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
11 SeImpersonatePrivilege Impersonate a Client After Authentication
12 SeIncreaseBasePriorityPrivilege Increase scheduling priority
13 SeIncreaseQuotaPrivilege Adjust memory quotas for a process
14 SeLoadDriverPrivilege Load and unload device drivers
15 SeLockMemoryPrivilege Lock pages in memory
16 SeMachineAccountPrivilege Add workstations to domain
17 SeManageVolumePrivilege Perform volume maintenance tasks
18 SeProfileSingleProcessPrivilege Profile single process
19 SeRemoteShutdownPrivilege Force shutdown from a remote system
20 SeRestorePrivilege Restore files and directories
21 SeSecurityPrivilege Manage auditing and security log
22 SeShutdownPrivilege Shut down the system
23 SeSyncAgentPrivilege Synchronize directory service data
24 SeSystemEnvironmentPrivilege Modify firmware environment values
25 SeSystemProfilePrivilege Profile system performance
26 SeSystemtimePrivilege Change the system time
27 SeTakeOwnershipPrivilege Take ownership of files or other objects
28 SeTcbPrivilege Act as part of the operating system
29 SeUndockPrivilege Remove computer from docking station

7
deployment-apps/Splunk_TA_windows/lookups/windows_severities.csv
Unescape View File

@ -0,0 +1,7 @@
Type,EventCode,severity
Error,,high
Warning,,medium
Information,,informational
Success Audit,,informational
Failure Audit,,medium
,4739,high
1 Type EventCode severity
2 Error high
3 Warning medium
4 Information informational
5 Success Audit informational
6 Failure Audit medium
7 4739 high

541
deployment-apps/Splunk_TA_windows/lookups/windows_signatures_900.csv
Unescape View File

@ -0,0 +1,541 @@
signature_id,signature,CategoryString,action,result,command
512,"Windows NT is starting up",,,,
513,"Windows is shutting down",,,,
514,"An authentication package has been loaded by the Local Security Authority",,,,
515,"A trusted logon process has registered with the Local Security Authority",,,,
516,"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits",,,,
517,"The audit log was cleared",,,,
518,"A notification package has been loaded by the Security Account Manager",,,,
519,"A process is using an invalid local procedure call (LPC) port",,,,
520,"The system time was changed",,,,
528,"Successful Logon",,,,
529,"Unknown user name or bad password",,,,
530,"Account logon time restriction violation",,,,
531,"Account currently disabled",,,,
532,"The specified user account has expired",,,,
533,"User not allowed to logon at this computer",,,,
534,"The user has not been granted the requested logon type at this machine",,,,
535,"The specified account's password has expired",,,,
536,"The NetLogon component is not active",,,,
537,"The logon attempt failed for other reasons.",,,,
538,"User Logoff",,,,
539,"Logon Failure - Account locked out",,,,
540,"Successful Network Logon",,,,
551,"User initiated logoff",,,,
552,"Logon attempt using explicit credentials",,,,
560,"Object Open",,,,
561,"Handle Allocated",,,,
562,"Handle Closed",,,,
563,"Object Open for Delete",,,,
564,"Object Deleted",,,,
565,"Object Open (Active Directory)",,,,
566,"Object Operation (W3 Active Directory)",,,,
567,"Object Access Attempt",,,,
576,"Special privileges assigned to new logon",,,,
577,"Privileged Service Called",,,,
578,"Privileged object operation",,,,
592,"A new process has been created",,,,
593,"A process has exited",,,,
594,"A handle to an object has been duplicated",,,,
595,"Indirect access to an object has been obtained",,,,
600,"A process was assigned a primary token",,,,
601,"Attempt to install service",,,,
602,"Scheduled Task created",,,,
608,"User Right Assigned",,,,
609,"User Right Removed",,,,
610,"New Trusted Domain",,,,
611,"Removing Trusted Domain",,,,
612,"Audit Policy Change",,,,
613,"IPSec policy agent started",,,,
614,"IPSec policy agent disabled",,,,
615,"IPSEC PolicyAgent Service",,,,
616,"IPSec policy agent encountered a potentially serious failure.",,,,
617,"Kerberos Policy Changed",,,,
618,"Encrypted Data Recovery Policy Changed",,,,
619,"Quality of Service Policy Changed",,,,
620,"Trusted Domain Information Modified",,,,
621,"System Security Access Granted",,,,
622,"System Security Access Removed",,,,
623,"Per User Audit Policy was refreshed",,,,
624,"User Account Created",Account Management,created,,
625,"User Account Type Changed",,,,
626,"User Account Enabled",Account Management,,,
627,"Change Password Attempt",Account Management,,,
628,"User Account password set",Account Management,modified,,
629,"User Account Disabled",Account Management,,,
630,"User Account Deleted",Account Management,deleted,,
631,"Security Enabled Global Group Created",Account Management,,,
632,"Security Enabled Global Group Member Added",Account Management,,,
633,"Security Enabled Global Group Member Removed",Account Management,,,
634,"Security Enabled Global Group Deleted",Account Management,,,
635,"Security Enabled Local Group Created",Account Management,,,
636,"Security Enabled Local Group Member Added",Account Management,,,
637,"Security Enabled Local Group Member Removed",Account Management,,,
638,"Security Enabled Local Group Deleted",Account Management,,,
639,"Security Enabled Local Group Changed",Account Management,,,
640,"General Account Database Change",Account Management,,,
641,"Security Enabled Global Group Changed",Account Management,,,
642,"User Account Changed",Account Management,modified,,
643,"Domain Policy Changed",Account Management,,,
644,"User Account Locked Out",Account Management,modified,lockout,
645,"Computer Account Created",Account Management,,,
646,"Computer Account Changed",Account Management,,,
647,"Computer Account Deleted",Account Management,,,
648,"Security Disabled Local Group Created",Account Management,,,
649,"Security Disabled Local Group Changed",Account Management,,,
650,"Security Disabled Local Group Member Added",Account Management,,,
651,"Security Disabled Local Group Member Removed",Account Management,,,
652,"Security Disabled Local Group Deleted",Account Management,,,
653,"Security Disabled Global Group Created",Account Management,,,
654,"Security Disabled Global Group Changed",Account Management,,,
655,"Security Disabled Global Group Member Added",Account Management,,,
656,"Security Disabled Global Group Member Removed",Account Management,,,
657,"Security Disabled Global Group Deleted",Account Management,,,
658,"Security Enabled Universal Group Created",Account Management,,,
659,"Security Enabled Universal Group Changed",Account Management,,,
660,"Security Enabled Universal Group Member Added",Account Management,,,
661,"Security Enabled Universal Group Member Removed",Account Management,,,
662,"Security Enabled Universal Group Deleted",Account Management,,,
663,"Security Disabled Universal Group Created",Account Management,,,
664,"Security Disabled Universal Group Changed",Account Management,,,
665,"Security Disabled Universal Group Member Added",Account Management,,,
666,"Security Disabled Universal Group Member Removed",Account Management,,,
667,"Security Disabled Universal Group Deleted",Account Management,,,
668,"Group Type Changed",Account Management,,,
669,"Add SID History",Account Management,,,
670,"Add SID History",Account Management,,,
671,"User Account Unlocked",Account Management,,,
672,"Authentication Ticket Granted",,,,
673,"Service Ticket Granted",,,,
674,"Ticket Granted Renewed",,,,
675,"Pre-authentication failed",,,,
676,"Authentication Ticket Request Failed",,,,
677,"Service Ticket Request Failed",,,,
678,"Account Mapped for Logon by",,,,
679,"The name: %2 could not be mapped for logon by: %1",,,,
680,"Account Used for Logon by",,,,
681,"The logon to account: %2 by: %1 from workstation: %3 failed.",,,,
682,"Session reconnected to winstation",,,,
683,"Session disconnected from winstation",,,,
684,"Set ACLs of members in administrators groups",Account Management,,,
685,"Account Name Changed",Account Management,,,
686,"Password of the following user accessed",Account Management,,,
687,"Basic Application Group Created",Account Management,,,
688,"Basic Application Group Changed",Account Management,,,
689,"Basic Application Group Member Added",Account Management,,,
690,"Basic Application Group Member Removed",Account Management,,,
691,"Basic Application Group Non-Member Added",Account Management,,,
692,"Basic Application Group Non-Member Removed",Account Management,,,
693,"Basic Application Group Deleted",Account Management,,,
694,"LDAP Query Group Created",Account Management,,,
695,"LDAP Query Group Changed",Account Management,,,
696,"LDAP Query Group Deleted",Account Management,,,
697,"Password Policy Checking API is called",API Calls,,,
806,"Per User Audit Policy was refreshed",,,,
807,"Per user auditing policy set for user",,,,
808,"A security event source has attempted to register",,,,
809,"A security event source has attempted to unregister",,,,
848,"The following policy was active when the Windows Firewall started",,,,
849,"An application was listed as an exception when the Windows Firewall started",,,,
850,"A port was listed as an exception when the Windows Firewall started",,,,
852,"A change has been made to the Windows Firewall port exception list",,,,
861,"The Windows Firewall has detected an application listening for incoming traffic",,,,
1100,"The event logging service has shut down",,,,
1101,"Audit events have been dropped by the transport.",,,,
1102,"The audit log was cleared",,,,
1104,"The security Log is now full",,,,
1105,"Event log automatic backup",,,,
1108,"The event logging service encountered an error",,,,
4500,"Metabase Add Key",,,,
4501,"Metabase Delete Key",,,,
4502,"Metabase Delete Chid Keys",,,,
4503,"Metabase Copy Key",,,,
4504,"Metabase Rename Key",,,,
4505,"Metabase Set Data",,,,
4506,"Metabase Delete Data",,,,
4507,"Metabase Delete All Data",,,,
4508,"Metabase Copy Data",,,,
4509,"Metabase Set Last Change Time",,,,
4510,"Metabase Restore",,,,
4511,"Metabase Delete Backup",,,,
4512,"Metabase Import",,,,
4608,"Windows is starting up",,,,
4609,"Windows is shutting down",,,,
4610,"An authentication package has been loaded by the Local Security Authority",,,,
4611,"A trusted logon process has been registered with the Local Security Authority",,,,
4612,"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.",,,,
4614,"A notification package has been loaded by the Security Account Manager.",,,,
4615,"Invalid use of LPC port",,,,
4616,"The system time was changed.",,,,
4618,"A monitored security event pattern has occurred",,,,
4621,"Administrator recovered system from CrashOnAuditFail",,,,
4622,"A security package has been loaded by the Local Security Authority.",,,,
4624,"An account was successfully logged on",,,,
4625,"An account failed to log on",,,,
4634,"An account was logged off",,,,
4646,"%1",,,,
4647,"User initiated logoff",,,,
4648,"A logon was attempted using explicit credentials",,,,
4649,"A replay attack was detected",,,,
4650,"An IPsec Main Mode security association was established",,,,
4651,"An IPsec Main Mode security association was established",,,,
4652,"An IPsec Main Mode negotiation failed",,,,
4653,"An IPsec Main Mode negotiation failed",,,,
4654,"An IPsec Quick Mode negotiation failed",,,,
4655,"An IPsec Main Mode security association ended",,,,
4656,"A handle to an object was requested",,,,
4657,"A registry value was modified",,,,
4658,"The handle to an object was closed",,,,
4659,"A handle to an object was requested with intent to delete",,,,
4660,"An object was deleted",,,,
4661,"A handle to an object was requested",,,,
4662,"An operation was performed on an object",,,,
4663,"An attempt was made to access an object",,,,
4664,"An attempt was made to create a hard link",,,,
4665,"An attempt was made to create an application client context.",,,,
4666,"An application attempted an operation",,,,
4667,"An application client context was deleted",,,,
4668,"An application was initialized",,,,
4670,"Permissions on an object were changed",,,,
4671,"An application attempted to access a blocked ordinal through the TBS",,,,
4672,"Special privileges assigned to new logon",,,,
4673,"A privileged service was called",,,,
4674,"An operation was attempted on a privileged object",,,,
4675,"SIDs were filtered",,,,
4685,"The state of a transaction has changed",,,,
4688,"A new process has been created",,,,
4689,"A process has exited",,,,
4690,"An attempt was made to duplicate a handle to an object",,,,
4691,"Indirect access to an object was requested",,,,
4692,"Backup of data protection master key was attempted",,,,
4693,"Recovery of data protection master key was attempted",,,,
4694,"Protection of auditable protected data was attempted",,,,
4695,"Unprotection of auditable protected data was attempted",,,,
4696,"A primary token was assigned to process",,,,
4697,"A service was installed in the system",,,,
4698,"A scheduled task was created",,,,
4699,"A scheduled task was deleted",,,,
4700,"A scheduled task was enabled",,,,
4701,"A scheduled task was disabled",,,,
4702,"A scheduled task was updated",,,,
4704,"A user right was assigned",,,,
4705,"A user right was removed",,,,
4706,"A new trust was created to a domain",,,"A new trust was created to a domain","A new trust was created to a domain."
4707,"A trust to a domain was removed",,,,
4709,"IPsec Services was started",,,,
4710,"IPsec Services was disabled",,,,
4711,"PAStore Engine (1%)",,,,
4712,"IPsec Services encountered a potentially serious failure",,,,
4713,"Kerberos policy was changed",,,"Kerberos policy was changed","Kerberos policy was changed."
4714,"Encrypted data recovery policy was changed",,,,
4715,"The audit policy (SACL) on an object was changed",,,,
4716,"Trusted domain information was modified",,,,
4717,"System security access was granted to an account",,,,
4718,"System security access was removed from an account",,,,
4719,"System audit policy was changed",,,,
4720,"A user account was created",Account Management,,,
4722,"A user account was enabled",Account Management,,,
4723,"An attempt was made to change an account's password",Account Management,,,
4724,"An attempt was made to reset an accounts password",Account Management,,,
4725,"A user account was disabled",Account Management,,,
4726,"A user account was deleted",Account Management,,,
4727,"A security-enabled global group was created",Account Management,,,
4728,"A member was added to a security-enabled global group",Account Management,,,
4729,"A member was removed from a security-enabled global group",Account Management,,,
4730,"A security-enabled global group was deleted",Account Management,,,
4731,"A security-enabled local group was created",Account Management,,,
4732,"A member was added to a security-enabled local group",Account Management,,,
4733,"A member was removed from a security-enabled local group",Account Management,,,
4734,"A security-enabled local group was deleted",Account Management,,,
4735,"A security-enabled local group was changed",Account Management,,,
4737,"A security-enabled global group was changed",Account Management,,,
4738,"A user account was changed",Account Management,,,
4739,"Domain Policy was changed",Account Management,,,
4740,"A user account was locked out",Account Management,,,
4741,"A computer account was created",Account Management,,,
4742,"A computer account was changed",Account Management,,,
4743,"A computer account was deleted",Account Management,,,
4744,"A security-disabled local group was created",,,"A security-disabled local group was created","A security-disabled local group was created."
4745,"A security-disabled local group was changed",Account Management,,,
4746,"A member was added to a security-disabled local group",Account Management,,,
4747,"A member was removed from a security-disabled local group",Account Management,,,
4748,"A security-disabled local group was deleted",Account Management,,,
4749,"A security-disabled global group was created",,,"A security-disabled global group was created","A security-disabled global group was created."
4750,"A security-disabled global group was changed",,,"A security-disabled global group was changed","A security-disabled global group was changed."
4751,"A member was added to a security-disabled global group",Account Management,,,
4752,"A member was removed from a security-disabled global group",Account Management,,,
4753,"A security-disabled global group was deleted",Account Management,,,
4754,"A security-enabled universal group was created",Account Management,,,
4755,"A security-enabled universal group was changed",Account Management,,,
4756,"A member was added to a security-enabled universal group",Account Management,,,
4757,"A member was removed from a security-enabled universal group",Account Management,,,
4758,"A security-enabled universal group was deleted",Account Management,,,
4759,"A security-disabled universal group was created",,,"A security-disabled universal group was created","A security-disabled universal group was created."
4760,"A security-disabled universal group was changed",Account Management,,,
4761,"A member was added to a security-disabled universal group",Account Management,,,
4762,"A member was removed from a security-disabled universal group",Account Management,,,
4763,"A security-disabled universal group was deleted",Account Management,,,
4764,"A group's type was changed",Account Management,,,
4765,"SID History was added to an account",Account Management,,,
4766,"An attempt to add SID History to an account failed",Account Management,,,
4767,"A user account was unlocked",Account Management,,,
4768,"A Kerberos authentication ticket (TGT) was requested",,,,
4769,"A Kerberos service ticket was requested",,,,
4770,"A Kerberos service ticket was renewed",,,,
4771,"Kerberos pre-authentication failed",,,,
4772,"A Kerberos authentication ticket request failed",,,,
4773,"A Kerberos service ticket request failed",,,,
4774,"An account was mapped for logon",,,,
4775,"An account could not be mapped for logon",,,,
4776,"The domain controller attempted to validate the credentials for an account",,,,
4777,"The domain controller failed to validate the credentials for an account",,,,
4778,"A session was reconnected to a Window Station",,,,
4779,"A session was disconnected from a Window Station",,,,
4780,"The ACL was set on accounts which are members of administrators groups",Account Management,,,
4781,"The name of an account was changed",Account Management,,,
4782,"The password hash an account was accessed",Account Management,,,
4783,"A basic application group was created",Account Management,,,
4784,"A basic application group was changed",Account Management,,,
4785,"A member was added to a basic application group",Account Management,,,
4786,"A member was removed from a basic application group",Account Management,,,
4787,"A non-member was added to a basic application group",Account Management,,,
4788,"A non-member was removed from a basic application group..",Account Management,,,
4789,"A basic application group was deleted",Account Management,,,
4790,"An LDAP query group was created",Account Management,,,
4791,"A basic application group was changed",Account Management,,,
4792,"An LDAP query group was deleted",Account Management,,,
4793,"The Password Policy Checking API was called",API Calls,,,
4794,"An attempt was made to set the Directory Services Restore Mode administrator password",Account Management,,,"set the Directory Services Restore Mode administrator password."
4798,"A user's local group membership was enumerated.",,,,
4799,"A security-enabled local group membership was enumerated",,,,
4800,"The workstation was locked",,,,
4801,"The workstation was unlocked",,,,
4802,"The screen saver was invoked",,,,
4803,"The screen saver was dismissed",,,,
4816,"RPC detected an integrity violation while decrypting an incoming message",,,,
4817,"Auditing settings on object were changed.",,,,
4864,"A namespace collision was detected",,,,
4865,"A trusted forest information entry was added",,,,
4866,"A trusted forest information entry was removed",,,,
4867,"A trusted forest information entry was modified",,,,
4868,"The certificate manager denied a pending certificate request",,,,
4869,"Certificate Services received a resubmitted certificate request",,,,
4870,"Certificate Services revoked a certificate",,,,
4871,"Certificate Services received a request to publish the certificate revocation list (CRL)",,,,
4872,"Certificate Services published the certificate revocation list (CRL)",,,,
4873,"A certificate request extension changed",,,,
4874,"One or more certificate request attributes changed.",,,,
4875,"Certificate Services received a request to shut down",,,,
4876,"Certificate Services backup started",,,"Certificate Services backup started","Certificate Services backup started."
4877,"Certificate Services backup completed",,,,
4878,"Certificate Services restore started",,,,
4879,"Certificate Services restore completed",,,,
4880,"Certificate Services started",,,,
4881,"Certificate Services stopped",,,,
4882,"The security permissions for Certificate Services changed",,,,
4883,"Certificate Services retrieved an archived key",,,,
4884,"Certificate Services imported a certificate into its database",,,,
4885,"The audit filter for Certificate Services changed",,,,
4886,"Certificate Services received a certificate request",,,,
4887,"Certificate Services approved a certificate request and issued a certificate",,,,
4888,"Certificate Services denied a certificate request",,,,
4889,"Certificate Services set the status of a certificate request to pending",,,,
4890,"The certificate manager settings for Certificate Services changed.",,,,
4891,"A configuration entry changed in Certificate Services",,,,
4892,"A property of Certificate Services changed",,,,
4893,"Certificate Services archived a key",,,,
4894,"Certificate Services imported and archived a key",,,,
4895,"Certificate Services published the CA certificate to Active Directory Domain Services",,,,
4896,"One or more rows have been deleted from the certificate database",,,,
4897,"Role separation enabled",,,,
4898,"Certificate Services loaded a template",,,,
4899,"A Certificate Services template was updated",,,,
4900,"Certificate Services template security was updated",,,,
4902,"The Per-user audit policy table was created",,,,
4904,"An attempt was made to register a security event source",,,,
4905,"An attempt was made to unregister a security event source",,,,
4906,"The CrashOnAuditFail value has changed",,,,
4907,"Auditing settings on object were changed",,,,
4908,"Special Groups Logon table modified",,,,
4909,"The local policy settings for the TBS were changed",,,,
4910,"The group policy settings for the TBS were changed",,,,
4912,"Per User Audit Policy was changed",,,,
4928,"An Active Directory replica source naming context was established",,,,
4929,"An Active Directory replica source naming context was removed",,,,
4930,"An Active Directory replica source naming context was modified",,,,
4931,"An Active Directory replica destination naming context was modified",,,,
4932,"Synchronization of a replica of an Active Directory naming context has begun",,,,
4933,"Synchronization of a replica of an Active Directory naming context has ended",,,,
4934,"Attributes of an Active Directory object were replicated",,,,
4935,"Replication failure begins",,,,
4936,"Replication failure ends",,,,
4937,"A lingering object was removed from a replica",,,,
4944,"The following policy was active when the Windows Firewall started",,,,
4945,"A rule was listed when the Windows Firewall started",,,,
4946,"A change has been made to Windows Firewall exception list. A rule was added",,,,
4947,"A change has been made to Windows Firewall exception list. A rule was modified",,,,
4948,"A change has been made to Windows Firewall exception list. A rule was deleted",,,,
4949,"Windows Firewall settings were restored to the default values",,,,
4950,"A Windows Firewall setting has changed",,,,
4951,"A rule has been ignored because its major version number was not recognized by Windows Firewall",,,,
4952,"Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall",,,,
4953,"A rule has been ignored by Windows Firewall because it could not parse the rule",,,,
4954,"Windows Firewall Group Policy settings has changed. The new settings have been applied",,,,
4956,"Windows Firewall has changed the active profile",,,,
4957,"Windows Firewall did not apply the following rule",,,,
4958,"Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer",,,,
4960,"IPsec dropped an inbound packet that failed an integrity check",,,,
4961,"IPsec dropped an inbound packet that failed a replay check",,,,
4962,"IPsec dropped an inbound packet that failed a replay check",,,,
4963,"IPsec dropped an inbound clear text packet that should have been secured",,,,
4964,"Special groups have been assigned to a new logon",,,,
4965,"IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI).",,,,
4976,"During Main Mode negotiation, IPsec received an invalid negotiation packet.",,,,
4977,"During Quick Mode negotiation, IPsec received an invalid negotiation packet.",,,,
4978,"During Extended Mode negotiation, IPsec received an invalid negotiation packet.",,,,
4979,"IPsec Main Mode and Extended Mode security associations were established.",,,,
4980,"IPsec Main Mode and Extended Mode security associations were established",,,,
4981,"IPsec Main Mode and Extended Mode security associations were established",,,,
4982,"IPsec Main Mode and Extended Mode security associations were established",,,,
4983,"An IPsec Extended Mode negotiation failed",,,,
4984,"An IPsec Extended Mode negotiation failed",,,,
4985,"The state of a transaction has changed",,,,
5024,"The Windows Firewall Service has started successfully",,,,
5025,"The Windows Firewall Service has been stopped",,,,
5027,"The Windows Firewall Service was unable to retrieve the security policy from the local storage",,,,
5028,"The Windows Firewall Service was unable to parse the new security policy.",,,,
5029,"The Windows Firewall Service failed to initialize the driver",,,,
5030,"The Windows Firewall Service failed to start",,,,
5031,"The Windows Firewall Service blocked an application from accepting incoming connections on the network.",,,,
5032,"Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network",,,,
5033,"The Windows Firewall Driver has started successfully",,,,
5034,"The Windows Firewall Driver has been stopped",,,,
5035,"The Windows Firewall Driver failed to start",,,,
5037,"The Windows Firewall Driver detected critical runtime error. Terminating",,,,
5038,"Code integrity determined that the image hash of a file is not valid",,,,
5039,"A registry key was virtualized.",,,,
5040,"A change has been made to IPsec settings. An Authentication Set was added.",,,,
5041,"A change has been made to IPsec settings. An Authentication Set was modified",,,,
5042,"A change has been made to IPsec settings. An Authentication Set was deleted",,,,
5043,"A change has been made to IPsec settings. A Connection Security Rule was added",,,,
5044,"A change has been made to IPsec settings. A Connection Security Rule was modified",,,,
5045,"A change has been made to IPsec settings. A Connection Security Rule was deleted",,,,
5046,"A change has been made to IPsec settings. A Crypto Set was added",,,,
5047,"A change has been made to IPsec settings. A Crypto Set was modified",,,,
5048,"A change has been made to IPsec settings. A Crypto Set was deleted",,,,
5049,"An IPsec Security Association was deleted",,,,
5050,"An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE",,,,
5051,"A file was virtualized",,,,
5056,"A cryptographic self test was performed",,,,
5057,"A cryptographic primitive operation failed",,,,
5058,"Key file operation",,,,
5059,"Key migration operation",,,,
5060,"Verification operation failed",,,,
5061,"Cryptographic operation",,,,
5062,"A kernel-mode cryptographic self test was performed",,,,
5063,"A cryptographic provider operation was attempted",,,,
5064,"A cryptographic context operation was attempted",,,,
5065,"A cryptographic context modification was attempted",,,,
5066,"A cryptographic function operation was attempted",,,,
5067,"A cryptographic function modification was attempted",,,,
5068,"A cryptographic function provider operation was attempted",,,,
5069,"A cryptographic function property operation was attempted",,,,
5070,"A cryptographic function property operation was attempted",,,,
5120,"OCSP Responder Service Started",,,,
5121,"OCSP Responder Service Stopped",,,,
5122,"A Configuration entry changed in the OCSP Responder Service",,,,
5123,"A configuration entry changed in the OCSP Responder Service",,,,
5124,"A security setting was updated on OCSP Responder Service",,,,
5125,"A request was submitted to OCSP Responder Service",,,,
5126,"Signing Certificate was automatically updated by the OCSP Responder Service",,,,
5127,"The OCSP Revocation Provider successfully updated the revocation information",,,,
5136,"A directory service object was modified",,,,
5137,"A directory service object was created",,,,
5138,"A directory service object was undeleted",,,,
5139,"A directory service object was moved",,,,
5140,"A network share object was accessed",,,,
5141,"A directory service object was deleted",,,,
5142,"A network share object was added.",,,,
5143,"A network share object was modified",,,,
5144,"A network share object was deleted.",,,,
5145,"A network share object was checked to see whether client can be granted desired access",,,,
5148,"The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.",,,,
5149,"The DoS attack has subsided and normal processing is being resumed.",,,,
5150,"The Windows Filtering Platform has blocked a packet.",,,,
5151,"A more restrictive Windows Filtering Platform filter has blocked a packet.",,,,
5152,"The Windows Filtering Platform blocked a packet",,,,
5153,"A more restrictive Windows Filtering Platform filter has blocked a packet",,,,
5154,"The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections",,,,
5155,"The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections",,,,
5156,"The Windows Filtering Platform has allowed a connection",,,,
5157,"The Windows Filtering Platform has blocked a connection",,,,
5158,"The Windows Filtering Platform has permitted a bind to a local port",,,,
5159,"The Windows Filtering Platform has blocked a bind to a local port",,,,
5168,"Spn check for SMB/SMB2 fails.",,,,
5376,"Credential Manager credentials were backed up",Account Management,,,
5377,"Credential Manager credentials were restored from a backup",Account Management,,,
5378,"The requested credentials delegation was disallowed by policy",,,,
5440,"The following callout was present when the Windows Filtering Platform Base Filtering Engine started",,,,
5441,"The following filter was present when the Windows Filtering Platform Base Filtering Engine started",,,,
5442,"The following provider was present when the Windows Filtering Platform Base Filtering Engine started",,,,
5443,"The following provider context was present when the Windows Filtering Platform Base Filtering Engine started",,,,
5444,"The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started",,,,
5446,"A Windows Filtering Platform callout has been changed",,,,
5447,"A Windows Filtering Platform filter has been changed",,,,
5448,"A Windows Filtering Platform provider has been changed",,,,
5449,"A Windows Filtering Platform provider context has been changed",,,,
5450,"A Windows Filtering Platform sub-layer has been changed",,,,
5451,"An IPsec Quick Mode security association was established",,,,
5452,"An IPsec Quick Mode security association ended",,,,
5453,"An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started",,,,
5456,"PAStore Engine applied Active Directory storage IPsec policy on the computer",,,,
5457,"PAStore Engine failed to apply Active Directory storage IPsec policy on the computer",,,,
5458,"PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer",,,,
5459,"PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer",,,,
5460,"PAStore Engine applied local registry storage IPsec policy on the computer",,,,
5461,"PAStore Engine failed to apply local registry storage IPsec policy on the computer",,,,
5462,"PAStore Engine failed to apply some rules of the active IPsec policy on the computer",,,,
5463,"PAStore Engine polled for changes to the active IPsec policy and detected no changes",,,,
5464,"PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services",,,,
5465,"PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully",,,,
5466,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead",,,,
5467,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy",,,,
5468,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes",,,,
5471,"PAStore Engine loaded local storage IPsec policy on the computer",,,,
5472,"PAStore Engine failed to load local storage IPsec policy on the computer",,,,
5473,"PAStore Engine loaded directory storage IPsec policy on the computer",,,,
5474,"PAStore Engine failed to load directory storage IPsec policy on the computer",,,,
5477,"PAStore Engine failed to add quick mode filter",,,,
5478,"IPsec Services has started successfully",,,,
5479,"IPsec Services has been shut down successfully",,,,
5480,"IPsec Services failed to get the complete list of network interfaces on the computer",,,,
5483,"IPsec Services failed to initialize RPC server. IPsec Services could not be started",,,,
5484,"IPsec Services has experienced a critical failure and has been shut down",,,,
5485,"IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces",,,,
5632,"A request was made to authenticate to a wireless network",,,,
5633,"A request was made to authenticate to a wired network",,,,
5712,"A Remote Procedure Call (RPC) was attempted",,,,
5888,"An object in the COM+ Catalog was modified",,,,
5889,"An object was deleted from the COM+ Catalog",,,,
5890,"An object was added to the COM+ Catalog",,,,
6144,"Security policy in the group policy objects has been applied successfully",,,,
6145,"One or more errors occured while processing security policy in the group policy objects",,,,
6272,"Network Policy Server granted access to a user",,,,
6273,"Network Policy Server denied access to a user",,,,
6274,"Network Policy Server discarded the request for a user",,,,
6275,"Network Policy Server discarded the accounting request for a user",,,,
6276,"Network Policy Server quarantined a user",,,,
6277,"Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy",,,,
6278,"Network Policy Server granted full access to a user because the host met the defined health policy",,,,
6279,"Network Policy Server locked the user account due to repeated failed authentication attempts",,,,
6280,"Network Policy Server unlocked the user account",,,,
6281,"Code Integrity determined that the page hashes of an image file are not valid...",,,,
6400,"BranchCache: Received an incorrectly formatted response while discovering availability of content.",,,,
6401,"BranchCache: Received invalid data from a peer. Data discarded.",,,,
6402,"BranchCache: The message to the hosted cache offering it data is incorrectly formatted.",,,,
6403,"BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.",,,,
6404,"BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.",,,,
6405,"BranchCache: %2 instance(s) of event id %1 occurred.",,,,
6406,"%1 registered to Windows Firewall to control filtering for the following:",,,,
6407,"%1",,,,
6408,"Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.",,,,
1 signature_id signature CategoryString action result command
2 512 Windows NT is starting up
3 513 Windows is shutting down
4 514 An authentication package has been loaded by the Local Security Authority
5 515 A trusted logon process has registered with the Local Security Authority
6 516 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
7 517 The audit log was cleared
8 518 A notification package has been loaded by the Security Account Manager
9 519 A process is using an invalid local procedure call (LPC) port
10 520 The system time was changed
11 528 Successful Logon
12 529 Unknown user name or bad password
13 530 Account logon time restriction violation
14 531 Account currently disabled
15 532 The specified user account has expired
16 533 User not allowed to logon at this computer
17 534 The user has not been granted the requested logon type at this machine
18 535 The specified account's password has expired
19 536 The NetLogon component is not active
20 537 The logon attempt failed for other reasons.
21 538 User Logoff
22 539 Logon Failure - Account locked out
23 540 Successful Network Logon
24 551 User initiated logoff
25 552 Logon attempt using explicit credentials
26 560 Object Open
27 561 Handle Allocated
28 562 Handle Closed
29 563 Object Open for Delete
30 564 Object Deleted
31 565 Object Open (Active Directory)
32 566 Object Operation (W3 Active Directory)
33 567 Object Access Attempt
34 576 Special privileges assigned to new logon
35 577 Privileged Service Called
36 578 Privileged object operation
37 592 A new process has been created
38 593 A process has exited
39 594 A handle to an object has been duplicated
40 595 Indirect access to an object has been obtained
41 600 A process was assigned a primary token
42 601 Attempt to install service
43 602 Scheduled Task created
44 608 User Right Assigned
45 609 User Right Removed
46 610 New Trusted Domain
47 611 Removing Trusted Domain
48 612 Audit Policy Change
49 613 IPSec policy agent started
50 614 IPSec policy agent disabled
51 615 IPSEC PolicyAgent Service
52 616 IPSec policy agent encountered a potentially serious failure.
53 617 Kerberos Policy Changed
54 618 Encrypted Data Recovery Policy Changed
55 619 Quality of Service Policy Changed
56 620 Trusted Domain Information Modified
57 621 System Security Access Granted
58 622 System Security Access Removed
59 623 Per User Audit Policy was refreshed
60 624 User Account Created Account Management created
61 625 User Account Type Changed
62 626 User Account Enabled Account Management
63 627 Change Password Attempt Account Management
64 628 User Account password set Account Management modified
65 629 User Account Disabled Account Management
66 630 User Account Deleted Account Management deleted
67 631 Security Enabled Global Group Created Account Management
68 632 Security Enabled Global Group Member Added Account Management
69 633 Security Enabled Global Group Member Removed Account Management
70 634 Security Enabled Global Group Deleted Account Management
71 635 Security Enabled Local Group Created Account Management
72 636 Security Enabled Local Group Member Added Account Management
73 637 Security Enabled Local Group Member Removed Account Management
74 638 Security Enabled Local Group Deleted Account Management
75 639 Security Enabled Local Group Changed Account Management
76 640 General Account Database Change Account Management
77 641 Security Enabled Global Group Changed Account Management
78 642 User Account Changed Account Management modified
79 643 Domain Policy Changed Account Management
80 644 User Account Locked Out Account Management modified lockout
81 645 Computer Account Created Account Management
82 646 Computer Account Changed Account Management
83 647 Computer Account Deleted Account Management
84 648 Security Disabled Local Group Created Account Management
85 649 Security Disabled Local Group Changed Account Management
86 650 Security Disabled Local Group Member Added Account Management
87 651 Security Disabled Local Group Member Removed Account Management
88 652 Security Disabled Local Group Deleted Account Management
89 653 Security Disabled Global Group Created Account Management
90 654 Security Disabled Global Group Changed Account Management
91 655 Security Disabled Global Group Member Added Account Management
92 656 Security Disabled Global Group Member Removed Account Management
93 657 Security Disabled Global Group Deleted Account Management
94 658 Security Enabled Universal Group Created Account Management
95 659 Security Enabled Universal Group Changed Account Management
96 660 Security Enabled Universal Group Member Added Account Management
97 661 Security Enabled Universal Group Member Removed Account Management
98 662 Security Enabled Universal Group Deleted Account Management
99 663 Security Disabled Universal Group Created Account Management
100 664 Security Disabled Universal Group Changed Account Management
101 665 Security Disabled Universal Group Member Added Account Management
102 666 Security Disabled Universal Group Member Removed Account Management
103 667 Security Disabled Universal Group Deleted Account Management
104 668 Group Type Changed Account Management
105 669 Add SID History Account Management
106 670 Add SID History Account Management
107 671 User Account Unlocked Account Management
108 672 Authentication Ticket Granted
109 673 Service Ticket Granted
110 674 Ticket Granted Renewed
111 675 Pre-authentication failed
112 676 Authentication Ticket Request Failed
113 677 Service Ticket Request Failed
114 678 Account Mapped for Logon by
115 679 The name: %2 could not be mapped for logon by: %1
116 680 Account Used for Logon by
117 681 The logon to account: %2 by: %1 from workstation: %3 failed.
118 682 Session reconnected to winstation
119 683 Session disconnected from winstation
120 684 Set ACLs of members in administrators groups Account Management
121 685 Account Name Changed Account Management
122 686 Password of the following user accessed Account Management
123 687 Basic Application Group Created Account Management
124 688 Basic Application Group Changed Account Management
125 689 Basic Application Group Member Added Account Management
126 690 Basic Application Group Member Removed Account Management
127 691 Basic Application Group Non-Member Added Account Management
128 692 Basic Application Group Non-Member Removed Account Management
129 693 Basic Application Group Deleted Account Management
130 694 LDAP Query Group Created Account Management
131 695 LDAP Query Group Changed Account Management
132 696 LDAP Query Group Deleted Account Management
133 697 Password Policy Checking API is called API Calls
134 806 Per User Audit Policy was refreshed
135 807 Per user auditing policy set for user
136 808 A security event source has attempted to register
137 809 A security event source has attempted to unregister
138 848 The following policy was active when the Windows Firewall started
139 849 An application was listed as an exception when the Windows Firewall started
140 850 A port was listed as an exception when the Windows Firewall started
141 852 A change has been made to the Windows Firewall port exception list
142 861 The Windows Firewall has detected an application listening for incoming traffic
143 1100 The event logging service has shut down
144 1101 Audit events have been dropped by the transport.
145 1102 The audit log was cleared
146 1104 The security Log is now full
147 1105 Event log automatic backup
148 1108 The event logging service encountered an error
149 4500 Metabase Add Key
150 4501 Metabase Delete Key
151 4502 Metabase Delete Chid Keys
152 4503 Metabase Copy Key
153 4504 Metabase Rename Key
154 4505 Metabase Set Data
155 4506 Metabase Delete Data
156 4507 Metabase Delete All Data
157 4508 Metabase Copy Data
158 4509 Metabase Set Last Change Time
159 4510 Metabase Restore
160 4511 Metabase Delete Backup
161 4512 Metabase Import
162 4608 Windows is starting up
163 4609 Windows is shutting down
164 4610 An authentication package has been loaded by the Local Security Authority
165 4611 A trusted logon process has been registered with the Local Security Authority
166 4612 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
167 4614 A notification package has been loaded by the Security Account Manager.
168 4615 Invalid use of LPC port
169 4616 The system time was changed.
170 4618 A monitored security event pattern has occurred
171 4621 Administrator recovered system from CrashOnAuditFail
172 4622 A security package has been loaded by the Local Security Authority.
173 4624 An account was successfully logged on
174 4625 An account failed to log on
175 4634 An account was logged off
176 4646 %1
177 4647 User initiated logoff
178 4648 A logon was attempted using explicit credentials
179 4649 A replay attack was detected
180 4650 An IPsec Main Mode security association was established
181 4651 An IPsec Main Mode security association was established
182 4652 An IPsec Main Mode negotiation failed
183 4653 An IPsec Main Mode negotiation failed
184 4654 An IPsec Quick Mode negotiation failed
185 4655 An IPsec Main Mode security association ended
186 4656 A handle to an object was requested
187 4657 A registry value was modified
188 4658 The handle to an object was closed
189 4659 A handle to an object was requested with intent to delete
190 4660 An object was deleted
191 4661 A handle to an object was requested
192 4662 An operation was performed on an object
193 4663 An attempt was made to access an object
194 4664 An attempt was made to create a hard link
195 4665 An attempt was made to create an application client context.
196 4666 An application attempted an operation
197 4667 An application client context was deleted
198 4668 An application was initialized
199 4670 Permissions on an object were changed
200 4671 An application attempted to access a blocked ordinal through the TBS
201 4672 Special privileges assigned to new logon
202 4673 A privileged service was called
203 4674 An operation was attempted on a privileged object
204 4675 SIDs were filtered
205 4685 The state of a transaction has changed
206 4688 A new process has been created
207 4689 A process has exited
208 4690 An attempt was made to duplicate a handle to an object
209 4691 Indirect access to an object was requested
210 4692 Backup of data protection master key was attempted
211 4693 Recovery of data protection master key was attempted
212 4694 Protection of auditable protected data was attempted
213 4695 Unprotection of auditable protected data was attempted
214 4696 A primary token was assigned to process
215 4697 A service was installed in the system
216 4698 A scheduled task was created
217 4699 A scheduled task was deleted
218 4700 A scheduled task was enabled
219 4701 A scheduled task was disabled
220 4702 A scheduled task was updated
221 4704 A user right was assigned
222 4705 A user right was removed
223 4706 A new trust was created to a domain A new trust was created to a domain A new trust was created to a domain.
224 4707 A trust to a domain was removed
225 4709 IPsec Services was started
226 4710 IPsec Services was disabled
227 4711 PAStore Engine (1%)
228 4712 IPsec Services encountered a potentially serious failure
229 4713 Kerberos policy was changed Kerberos policy was changed Kerberos policy was changed.
230 4714 Encrypted data recovery policy was changed
231 4715 The audit policy (SACL) on an object was changed
232 4716 Trusted domain information was modified
233 4717 System security access was granted to an account
234 4718 System security access was removed from an account
235 4719 System audit policy was changed
236 4720 A user account was created Account Management
237 4722 A user account was enabled Account Management
238 4723 An attempt was made to change an account's password Account Management
239 4724 An attempt was made to reset an accounts password Account Management
240 4725 A user account was disabled Account Management
241 4726 A user account was deleted Account Management
242 4727 A security-enabled global group was created Account Management
243 4728 A member was added to a security-enabled global group Account Management
244 4729 A member was removed from a security-enabled global group Account Management
245 4730 A security-enabled global group was deleted Account Management
246 4731 A security-enabled local group was created Account Management
247 4732 A member was added to a security-enabled local group Account Management
248 4733 A member was removed from a security-enabled local group Account Management
249 4734 A security-enabled local group was deleted Account Management
250 4735 A security-enabled local group was changed Account Management
251 4737 A security-enabled global group was changed Account Management
252 4738 A user account was changed Account Management
253 4739 Domain Policy was changed Account Management
254 4740 A user account was locked out Account Management
255 4741 A computer account was created Account Management
256 4742 A computer account was changed Account Management
257 4743 A computer account was deleted Account Management
258 4744 A security-disabled local group was created A security-disabled local group was created A security-disabled local group was created.
259 4745 A security-disabled local group was changed Account Management
260 4746 A member was added to a security-disabled local group Account Management
261 4747 A member was removed from a security-disabled local group Account Management
262 4748 A security-disabled local group was deleted Account Management
263 4749 A security-disabled global group was created A security-disabled global group was created A security-disabled global group was created.
264 4750 A security-disabled global group was changed A security-disabled global group was changed A security-disabled global group was changed.
265 4751 A member was added to a security-disabled global group Account Management
266 4752 A member was removed from a security-disabled global group Account Management
267 4753 A security-disabled global group was deleted Account Management
268 4754 A security-enabled universal group was created Account Management
269 4755 A security-enabled universal group was changed Account Management
270 4756 A member was added to a security-enabled universal group Account Management
271 4757 A member was removed from a security-enabled universal group Account Management
272 4758 A security-enabled universal group was deleted Account Management
273 4759 A security-disabled universal group was created A security-disabled universal group was created A security-disabled universal group was created.
274 4760 A security-disabled universal group was changed Account Management
275 4761 A member was added to a security-disabled universal group Account Management
276 4762 A member was removed from a security-disabled universal group Account Management
277 4763 A security-disabled universal group was deleted Account Management
278 4764 A group's type was changed Account Management
279 4765 SID History was added to an account Account Management
280 4766 An attempt to add SID History to an account failed Account Management
281 4767 A user account was unlocked Account Management
282 4768 A Kerberos authentication ticket (TGT) was requested
283 4769 A Kerberos service ticket was requested
284 4770 A Kerberos service ticket was renewed
285 4771 Kerberos pre-authentication failed
286 4772 A Kerberos authentication ticket request failed
287 4773 A Kerberos service ticket request failed
288 4774 An account was mapped for logon
289 4775 An account could not be mapped for logon
290 4776 The domain controller attempted to validate the credentials for an account
291 4777 The domain controller failed to validate the credentials for an account
292 4778 A session was reconnected to a Window Station
293 4779 A session was disconnected from a Window Station
294 4780 The ACL was set on accounts which are members of administrators groups Account Management
295 4781 The name of an account was changed Account Management
296 4782 The password hash an account was accessed Account Management
297 4783 A basic application group was created Account Management
298 4784 A basic application group was changed Account Management
299 4785 A member was added to a basic application group Account Management
300 4786 A member was removed from a basic application group Account Management
301 4787 A non-member was added to a basic application group Account Management
302 4788 A non-member was removed from a basic application group.. Account Management
303 4789 A basic application group was deleted Account Management
304 4790 An LDAP query group was created Account Management
305 4791 A basic application group was changed Account Management
306 4792 An LDAP query group was deleted Account Management
307 4793 The Password Policy Checking API was called API Calls
308 4794 An attempt was made to set the Directory Services Restore Mode administrator password Account Management set the Directory Services Restore Mode administrator password.
309 4798 A user's local group membership was enumerated.
310 4799 A security-enabled local group membership was enumerated
311 4800 The workstation was locked
312 4801 The workstation was unlocked
313 4802 The screen saver was invoked
314 4803 The screen saver was dismissed
315 4816 RPC detected an integrity violation while decrypting an incoming message
316 4817 Auditing settings on object were changed.
317 4864 A namespace collision was detected
318 4865 A trusted forest information entry was added
319 4866 A trusted forest information entry was removed
320 4867 A trusted forest information entry was modified
321 4868 The certificate manager denied a pending certificate request
322 4869 Certificate Services received a resubmitted certificate request
323 4870 Certificate Services revoked a certificate
324 4871 Certificate Services received a request to publish the certificate revocation list (CRL)
325 4872 Certificate Services published the certificate revocation list (CRL)
326 4873 A certificate request extension changed
327 4874 One or more certificate request attributes changed.
328 4875 Certificate Services received a request to shut down
329 4876 Certificate Services backup started Certificate Services backup started Certificate Services backup started.
330 4877 Certificate Services backup completed
331 4878 Certificate Services restore started
332 4879 Certificate Services restore completed
333 4880 Certificate Services started
334 4881 Certificate Services stopped
335 4882 The security permissions for Certificate Services changed
336 4883 Certificate Services retrieved an archived key
337 4884 Certificate Services imported a certificate into its database
338 4885 The audit filter for Certificate Services changed
339 4886 Certificate Services received a certificate request
340 4887 Certificate Services approved a certificate request and issued a certificate
341 4888 Certificate Services denied a certificate request
342 4889 Certificate Services set the status of a certificate request to pending
343 4890 The certificate manager settings for Certificate Services changed.
344 4891 A configuration entry changed in Certificate Services
345 4892 A property of Certificate Services changed
346 4893 Certificate Services archived a key
347 4894 Certificate Services imported and archived a key
348 4895 Certificate Services published the CA certificate to Active Directory Domain Services
349 4896 One or more rows have been deleted from the certificate database
350 4897 Role separation enabled
351 4898 Certificate Services loaded a template
352 4899 A Certificate Services template was updated
353 4900 Certificate Services template security was updated
354 4902 The Per-user audit policy table was created
355 4904 An attempt was made to register a security event source
356 4905 An attempt was made to unregister a security event source
357 4906 The CrashOnAuditFail value has changed
358 4907 Auditing settings on object were changed
359 4908 Special Groups Logon table modified
360 4909 The local policy settings for the TBS were changed
361 4910 The group policy settings for the TBS were changed
362 4912 Per User Audit Policy was changed
363 4928 An Active Directory replica source naming context was established
364 4929 An Active Directory replica source naming context was removed
365 4930 An Active Directory replica source naming context was modified
366 4931 An Active Directory replica destination naming context was modified
367 4932 Synchronization of a replica of an Active Directory naming context has begun
368 4933 Synchronization of a replica of an Active Directory naming context has ended
369 4934 Attributes of an Active Directory object were replicated
370 4935 Replication failure begins
371 4936 Replication failure ends
372 4937 A lingering object was removed from a replica
373 4944 The following policy was active when the Windows Firewall started
374 4945 A rule was listed when the Windows Firewall started
375 4946 A change has been made to Windows Firewall exception list. A rule was added
376 4947 A change has been made to Windows Firewall exception list. A rule was modified
377 4948 A change has been made to Windows Firewall exception list. A rule was deleted
378 4949 Windows Firewall settings were restored to the default values
379 4950 A Windows Firewall setting has changed
380 4951 A rule has been ignored because its major version number was not recognized by Windows Firewall
381 4952 Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall
382 4953 A rule has been ignored by Windows Firewall because it could not parse the rule
383 4954 Windows Firewall Group Policy settings has changed. The new settings have been applied
384 4956 Windows Firewall has changed the active profile
385 4957 Windows Firewall did not apply the following rule
386 4958 Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
387 4960 IPsec dropped an inbound packet that failed an integrity check
388 4961 IPsec dropped an inbound packet that failed a replay check
389 4962 IPsec dropped an inbound packet that failed a replay check
390 4963 IPsec dropped an inbound clear text packet that should have been secured
391 4964 Special groups have been assigned to a new logon
392 4965 IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI).
393 4976 During Main Mode negotiation, IPsec received an invalid negotiation packet.
394 4977 During Quick Mode negotiation, IPsec received an invalid negotiation packet.
395 4978 During Extended Mode negotiation, IPsec received an invalid negotiation packet.
396 4979 IPsec Main Mode and Extended Mode security associations were established.
397 4980 IPsec Main Mode and Extended Mode security associations were established
398 4981 IPsec Main Mode and Extended Mode security associations were established
399 4982 IPsec Main Mode and Extended Mode security associations were established
400 4983 An IPsec Extended Mode negotiation failed
401 4984 An IPsec Extended Mode negotiation failed
402 4985 The state of a transaction has changed
403 5024 The Windows Firewall Service has started successfully
404 5025 The Windows Firewall Service has been stopped
405 5027 The Windows Firewall Service was unable to retrieve the security policy from the local storage
406 5028 The Windows Firewall Service was unable to parse the new security policy.
407 5029 The Windows Firewall Service failed to initialize the driver
408 5030 The Windows Firewall Service failed to start
409 5031 The Windows Firewall Service blocked an application from accepting incoming connections on the network.
410 5032 Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network
411 5033 The Windows Firewall Driver has started successfully
412 5034 The Windows Firewall Driver has been stopped
413 5035 The Windows Firewall Driver failed to start
414 5037 The Windows Firewall Driver detected critical runtime error. Terminating
415 5038 Code integrity determined that the image hash of a file is not valid
416 5039 A registry key was virtualized.
417 5040 A change has been made to IPsec settings. An Authentication Set was added.
418 5041 A change has been made to IPsec settings. An Authentication Set was modified
419 5042 A change has been made to IPsec settings. An Authentication Set was deleted
420 5043 A change has been made to IPsec settings. A Connection Security Rule was added
421 5044 A change has been made to IPsec settings. A Connection Security Rule was modified
422 5045 A change has been made to IPsec settings. A Connection Security Rule was deleted
423 5046 A change has been made to IPsec settings. A Crypto Set was added
424 5047 A change has been made to IPsec settings. A Crypto Set was modified
425 5048 A change has been made to IPsec settings. A Crypto Set was deleted
426 5049 An IPsec Security Association was deleted
427 5050 An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE
428 5051 A file was virtualized
429 5056 A cryptographic self test was performed
430 5057 A cryptographic primitive operation failed
431 5058 Key file operation
432 5059 Key migration operation
433 5060 Verification operation failed
434 5061 Cryptographic operation
435 5062 A kernel-mode cryptographic self test was performed
436 5063 A cryptographic provider operation was attempted
437 5064 A cryptographic context operation was attempted
438 5065 A cryptographic context modification was attempted
439 5066 A cryptographic function operation was attempted
440 5067 A cryptographic function modification was attempted
441 5068 A cryptographic function provider operation was attempted
442 5069 A cryptographic function property operation was attempted
443 5070 A cryptographic function property operation was attempted
444 5120 OCSP Responder Service Started
445 5121 OCSP Responder Service Stopped
446 5122 A Configuration entry changed in the OCSP Responder Service
447 5123 A configuration entry changed in the OCSP Responder Service
448 5124 A security setting was updated on OCSP Responder Service
449 5125 A request was submitted to OCSP Responder Service
450 5126 Signing Certificate was automatically updated by the OCSP Responder Service
451 5127 The OCSP Revocation Provider successfully updated the revocation information
452 5136 A directory service object was modified
453 5137 A directory service object was created
454 5138 A directory service object was undeleted
455 5139 A directory service object was moved
456 5140 A network share object was accessed
457 5141 A directory service object was deleted
458 5142 A network share object was added.
459 5143 A network share object was modified
460 5144 A network share object was deleted.
461 5145 A network share object was checked to see whether client can be granted desired access
462 5148 The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
463 5149 The DoS attack has subsided and normal processing is being resumed.
464 5150 The Windows Filtering Platform has blocked a packet.
465 5151 A more restrictive Windows Filtering Platform filter has blocked a packet.
466 5152 The Windows Filtering Platform blocked a packet
467 5153 A more restrictive Windows Filtering Platform filter has blocked a packet
468 5154 The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections
469 5155 The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections
470 5156 The Windows Filtering Platform has allowed a connection
471 5157 The Windows Filtering Platform has blocked a connection
472 5158 The Windows Filtering Platform has permitted a bind to a local port
473 5159 The Windows Filtering Platform has blocked a bind to a local port
474 5168 Spn check for SMB/SMB2 fails.
475 5376 Credential Manager credentials were backed up Account Management
476 5377 Credential Manager credentials were restored from a backup Account Management
477 5378 The requested credentials delegation was disallowed by policy
478 5440 The following callout was present when the Windows Filtering Platform Base Filtering Engine started
479 5441 The following filter was present when the Windows Filtering Platform Base Filtering Engine started
480 5442 The following provider was present when the Windows Filtering Platform Base Filtering Engine started
481 5443 The following provider context was present when the Windows Filtering Platform Base Filtering Engine started
482 5444 The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started
483 5446 A Windows Filtering Platform callout has been changed
484 5447 A Windows Filtering Platform filter has been changed
485 5448 A Windows Filtering Platform provider has been changed
486 5449 A Windows Filtering Platform provider context has been changed
487 5450 A Windows Filtering Platform sub-layer has been changed
488 5451 An IPsec Quick Mode security association was established
489 5452 An IPsec Quick Mode security association ended
490 5453 An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started
491 5456 PAStore Engine applied Active Directory storage IPsec policy on the computer
492 5457 PAStore Engine failed to apply Active Directory storage IPsec policy on the computer
493 5458 PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer
494 5459 PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer
495 5460 PAStore Engine applied local registry storage IPsec policy on the computer
496 5461 PAStore Engine failed to apply local registry storage IPsec policy on the computer
497 5462 PAStore Engine failed to apply some rules of the active IPsec policy on the computer
498 5463 PAStore Engine polled for changes to the active IPsec policy and detected no changes
499 5464 PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services
500 5465 PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully
501 5466 PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead
502 5467 PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy
503 5468 PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes
504 5471 PAStore Engine loaded local storage IPsec policy on the computer
505 5472 PAStore Engine failed to load local storage IPsec policy on the computer
506 5473 PAStore Engine loaded directory storage IPsec policy on the computer
507 5474 PAStore Engine failed to load directory storage IPsec policy on the computer
508 5477 PAStore Engine failed to add quick mode filter
509 5478 IPsec Services has started successfully
510 5479 IPsec Services has been shut down successfully
511 5480 IPsec Services failed to get the complete list of network interfaces on the computer
512 5483 IPsec Services failed to initialize RPC server. IPsec Services could not be started
513 5484 IPsec Services has experienced a critical failure and has been shut down
514 5485 IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces
515 5632 A request was made to authenticate to a wireless network
516 5633 A request was made to authenticate to a wired network
517 5712 A Remote Procedure Call (RPC) was attempted
518 5888 An object in the COM+ Catalog was modified
519 5889 An object was deleted from the COM+ Catalog
520 5890 An object was added to the COM+ Catalog
521 6144 Security policy in the group policy objects has been applied successfully
522 6145 One or more errors occured while processing security policy in the group policy objects
523 6272 Network Policy Server granted access to a user
524 6273 Network Policy Server denied access to a user
525 6274 Network Policy Server discarded the request for a user
526 6275 Network Policy Server discarded the accounting request for a user
527 6276 Network Policy Server quarantined a user
528 6277 Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy
529 6278 Network Policy Server granted full access to a user because the host met the defined health policy
530 6279 Network Policy Server locked the user account due to repeated failed authentication attempts
531 6280 Network Policy Server unlocked the user account
532 6281 Code Integrity determined that the page hashes of an image file are not valid...
533 6400 BranchCache: Received an incorrectly formatted response while discovering availability of content.
534 6401 BranchCache: Received invalid data from a peer. Data discarded.
535 6402 BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
536 6403 BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.
537 6404 BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
538 6405 BranchCache: %2 instance(s) of event id %1 occurred.
539 6406 %1 registered to Windows Firewall to control filtering for the following:
540 6407 %1
541 6408 Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.

41
deployment-apps/Splunk_TA_windows/lookups/windows_signatures_substatus_850.csv
Unescape View File

@ -0,0 +1,41 @@
signature_id,Sub_Status,signature
4625,0xc0000064,"User logon with misspelled or bad user account"
4625,0xC0000064,"User logon with misspelled or bad user account"
4625,0xc000006a,"User logon with misspelled or bad password"
4625,0xC000006A,"User logon with misspelled or bad password"
4625,0xc0000234,"User logon with account locked"
4625,0xC0000234,"User logon with account locked"
4625,0xc0000072,"User logon to account disabled by administrator"
4625,0xC0000072,"User logon to account disabled by administrator"
4625,0xc000006f,"User logon outside authorized hours"
4625,0xC000006F,"User logon outside authorized hours"
4625,0xc0000070,"User logon from unauthorized workstation"
4625,0xC0000070,"User logon from unauthorized workstation"
4625,0xc0000193,"User logon with expired account"
4625,0xC0000193,"User logon with expired account"
4625,0xc0000071,"User logon with expired password"
4625,0xC0000071,"User logon with expired password"
4625,0xc0000133,"Clocks between DC and other computer too far out of sync"
4625,0xC0000133,"Clocks between DC and other computer too far out of sync"
4625,0xc0000224,"User is required to change password at next logon"
4625,0xC0000224,"User is required to change password at next logon"
4625,0xc0000225,"Evidently a bug in Windows and not a risk"
4625,0xC0000225,"Evidently a bug in Windows and not a risk"
4625,0xc000005e,"There are currently no logon servers available to service the logon request"
4625,0xC000005E,"There are currently no logon servers available to service the logon request"
4625,0xc000006d,"The cause is either a bad username or authentication information"
4625,0xC000006D,"The cause is either a bad username or authentication information"
4625,0xc000006e,"Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions)"
4625,0xC000006E,"Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions)"
4625,0xc00000dc,"Indicates the Sam Server was in the wrong state to perform the desired operation"
4625,0xC00000DC,"Indicates the Sam Server was in the wrong state to perform the desired operation"
4625,0xc000015b,"The user has not been granted the requested logon type (also called the logon right) at this machine"
4625,0xC000015B,"The user has not been granted the requested logon type (also called the logon right) at this machine"
4625,0xc000018c,"The logon request failed because the trust relationship between the primary domain and the trusted domain failed"
4625,0xC000018C,"The logon request failed because the trust relationship between the primary domain and the trusted domain failed"
4625,0xc0000192,"An attempt was made to logon, but the Netlogon service was not started"
4625,0xC0000192,"An attempt was made to logon, but the Netlogon service was not started"
4625,0xc00002ee,"Failure Reason: An Error occurred during Logon"
4625,0xC00002EE,"Failure Reason: An Error occurred during Logon"
4625,0xc0000413,"Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine"
4625,0xC0000413,"Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine"
1 signature_id Sub_Status signature
2 4625 0xc0000064 User logon with misspelled or bad user account
3 4625 0xC0000064 User logon with misspelled or bad user account
4 4625 0xc000006a User logon with misspelled or bad password
5 4625 0xC000006A User logon with misspelled or bad password
6 4625 0xc0000234 User logon with account locked
7 4625 0xC0000234 User logon with account locked
8 4625 0xc0000072 User logon to account disabled by administrator
9 4625 0xC0000072 User logon to account disabled by administrator
10 4625 0xc000006f User logon outside authorized hours
11 4625 0xC000006F User logon outside authorized hours
12 4625 0xc0000070 User logon from unauthorized workstation
13 4625 0xC0000070 User logon from unauthorized workstation
14 4625 0xc0000193 User logon with expired account
15 4625 0xC0000193 User logon with expired account
16 4625 0xc0000071 User logon with expired password
17 4625 0xC0000071 User logon with expired password
18 4625 0xc0000133 Clocks between DC and other computer too far out of sync
19 4625 0xC0000133 Clocks between DC and other computer too far out of sync
20 4625 0xc0000224 User is required to change password at next logon
21 4625 0xC0000224 User is required to change password at next logon
22 4625 0xc0000225 Evidently a bug in Windows and not a risk
23 4625 0xC0000225 Evidently a bug in Windows and not a risk
24 4625 0xc000005e There are currently no logon servers available to service the logon request
25 4625 0xC000005E There are currently no logon servers available to service the logon request
26 4625 0xc000006d The cause is either a bad username or authentication information
27 4625 0xC000006D The cause is either a bad username or authentication information
28 4625 0xc000006e Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions)
29 4625 0xC000006E Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions)
30 4625 0xc00000dc Indicates the Sam Server was in the wrong state to perform the desired operation
31 4625 0xC00000DC Indicates the Sam Server was in the wrong state to perform the desired operation
32 4625 0xc000015b The user has not been granted the requested logon type (also called the logon right) at this machine
33 4625 0xC000015B The user has not been granted the requested logon type (also called the logon right) at this machine
34 4625 0xc000018c The logon request failed because the trust relationship between the primary domain and the trusted domain failed
35 4625 0xC000018C The logon request failed because the trust relationship between the primary domain and the trusted domain failed
36 4625 0xc0000192 An attempt was made to logon, but the Netlogon service was not started
37 4625 0xC0000192 An attempt was made to logon, but the Netlogon service was not started
38 4625 0xc00002ee Failure Reason: An Error occurred during Logon
39 4625 0xC00002EE Failure Reason: An Error occurred during Logon
40 4625 0xc0000413 Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
41 4625 0xC0000413 Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine

6
deployment-apps/Splunk_TA_windows/lookups/windows_start_mode_lookup.csv
Unescape View File

@ -0,0 +1,6 @@
StartType,start_mode
disabled,disabled
"auto start",auto
"demand start",manual
"boot start",auto
"system start",auto
1 StartType start_mode
2 disabled disabled
3 auto start auto
4 demand start manual
5 boot start auto
6 system start auto

3
deployment-apps/Splunk_TA_windows/lookups/windows_timesync_actions.csv
Unescape View File

@ -0,0 +1,3 @@
Last_Sync_Error,windows_action
0*,success
*,failure
1 Last_Sync_Error windows_action
2 0* success
3 * failure

10
deployment-apps/Splunk_TA_windows/lookups/windows_update_statii.csv
Unescape View File

@ -0,0 +1,10 @@
sourcetype,EventCode,vendor_status,status
WMI:InstalledUpdates,,,installed
,17,,available
,18,,available
,19,,installed
,,"Installation Ready",available
,,"Installation Successful",installed
,,"Restart Required","restart required"
,,"Installation successful and restart required","restart required"
,,"Installation Failure",failure
1 sourcetype EventCode vendor_status status
2 WMI:InstalledUpdates installed
3 17 available
4 18 available
5 19 installed
6 Installation Ready available
7 Installation Successful installed
8 Restart Required restart required
9 Installation successful and restart required restart required
10 Installation Failure failure

36
deployment-apps/Splunk_TA_windows/lookups/windows_wineventlog_change_action_900.csv
Unescape View File

@ -0,0 +1,36 @@
EventCode,action,status
5461,modified,failure
1100,,stopped
4697,,started
5024,,started
5025,,stopped
5033,,started
5034,,stopped
5478,,started
4706,modified,success
4713,modified,success
4727,created,success
4728,modified,success
4729,modified,success
4730,deleted,success
4731,created,success
4733,modified,success
4734,deleted,success
4735,modified,success
4737,modified,success
4744,created,success
4749,created,success
4750,modified,success
4754,created,success
4755,modified,success
4756,modified,success
4757,modified,success
4758,deleted,success
4759,created,success
4764,modified,success
4794,modified,success
4799,read,success
4876,read,success
5156,allowed,success
5157,blocked,success
4798,read,success
1 EventCode action status
2 5461 modified failure
3 1100 stopped
4 4697 started
5 5024 started
6 5025 stopped
7 5033 started
8 5034 stopped
9 5478 started
10 4706 modified success
11 4713 modified success
12 4727 created success
13 4728 modified success
14 4729 modified success
15 4730 deleted success
16 4731 created success
17 4733 modified success
18 4734 deleted success
19 4735 modified success
20 4737 modified success
21 4744 created success
22 4749 created success
23 4750 modified success
24 4754 created success
25 4755 modified success
26 4756 modified success
27 4757 modified success
28 4758 deleted success
29 4759 created success
30 4764 modified success
31 4794 modified success
32 4799 read success
33 4876 read success
34 5156 allowed success
35 5157 blocked success
36 4798 read success

60
deployment-apps/Splunk_TA_windows/lookups/windows_wineventlog_change_object_fields_900.csv
Unescape View File

@ -0,0 +1,60 @@
EventCode,change_type,object_attrs,object_category,result
1100,,service,,
1101,audit,transport,audit,
1102,,registry,,The audit log was cleared
1108,audit,Microsoft-Windows-Security-Auditing,audit,
4706,AAA,domain trust,directory service,A new trust was created to a domain
4713,AAA,Kerberos policy,directory service,Kerberos policy was changed
4719,audit,Kerberos Authentication Service,audit policy,System audit policy was changed
4717,AAA,,security access,access was granted
4718,AAA,,security access,account was removed
4720,,account,,A user account was created
4722,,account,,A user account was enabled
4723,,account,,An attempt was made to change an account's password
4724,,account,,An attempt was made to reset an account's password
4725,,account,,A user account was disabled
4726,,account,,A user account was deleted
4727,AAA,global group,group,A security-enabled global group was created
4728,AAA,,user,A member was added to a security-enabled global group
4729,AAA,,user,A member was removed from a security-enabled global group
4730,AAA,global group,group,A security-enabled global group was deleted
4731,AAA,local group,group,A security-enabled local group was created
4732,AAA,,user,A member was added to a security-enabled local group
4733,AAA,,user,A member was removed from a security-enabled local group
4734,AAA,local group,group,A security-enabled local group was deleted
4735,AAA,local group,group,A security-enabled local group was changed
4737,AAA,global group,group,A security-enabled global group was changed
4738,,account,,A user account was changed
4739,AAA,domain policy,global group,Domain Policy was changed
4740,,account,,A user account was locked out
4741,,computer account,,account was created
4742,,computer account,,account was changed
4743,,computer account,,account was deleted
4744,AAA,security-disabled local group,user group,A security-disabled local group was created
4749,AAA,security-disabled global group,user group,A security-disabled global group was created
4750,AAA,security-disabled global group,user group,A security-disabled global group was changed
4753,AAA,,global group,group was deleted
4754,AAA,universal group,group,A security-enabled universal group was created
4755,AAA,universal group,group,A security-enabled universal group was changed
4756,AAA,,user,A member was added to a security-enabled universal group
4757,AAA,,user,A member was removed from a security-enabled universal group
4758,AAA,universal group,group,A security-enabled universal group was deleted
4759,AAA,security-disabled universal group,user group,A security-disabled universal group was created
4764,AAA,,group,A group's type was changed
4767,AAA,account,user,A user account was unlocked
4781,AAA,account,user,The name of an account was changed
5461,AAA,registry,policy,failed
4703,,account,,A token right was adjusted
4704,,account,,A user right was assigned
4705,,account,,A user right was removed
4800,AAA,workstation,user,The workstation was locked
4801,AAA,workstation,user,The workstation was unlocked
4876,AAA,Certificate Services,database,Certificate Services backup started
4634,,login session,,An account was logged off
4698,,,,A scheduled task was created
4700,,,,A scheduled task was enabled
4701,,,,A scheduled task was disabled
4702,,,,A scheduled task was updated
4794,AAA,Directory Services Restore Mode,user,set the Directory Services Restore Mode administrator password
4799,AAA,local group,group,A security-enabled local group membership was enumerated
4798,,local group,,A user's local group membership was enumerated
1 EventCode change_type object_attrs object_category result
2 1100 service
3 1101 audit transport audit
4 1102 registry The audit log was cleared
5 1108 audit Microsoft-Windows-Security-Auditing audit
6 4706 AAA domain trust directory service A new trust was created to a domain
7 4713 AAA Kerberos policy directory service Kerberos policy was changed
8 4719 audit Kerberos Authentication Service audit policy System audit policy was changed
9 4717 AAA security access access was granted
10 4718 AAA security access account was removed
11 4720 account A user account was created
12 4722 account A user account was enabled
13 4723 account An attempt was made to change an account's password
14 4724 account An attempt was made to reset an account's password
15 4725 account A user account was disabled
16 4726 account A user account was deleted
17 4727 AAA global group group A security-enabled global group was created
18 4728 AAA user A member was added to a security-enabled global group
19 4729 AAA user A member was removed from a security-enabled global group
20 4730 AAA global group group A security-enabled global group was deleted
21 4731 AAA local group group A security-enabled local group was created
22 4732 AAA user A member was added to a security-enabled local group
23 4733 AAA user A member was removed from a security-enabled local group
24 4734 AAA local group group A security-enabled local group was deleted
25 4735 AAA local group group A security-enabled local group was changed
26 4737 AAA global group group A security-enabled global group was changed
27 4738 account A user account was changed
28 4739 AAA domain policy global group Domain Policy was changed
29 4740 account A user account was locked out
30 4741 computer account account was created
31 4742 computer account account was changed
32 4743 computer account account was deleted
33 4744 AAA security-disabled local group user group A security-disabled local group was created
34 4749 AAA security-disabled global group user group A security-disabled global group was created
35 4750 AAA security-disabled global group user group A security-disabled global group was changed
36 4753 AAA global group group was deleted
37 4754 AAA universal group group A security-enabled universal group was created
38 4755 AAA universal group group A security-enabled universal group was changed
39 4756 AAA user A member was added to a security-enabled universal group
40 4757 AAA user A member was removed from a security-enabled universal group
41 4758 AAA universal group group A security-enabled universal group was deleted
42 4759 AAA security-disabled universal group user group A security-disabled universal group was created
43 4764 AAA group A group's type was changed
44 4767 AAA account user A user account was unlocked
45 4781 AAA account user The name of an account was changed
46 5461 AAA registry policy failed
47 4703 account A token right was adjusted
48 4704 account A user right was assigned
49 4705 account A user right was removed
50 4800 AAA workstation user The workstation was locked
51 4801 AAA workstation user The workstation was unlocked
52 4876 AAA Certificate Services database Certificate Services backup started
53 4634 login session An account was logged off
54 4698 A scheduled task was created
55 4700 A scheduled task was enabled
56 4701 A scheduled task was disabled
57 4702 A scheduled task was updated
58 4794 AAA Directory Services Restore Mode user set the Directory Services Restore Mode administrator password
59 4799 AAA local group group A security-enabled local group membership was enumerated
60 4798 local group A user's local group membership was enumerated

3
deployment-apps/Splunk_TA_windows/lookups/wmi_user_account_status.csv
Unescape View File

@ -0,0 +1,3 @@
status,enabled
OK,true
Degraded,false
1 status enabled
2 OK true
3 Degraded false

2
deployment-apps/Splunk_TA_windows/lookups/wmi_version_range.csv
Unescape View File

@ -0,0 +1,2 @@
sourcetype,range
WMI:Version,windows
1 sourcetype range
2 WMI:Version windows

53
deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_change_audit_and_account_management_900.csv
Unescape View File

@ -0,0 +1,53 @@
EventCode,object_attrs,result
1100,service,
1102,registry,The audit log was cleared
4720,account,A user account was created
4741,computer account,account was created
4722,account,A user account was enabled
4723,account,An attempt was made to change an account's password
4724,account,An attempt was made to reset an account's password
4725,account,A user account was disabled
4726,account,A user account was deleted
4743,computer account,account was deleted
4738,account,A user account was changed
4742,computer account,account was changed
4740,account,A user account was locked out
4767,account,A user account was unlocked
1101,transport,
1108,Microsoft-Windows-Security-Auditing,
4719,Kerberos Authentication Service,System audit policy was changed
4717,,access was granted
4718,,account was removed
4727,global group,A security-enabled global group was created
4728,,A member was added to a security-enabled global group
4729,,A member was removed from a security-enabled global group
4730,global group,A security-enabled global group was deleted
4731,local group,A security-enabled local group was created
4732,,A member was added to a security-enabled local group
4733,,A member was removed from a security-enabled local group
4734,local group,A security-enabled local group was deleted
4735,local group,A security-enabled local group was changed
4737,global group,A security-enabled global group was changed
4739,domain policy,Domain Policy was changed
4750,,group was changed
4753,,group was deleted
4754,universal group,A security-enabled universal group was created
4755,universal group,A security-enabled universal group was changed
4756,,A member was added to a security-enabled universal group
4757,,A member was removed from a security-enabled universal group
4758,universal group,A security-enabled universal group was deleted
4764,,A group's type was changed
4799,local group,A security-enabled local group membership was enumerated
4781,account,The name of an account was changed
4703,account,A token right was adjusted
4704,account,A user right was assigned
4705,account,A user right was removed
4800,workstation,The workstation was locked
4801,workstation,The workstation was unlocked
4634,login session,An account was logged off
4698,,A scheduled task was created
4700,,A scheduled task was enabled
4701,,A scheduled task was disabled
4702,,A scheduled task was updated
4794,Directory Services Restore Mode,set the Directory Services Restore Mode administrator password
4798,local group,A user's local group membership was enumerated
1 EventCode object_attrs result
2 1100 service
3 1102 registry The audit log was cleared
4 4720 account A user account was created
5 4741 computer account account was created
6 4722 account A user account was enabled
7 4723 account An attempt was made to change an account's password
8 4724 account An attempt was made to reset an account's password
9 4725 account A user account was disabled
10 4726 account A user account was deleted
11 4743 computer account account was deleted
12 4738 account A user account was changed
13 4742 computer account account was changed
14 4740 account A user account was locked out
15 4767 account A user account was unlocked
16 1101 transport
17 1108 Microsoft-Windows-Security-Auditing
18 4719 Kerberos Authentication Service System audit policy was changed
19 4717 access was granted
20 4718 account was removed
21 4727 global group A security-enabled global group was created
22 4728 A member was added to a security-enabled global group
23 4729 A member was removed from a security-enabled global group
24 4730 global group A security-enabled global group was deleted
25 4731 local group A security-enabled local group was created
26 4732 A member was added to a security-enabled local group
27 4733 A member was removed from a security-enabled local group
28 4734 local group A security-enabled local group was deleted
29 4735 local group A security-enabled local group was changed
30 4737 global group A security-enabled global group was changed
31 4739 domain policy Domain Policy was changed
32 4750 group was changed
33 4753 group was deleted
34 4754 universal group A security-enabled universal group was created
35 4755 universal group A security-enabled universal group was changed
36 4756 A member was added to a security-enabled universal group
37 4757 A member was removed from a security-enabled universal group
38 4758 universal group A security-enabled universal group was deleted
39 4764 A group's type was changed
40 4799 local group A security-enabled local group membership was enumerated
41 4781 account The name of an account was changed
42 4703 account A token right was adjusted
43 4704 account A user right was assigned
44 4705 account A user right was removed
45 4800 workstation The workstation was locked
46 4801 workstation The workstation was unlocked
47 4634 login session An account was logged off
48 4698 A scheduled task was created
49 4700 A scheduled task was enabled
50 4701 A scheduled task was disabled
51 4702 A scheduled task was updated
52 4794 Directory Services Restore Mode set the Directory Services Restore Mode administrator password
53 4798 local group A user's local group membership was enumerated

362
deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_action.csv
Unescape View File

@ -0,0 +1,362 @@
EventCode,action,Category,Subcategory,message,os
4608,success,System,Security State Change,Windows is starting up.,"Windows Vista, Windows Server 2008"
4609,unknown,System,Security State Change,Windows is shutting down.,"Windows Vista, Windows Server 2008"
4610,unknown,System,Security System Extension,An authentication package has been loaded by the Local Security Authority.,"Windows Vista, Windows Server 2008"
4611,success,System,Security System Extension,A trusted logon process has been registered with the Local Security Authority.,"Windows Vista, Windows Server 2008"
4612,unknown,System,System Integrity,"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.","Windows Vista, Windows Server 2008"
4614,unknown,System,Security System Extension,A notification package has been loaded by the Security Account Manager.,"Windows Vista, Windows Server 2008"
4615,unknown,System,System Integrity,Invalid use of LPC port.,"Windows Vista, Windows Server 2008"
4616,success,System,Security State Change,The system time was changed.,"Windows Vista, Windows Server 2008"
4618,unknown,System,System Integrity,A monitored security event pattern has occurred.,"Windows Vista, Windows Server 2008"
4621,unknown,System,Security State Change,Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.,"Windows Vista, Windows Server 2008"
4622,unknown,System,Security System Extension,A security package has been loaded by the Local Security Authority.,"Windows Vista, Windows Server 2008"
4624,success,Logon/Logoff,Logon,An account was successfully logged on.,"Windows Vista, Windows Server 2008"
4626,unknown,Logon/Logoff,Logon,User/Device claims information.,"Windows 8, Windows Server 2012"
4634,success,Logon/Logoff,Logoff,An account was logged off.,"Windows Vista, Windows Server 2008"
4646,unknown,Logon/Logoff,IPsec Main Mode,IKE DoS-prevention mode started.,"Windows Vista, Windows Server 2008"
4647,success,Logon/Logoff,Logoff,User initiated logoff.,"Windows Vista, Windows Server 2008"
4648,success,Logon/Logoff,Logon,A logon was attempted using explicit credentials.,"Windows Vista, Windows Server 2008"
4649,unknown,Logon/Logoff,Other Logon/Logoff Events,A replay attack was detected.,"Windows Vista, Windows Server 2008"
4650,unknown,Logon/Logoff,IPsec Main Mode,An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.,"Windows Vista, Windows Server 2008"
4651,unknown,Logon/Logoff,IPsec Main Mode,An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.,"Windows Vista, Windows Server 2008"
4652,unknown,Logon/Logoff,IPsec Main Mode,An IPsec Main Mode negotiation failed.,"Windows Vista, Windows Server 2008"
4653,failure,Logon/Logoff,IPsec Main Mode,An IPsec Main Mode negotiation failed.,"Windows Vista, Windows Server 2008"
4654,unknown,Logon/Logoff,IPsec Quick Mode,An IPsec Quick Mode negotiation failed.,"Windows Vista, Windows Server 2008"
4655,unknown,Logon/Logoff,IPsec Main Mode,An IPsec Main Mode security association ended.,"Windows Vista, Windows Server 2008"
4656,failure,Object Access,Handle Manipulation,A handle to an object was requested.,"Windows Vista, Windows Server 2008"
4657,unknown,Object Access,Registry,A registry value was modified.,"Windows Vista, Windows Server 2008"
4658,success,Object Access,Handle Manipulation,The handle to an object was closed.,"Windows Vista, Windows Server 2008"
4659,unknown,Object Access,Special,A handle to an object was requested with intent to delete.,"Windows Vista, Windows Server 2008"
4660,unknown,Object Access,Special,An object was deleted.,"Windows Vista, Windows Server 2008"
4661,success,Object Access,Special,A handle to an object was requested.,"Windows Vista, Windows Server 2008"
4662,success,DS Access,Directory Service Access,An operation was performed on an object.,"Windows Vista, Windows Server 2008"
4663,success,Object Access,Special,An attempt was made to access an object.,"Windows Vista, Windows Server 2008"
4664,success,Object Access,File System,An attempt was made to create a hard link.,"Windows Vista, Windows Server 2008"
4665,unknown,Object Access,Application Generated,An attempt was made to create an application client context.,"Windows Vista, Windows Server 2008"
4666,unknown,Object Access,Application Generated,An application attempted an operation:,"Windows Vista, Windows Server 2008"
4667,unknown,Object Access,Application Generated,An application client context was deleted.,"Windows Vista, Windows Server 2008"
4668,unknown,Object Access,Application Generated,An application was initialized.,"Windows Vista, Windows Server 2008"
4670,success,Policy Change,Subcategory (special),Permissions on an object were changed.,"Windows Vista, Windows Server 2008"
4671,unknown,Object Access,Other Object Access Events,An application attempted to access a blocked ordinal through the TBS.,"Windows Vista, Windows Server 2008"
4672,success,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,Special privileges assigned to new logon.,"Windows Vista, Windows Server 2008"
4673,failure,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,A privileged service was called.,"Windows Vista, Windows Server 2008"
4674,success,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,An operation was attempted on a privileged object.,"Windows Vista, Windows Server 2008"
4675,unknown,Logon/Logoff,Logon,SIDs were filtered.,"Windows Vista, Windows Server 2008"
4688,success,Detailed Tracking,Process Creation,A new process has been created.,"Windows Vista, Windows Server 2008"
4689,success,Detailed Tracking,Process Termination,A process has exited.,"Windows Vista, Windows Server 2008"
4690,success,Object Access,Handle Manipulation,An attempt was made to duplicate a handle to an object.,"Windows Vista, Windows Server 2008"
4691,unknown,Object Access,Other Object Access Events,Indirect access to an object was requested.,"Windows Vista, Windows Server 2008"
4692,unknown,Detailed Tracking,DPAPI Activity,Backup of data protection master key was attempted.,"Windows Vista, Windows Server 2008"
4693,unknown,Detailed Tracking,DPAPI Activity,Recovery of data protection master key was attempted.,"Windows Vista, Windows Server 2008"
4694,unknown,Detailed Tracking,DPAPI Activity,Protection of auditable protected data was attempted.,"Windows Vista, Windows Server 2008"
4695,unknown,Detailed Tracking,DPAPI Activity,Unprotection of auditable protected data was attempted.,"Windows Vista, Windows Server 2008"
4696,unknown,Detailed Tracking,Process Creation,A primary token was assigned to process.,"Windows Vista, Windows Server 2008"
4697,unknown,System,Security System Extension,A service was installed in the system.,"Windows Vista, Windows Server 2008"
4698,unknown,Object Access,Other Object Access Events,A scheduled task was created.,"Windows Vista, Windows Server 2008"
4699,unknown,Object Access,Other Object Access Events,A scheduled task was deleted.,"Windows Vista, Windows Server 2008"
4700,unknown,Object Access,Other Object Access Events,A scheduled task was enabled.,"Windows Vista, Windows Server 2008"
4701,unknown,Object Access,Other Object Access Events,A scheduled task was disabled.,"Windows Vista, Windows Server 2008"
4702,success,Object Access,Other Object Access Events,A scheduled task was updated.,"Windows Vista, Windows Server 2008"
4704,success,Policy Change,Authorization Policy Change,A user right was assigned.,"Windows Vista, Windows Server 2008"
4705,unknown,Policy Change,Authorization Policy Change,A user right was removed.,"Windows Vista, Windows Server 2008"
4706,unknown,Policy Change,Authorization Policy Change,A new trust was created to a domain.,"Windows Vista, Windows Server 2008"
4707,unknown,Policy Change,Authorization Policy Change,A trust to a domain was removed.,"Windows Vista, Windows Server 2008"
4709,unknown,Policy Change,Filtering Platform Policy Change,IPsec Services was started.,"Windows Vista, Windows Server 2008"
4710,unknown,Policy Change,Filtering Platform Policy Change,IPsec Services was disabled.,"Windows Vista, Windows Server 2008"
4711,unknown,Policy Change,Filtering Platform Policy Change,"May contain any one of the following: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine applied Active Directory storage IPsec policy on the computer.PAStore Engine applied local registry storage IPsec policy on the computer.PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply local registry storage IPsec policy on the computer.PAStore Engine failed to apply some rules of the active IPsec policy on the computer.PAStore Engine failed to load directory storage IPsec policy on the computer.PAStore Engine loaded directory storage IPsec policy on the computer.PAStore Engine failed to load local storage IPsec policy on the computer.PAStore Engine loaded local storage IPsec policy on the computer.PAStore Engine polled for changes to the active IPsec policy and detected no changes.","Windows Vista, Windows Server 2008"
4712,unknown,Policy Change,Filtering Platform Policy Change,IPsec Services encountered a potentially serious failure.,"Windows Vista, Windows Server 2008"
4713,unknown,Policy Change,Authentication Policy Change,Kerberos policy was changed.,"Windows Vista, Windows Server 2008"
4714,unknown,Policy Change,Authorization Policy Change,Encrypted data recovery policy was changed.,"Windows Vista, Windows Server 2008"
4715,unknown,Policy Change,Audit Policy Change,The audit policy (SACL) on an object was changed.,"Windows Vista, Windows Server 2008"
4716,unknown,Policy Change,Authentication Policy Change,Trusted domain information was modified.,"Windows Vista, Windows Server 2008"
4717,success,Policy Change,Authentication Policy Change,System security access was granted to an account.,"Windows Vista, Windows Server 2008"
4718,unknown,Policy Change,Authentication Policy Change,System security access was removed from an account.,"Windows Vista, Windows Server 2008"
4719,unknown,Policy Change,Audit Policy Change,System audit policy was changed.,"Windows Vista, Windows Server 2008"
4720,created,Account Management,User Account Management,A user account was created.,"Windows Vista, Windows Server 2008"
4722,modified,Account Management,User Account Management,A user account was enabled.,"Windows Vista, Windows Server 2008"
4723,modified,Account Management,User Account Management,An attempt was made to change an account's password.,"Windows Vista, Windows Server 2008"
4724,modified,Account Management,User Account Management,An attempt was made to reset an account's password.,"Windows Vista, Windows Server 2008"
4725,modified,Account Management,User Account Management,A user account was disabled.,"Windows Vista, Windows Server 2008"
4726,deleted,Account Management,User Account Management,A user account was deleted.,"Windows Vista, Windows Server 2008"
4727,success,Account Management,Security Group Management,A security-enabled global group was created.,"Windows Vista, Windows Server 2008"
4728,success,Account Management,Security Group Management,A member was added to a security-enabled global group.,"Windows Vista, Windows Server 2008"
4729,success,Account Management,Security Group Management,A member was removed from a security-enabled global group.,"Windows Vista, Windows Server 2008"
4730,unknown,Account Management,Security Group Management,A security-enabled global group was deleted.,"Windows Vista, Windows Server 2008"
4731,unknown,Account Management,Security Group Management,A security-enabled local group was created.,"Windows Vista, Windows Server 2008"
4732,success,Account Management,Security Group Management,A member was added to a security-enabled local group.,"Windows Vista, Windows Server 2008"
4733,success,Account Management,Security Group Management,A member was removed from a security-enabled local group.,"Windows Vista, Windows Server 2008"
4734,unknown,Account Management,Security Group Management,A security-enabled local group was deleted.,"Windows Vista, Windows Server 2008"
4735,success,Account Management,Security Group Management,A security-enabled local group was changed.,"Windows Vista, Windows Server 2008"
4737,success,Account Management,Security Group Management,A security-enabled global group was changed.,"Windows Vista, Windows Server 2008"
4738,modified,Account Management,User Account Management,A user account was changed.,"Windows Vista, Windows Server 2008"
4739,unknown,Policy Change,Authentication Policy Change,Domain Policy was changed.,"Windows Vista, Windows Server 2008"
4740,unknown,Account Management,User Account Management,A user account was locked out.,"Windows Vista, Windows Server 2008"
4742,modified,Account Management,Computer Account Management,A computer account was changed.,"Windows Vista, Windows Server 2008"
4743,unknown,Account Management,Computer Account Management,A computer account was deleted.,"Windows Vista, Windows Server 2008"
4744,unknown,Account Management,Distribution Group Management,A security-disabled local group was created.,"Windows Vista, Windows Server 2008"
4745,unknown,Account Management,Distribution Group Management,A security-disabled local group was changed.,"Windows Vista, Windows Server 2008"
4746,unknown,Account Management,Distribution Group Management,A member was added to a security-disabled local group.,"Windows Vista, Windows Server 2008"
4747,unknown,Account Management,Distribution Group Management,A member was removed from a security-disabled local group.,"Windows Vista, Windows Server 2008"
4748,unknown,Account Management,Distribution Group Management,A security-disabled local group was deleted.,"Windows Vista, Windows Server 2008"
4749,unknown,Account Management,Distribution Group Management,A security-disabled global group was created.,"Windows Vista, Windows Server 2008"
4750,unknown,Account Management,Distribution Group Management,A security-disabled global group was changed.,"Windows Vista, Windows Server 2008"
4751,unknown,Account Management,Distribution Group Management,A member was added to a security-disabled global group.,"Windows Vista, Windows Server 2008"
4752,unknown,Account Management,Distribution Group Management,A member was removed from a security-disabled global group.,"Windows Vista, Windows Server 2008"
4753,unknown,Account Management,Distribution Group Management,A security-disabled global group was deleted.,"Windows Vista, Windows Server 2008"
4754,success,Account Management,Security Group Management,A security-enabled universal group was created.,"Windows Vista, Windows Server 2008"
4755,success,Account Management,Security Group Management,A security-enabled universal group was changed.,"Windows Vista, Windows Server 2008"
4756,success,Account Management,Security Group Management,A member was added to a security-enabled universal group.,"Windows Vista, Windows Server 2008"
4757,success,Account Management,Security Group Management,A member was removed from a security-enabled universal group.,"Windows Vista, Windows Server 2008"
4758,unknown,Account Management,Security Group Management,A security-enabled universal group was deleted.,"Windows Vista, Windows Server 2008"
4759,unknown,Account Management,Distribution Group Management,A security-disabled universal group was created.,"Windows Vista, Windows Server 2008"
4760,unknown,Account Management,Distribution Group Management,A security-disabled universal group was changed.,"Windows Vista, Windows Server 2008"
4761,unknown,Account Management,Distribution Group Management,A member was added to a security-disabled universal group.,"Windows Vista, Windows Server 2008"
4762,unknown,Account Management,Distribution Group Management,A member was removed from a security-disabled universal group.,"Windows Vista, Windows Server 2008"
4764,unknown,Account Management,Security Group Management,A group's type was changed.,"Windows Vista, Windows Server 2008"
4765,unknown,Account Management,User Account Management,SID History was added to an account.,"Windows Vista, Windows Server 2008"
4766,unknown,Account Management,User Account Management,An attempt to add SID History to an account failed.,"Windows Vista, Windows Server 2008"
4767,modified,Account Management,User Account Management,A user account was unlocked.,"Windows Vista, Windows Server 2008"
4770,success,Account Logon,Kerberos Service Ticket Operations,A Kerberos service ticket was renewed.,"Windows Vista, Windows Server 2008"
4772,unknown,Account Logon,Kerberos Authentication Service,A Kerberos authentication ticket request failed.,"Windows Vista, Windows Server 2008"
4774,unknown,Account Logon,Credential Validation,An account was mapped for logon.,"Windows Vista, Windows Server 2008"
4775,unknown,Account Logon,Credential Validation,An account could not be mapped for logon.,"Windows Vista, Windows Server 2008"
4777,unknown,Account Logon,Credential Validation,The domain controller failed to validate the credentials for an account.,"Windows Vista, Windows Server 2008"
4778,success,Logon/Logoff,Other Logon/Logoff Events,A session was reconnected to a Window Station.,"Windows Vista, Windows Server 2008"
4779,success,Logon/Logoff,Other Logon/Logoff Events,A session was disconnected from a Window Station.,"Windows Vista, Windows Server 2008"
4780,success,Account Management,User Account Management,The ACL was set on accounts which are members of administrators groups.,"Windows Vista, Windows Server 2008"
4781,unknown,Account Management,User Account Management,The name of an account was changed:,"Windows Vista, Windows Server 2008"
4782,unknown,Account Management,Other Account Management Events,The password hash an account was accessed.,"Windows Vista, Windows Server 2008"
4783,unknown,Account Management,Application Group Management,A basic application group was created.,"Windows Vista, Windows Server 2008"
4784,unknown,Account Management,Application Group Management,A basic application group was changed.,"Windows Vista, Windows Server 2008"
4785,unknown,Account Management,Application Group Management,A member was added to a basic application group.,"Windows Vista, Windows Server 2008"
4786,unknown,Account Management,Application Group Management,A member was removed from a basic application group.,"Windows Vista, Windows Server 2008"
4787,unknown,Account Management,Application Group Management,A non-member was added to a basic application group.,"Windows Vista, Windows Server 2008"
4788,unknown,Account Management,Application Group Management,A non-member was removed from a basic application group.,"Windows Vista, Windows Server 2008"
4789,unknown,Account Management,Application Group Management,A basic application group was deleted.,"Windows Vista, Windows Server 2008"
4790,unknown,Account Management,Application Group Management,An LDAP query group was created.,"Windows Vista, Windows Server 2008"
4793,unknown,Account Management,Other Account Management Events,The Password Policy Checking API was called.,"Windows Vista, Windows Server 2008"
4794,unknown,Account Management,User Account Management,An attempt was made to set the Directory Services Restore Mode.,"Windows Vista, Windows Server 2008"
4800,success,Logon/Logoff,Other Logon/Logoff Events,The workstation was locked.,"Windows Vista, Windows Server 2008"
4801,unknown,Logon/Logoff,Other Logon/Logoff Events,The workstation was unlocked.,"Windows Vista, Windows Server 2008"
4802,unknown,Logon/Logoff,Other Logon/Logoff Events,The screen saver was invoked.,"Windows Vista, Windows Server 2008"
4803,unknown,Logon/Logoff,Other Logon/Logoff Events,The screen saver was dismissed.,"Windows Vista, Windows Server 2008"
4816,unknown,System,System Integrity,RPC detected an integrity violation while decrypting an incoming message.,"Windows Vista, Windows Server 2008"
4817,unknown,Policy Change,Audit Policy Change,Auditing settings on an object were changed.,"Windows 7, Windows Server 2008 R2"
4818,unknown,Object Access,Central Policy Staging,Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy,"Windows 8, Windows Server 2012"
4819,unknown,Policy Change,Other Policy Change Events,Central Access Policies on the machine have been changed.,"Windows 8, Windows Server 2012"
4864,unknown,Policy Change,Authentication Policy Change,A namespace collision was detected.,"Windows Vista, Windows Server 2008"
4865,unknown,Policy Change,Authentication Policy Change,A trusted forest information entry was added.,"Windows Vista, Windows Server 2008"
4866,unknown,Policy Change,Authentication Policy Change,A trusted forest information entry was removed.,"Windows Vista, Windows Server 2008"
4867,unknown,Policy Change,Authentication Policy Change,A trusted forest information entry was modified.,"Windows Vista, Windows Server 2008"
4868,unknown,Object Access,Certification Services,The certificate manager denied a pending certificate request.,"Windows Vista, Windows Server 2008"
4869,unknown,Object Access,Certification Services,Certificate Services received a resubmitted certificate request.,"Windows Vista, Windows Server 2008"
4870,unknown,Object Access,Certification Services,Certificate Services revoked a certificate.,"Windows Vista, Windows Server 2008"
4871,unknown,Object Access,Certification Services,Certificate Services received a request to publish the certificate revocation list (CRL).,"Windows Vista, Windows Server 2008"
4872,unknown,Object Access,Certification Services,Certificate Services published the certificate revocation list (CRL).,"Windows Vista, Windows Server 2008"
4873,unknown,Object Access,Certification Services,A certificate request extension changed.,"Windows Vista, Windows Server 2008"
4874,unknown,Object Access,Certification Services,One or more certificate request attributes changed.,"Windows Vista, Windows Server 2008"
4875,unknown,Object Access,Certification Services,Certificate Services received a request to shut down.,"Windows Vista, Windows Server 2008"
4876,unknown,Object Access,Certification Services,Certificate Services backup started.,"Windows Vista, Windows Server 2008"
4877,unknown,Object Access,Certification Services,Certificate Services backup completed.,"Windows Vista, Windows Server 2008"
4878,unknown,Object Access,Certification Services,Certificate Services restore started.,"Windows Vista, Windows Server 2008"
4879,unknown,Object Access,Certification Services,Certificate Services restore completed.,"Windows Vista, Windows Server 2008"
4880,unknown,Object Access,Certification Services,Certificate Services started.,"Windows Vista, Windows Server 2008"
4881,unknown,Object Access,Certification Services,Certificate Services stopped.,"Windows Vista, Windows Server 2008"
4882,unknown,Object Access,Certification Services,The security permissions for Certificate Services changed.,"Windows Vista, Windows Server 2008"
4883,unknown,Object Access,Certification Services,Certificate Services retrieved an archived key.,"Windows Vista, Windows Server 2008"
4884,unknown,Object Access,Certification Services,Certificate Services imported a certificate into its database.,"Windows Vista, Windows Server 2008"
4885,unknown,Object Access,Certification Services,The audit filter for Certificate Services changed.,"Windows Vista, Windows Server 2008"
4886,unknown,Object Access,Certification Services,Certificate Services received a certificate request.,"Windows Vista, Windows Server 2008"
4887,unknown,Object Access,Certification Services,Certificate Services approved a certificate request and issued a certificate.,"Windows Vista, Windows Server 2008"
4888,unknown,Object Access,Certification Services,Certificate Services denied a certificate request.,"Windows Vista, Windows Server 2008"
4889,unknown,Object Access,Certification Services,Certificate Services set the status of a certificate request to pending.,"Windows Vista, Windows Server 2008"
4890,unknown,Object Access,Certification Services,The certificate manager settings for Certificate Services changed.,"Windows Vista, Windows Server 2008"
4891,unknown,Object Access,Certification Services,A configuration entry changed in Certificate Services.,"Windows Vista, Windows Server 2008"
4892,unknown,Object Access,Certification Services,A property of Certificate Services changed.,"Windows Vista, Windows Server 2008"
4893,unknown,Object Access,Certification Services,Certificate Services archived a key.,"Windows Vista, Windows Server 2008"
4894,unknown,Object Access,Certification Services,Certificate Services imported and archived a key.,"Windows Vista, Windows Server 2008"
4895,unknown,Object Access,Certification Services,Certificate Services published the CA certificate to Active Directory Domain Services.,"Windows Vista, Windows Server 2008"
4896,unknown,Object Access,Certification Services,One or more rows have been deleted from the certificate database.,"Windows Vista, Windows Server 2008"
4897,unknown,Object Access,Certification Services,Role separation enabled:,"Windows Vista, Windows Server 2008"
4898,unknown,Object Access,Certification Services,Certificate Services loaded a template.,"Windows Vista, Windows Server 2008"
4902,success,Policy Change,Audit Policy Change,The Per-user audit policy table was created.,"Windows Vista, Windows Server 2008"
4904,success,Policy Change,Audit Policy Change,An attempt was made to register a security event source.,"Windows Vista, Windows Server 2008"
4905,success,Policy Change,Audit Policy Change,An attempt was made to unregister a security event source.,"Windows Vista, Windows Server 2008"
4906,unknown,Policy Change,Audit Policy Change,The CrashOnAuditFail value has changed.,"Windows Vista, Windows Server 2008"
4907,success,Policy Change,Audit Policy Change,Auditing settings on object were changed.,"Windows Vista, Windows Server 2008"
4908,unknown,Policy Change,Audit Policy Change,Special Groups Logon table modified.,"Windows Vista, Windows Server 2008"
4909,unknown,Policy Change,Other Policy Change Events,The local policy settings for the TBS were changed.,"Windows Vista, Windows Server 2008"
4910,unknown,Policy Change,Other Policy Change Events,The group policy settings for the TBS were changed.,"Windows Vista, Windows Server 2008"
4911,unknown,Policy Change,Authorization Policy Change,Resource attributes of the object were changed.,"Windows 8, Windows Server 2012"
4912,unknown,Policy Change,Audit Policy Change,Per User Audit Policy was changed.,"Windows Vista, Windows Server 2008"
4913,unknown,Policy Change,Authorization Policy Change,Central Access Policy on the object was changed.,"Windows 8, Windows Server 2012"
4928,unknown,DS Access,Detailed Directory Service Replication,An Active Directory replica source naming context was established.,"Windows Vista, Windows Server 2008"
4929,unknown,DS Access,Detailed Directory Service Replication,An Active Directory replica source naming context was removed.,"Windows Vista, Windows Server 2008"
4930,unknown,DS Access,Detailed Directory Service Replication,An Active Directory replica source naming context was modified.,"Windows Vista, Windows Server 2008"
4931,success,DS Access,Detailed Directory Service Replication,An Active Directory replica destination naming context was modified.,"Windows Vista, Windows Server 2008"
4932,success,DS Access,Directory Service Replication,Synchronization of a replica of an Active Directory naming context has begun.,"Windows Vista, Windows Server 2008"
4933,failure,DS Access,Directory Service Replication,Synchronization of a replica of an Active Directory naming context has ended.,"Windows Vista, Windows Server 2008"
4934,unknown,DS Access,Detailed Directory Service Replication,Attributes of an Active Directory object were replicated.,"Windows Vista, Windows Server 2008"
4935,unknown,DS Access,Detailed Directory Service Replication,Replication failure begins.,"Windows Vista, Windows Server 2008"
4936,unknown,DS Access,Detailed Directory Service Replication,Replication failure ends.,"Windows Vista, Windows Server 2008"
4937,unknown,DS Access,Detailed Directory Service Replication,A lingering object was removed from a replica.,"Windows Vista, Windows Server 2008"
4944,success,Policy Change,MPSSVC Rule-Level Policy Change,The following policy was active when the Windows Firewall started.,"Windows Vista, Windows Server 2008"
4945,success,Policy Change,MPSSVC Rule-Level Policy Change,A rule was listed when the Windows Firewall started.,"Windows Vista, Windows Server 2008"
4946,success,Policy Change,MPSSVC Rule-Level Policy Change,A change has been made to Windows Firewall exception list. A rule was added.,"Windows Vista, Windows Server 2008"
4947,success,Policy Change,MPSSVC Rule-Level Policy Change,A change has been made to Windows Firewall exception list. A rule was modified.,"Windows Vista, Windows Server 2008"
4948,success,Policy Change,MPSSVC Rule-Level Policy Change,A change has been made to Windows Firewall exception list. A rule was deleted.,"Windows Vista, Windows Server 2008"
4949,unknown,Policy Change,MPSSVC Rule-Level Policy Change,Windows Firewall settings were restored to the default values.,"Windows Vista, Windows Server 2008"
4950,unknown,Policy Change,MPSSVC Rule-Level Policy Change,A Windows Firewall setting has changed.,"Windows Vista, Windows Server 2008"
4951,failure,Policy Change,MPSSVC Rule-Level Policy Change,A rule has been ignored because its major version number was not recognized by Windows Firewall.,"Windows Vista, Windows Server 2008"
4952,unknown,Policy Change,MPSSVC Rule-Level Policy Change,Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.,"Windows Vista, Windows Server 2008"
4953,failure,Policy Change,MPSSVC Rule-Level Policy Change,A rule has been ignored by Windows Firewall because it could not parse the rule.,"Windows Vista, Windows Server 2008"
4954,unknown,Policy Change,MPSSVC Rule-Level Policy Change,Windows Firewall Group Policy settings have changed. The new settings have been applied.,"Windows Vista, Windows Server 2008"
4956,success,Policy Change,MPSSVC Rule-Level Policy Change,Windows Firewall has changed the active profile.,"Windows Vista, Windows Server 2008"
4957,unknown,Policy Change,MPSSVC Rule-Level Policy Change,Windows Firewall did not apply the following rule:,"Windows Vista, Windows Server 2008"
4958,unknown,Policy Change,MPSSVC Rule-Level Policy Change,Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:,"Windows Vista, Windows Server 2008"
4960,unknown,System,IPsec Driver,"IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.","Windows Vista, Windows Server 2008"
4961,unknown,System,IPsec Driver,"IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.","Windows Vista, Windows Server 2008"
4962,unknown,System,IPsec Driver,IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.,"Windows Vista, Windows Server 2008"
4963,unknown,System,IPsec Driver,IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.,"Windows Vista, Windows Server 2008"
4964,unknown,Logon/Logoff,Special Logon,Special groups have been assigned to a new logon.,"Windows Vista, Windows Server 2008"
4965,unknown,System,IPsec Driver,"IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.","Windows Vista, Windows Server 2008"
4976,unknown,Logon/Logoff,IPsec Main Mode,"During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.","Windows Vista, Windows Server 2008"
4977,unknown,Logon/Logoff,IPsec Quick Mode,"During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.","Windows Vista, Windows Server 2008"
4978,unknown,Logon/Logoff,IPsec Extended Mode,"During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.","Windows Vista, Windows Server 2008"
4979,unknown,Logon/Logoff,IPsec Extended Mode,IPsec Main Mode and Extended Mode security associations were established.,"Windows Vista, Windows Server 2008"
4980,unknown,Logon/Logoff,IPsec Extended Mode,IPsec Main Mode and Extended Mode security associations were established.,"Windows Vista, Windows Server 2008"
4981,unknown,Logon/Logoff,IPsec Extended Mode,IPsec Main Mode and Extended Mode security associations were established.,"Windows Vista, Windows Server 2008"
4982,unknown,Logon/Logoff,IPsec Extended Mode,IPsec Main Mode and Extended Mode security associations were established.,"Windows Vista, Windows Server 2008"
4983,unknown,Logon/Logoff,IPsec Extended Mode,An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.,"Windows Vista, Windows Server 2008"
4984,unknown,Logon/Logoff,IPsec Extended Mode,An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.,"Windows Vista, Windows Server 2008"
4985,success,Object Access,File System,The state of a transaction has changed.,"Windows Vista, Windows Server 2008"
5024,success,System,Other System Events,The Windows Firewall Service has started successfully.,"Windows Vista, Windows Server 2008"
5025,unknown,System,Other System Events,The Windows Firewall Service has been stopped.,"Windows Vista, Windows Server 2008"
5027,unknown,System,Other System Events,The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.,"Windows Vista, Windows Server 2008"
5028,unknown,System,Other System Events,The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.,"Windows Vista, Windows Server 2008"
5029,unknown,System,Other System Events,The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.,"Windows Vista, Windows Server 2008"
5030,unknown,System,Other System Events,The Windows Firewall Service failed to start.,"Windows Vista, Windows Server 2008"
5031,unknown,Object Access,Filtering Platform Connection,The Windows Firewall Service blocked an application from accepting incoming connections on the network.,"Windows Vista, Windows Server 2008"
5032,unknown,System,Other System Events,Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.,"Windows Vista, Windows Server 2008"
5033,success,System,Other System Events,The Windows Firewall Driver has started successfully.,"Windows Vista, Windows Server 2008"
5034,unknown,System,Other System Events,The Windows Firewall Driver has been stopped.,"Windows Vista, Windows Server 2008"
5035,unknown,System,Other System Events,The Windows Firewall Driver failed to start.,"Windows Vista, Windows Server 2008"
5037,unknown,System,Other System Events,The Windows Firewall Driver detected critical runtime error. Terminating.,"Windows Vista, Windows Server 2008"
5038,unknown,System,System Integrity,Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.,"Windows Vista, Windows Server 2008"
5039,unknown,Object Access,Registry,A registry key was virtualized.,"Windows Vista, Windows Server 2008"
5040,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. An Authentication Set was added.,"Windows Vista, Windows Server 2008"
5041,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. An Authentication Set was modified.,"Windows Vista, Windows Server 2008"
5042,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. An Authentication Set was deleted.,"Windows Vista, Windows Server 2008"
5043,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. A Connection Security Rule was added.,"Windows Vista, Windows Server 2008"
5044,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. A Connection Security Rule was modified.,"Windows Vista, Windows Server 2008"
5045,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. A Connection Security Rule was deleted.,"Windows Vista, Windows Server 2008"
5046,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. A Crypto Set was added.,"Windows Vista, Windows Server 2008"
5047,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. A Crypto Set was modified.,"Windows Vista, Windows Server 2008"
5048,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. A Crypto Set was deleted.,"Windows Vista, Windows Server 2008"
5049,unknown,Logon/Logoff,IPsec Main Mode,An IPsec Security Association was deleted.,"Windows Vista, Windows Server 2008"
5051,unknown,Object Access,File System,A file was virtualized.,"Windows Vista, Windows Server 2008"
5056,success,System,System Integrity,A cryptographic self test was performed.,"Windows Vista, Windows Server 2008"
5057,unknown,System,System Integrity,A cryptographic primitive operation failed.,"Windows Vista, Windows Server 2008"
5058,success,System,Other System Events,Key file operation.,"Windows Vista, Windows Server 2008"
5059,success,System,Other System Events,Key migration operation.,"Windows Vista, Windows Server 2008"
5060,unknown,System,System Integrity,Verification operation failed.,"Windows Vista, Windows Server 2008"
5061,failure,System,System Integrity,Cryptographic operation.,"Windows Vista, Windows Server 2008"
5062,unknown,System,System Integrity,A kernel-mode cryptographic self test was performed.,"Windows Vista, Windows Server 2008"
5063,unknown,Policy Change,Other Policy Change Events,A cryptographic provider operation was attempted.,"Windows Vista, Windows Server 2008"
5064,unknown,Policy Change,Other Policy Change Events,A cryptographic context operation was attempted.,"Windows Vista, Windows Server 2008"
5065,unknown,Policy Change,Other Policy Change Events,A cryptographic context modification was attempted.,"Windows Vista, Windows Server 2008"
5066,unknown,Policy Change,Other Policy Change Events,A cryptographic function operation was attempted.,"Windows Vista, Windows Server 2008"
5067,unknown,Policy Change,Other Policy Change Events,A cryptographic function modification was attempted.,"Windows Vista, Windows Server 2008"
5068,unknown,Policy Change,Other Policy Change Events,A cryptographic function provider operation was attempted.,"Windows Vista, Windows Server 2008"
5069,unknown,Policy Change,Other Policy Change Events,A cryptographic function property operation was attempted.,"Windows Vista, Windows Server 2008"
5070,unknown,Policy Change,Other Policy Change Events,A cryptographic function property modification was attempted.,"Windows Vista, Windows Server 2008"
5136,success,DS Access,Directory Service Changes,A directory service object was modified.,"Windows Vista, Windows Server 2008"
5137,unknown,DS Access,Directory Service Changes,A directory service object was created.,"Windows Vista, Windows Server 2008"
5138,unknown,DS Access,Directory Service Changes,A directory service object was undeleted.,"Windows Vista, Windows Server 2008"
5139,unknown,DS Access,Directory Service Changes,A directory service object was moved.,"Windows Vista, Windows Server 2008"
5140,failure,Object Access,File Share,A network share object was accessed.,"Windows Vista, Windows Server 2008"
5141,unknown,DS Access,Directory Service Changes,A directory service object was deleted.,"Windows Vista SP1, Windows Server 2008"
5142,unknown,Object Access,File Share,A network share object was added.,"Windows 7, Windows Server 2008 R2"
5143,success,Object Access,File Share,A network share object was modified.,"Windows 7, Windows Server 2008 R2"
5144,unknown,Object Access,File Share,A network share object was deleted.,"Windows 7, Windows Server 2008 R2"
5145,unknown,Object Access,Detailed File Share,A network share object was checked to see whether the client can be granted desired access.,"Windows 7, Windows Server 2008 R2"
5148,unknown,Object Access,Other Object Access Events,The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.,"Windows 7, Windows Server 2008 R2"
5149,unknown,Object Access,Other Object Access Events,The DoS attack has subsided and normal processing is being resumed.,"Windows 7, Windows Server 2008 R2"
5150,unknown,Object Access,Filtering Platform Connection,The Windows Filtering Platform has blocked a packet.,"Windows 7, Windows Server 2008 R2"
5151,unknown,Object Access,Filtering Platform Connection,A more restrictive Windows Filtering Platform filter has blocked a packet.,"Windows 7, Windows Server 2008 R2"
5152,failure,Object Access,Filtering Platform Packet Drop ,The Windows Filtering Platform blocked a packet.,"Windows Vista, Windows Server 2008"
5153,unknown,Object Access,Filtering Platform Packet Drop ,A more restrictive Windows Filtering Platform filter has blocked a packet.,"Windows Vista, Windows Server 2008"
5154,success,Object Access,Filtering Platform Connection,The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.,"Windows Vista, Windows Server 2008"
5155,unknown,Object Access,Filtering Platform Connection,The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.,"Windows Vista, Windows Server 2008"
5156,success,Object Access,Filtering Platform Connection,The Windows Filtering Platform has allowed a connection.,"Windows Vista, Windows Server 2008"
5157,failure,Object Access,Filtering Platform Connection,The Windows Filtering Platform has blocked a connection.,"Windows Vista, Windows Server 2008"
5158,success,Object Access,Filtering Platform Connection,The Windows Filtering Platform has permitted a bind to a local port.,"Windows Vista, Windows Server 2008"
5159,unknown,Object Access,Filtering Platform Connection,The Windows Filtering Platform has blocked a bind to a local port.,"Windows Vista, Windows Server 2008"
5168,unknown,Object Access,File Share,Spn check for SMB/SMB2 failed.,"Windows 7, Windows Server 2008 R2"
5376,unknown,Account Management,User Account Management,Credential Manager credentials were backed up.,"Windows Vista, Windows Server 2008"
5377,unknown,Account Management,User Account Management,Credential Manager credentials were restored from a backup.,"Windows Vista, Windows Server 2008"
5378,unknown,Logon/Logoff,Other Logon/Logoff Events,The requested credentials delegation was disallowed by policy.,"Windows Vista, Windows Server 2008"
5440,success,Policy Change,Filtering Platform Policy Change,The following callout was present when the Windows Filtering Platform Base Filtering Engine started.,"Windows Vista, Windows Server 2008"
5441,success,Policy Change,Filtering Platform Policy Change,The following filter was present when the Windows Filtering Platform Base Filtering Engine started.,"Windows Vista, Windows Server 2008"
5442,success,Policy Change,Filtering Platform Policy Change,The following provider was present when the Windows Filtering Platform Base Filtering Engine started.,"Windows Vista, Windows Server 2008"
5443,unknown,Policy Change,Filtering Platform Policy Change,The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.,"Windows Vista, Windows Server 2008"
5444,success,Policy Change,Filtering Platform Policy Change,The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.,"Windows Vista, Windows Server 2008"
5446,success,Policy Change,Filtering Platform Policy Change,A Windows Filtering Platform callout has been changed.,"Windows Vista, Windows Server 2008"
5447,success,Policy Change,Other Policy Change Events,A Windows Filtering Platform filter has been changed.,"Windows Vista, Windows Server 2008"
5448,success,Policy Change,Filtering Platform Policy Change,A Windows Filtering Platform provider has been changed.,"Windows Vista, Windows Server 2008"
5449,success,Policy Change,Filtering Platform Policy Change,A Windows Filtering Platform provider context has been changed.,"Windows Vista, Windows Server 2008"
5450,success,Policy Change,Filtering Platform Policy Change,A Windows Filtering Platform sub-layer has been changed.,"Windows Vista, Windows Server 2008"
5451,unknown,Logon/Logoff,IPsec Quick Mode,An IPsec Quick Mode security association was established.,"Windows Vista, Windows Server 2008"
5452,unknown,Logon/Logoff,IPsec Quick Mode,An IPsec Quick Mode security association ended.,"Windows Vista, Windows Server 2008"
5453,unknown,Logon/Logoff,IPsec Main Mode,An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.,"Windows Vista, Windows Server 2008"
5456,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine applied Active Directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
5457,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
5458,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
5459,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
5460,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine applied local registry storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
5461,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to apply local registry storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
5462,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.,"Windows Vista, Windows Server 2008"
5463,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine polled for changes to the active IPsec policy and detected no changes.,"Windows Vista, Windows Server 2008"
5464,unknown,Policy Change,Filtering Platform Policy Change,"PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.","Windows Vista, Windows Server 2008"
5465,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.,"Windows Vista, Windows Server 2008"
5466,unknown,Policy Change,Filtering Platform Policy Change,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.","Windows Vista, Windows Server 2008"
5467,unknown,Policy Change,Filtering Platform Policy Change,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.","Windows Vista, Windows Server 2008"
5468,unknown,Policy Change,Filtering Platform Policy Change,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.","Windows Vista, Windows Server 2008"
5471,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine loaded local storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
5472,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to load local storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
5473,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine loaded directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
5474,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to load directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
5477,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to add quick mode filter.,"Windows Vista, Windows Server 2008"
5478,unknown,System,IPsec Driver,IPsec Services has started successfully.,"Windows Vista, Windows Server 2008"
5479,unknown,System,IPsec Driver,IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.,"Windows Vista, Windows Server 2008"
5480,unknown,System,IPsec Driver,IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.,"Windows Vista, Windows Server 2008"
5483,unknown,System,IPsec Driver,IPsec Services failed to initialize RPC server. IPsec Services could not be started.,"Windows Vista, Windows Server 2008"
5484,unknown,System,IPsec Driver,IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.,"Windows Vista, Windows Server 2008"
5485,unknown,System,IPsec Driver,IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.,"Windows Vista, Windows Server 2008"
5632,unknown,Logon/Logoff,Other Logon/Logoff Events,A request was made to authenticate to a wireless network.,"Windows Vista, Windows Server 2008"
5633,unknown,Logon/Logoff,Other Logon/Logoff Events,A request was made to authenticate to a wired network.,"Windows Vista, Windows Server 2008"
5712,unknown,Detailed Tracking,RPC Events,A Remote Procedure Call (RPC) was attempted.,"Windows Vista, Windows Server 2008"
5888,unknown,Object Access,Other Object Access Events,An object in the COM+ Catalog was modified.,"Windows Vista, Windows Server 2008"
5889,unknown,Object Access,Other Object Access Events,An object was deleted from the COM+ Catalog.,"Windows Vista, Windows Server 2008"
5890,unknown,Object Access,Other Object Access Events,An object was added to the COM+ Catalog.,"Windows Vista, Windows Server 2008"
6144,success,Policy Change,Other Policy Change Events,Security policy in the group policy objects has been applied successfully.,"Windows Vista, Windows Server 2008"
6145,unknown,Policy Change,Other Policy Change Events,One or more errors occurred while processing security policy in the group policy objects.,"Windows Vista, Windows Server 2008"
6272,unknown,Logon/Logoff,Network Policy Server,Network Policy Server granted access to a user.,"Windows Vista SP1, Windows Server 2008"
6273,unknown,Logon/Logoff,Network Policy Server,Network Policy Server denied access to a user.,"Windows Vista SP1, Windows Server 2008"
6274,unknown,Logon/Logoff,Network Policy Server,Network Policy Server discarded the request for a user.,"Windows Vista SP1, Windows Server 2008"
6275,unknown,Logon/Logoff,Network Policy Server,Network Policy Server discarded the accounting request for a user.,"Windows Vista SP1, Windows Server 2008"
6276,unknown,Logon/Logoff,Network Policy Server,Network Policy Server quarantined a user.,"Windows Vista SP1, Windows Server 2008"
6277,unknown,Logon/Logoff,Network Policy Server,Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.,"Windows Vista SP1, Windows Server 2008"
6278,unknown,Logon/Logoff,Network Policy Server,Network Policy Server granted full access to a user because the host met the defined health policy.,"Windows Vista SP1, Windows Server 2008"
6279,unknown,Logon/Logoff,Network Policy Server,Network Policy Server locked the user account due to repeated failed authentication attempts.,"Windows Vista SP1, Windows Server 2008"
6280,unknown,Logon/Logoff,Network Policy Server,Network Policy Server unlocked the user account.,"Windows Vista SP1, Windows Server 2008"
6281,unknown,System,System Integrity,Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error,"Windows 7, Windows Server 2008 R2"
6400,unknown,System,Other System Events,BranchCache: Received an incorrectly formatted response while discovering availability of content. ,"Windows 7, Windows Server 2008 R2"
6401,unknown,System,Other System Events,BranchCache: Received invalid data from a peer. Data discarded. ,"Windows 7, Windows Server 2008 R2"
6402,unknown,System,Other System Events,BranchCache: The message to the hosted cache offering it data is incorrectly formatted. ,"Windows 7, Windows Server 2008 R2"
6403,unknown,System,Other System Events,BranchCache: The hosted cache sent an incorrectly formatted response to the client.,"Windows 7, Windows Server 2008 R2"
6404,unknown,System,Other System Events,BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. ,"Windows 7, Windows Server 2008 R2"
6405,unknown,System,Other System Events,BranchCache: %2 instance(s) of event id %1 occurred.,"Windows 7, Windows Server 2008 R2"
6406,unknown,System,Other System Events,%1 registered to Windows Firewall to control filtering for the following: %2,"Windows 7, Windows Server 2008 R2"
6407,unknown,System,Other System Events,1%,"Windows 7, Windows Server 2008 R2"
6408,unknown,System,Other System Events,Registered product %1 failed and Windows Firewall is now controlling the filtering for %2,"Windows 7, Windows Server 2008 R2"
1 EventCode action Category Subcategory message os
2 4608 success System Security State Change Windows is starting up. Windows Vista, Windows Server 2008
3 4609 unknown System Security State Change Windows is shutting down. Windows Vista, Windows Server 2008
4 4610 unknown System Security System Extension An authentication package has been loaded by the Local Security Authority. Windows Vista, Windows Server 2008
5 4611 success System Security System Extension A trusted logon process has been registered with the Local Security Authority. Windows Vista, Windows Server 2008
6 4612 unknown System System Integrity Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. Windows Vista, Windows Server 2008
7 4614 unknown System Security System Extension A notification package has been loaded by the Security Account Manager. Windows Vista, Windows Server 2008
8 4615 unknown System System Integrity Invalid use of LPC port. Windows Vista, Windows Server 2008
9 4616 success System Security State Change The system time was changed. Windows Vista, Windows Server 2008
10 4618 unknown System System Integrity A monitored security event pattern has occurred. Windows Vista, Windows Server 2008
11 4621 unknown System Security State Change Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. Windows Vista, Windows Server 2008
12 4622 unknown System Security System Extension A security package has been loaded by the Local Security Authority. Windows Vista, Windows Server 2008
13 4624 success Logon/Logoff Logon An account was successfully logged on. Windows Vista, Windows Server 2008
14 4626 unknown Logon/Logoff Logon User/Device claims information. Windows 8, Windows Server 2012
15 4634 success Logon/Logoff Logoff An account was logged off. Windows Vista, Windows Server 2008
16 4646 unknown Logon/Logoff IPsec Main Mode IKE DoS-prevention mode started. Windows Vista, Windows Server 2008
17 4647 success Logon/Logoff Logoff User initiated logoff. Windows Vista, Windows Server 2008
18 4648 success Logon/Logoff Logon A logon was attempted using explicit credentials. Windows Vista, Windows Server 2008
19 4649 unknown Logon/Logoff Other Logon/Logoff Events A replay attack was detected. Windows Vista, Windows Server 2008
20 4650 unknown Logon/Logoff IPsec Main Mode An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. Windows Vista, Windows Server 2008
21 4651 unknown Logon/Logoff IPsec Main Mode An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. Windows Vista, Windows Server 2008
22 4652 unknown Logon/Logoff IPsec Main Mode An IPsec Main Mode negotiation failed. Windows Vista, Windows Server 2008
23 4653 failure Logon/Logoff IPsec Main Mode An IPsec Main Mode negotiation failed. Windows Vista, Windows Server 2008
24 4654 unknown Logon/Logoff IPsec Quick Mode An IPsec Quick Mode negotiation failed. Windows Vista, Windows Server 2008
25 4655 unknown Logon/Logoff IPsec Main Mode An IPsec Main Mode security association ended. Windows Vista, Windows Server 2008
26 4656 failure Object Access Handle Manipulation A handle to an object was requested. Windows Vista, Windows Server 2008
27 4657 unknown Object Access Registry A registry value was modified. Windows Vista, Windows Server 2008
28 4658 success Object Access Handle Manipulation The handle to an object was closed. Windows Vista, Windows Server 2008
29 4659 unknown Object Access Special A handle to an object was requested with intent to delete. Windows Vista, Windows Server 2008
30 4660 unknown Object Access Special An object was deleted. Windows Vista, Windows Server 2008
31 4661 success Object Access Special A handle to an object was requested. Windows Vista, Windows Server 2008
32 4662 success DS Access Directory Service Access An operation was performed on an object. Windows Vista, Windows Server 2008
33 4663 success Object Access Special An attempt was made to access an object. Windows Vista, Windows Server 2008
34 4664 success Object Access File System An attempt was made to create a hard link. Windows Vista, Windows Server 2008
35 4665 unknown Object Access Application Generated An attempt was made to create an application client context. Windows Vista, Windows Server 2008
36 4666 unknown Object Access Application Generated An application attempted an operation: Windows Vista, Windows Server 2008
37 4667 unknown Object Access Application Generated An application client context was deleted. Windows Vista, Windows Server 2008
38 4668 unknown Object Access Application Generated An application was initialized. Windows Vista, Windows Server 2008
39 4670 success Policy Change Subcategory (special) Permissions on an object were changed. Windows Vista, Windows Server 2008
40 4671 unknown Object Access Other Object Access Events An application attempted to access a blocked ordinal through the TBS. Windows Vista, Windows Server 2008
41 4672 success Privilege Use Sensitive Privilege Use / Non Sensitive Privilege Use Special privileges assigned to new logon. Windows Vista, Windows Server 2008
42 4673 failure Privilege Use Sensitive Privilege Use / Non Sensitive Privilege Use A privileged service was called. Windows Vista, Windows Server 2008
43 4674 success Privilege Use Sensitive Privilege Use / Non Sensitive Privilege Use An operation was attempted on a privileged object. Windows Vista, Windows Server 2008
44 4675 unknown Logon/Logoff Logon SIDs were filtered. Windows Vista, Windows Server 2008
45 4688 success Detailed Tracking Process Creation A new process has been created. Windows Vista, Windows Server 2008
46 4689 success Detailed Tracking Process Termination A process has exited. Windows Vista, Windows Server 2008
47 4690 success Object Access Handle Manipulation An attempt was made to duplicate a handle to an object. Windows Vista, Windows Server 2008
48 4691 unknown Object Access Other Object Access Events Indirect access to an object was requested. Windows Vista, Windows Server 2008
49 4692 unknown Detailed Tracking DPAPI Activity Backup of data protection master key was attempted. Windows Vista, Windows Server 2008
50 4693 unknown Detailed Tracking DPAPI Activity Recovery of data protection master key was attempted. Windows Vista, Windows Server 2008
51 4694 unknown Detailed Tracking DPAPI Activity Protection of auditable protected data was attempted. Windows Vista, Windows Server 2008
52 4695 unknown Detailed Tracking DPAPI Activity Unprotection of auditable protected data was attempted. Windows Vista, Windows Server 2008
53 4696 unknown Detailed Tracking Process Creation A primary token was assigned to process. Windows Vista, Windows Server 2008
54 4697 unknown System Security System Extension A service was installed in the system. Windows Vista, Windows Server 2008
55 4698 unknown Object Access Other Object Access Events A scheduled task was created. Windows Vista, Windows Server 2008
56 4699 unknown Object Access Other Object Access Events A scheduled task was deleted. Windows Vista, Windows Server 2008
57 4700 unknown Object Access Other Object Access Events A scheduled task was enabled. Windows Vista, Windows Server 2008
58 4701 unknown Object Access Other Object Access Events A scheduled task was disabled. Windows Vista, Windows Server 2008
59 4702 success Object Access Other Object Access Events A scheduled task was updated. Windows Vista, Windows Server 2008
60 4704 success Policy Change Authorization Policy Change A user right was assigned. Windows Vista, Windows Server 2008
61 4705 unknown Policy Change Authorization Policy Change A user right was removed. Windows Vista, Windows Server 2008
62 4706 unknown Policy Change Authorization Policy Change A new trust was created to a domain. Windows Vista, Windows Server 2008
63 4707 unknown Policy Change Authorization Policy Change A trust to a domain was removed. Windows Vista, Windows Server 2008
64 4709 unknown Policy Change Filtering Platform Policy Change IPsec Services was started. Windows Vista, Windows Server 2008
65 4710 unknown Policy Change Filtering Platform Policy Change IPsec Services was disabled. Windows Vista, Windows Server 2008
66 4711 unknown Policy Change Filtering Platform Policy Change May contain any one of the following: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine applied Active Directory storage IPsec policy on the computer.PAStore Engine applied local registry storage IPsec policy on the computer.PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply local registry storage IPsec policy on the computer.PAStore Engine failed to apply some rules of the active IPsec policy on the computer.PAStore Engine failed to load directory storage IPsec policy on the computer.PAStore Engine loaded directory storage IPsec policy on the computer.PAStore Engine failed to load local storage IPsec policy on the computer.PAStore Engine loaded local storage IPsec policy on the computer.PAStore Engine polled for changes to the active IPsec policy and detected no changes. Windows Vista, Windows Server 2008
67 4712 unknown Policy Change Filtering Platform Policy Change IPsec Services encountered a potentially serious failure. Windows Vista, Windows Server 2008
68 4713 unknown Policy Change Authentication Policy Change Kerberos policy was changed. Windows Vista, Windows Server 2008
69 4714 unknown Policy Change Authorization Policy Change Encrypted data recovery policy was changed. Windows Vista, Windows Server 2008
70 4715 unknown Policy Change Audit Policy Change The audit policy (SACL) on an object was changed. Windows Vista, Windows Server 2008
71 4716 unknown Policy Change Authentication Policy Change Trusted domain information was modified. Windows Vista, Windows Server 2008
72 4717 success Policy Change Authentication Policy Change System security access was granted to an account. Windows Vista, Windows Server 2008
73 4718 unknown Policy Change Authentication Policy Change System security access was removed from an account. Windows Vista, Windows Server 2008
74 4719 unknown Policy Change Audit Policy Change System audit policy was changed. Windows Vista, Windows Server 2008
75 4720 created Account Management User Account Management A user account was created. Windows Vista, Windows Server 2008
76 4722 modified Account Management User Account Management A user account was enabled. Windows Vista, Windows Server 2008
77 4723 modified Account Management User Account Management An attempt was made to change an account's password. Windows Vista, Windows Server 2008
78 4724 modified Account Management User Account Management An attempt was made to reset an account's password. Windows Vista, Windows Server 2008
79 4725 modified Account Management User Account Management A user account was disabled. Windows Vista, Windows Server 2008
80 4726 deleted Account Management User Account Management A user account was deleted. Windows Vista, Windows Server 2008
81 4727 success Account Management Security Group Management A security-enabled global group was created. Windows Vista, Windows Server 2008
82 4728 success Account Management Security Group Management A member was added to a security-enabled global group. Windows Vista, Windows Server 2008
83 4729 success Account Management Security Group Management A member was removed from a security-enabled global group. Windows Vista, Windows Server 2008
84 4730 unknown Account Management Security Group Management A security-enabled global group was deleted. Windows Vista, Windows Server 2008
85 4731 unknown Account Management Security Group Management A security-enabled local group was created. Windows Vista, Windows Server 2008
86 4732 success Account Management Security Group Management A member was added to a security-enabled local group. Windows Vista, Windows Server 2008
87 4733 success Account Management Security Group Management A member was removed from a security-enabled local group. Windows Vista, Windows Server 2008
88 4734 unknown Account Management Security Group Management A security-enabled local group was deleted. Windows Vista, Windows Server 2008
89 4735 success Account Management Security Group Management A security-enabled local group was changed. Windows Vista, Windows Server 2008
90 4737 success Account Management Security Group Management A security-enabled global group was changed. Windows Vista, Windows Server 2008
91 4738 modified Account Management User Account Management A user account was changed. Windows Vista, Windows Server 2008
92 4739 unknown Policy Change Authentication Policy Change Domain Policy was changed. Windows Vista, Windows Server 2008
93 4740 unknown Account Management User Account Management A user account was locked out. Windows Vista, Windows Server 2008
94 4742 modified Account Management Computer Account Management A computer account was changed. Windows Vista, Windows Server 2008
95 4743 unknown Account Management Computer Account Management A computer account was deleted. Windows Vista, Windows Server 2008
96 4744 unknown Account Management Distribution Group Management A security-disabled local group was created. Windows Vista, Windows Server 2008
97 4745 unknown Account Management Distribution Group Management A security-disabled local group was changed. Windows Vista, Windows Server 2008
98 4746 unknown Account Management Distribution Group Management A member was added to a security-disabled local group. Windows Vista, Windows Server 2008
99 4747 unknown Account Management Distribution Group Management A member was removed from a security-disabled local group. Windows Vista, Windows Server 2008
100 4748 unknown Account Management Distribution Group Management A security-disabled local group was deleted. Windows Vista, Windows Server 2008
101 4749 unknown Account Management Distribution Group Management A security-disabled global group was created. Windows Vista, Windows Server 2008
102 4750 unknown Account Management Distribution Group Management A security-disabled global group was changed. Windows Vista, Windows Server 2008
103 4751 unknown Account Management Distribution Group Management A member was added to a security-disabled global group. Windows Vista, Windows Server 2008
104 4752 unknown Account Management Distribution Group Management A member was removed from a security-disabled global group. Windows Vista, Windows Server 2008
105 4753 unknown Account Management Distribution Group Management A security-disabled global group was deleted. Windows Vista, Windows Server 2008
106 4754 success Account Management Security Group Management A security-enabled universal group was created. Windows Vista, Windows Server 2008
107 4755 success Account Management Security Group Management A security-enabled universal group was changed. Windows Vista, Windows Server 2008
108 4756 success Account Management Security Group Management A member was added to a security-enabled universal group. Windows Vista, Windows Server 2008
109 4757 success Account Management Security Group Management A member was removed from a security-enabled universal group. Windows Vista, Windows Server 2008
110 4758 unknown Account Management Security Group Management A security-enabled universal group was deleted. Windows Vista, Windows Server 2008
111 4759 unknown Account Management Distribution Group Management A security-disabled universal group was created. Windows Vista, Windows Server 2008
112 4760 unknown Account Management Distribution Group Management A security-disabled universal group was changed. Windows Vista, Windows Server 2008
113 4761 unknown Account Management Distribution Group Management A member was added to a security-disabled universal group. Windows Vista, Windows Server 2008
114 4762 unknown Account Management Distribution Group Management A member was removed from a security-disabled universal group. Windows Vista, Windows Server 2008
115 4764 unknown Account Management Security Group Management A group's type was changed. Windows Vista, Windows Server 2008
116 4765 unknown Account Management User Account Management SID History was added to an account. Windows Vista, Windows Server 2008
117 4766 unknown Account Management User Account Management An attempt to add SID History to an account failed. Windows Vista, Windows Server 2008
118 4767 modified Account Management User Account Management A user account was unlocked. Windows Vista, Windows Server 2008
119 4770 success Account Logon Kerberos Service Ticket Operations A Kerberos service ticket was renewed. Windows Vista, Windows Server 2008
120 4772 unknown Account Logon Kerberos Authentication Service A Kerberos authentication ticket request failed. Windows Vista, Windows Server 2008
121 4774 unknown Account Logon Credential Validation An account was mapped for logon. Windows Vista, Windows Server 2008
122 4775 unknown Account Logon Credential Validation An account could not be mapped for logon. Windows Vista, Windows Server 2008
123 4777 unknown Account Logon Credential Validation The domain controller failed to validate the credentials for an account. Windows Vista, Windows Server 2008
124 4778 success Logon/Logoff Other Logon/Logoff Events A session was reconnected to a Window Station. Windows Vista, Windows Server 2008
125 4779 success Logon/Logoff Other Logon/Logoff Events A session was disconnected from a Window Station. Windows Vista, Windows Server 2008
126 4780 success Account Management User Account Management The ACL was set on accounts which are members of administrators groups. Windows Vista, Windows Server 2008
127 4781 unknown Account Management User Account Management The name of an account was changed: Windows Vista, Windows Server 2008
128 4782 unknown Account Management Other Account Management Events The password hash an account was accessed. Windows Vista, Windows Server 2008
129 4783 unknown Account Management Application Group Management A basic application group was created. Windows Vista, Windows Server 2008
130 4784 unknown Account Management Application Group Management A basic application group was changed. Windows Vista, Windows Server 2008
131 4785 unknown Account Management Application Group Management A member was added to a basic application group. Windows Vista, Windows Server 2008
132 4786 unknown Account Management Application Group Management A member was removed from a basic application group. Windows Vista, Windows Server 2008
133 4787 unknown Account Management Application Group Management A non-member was added to a basic application group. Windows Vista, Windows Server 2008
134 4788 unknown Account Management Application Group Management A non-member was removed from a basic application group. Windows Vista, Windows Server 2008
135 4789 unknown Account Management Application Group Management A basic application group was deleted. Windows Vista, Windows Server 2008
136 4790 unknown Account Management Application Group Management An LDAP query group was created. Windows Vista, Windows Server 2008
137 4793 unknown Account Management Other Account Management Events The Password Policy Checking API was called. Windows Vista, Windows Server 2008
138 4794 unknown Account Management User Account Management An attempt was made to set the Directory Services Restore Mode. Windows Vista, Windows Server 2008
139 4800 success Logon/Logoff Other Logon/Logoff Events The workstation was locked. Windows Vista, Windows Server 2008
140 4801 unknown Logon/Logoff Other Logon/Logoff Events The workstation was unlocked. Windows Vista, Windows Server 2008
141 4802 unknown Logon/Logoff Other Logon/Logoff Events The screen saver was invoked. Windows Vista, Windows Server 2008
142 4803 unknown Logon/Logoff Other Logon/Logoff Events The screen saver was dismissed. Windows Vista, Windows Server 2008
143 4816 unknown System System Integrity RPC detected an integrity violation while decrypting an incoming message. Windows Vista, Windows Server 2008
144 4817 unknown Policy Change Audit Policy Change Auditing settings on an object were changed. Windows 7, Windows Server 2008 R2
145 4818 unknown Object Access Central Policy Staging Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy Windows 8, Windows Server 2012
146 4819 unknown Policy Change Other Policy Change Events Central Access Policies on the machine have been changed. Windows 8, Windows Server 2012
147 4864 unknown Policy Change Authentication Policy Change A namespace collision was detected. Windows Vista, Windows Server 2008
148 4865 unknown Policy Change Authentication Policy Change A trusted forest information entry was added. Windows Vista, Windows Server 2008
149 4866 unknown Policy Change Authentication Policy Change A trusted forest information entry was removed. Windows Vista, Windows Server 2008
150 4867 unknown Policy Change Authentication Policy Change A trusted forest information entry was modified. Windows Vista, Windows Server 2008
151 4868 unknown Object Access Certification Services The certificate manager denied a pending certificate request. Windows Vista, Windows Server 2008
152 4869 unknown Object Access Certification Services Certificate Services received a resubmitted certificate request. Windows Vista, Windows Server 2008
153 4870 unknown Object Access Certification Services Certificate Services revoked a certificate. Windows Vista, Windows Server 2008
154 4871 unknown Object Access Certification Services Certificate Services received a request to publish the certificate revocation list (CRL). Windows Vista, Windows Server 2008
155 4872 unknown Object Access Certification Services Certificate Services published the certificate revocation list (CRL). Windows Vista, Windows Server 2008
156 4873 unknown Object Access Certification Services A certificate request extension changed. Windows Vista, Windows Server 2008
157 4874 unknown Object Access Certification Services One or more certificate request attributes changed. Windows Vista, Windows Server 2008
158 4875 unknown Object Access Certification Services Certificate Services received a request to shut down. Windows Vista, Windows Server 2008
159 4876 unknown Object Access Certification Services Certificate Services backup started. Windows Vista, Windows Server 2008
160 4877 unknown Object Access Certification Services Certificate Services backup completed. Windows Vista, Windows Server 2008
161 4878 unknown Object Access Certification Services Certificate Services restore started. Windows Vista, Windows Server 2008
162 4879 unknown Object Access Certification Services Certificate Services restore completed. Windows Vista, Windows Server 2008
163 4880 unknown Object Access Certification Services Certificate Services started. Windows Vista, Windows Server 2008
164 4881 unknown Object Access Certification Services Certificate Services stopped. Windows Vista, Windows Server 2008
165 4882 unknown Object Access Certification Services The security permissions for Certificate Services changed. Windows Vista, Windows Server 2008
166 4883 unknown Object Access Certification Services Certificate Services retrieved an archived key. Windows Vista, Windows Server 2008
167 4884 unknown Object Access Certification Services Certificate Services imported a certificate into its database. Windows Vista, Windows Server 2008
168 4885 unknown Object Access Certification Services The audit filter for Certificate Services changed. Windows Vista, Windows Server 2008
169 4886 unknown Object Access Certification Services Certificate Services received a certificate request. Windows Vista, Windows Server 2008
170 4887 unknown Object Access Certification Services Certificate Services approved a certificate request and issued a certificate. Windows Vista, Windows Server 2008
171 4888 unknown Object Access Certification Services Certificate Services denied a certificate request. Windows Vista, Windows Server 2008
172 4889 unknown Object Access Certification Services Certificate Services set the status of a certificate request to pending. Windows Vista, Windows Server 2008
173 4890 unknown Object Access Certification Services The certificate manager settings for Certificate Services changed. Windows Vista, Windows Server 2008
174 4891 unknown Object Access Certification Services A configuration entry changed in Certificate Services. Windows Vista, Windows Server 2008
175 4892 unknown Object Access Certification Services A property of Certificate Services changed. Windows Vista, Windows Server 2008
176 4893 unknown Object Access Certification Services Certificate Services archived a key. Windows Vista, Windows Server 2008
177 4894 unknown Object Access Certification Services Certificate Services imported and archived a key. Windows Vista, Windows Server 2008
178 4895 unknown Object Access Certification Services Certificate Services published the CA certificate to Active Directory Domain Services. Windows Vista, Windows Server 2008
179 4896 unknown Object Access Certification Services One or more rows have been deleted from the certificate database. Windows Vista, Windows Server 2008
180 4897 unknown Object Access Certification Services Role separation enabled: Windows Vista, Windows Server 2008
181 4898 unknown Object Access Certification Services Certificate Services loaded a template. Windows Vista, Windows Server 2008
182 4902 success Policy Change Audit Policy Change The Per-user audit policy table was created. Windows Vista, Windows Server 2008
183 4904 success Policy Change Audit Policy Change An attempt was made to register a security event source. Windows Vista, Windows Server 2008
184 4905 success Policy Change Audit Policy Change An attempt was made to unregister a security event source. Windows Vista, Windows Server 2008
185 4906 unknown Policy Change Audit Policy Change The CrashOnAuditFail value has changed. Windows Vista, Windows Server 2008
186 4907 success Policy Change Audit Policy Change Auditing settings on object were changed. Windows Vista, Windows Server 2008
187 4908 unknown Policy Change Audit Policy Change Special Groups Logon table modified. Windows Vista, Windows Server 2008
188 4909 unknown Policy Change Other Policy Change Events The local policy settings for the TBS were changed. Windows Vista, Windows Server 2008
189 4910 unknown Policy Change Other Policy Change Events The group policy settings for the TBS were changed. Windows Vista, Windows Server 2008
190 4911 unknown Policy Change Authorization Policy Change Resource attributes of the object were changed. Windows 8, Windows Server 2012
191 4912 unknown Policy Change Audit Policy Change Per User Audit Policy was changed. Windows Vista, Windows Server 2008
192 4913 unknown Policy Change Authorization Policy Change Central Access Policy on the object was changed. Windows 8, Windows Server 2012
193 4928 unknown DS Access Detailed Directory Service Replication An Active Directory replica source naming context was established. Windows Vista, Windows Server 2008
194 4929 unknown DS Access Detailed Directory Service Replication An Active Directory replica source naming context was removed. Windows Vista, Windows Server 2008
195 4930 unknown DS Access Detailed Directory Service Replication An Active Directory replica source naming context was modified. Windows Vista, Windows Server 2008
196 4931 success DS Access Detailed Directory Service Replication An Active Directory replica destination naming context was modified. Windows Vista, Windows Server 2008
197 4932 success DS Access Directory Service Replication Synchronization of a replica of an Active Directory naming context has begun. Windows Vista, Windows Server 2008
198 4933 failure DS Access Directory Service Replication Synchronization of a replica of an Active Directory naming context has ended. Windows Vista, Windows Server 2008
199 4934 unknown DS Access Detailed Directory Service Replication Attributes of an Active Directory object were replicated. Windows Vista, Windows Server 2008
200 4935 unknown DS Access Detailed Directory Service Replication Replication failure begins. Windows Vista, Windows Server 2008
201 4936 unknown DS Access Detailed Directory Service Replication Replication failure ends. Windows Vista, Windows Server 2008
202 4937 unknown DS Access Detailed Directory Service Replication A lingering object was removed from a replica. Windows Vista, Windows Server 2008
203 4944 success Policy Change MPSSVC Rule-Level Policy Change The following policy was active when the Windows Firewall started. Windows Vista, Windows Server 2008
204 4945 success Policy Change MPSSVC Rule-Level Policy Change A rule was listed when the Windows Firewall started. Windows Vista, Windows Server 2008
205 4946 success Policy Change MPSSVC Rule-Level Policy Change A change has been made to Windows Firewall exception list. A rule was added. Windows Vista, Windows Server 2008
206 4947 success Policy Change MPSSVC Rule-Level Policy Change A change has been made to Windows Firewall exception list. A rule was modified. Windows Vista, Windows Server 2008
207 4948 success Policy Change MPSSVC Rule-Level Policy Change A change has been made to Windows Firewall exception list. A rule was deleted. Windows Vista, Windows Server 2008
208 4949 unknown Policy Change MPSSVC Rule-Level Policy Change Windows Firewall settings were restored to the default values. Windows Vista, Windows Server 2008
209 4950 unknown Policy Change MPSSVC Rule-Level Policy Change A Windows Firewall setting has changed. Windows Vista, Windows Server 2008
210 4951 failure Policy Change MPSSVC Rule-Level Policy Change A rule has been ignored because its major version number was not recognized by Windows Firewall. Windows Vista, Windows Server 2008
211 4952 unknown Policy Change MPSSVC Rule-Level Policy Change Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. Windows Vista, Windows Server 2008
212 4953 failure Policy Change MPSSVC Rule-Level Policy Change A rule has been ignored by Windows Firewall because it could not parse the rule. Windows Vista, Windows Server 2008
213 4954 unknown Policy Change MPSSVC Rule-Level Policy Change Windows Firewall Group Policy settings have changed. The new settings have been applied. Windows Vista, Windows Server 2008
214 4956 success Policy Change MPSSVC Rule-Level Policy Change Windows Firewall has changed the active profile. Windows Vista, Windows Server 2008
215 4957 unknown Policy Change MPSSVC Rule-Level Policy Change Windows Firewall did not apply the following rule: Windows Vista, Windows Server 2008
216 4958 unknown Policy Change MPSSVC Rule-Level Policy Change Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: Windows Vista, Windows Server 2008
217 4960 unknown System IPsec Driver IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. Windows Vista, Windows Server 2008
218 4961 unknown System IPsec Driver IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. Windows Vista, Windows Server 2008
219 4962 unknown System IPsec Driver IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. Windows Vista, Windows Server 2008
220 4963 unknown System IPsec Driver IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. Windows Vista, Windows Server 2008
221 4964 unknown Logon/Logoff Special Logon Special groups have been assigned to a new logon. Windows Vista, Windows Server 2008
222 4965 unknown System IPsec Driver IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. Windows Vista, Windows Server 2008
223 4976 unknown Logon/Logoff IPsec Main Mode During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. Windows Vista, Windows Server 2008
224 4977 unknown Logon/Logoff IPsec Quick Mode During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. Windows Vista, Windows Server 2008
225 4978 unknown Logon/Logoff IPsec Extended Mode During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. Windows Vista, Windows Server 2008
226 4979 unknown Logon/Logoff IPsec Extended Mode IPsec Main Mode and Extended Mode security associations were established. Windows Vista, Windows Server 2008
227 4980 unknown Logon/Logoff IPsec Extended Mode IPsec Main Mode and Extended Mode security associations were established. Windows Vista, Windows Server 2008
228 4981 unknown Logon/Logoff IPsec Extended Mode IPsec Main Mode and Extended Mode security associations were established. Windows Vista, Windows Server 2008
229 4982 unknown Logon/Logoff IPsec Extended Mode IPsec Main Mode and Extended Mode security associations were established. Windows Vista, Windows Server 2008
230 4983 unknown Logon/Logoff IPsec Extended Mode An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. Windows Vista, Windows Server 2008
231 4984 unknown Logon/Logoff IPsec Extended Mode An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. Windows Vista, Windows Server 2008
232 4985 success Object Access File System The state of a transaction has changed. Windows Vista, Windows Server 2008
233 5024 success System Other System Events The Windows Firewall Service has started successfully. Windows Vista, Windows Server 2008
234 5025 unknown System Other System Events The Windows Firewall Service has been stopped. Windows Vista, Windows Server 2008
235 5027 unknown System Other System Events The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. Windows Vista, Windows Server 2008
236 5028 unknown System Other System Events The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. Windows Vista, Windows Server 2008
237 5029 unknown System Other System Events The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. Windows Vista, Windows Server 2008
238 5030 unknown System Other System Events The Windows Firewall Service failed to start. Windows Vista, Windows Server 2008
239 5031 unknown Object Access Filtering Platform Connection The Windows Firewall Service blocked an application from accepting incoming connections on the network. Windows Vista, Windows Server 2008
240 5032 unknown System Other System Events Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. Windows Vista, Windows Server 2008
241 5033 success System Other System Events The Windows Firewall Driver has started successfully. Windows Vista, Windows Server 2008
242 5034 unknown System Other System Events The Windows Firewall Driver has been stopped. Windows Vista, Windows Server 2008
243 5035 unknown System Other System Events The Windows Firewall Driver failed to start. Windows Vista, Windows Server 2008
244 5037 unknown System Other System Events The Windows Firewall Driver detected critical runtime error. Terminating. Windows Vista, Windows Server 2008
245 5038 unknown System System Integrity Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. Windows Vista, Windows Server 2008
246 5039 unknown Object Access Registry A registry key was virtualized. Windows Vista, Windows Server 2008
247 5040 unknown Policy Change Filtering Platform Policy Change A change has been made to IPsec settings. An Authentication Set was added. Windows Vista, Windows Server 2008
248 5041 unknown Policy Change Filtering Platform Policy Change A change has been made to IPsec settings. An Authentication Set was modified. Windows Vista, Windows Server 2008
249 5042 unknown Policy Change Filtering Platform Policy Change A change has been made to IPsec settings. An Authentication Set was deleted. Windows Vista, Windows Server 2008
250 5043 unknown Policy Change Filtering Platform Policy Change A change has been made to IPsec settings. A Connection Security Rule was added. Windows Vista, Windows Server 2008
251 5044 unknown Policy Change Filtering Platform Policy Change A change has been made to IPsec settings. A Connection Security Rule was modified. Windows Vista, Windows Server 2008
252 5045 unknown Policy Change Filtering Platform Policy Change A change has been made to IPsec settings. A Connection Security Rule was deleted. Windows Vista, Windows Server 2008
253 5046 unknown Policy Change Filtering Platform Policy Change A change has been made to IPsec settings. A Crypto Set was added. Windows Vista, Windows Server 2008
254 5047 unknown Policy Change Filtering Platform Policy Change A change has been made to IPsec settings. A Crypto Set was modified. Windows Vista, Windows Server 2008
255 5048 unknown Policy Change Filtering Platform Policy Change A change has been made to IPsec settings. A Crypto Set was deleted. Windows Vista, Windows Server 2008
256 5049 unknown Logon/Logoff IPsec Main Mode An IPsec Security Association was deleted. Windows Vista, Windows Server 2008
257 5051 unknown Object Access File System A file was virtualized. Windows Vista, Windows Server 2008
258 5056 success System System Integrity A cryptographic self test was performed. Windows Vista, Windows Server 2008
259 5057 unknown System System Integrity A cryptographic primitive operation failed. Windows Vista, Windows Server 2008
260 5058 success System Other System Events Key file operation. Windows Vista, Windows Server 2008
261 5059 success System Other System Events Key migration operation. Windows Vista, Windows Server 2008
262 5060 unknown System System Integrity Verification operation failed. Windows Vista, Windows Server 2008
263 5061 failure System System Integrity Cryptographic operation. Windows Vista, Windows Server 2008
264 5062 unknown System System Integrity A kernel-mode cryptographic self test was performed. Windows Vista, Windows Server 2008
265 5063 unknown Policy Change Other Policy Change Events A cryptographic provider operation was attempted. Windows Vista, Windows Server 2008
266 5064 unknown Policy Change Other Policy Change Events A cryptographic context operation was attempted. Windows Vista, Windows Server 2008
267 5065 unknown Policy Change Other Policy Change Events A cryptographic context modification was attempted. Windows Vista, Windows Server 2008
268 5066 unknown Policy Change Other Policy Change Events A cryptographic function operation was attempted. Windows Vista, Windows Server 2008
269 5067 unknown Policy Change Other Policy Change Events A cryptographic function modification was attempted. Windows Vista, Windows Server 2008
270 5068 unknown Policy Change Other Policy Change Events A cryptographic function provider operation was attempted. Windows Vista, Windows Server 2008
271 5069 unknown Policy Change Other Policy Change Events A cryptographic function property operation was attempted. Windows Vista, Windows Server 2008
272 5070 unknown Policy Change Other Policy Change Events A cryptographic function property modification was attempted. Windows Vista, Windows Server 2008
273 5136 success DS Access Directory Service Changes A directory service object was modified. Windows Vista, Windows Server 2008
274 5137 unknown DS Access Directory Service Changes A directory service object was created. Windows Vista, Windows Server 2008
275 5138 unknown DS Access Directory Service Changes A directory service object was undeleted. Windows Vista, Windows Server 2008
276 5139 unknown DS Access Directory Service Changes A directory service object was moved. Windows Vista, Windows Server 2008
277 5140 failure Object Access File Share A network share object was accessed. Windows Vista, Windows Server 2008
278 5141 unknown DS Access Directory Service Changes A directory service object was deleted. Windows Vista SP1, Windows Server 2008
279 5142 unknown Object Access File Share A network share object was added. Windows 7, Windows Server 2008 R2
280 5143 success Object Access File Share A network share object was modified. Windows 7, Windows Server 2008 R2
281 5144 unknown Object Access File Share A network share object was deleted. Windows 7, Windows Server 2008 R2
282 5145 unknown Object Access Detailed File Share A network share object was checked to see whether the client can be granted desired access. Windows 7, Windows Server 2008 R2
283 5148 unknown Object Access Other Object Access Events The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. Windows 7, Windows Server 2008 R2
284 5149 unknown Object Access Other Object Access Events The DoS attack has subsided and normal processing is being resumed. Windows 7, Windows Server 2008 R2
285 5150 unknown Object Access Filtering Platform Connection The Windows Filtering Platform has blocked a packet. Windows 7, Windows Server 2008 R2
286 5151 unknown Object Access Filtering Platform Connection A more restrictive Windows Filtering Platform filter has blocked a packet. Windows 7, Windows Server 2008 R2
287 5152 failure Object Access Filtering Platform Packet Drop The Windows Filtering Platform blocked a packet. Windows Vista, Windows Server 2008
288 5153 unknown Object Access Filtering Platform Packet Drop A more restrictive Windows Filtering Platform filter has blocked a packet. Windows Vista, Windows Server 2008
289 5154 success Object Access Filtering Platform Connection The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. Windows Vista, Windows Server 2008
290 5155 unknown Object Access Filtering Platform Connection The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. Windows Vista, Windows Server 2008
291 5156 success Object Access Filtering Platform Connection The Windows Filtering Platform has allowed a connection. Windows Vista, Windows Server 2008
292 5157 failure Object Access Filtering Platform Connection The Windows Filtering Platform has blocked a connection. Windows Vista, Windows Server 2008
293 5158 success Object Access Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port. Windows Vista, Windows Server 2008
294 5159 unknown Object Access Filtering Platform Connection The Windows Filtering Platform has blocked a bind to a local port. Windows Vista, Windows Server 2008
295 5168 unknown Object Access File Share Spn check for SMB/SMB2 failed. Windows 7, Windows Server 2008 R2
296 5376 unknown Account Management User Account Management Credential Manager credentials were backed up. Windows Vista, Windows Server 2008
297 5377 unknown Account Management User Account Management Credential Manager credentials were restored from a backup. Windows Vista, Windows Server 2008
298 5378 unknown Logon/Logoff Other Logon/Logoff Events The requested credentials delegation was disallowed by policy. Windows Vista, Windows Server 2008
299 5440 success Policy Change Filtering Platform Policy Change The following callout was present when the Windows Filtering Platform Base Filtering Engine started. Windows Vista, Windows Server 2008
300 5441 success Policy Change Filtering Platform Policy Change The following filter was present when the Windows Filtering Platform Base Filtering Engine started. Windows Vista, Windows Server 2008
301 5442 success Policy Change Filtering Platform Policy Change The following provider was present when the Windows Filtering Platform Base Filtering Engine started. Windows Vista, Windows Server 2008
302 5443 unknown Policy Change Filtering Platform Policy Change The following provider context was present when the Windows Filtering Platform Base Filtering Engine started. Windows Vista, Windows Server 2008
303 5444 success Policy Change Filtering Platform Policy Change The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started. Windows Vista, Windows Server 2008
304 5446 success Policy Change Filtering Platform Policy Change A Windows Filtering Platform callout has been changed. Windows Vista, Windows Server 2008
305 5447 success Policy Change Other Policy Change Events A Windows Filtering Platform filter has been changed. Windows Vista, Windows Server 2008
306 5448 success Policy Change Filtering Platform Policy Change A Windows Filtering Platform provider has been changed. Windows Vista, Windows Server 2008
307 5449 success Policy Change Filtering Platform Policy Change A Windows Filtering Platform provider context has been changed. Windows Vista, Windows Server 2008
308 5450 success Policy Change Filtering Platform Policy Change A Windows Filtering Platform sub-layer has been changed. Windows Vista, Windows Server 2008
309 5451 unknown Logon/Logoff IPsec Quick Mode An IPsec Quick Mode security association was established. Windows Vista, Windows Server 2008
310 5452 unknown Logon/Logoff IPsec Quick Mode An IPsec Quick Mode security association ended. Windows Vista, Windows Server 2008
311 5453 unknown Logon/Logoff IPsec Main Mode An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. Windows Vista, Windows Server 2008
312 5456 unknown Policy Change Filtering Platform Policy Change PAStore Engine applied Active Directory storage IPsec policy on the computer. Windows Vista, Windows Server 2008
313 5457 unknown Policy Change Filtering Platform Policy Change PAStore Engine failed to apply Active Directory storage IPsec policy on the computer. Windows Vista, Windows Server 2008
314 5458 unknown Policy Change Filtering Platform Policy Change PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. Windows Vista, Windows Server 2008
315 5459 unknown Policy Change Filtering Platform Policy Change PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. Windows Vista, Windows Server 2008
316 5460 unknown Policy Change Filtering Platform Policy Change PAStore Engine applied local registry storage IPsec policy on the computer. Windows Vista, Windows Server 2008
317 5461 unknown Policy Change Filtering Platform Policy Change PAStore Engine failed to apply local registry storage IPsec policy on the computer. Windows Vista, Windows Server 2008
318 5462 unknown Policy Change Filtering Platform Policy Change PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem. Windows Vista, Windows Server 2008
319 5463 unknown Policy Change Filtering Platform Policy Change PAStore Engine polled for changes to the active IPsec policy and detected no changes. Windows Vista, Windows Server 2008
320 5464 unknown Policy Change Filtering Platform Policy Change PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services. Windows Vista, Windows Server 2008
321 5465 unknown Policy Change Filtering Platform Policy Change PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully. Windows Vista, Windows Server 2008
322 5466 unknown Policy Change Filtering Platform Policy Change PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied. Windows Vista, Windows Server 2008
323 5467 unknown Policy Change Filtering Platform Policy Change PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used. Windows Vista, Windows Server 2008
324 5468 unknown Policy Change Filtering Platform Policy Change PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used. Windows Vista, Windows Server 2008
325 5471 unknown Policy Change Filtering Platform Policy Change PAStore Engine loaded local storage IPsec policy on the computer. Windows Vista, Windows Server 2008
326 5472 unknown Policy Change Filtering Platform Policy Change PAStore Engine failed to load local storage IPsec policy on the computer. Windows Vista, Windows Server 2008
327 5473 unknown Policy Change Filtering Platform Policy Change PAStore Engine loaded directory storage IPsec policy on the computer. Windows Vista, Windows Server 2008
328 5474 unknown Policy Change Filtering Platform Policy Change PAStore Engine failed to load directory storage IPsec policy on the computer. Windows Vista, Windows Server 2008
329 5477 unknown Policy Change Filtering Platform Policy Change PAStore Engine failed to add quick mode filter. Windows Vista, Windows Server 2008
330 5478 unknown System IPsec Driver IPsec Services has started successfully. Windows Vista, Windows Server 2008
331 5479 unknown System IPsec Driver IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. Windows Vista, Windows Server 2008
332 5480 unknown System IPsec Driver IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. Windows Vista, Windows Server 2008
333 5483 unknown System IPsec Driver IPsec Services failed to initialize RPC server. IPsec Services could not be started. Windows Vista, Windows Server 2008
334 5484 unknown System IPsec Driver IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. Windows Vista, Windows Server 2008
335 5485 unknown System IPsec Driver IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. Windows Vista, Windows Server 2008
336 5632 unknown Logon/Logoff Other Logon/Logoff Events A request was made to authenticate to a wireless network. Windows Vista, Windows Server 2008
337 5633 unknown Logon/Logoff Other Logon/Logoff Events A request was made to authenticate to a wired network. Windows Vista, Windows Server 2008
338 5712 unknown Detailed Tracking RPC Events A Remote Procedure Call (RPC) was attempted. Windows Vista, Windows Server 2008
339 5888 unknown Object Access Other Object Access Events An object in the COM+ Catalog was modified. Windows Vista, Windows Server 2008
340 5889 unknown Object Access Other Object Access Events An object was deleted from the COM+ Catalog. Windows Vista, Windows Server 2008
341 5890 unknown Object Access Other Object Access Events An object was added to the COM+ Catalog. Windows Vista, Windows Server 2008
342 6144 success Policy Change Other Policy Change Events Security policy in the group policy objects has been applied successfully. Windows Vista, Windows Server 2008
343 6145 unknown Policy Change Other Policy Change Events One or more errors occurred while processing security policy in the group policy objects. Windows Vista, Windows Server 2008
344 6272 unknown Logon/Logoff Network Policy Server Network Policy Server granted access to a user. Windows Vista SP1, Windows Server 2008
345 6273 unknown Logon/Logoff Network Policy Server Network Policy Server denied access to a user. Windows Vista SP1, Windows Server 2008
346 6274 unknown Logon/Logoff Network Policy Server Network Policy Server discarded the request for a user. Windows Vista SP1, Windows Server 2008
347 6275 unknown Logon/Logoff Network Policy Server Network Policy Server discarded the accounting request for a user. Windows Vista SP1, Windows Server 2008
348 6276 unknown Logon/Logoff Network Policy Server Network Policy Server quarantined a user. Windows Vista SP1, Windows Server 2008
349 6277 unknown Logon/Logoff Network Policy Server Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. Windows Vista SP1, Windows Server 2008
350 6278 unknown Logon/Logoff Network Policy Server Network Policy Server granted full access to a user because the host met the defined health policy. Windows Vista SP1, Windows Server 2008
351 6279 unknown Logon/Logoff Network Policy Server Network Policy Server locked the user account due to repeated failed authentication attempts. Windows Vista SP1, Windows Server 2008
352 6280 unknown Logon/Logoff Network Policy Server Network Policy Server unlocked the user account. Windows Vista SP1, Windows Server 2008
353 6281 unknown System System Integrity Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error Windows 7, Windows Server 2008 R2
354 6400 unknown System Other System Events BranchCache: Received an incorrectly formatted response while discovering availability of content. Windows 7, Windows Server 2008 R2
355 6401 unknown System Other System Events BranchCache: Received invalid data from a peer. Data discarded. Windows 7, Windows Server 2008 R2
356 6402 unknown System Other System Events BranchCache: The message to the hosted cache offering it data is incorrectly formatted. Windows 7, Windows Server 2008 R2
357 6403 unknown System Other System Events BranchCache: The hosted cache sent an incorrectly formatted response to the client. Windows 7, Windows Server 2008 R2
358 6404 unknown System Other System Events BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. Windows 7, Windows Server 2008 R2
359 6405 unknown System Other System Events BranchCache: %2 instance(s) of event id %1 occurred. Windows 7, Windows Server 2008 R2
360 6406 unknown System Other System Events %1 registered to Windows Firewall to control filtering for the following: %2 Windows 7, Windows Server 2008 R2
361 6407 unknown System Other System Events 1% Windows 7, Windows Server 2008 R2
362 6408 unknown System Other System Events Registered product %1 failed and Windows Firewall is now controlling the filtering for %2 Windows 7, Windows Server 2008 R2

197
deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_action_multiinput.csv
Unescape View File

@ -0,0 +1,197 @@
EventCode,action,Error_Code,Description
4625,failure,0XC000005E,There are currently no logon servers available to service the logon request.
4625,unknown,0xC0000064,User logon with misspelled or bad user account
4625,failure,0xC000006A,User logon with misspelled or bad password
4625,failure,0XC000006D,This is either due to a bad username or authentication information
4625,failure,0XC000006E,Unknown user name or bad password.
4625,failure,0XC000010B,Indicates an invalid value has been provided for the LogonType requested.
4625,denied,0xC000006F,User logon outside authorized hours
4625,denied,0xC0000070,User logon from unauthorized workstation
4625,failure,0xC0000071,User logon with expired password
4625,failure,0xC0000072,User logon to account disabled by administrator
4625,failure,0XC00000DC,Indicates the Sam Server was in the wrong state to perform the desired operation.
4625,error,0XC0000133,Clocks between DC and other computer too far out of sync
4625,denied,0XC000015B,The user has not been granted the requested logon type (aka logon right) at this machine
4625,failure,0XC000018C,The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
4625,failure,0XC0000192,"An attempt was made to logon, but the Netlogon service was not started."
4625,failure,0xC0000193,User logon with expired account
4625,failure,0XC0000224,User is required to change password at next logon
4625,error,0XC0000225,Evidently a bug in Windows and not a risk
4625,denied,0xC0000234,User logon with account locked
4625,failure,0XC00002EE,Failure Reason: An Error occurred during Logon
4625,failure,0XC0000413,Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
4625,failure,0x0,Status OK.
4776,failure,0xC0000064,The username you typed does not exist. Bad username.
4776,failure,0xC000006A,Account logon with misspelled or bad password.
4776,failure,0xC000006D,Generic logon failure.
4776,denied,0xC000006F,Account logon outside authorized hours.
4776,denied,0xC0000070,Account logon from unauthorized workstation.
4776,failure,0xC0000071,Account logon with expired password.
4776,failure,0xC0000072,Account logon to account disabled by administrator.
4776,failure,0xC0000193,Account logon with expired account.
4776,failure,0xC0000224,Account logon with "Change Password at Next Logon" flagged.
4776,failure,0xC0000234,Account logon with account locked.
4776,failure,0xc0000371,The local account store does not contain secret material for the specified account.
4776,success,0x0,No errors.
4768,success,0x0,No error
4768,failure,0x1,Client's entry in KDC database has expired
4768,failure,0x2,Server's entry in KDC database has expired
4768,failure,0x3,Requested Kerberos version number not supported
4768,failure,0x4,Client's key encrypted in old master key
4768,failure,0x5,Server's key encrypted in old master key
4768,failure,0x6,Client not found in Kerberos database
4768,failure,0x7,Server not found in Kerberos database
4768,failure,0x8,Multiple principal entries in KDC database
4768,failure,0x9,The client or server has a null key (master key)
4768,failure,0xA,Ticket (TGT) not eligible for postdating
4768,failure,0xB,Requested start time is later than end time
4768,failure,0xC,Requested start time is later than end time
4768,failure,0xD,KDC cannot accommodate requested option
4768,failure,0xE,KDC has no support for encryption type
4768,failure,0xF,KDC has no support for checksum type
4768,failure,0x10,KDC has no support for PADATA type (pre-authentication data)
4768,failure,0x11,KDC has no support for transited type
4768,failure,0x12,Client's credentials have been revoked
4768,failure,0x13,Credentials for server have been revoked
4768,failure,0x14,TGT has been revoked
4768,failure,0x15,Client not yet valid-try again later
4768,failure,0x16,Server not yet valid-try again later
4768,failure,0x17,Password has expired-change password to reset
4768,failure,0x18,Pre-authentication information was invalid
4768,failure,0x19,Additional pre-authentication required
4768,failure,0x1A,KDC does not know about the requested server
4768,failure,0x1B,KDC is unavailable
4768,failure,0x1F,Integrity check on decrypted field failed
4768,failure,0x20,The ticket has expired
4768,failure,0x21,The ticket is not yet valid
4768,failure,0x22,The request is a replay
4768,failure,0x23,The ticket is not for us
4768,failure,0x24,The ticket and authenticator do not match
4768,failure,0x25,The clock skew is too great
4768,failure,0x26,Network address in network layer header doesn't match address inside ticket
4768,failure,0x27,Protocol version numbers don't match (PVNO)
4768,failure,0x28,Message type is unsupported
4768,failure,0x29,Message stream modified and checksum didn't match
4768,failure,0x2A,Message out of order (possible tampering)
4768,failure,0x2C,Specified version of key is not available
4768,failure,0x2D,Service key not available
4768,failure,0x2E,Mutual authentication failed
4768,failure,0x2F,Incorrect message direction
4768,failure,0x30,Alternative authentication method required
4768,failure,0x31,Incorrect sequence number in message
4768,failure,0x32,Inappropriate type of checksum in message (checksum may be unsupported)
4768,failure,0x33,Desired path is unreachable
4768,failure,0x34,Too much data
4768,failure,0x3C,Generic error
4768,failure,0x3D,Field is too long for this implementation
4768,failure,0x3E,The client trust failed or is not implemented
4768,failure,0x3F,The KDC server trust failed or could not be verified
4768,failure,0x40,The signature is invalid
4768,failure,0x41,A higher encryption level is needed
4768,failure,0x42,User-to-user authorization is required
4768,failure,0x43,No TGT was presented or available
4768,failure,0x44,Incorrect domain or principal
4769,success,0x0,No error
4769,failure,0x1,Client's entry in KDC database has expired
4769,failure,0x2,Server's entry in KDC database has expired
4769,failure,0x3,Requested Kerberos version number not supported
4769,failure,0x4,Client's key encrypted in old master key
4769,failure,0x5,Server's key encrypted in old master key
4769,failure,0x6,Client not found in Kerberos database
4769,failure,0x7,Server not found in Kerberos database
4769,failure,0x8,Multiple principal entries in KDC database
4769,failure,0x9,The client or server has a null key (master key)
4769,failure,0xA,Ticket (TGT) not eligible for postdating
4769,failure,0xB,Requested start time is later than end time
4769,failure,0xC,Requested start time is later than end time
4769,failure,0xD,KDC cannot accommodate requested option
4769,failure,0xE,KDC has no support for encryption type
4769,failure,0xF,KDC has no support for checksum type
4769,failure,0x10,KDC has no support for PADATA type (pre-authentication data)
4769,failure,0x11,KDC has no support for transited type
4769,failure,0x12,Client's credentials have been revoked
4769,failure,0x13,Credentials for server have been revoked
4769,failure,0x14,TGT has been revoked
4769,failure,0x15,Client not yet valid try again later
4769,failure,0x16,Server not yet valid try again later
4769,failure,0x17,Password has expired change password to reset
4769,failure,0x18,Pre-authentication information was invalid
4769,failure,0x19,Additional pre-authentication required
4769,failure,0x1A,KDC does not know about the requested server
4769,failure,0x1B,KDC is unavailable
4769,failure,0x1F,Integrity check on decrypted field failed
4769,failure,0x20,The ticket has expired
4769,failure,0x21,The ticket is not yet valid
4769,failure,0x22,The request is a replay
4769,failure,0x23,The ticket is not for us
4769,failure,0x24,The ticket and authenticator do not match
4769,failure,0x25,The clock skew is too great
4769,failure,0x26,Network address in network layer header doesn't match address inside ticket
4769,failure,0x27,Protocol version numbers don't match (PVNO)
4769,failure,0x28,Message type is unsupported
4769,failure,0x29,Message stream modified and checksum didn't match
4769,failure,0x2A,Message out of order (possible tampering)
4769,failure,0x2C,Specified version of key is not available
4769,failure,0x2D,Service key not available
4769,failure,0x2E,Mutual authentication failed
4769,failure,0x2F,Incorrect message direction
4769,failure,0x30,Alternative authentication method required
4769,failure,0x31,Incorrect sequence number in message
4769,failure,0x32,Inappropriate type of checksum in message (checksum may be unsupported)
4769,failure,0x33,Desired path is unreachable
4769,failure,0x34,Too much data
4769,failure,0x3C,Generic error
4769,failure,0x3D,Field is too long for this implementation
4769,failure,0x3E,The client trust failed or is not implemented
4769,failure,0x3F,The KDC server trust failed or could not be verified
4769,failure,0x40,The signature is invalid
4769,failure,0x41,A higher encryption level is needed
4769,failure,0x42,User-to-user authorization is required
4769,failure,0x43,No TGT was presented or available
4769,failure,0x44,Incorrect domain or principal
4771,failure,0x1,Client's entry in database has expired
4771,failure,0x2,Server's entry in database has expired
4771,failure,0x3,Requested protocol version # not supported
4771,failure,0x4,Client's key encrypted in old master key
4771,failure,0x5,Server's key encrypted in old master key
4771,failure,0x6,Client not found in Kerberos database
4771,failure,0x7,Server not found in Kerberos database
4771,failure,0x8,Multiple principal entries in database
4771,failure,0x9,The client or server has a null key
4771,failure,0xA,Ticket not eligible for postdating
4771,failure,0xB,Requested start time is later than end time
4771,failure,0xC,KDC policy rejects request
4771,failure,0xD,KDC cannot accommodate requested option
4771,failure,0xE,KDC has no support for encryption type
4771,failure,0xF,KDC has no support for checksum type
4771,failure,0x10,KDC has no support for padata type
4771,failure,0x11,KDC has no support for transited type
4771,failure,0x12,Clients credentials have been revoked
4771,failure,0x13,Credentials for server have been revoked
4771,failure,0x14,TGT has been revoked
4771,failure,0x15,Client not yet valid - try again later
4771,failure,0x16,Server not yet valid - try again later
4771,failure,0x17,Password has expired
4771,failure,0x18,Pre-authentication information was invalid
4771,failure,0x19,Additional pre-authentication required*
4771,failure,0x1F,Integrity check on decrypted field failed
4771,failure,0x20,Ticket expired
4771,failure,0x21,Ticket not yet valid
4771,failure,0x22,Request is a replay
4771,failure,0x23,The ticket isn't for us
4771,failure,0x24,Ticket and authenticator don't match
4771,failure,0x25,Clock skew too great
4771,failure,0x26,Incorrect net address
4771,failure,0x27,Protocol version mismatch
4771,failure,0x28,Invalid msg type
4771,failure,0x29,Message stream modified
4771,failure,0x2A,Message out of order
4771,failure,0x2C,Specified version of key is not available
4771,failure,0x2D,Service key not available
4771,failure,0x2E,Mutual authentication failed
4771,failure,0x2F,Incorrect message direction
4771,failure,0x30,Alternative authentication method required*
4771,failure,0x31,Incorrect sequence number in message
4771,failure,0x32,Inappropriate type of checksum in message
4771,failure,0x3C,Generic error
4771,failure,0x3D,Field is too long for this implementation
Can't render this file because it contains an unexpected character in line 32 and column 44.

557
deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_errorcode_action.csv
Unescape View File

@ -0,0 +1,557 @@
EventCode,action,Error_Code,Description,Category,Subcategory,os
4608,success,-,Windows is starting up.,System,Security State Change,"Windows Vista, Windows Server 2008"
4609,unknown,-,Windows is shutting down.,System,Security State Change,"Windows Vista, Windows Server 2008"
4610,unknown,-,An authentication package has been loaded by the Local Security Authority.,System,Security System Extension,"Windows Vista, Windows Server 2008"
4611,success,-,A trusted logon process has been registered with the Local Security Authority.,System,Security System Extension,"Windows Vista, Windows Server 2008"
4612,unknown,-,"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.",System,System Integrity,"Windows Vista, Windows Server 2008"
4614,unknown,-,A notification package has been loaded by the Security Account Manager.,System,Security System Extension,"Windows Vista, Windows Server 2008"
4615,unknown,-,Invalid use of LPC port.,System,System Integrity,"Windows Vista, Windows Server 2008"
4616,success,-,The system time was changed.,System,Security State Change,"Windows Vista, Windows Server 2008"
4618,unknown,-,A monitored security event pattern has occurred.,System,System Integrity,"Windows Vista, Windows Server 2008"
4621,unknown,-,Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.,System,Security State Change,"Windows Vista, Windows Server 2008"
4622,unknown,-,A security package has been loaded by the Local Security Authority.,System,Security System Extension,"Windows Vista, Windows Server 2008"
4624,success,-,An account was successfully logged on.,Logon/Logoff,Logon,"Windows Vista, Windows Server 2008"
4626,unknown,-,User/Device claims information.,Logon/Logoff,Logon,"Windows 8, Windows Server 2012"
4634,success,-,An account was logged off.,Logon/Logoff,Logoff,"Windows Vista, Windows Server 2008"
4646,unknown,-,IKE DoS-prevention mode started.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
4647,success,-,User initiated logoff.,Logon/Logoff,Logoff,"Windows Vista, Windows Server 2008"
4648,success,-,A logon was attempted using explicit credentials.,Logon/Logoff,Logon,"Windows Vista, Windows Server 2008"
4649,unknown,-,A replay attack was detected.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
4650,unknown,-,An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
4651,unknown,-,An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
4652,unknown,-,An IPsec Main Mode negotiation failed.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
4653,failure,-,An IPsec Main Mode negotiation failed.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
4654,unknown,-,An IPsec Quick Mode negotiation failed.,Logon/Logoff,IPsec Quick Mode,"Windows Vista, Windows Server 2008"
4655,unknown,-,An IPsec Main Mode security association ended.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
4656,failure,-,A handle to an object was requested.,Object Access,Handle Manipulation,"Windows Vista, Windows Server 2008"
4657,unknown,-,A registry value was modified.,Object Access,Registry,"Windows Vista, Windows Server 2008"
4658,success,-,The handle to an object was closed.,Object Access,Handle Manipulation,"Windows Vista, Windows Server 2008"
4659,unknown,-,A handle to an object was requested with intent to delete.,Object Access,Special,"Windows Vista, Windows Server 2008"
4660,unknown,-,An object was deleted.,Object Access,Special,"Windows Vista, Windows Server 2008"
4661,success,-,A handle to an object was requested.,Object Access,Special,"Windows Vista, Windows Server 2008"
4662,success,-,An operation was performed on an object.,DS Access,Directory Service Access,"Windows Vista, Windows Server 2008"
4663,success,-,An attempt was made to access an object.,Object Access,Special,"Windows Vista, Windows Server 2008"
4664,success,-,An attempt was made to create a hard link.,Object Access,File System,"Windows Vista, Windows Server 2008"
4665,unknown,-,An attempt was made to create an application client context.,Object Access,Application Generated,"Windows Vista, Windows Server 2008"
4666,unknown,-,An application attempted an operation:,Object Access,Application Generated,"Windows Vista, Windows Server 2008"
4667,unknown,-,An application client context was deleted.,Object Access,Application Generated,"Windows Vista, Windows Server 2008"
4668,unknown,-,An application was initialized.,Object Access,Application Generated,"Windows Vista, Windows Server 2008"
4670,success,-,Permissions on an object were changed.,Policy Change,Subcategory (special),"Windows Vista, Windows Server 2008"
4671,unknown,-,An application attempted to access a blocked ordinal through the TBS.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
4672,success,-,Special privileges assigned to new logon.,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,"Windows Vista, Windows Server 2008"
4673,failure,-,A privileged service was called.,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,"Windows Vista, Windows Server 2008"
4674,success,-,An operation was attempted on a privileged object.,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,"Windows Vista, Windows Server 2008"
4675,unknown,-,SIDs were filtered.,Logon/Logoff,Logon,"Windows Vista, Windows Server 2008"
4689,success,-,A process has exited.,Detailed Tracking,Process Termination,"Windows Vista, Windows Server 2008"
4690,success,-,An attempt was made to duplicate a handle to an object.,Object Access,Handle Manipulation,"Windows Vista, Windows Server 2008"
4691,unknown,-,Indirect access to an object was requested.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
4692,unknown,-,Backup of data protection master key was attempted.,Detailed Tracking,DPAPI Activity,"Windows Vista, Windows Server 2008"
4693,unknown,-,Recovery of data protection master key was attempted.,Detailed Tracking,DPAPI Activity,"Windows Vista, Windows Server 2008"
4694,unknown,-,Protection of auditable protected data was attempted.,Detailed Tracking,DPAPI Activity,"Windows Vista, Windows Server 2008"
4695,unknown,-,Unprotection of auditable protected data was attempted.,Detailed Tracking,DPAPI Activity,"Windows Vista, Windows Server 2008"
4696,unknown,-,A primary token was assigned to process.,Detailed Tracking,Process Creation,"Windows Vista, Windows Server 2008"
4697,unknown,-,A service was installed in the system.,System,Security System Extension,"Windows Vista, Windows Server 2008"
4698,unknown,-,A scheduled task was created.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
4699,unknown,-,A scheduled task was deleted.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
4700,unknown,-,A scheduled task was enabled.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
4701,unknown,-,A scheduled task was disabled.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
4702,success,-,A scheduled task was updated.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
4704,success,-,A user right was assigned.,Policy Change,Authorization Policy Change,"Windows Vista, Windows Server 2008"
4705,unknown,-,A user right was removed.,Policy Change,Authorization Policy Change,"Windows Vista, Windows Server 2008"
4706,unknown,-,A new trust was created to a domain.,Policy Change,Authorization Policy Change,"Windows Vista, Windows Server 2008"
4707,unknown,-,A trust to a domain was removed.,Policy Change,Authorization Policy Change,"Windows Vista, Windows Server 2008"
4709,unknown,-,IPsec Services was started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
4710,unknown,-,IPsec Services was disabled.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
4711,unknown,-,May contain any one of the following: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine applied Active Directory storage IPsec policy on the computer.PAStore Engine applied local registry storage IPsec policy on the computer.PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply local registry storage IPsec policy on the computer.PAStore Engine failed to apply some rules of the active IPsec policy on the computer.PAStore Engine failed to load directory storage IPsec policy on the computer.PAStore Engine loaded directory storage IPsec policy on the computer.PAStore Engine failed to load local storage IPsec policy on the computer.PAStore Engine loaded local storage IPsec policy on the computer.PAStore Engine polled for changes to the active IPsec policy and detected no changes.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
4712,unknown,-,IPsec Services encountered a potentially serious failure.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
4713,unknown,-,Kerberos policy was changed.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
4714,unknown,-,Encrypted data recovery policy was changed.,Policy Change,Authorization Policy Change,"Windows Vista, Windows Server 2008"
4715,unknown,-,The audit policy (SACL) on an object was changed.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
4716,unknown,-,Trusted domain information was modified.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
4717,success,-,System security access was granted to an account.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
4718,unknown,-,System security access was removed from an account.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
4719,unknown,-,System audit policy was changed.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
4720,created,-,A user account was created.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
4722,modified,-,A user account was enabled.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
4723,modified,-,An attempt was made to change an account's password.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
4724,modified,-,An attempt was made to reset an account's password.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
4725,modified,-,A user account was disabled.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
4726,deleted,-,A user account was deleted.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
4727,success,-,A security-enabled global group was created.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
4728,success,-,A member was added to a security-enabled global group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
4729,success,-,A member was removed from a security-enabled global group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
4730,unknown,-,A security-enabled global group was deleted.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
4731,unknown,-,A security-enabled local group was created.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
4732,success,-,A member was added to a security-enabled local group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
4733,success,-,A member was removed from a security-enabled local group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
4734,unknown,-,A security-enabled local group was deleted.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
4735,success,-,A security-enabled local group was changed.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
4737,success,-,A security-enabled global group was changed.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
4738,modified,-,A user account was changed.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
4739,unknown,-,Domain Policy was changed.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
4740,unknown,-,A user account was locked out.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
4742,modified,-,A computer account was changed.,Account Management,Computer Account Management,"Windows Vista, Windows Server 2008"
4743,unknown,-,A computer account was deleted.,Account Management,Computer Account Management,"Windows Vista, Windows Server 2008"
4744,unknown,-,A security-disabled local group was created.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
4745,unknown,-,A security-disabled local group was changed.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
4746,unknown,-,A member was added to a security-disabled local group.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
4747,unknown,-,A member was removed from a security-disabled local group.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
4748,unknown,-,A security-disabled local group was deleted.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
4749,unknown,-,A security-disabled global group was created.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
4750,unknown,-,A security-disabled global group was changed.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
4751,unknown,-,A member was added to a security-disabled global group.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
4752,unknown,-,A member was removed from a security-disabled global group.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
4753,unknown,-,A security-disabled global group was deleted.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
4754,success,-,A security-enabled universal group was created.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
4755,success,-,A security-enabled universal group was changed.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
4756,success,-,A member was added to a security-enabled universal group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
4757,success,-,A member was removed from a security-enabled universal group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
4758,unknown,-,A security-enabled universal group was deleted.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
4759,unknown,-,A security-disabled universal group was created.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
4760,unknown,-,A security-disabled universal group was changed.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
4761,unknown,-,A member was added to a security-disabled universal group.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
4762,unknown,-,A member was removed from a security-disabled universal group.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
4764,unknown,-,A group's type was changed.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
4765,unknown,-,SID History was added to an account.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
4766,unknown,-,An attempt to add SID History to an account failed.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
4767,modified,-,A user account was unlocked.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
4770,success,-,A Kerberos service ticket was renewed.,Account Logon,Kerberos Service Ticket Operations,"Windows Vista, Windows Server 2008"
4772,unknown,-,A Kerberos authentication ticket request failed.,Account Logon,Kerberos Authentication Service,"Windows Vista, Windows Server 2008"
4774,unknown,-,An account was mapped for logon.,Account Logon,Credential Validation,"Windows Vista, Windows Server 2008"
4775,unknown,-,An account could not be mapped for logon.,Account Logon,Credential Validation,"Windows Vista, Windows Server 2008"
4777,unknown,-,The domain controller failed to validate the credentials for an account.,Account Logon,Credential Validation,"Windows Vista, Windows Server 2008"
4778,success,-,A session was reconnected to a Window Station.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
4779,success,-,A session was disconnected from a Window Station.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
4780,success,-,The ACL was set on accounts which are members of administrators groups.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
4781,unknown,-,The name of an account was changed:,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
4782,unknown,-,The password hash an account was accessed.,Account Management,Other Account Management Events,"Windows Vista, Windows Server 2008"
4783,unknown,-,A basic application group was created.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008"
4784,unknown,-,A basic application group was changed.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008"
4785,unknown,-,A member was added to a basic application group.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008"
4786,unknown,-,A member was removed from a basic application group.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008"
4787,unknown,-,A non-member was added to a basic application group.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008"
4788,unknown,-,A non-member was removed from a basic application group.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008"
4789,unknown,-,A basic application group was deleted.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008"
4790,unknown,-,An LDAP query group was created.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008"
4793,unknown,-,The Password Policy Checking API was called.,Account Management,Other Account Management Events,"Windows Vista, Windows Server 2008"
4794,unknown,-,An attempt was made to set the Directory Services Restore Mode.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
4800,success,-,The workstation was locked.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
4801,unknown,-,The workstation was unlocked.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
4802,unknown,-,The screen saver was invoked.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
4803,unknown,-,The screen saver was dismissed.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
4816,unknown,-,RPC detected an integrity violation while decrypting an incoming message.,System,System Integrity,"Windows Vista, Windows Server 2008"
4817,unknown,-,Auditing settings on an object were changed.,Policy Change,Audit Policy Change,"Windows 7, Windows Server 2008 R2"
4818,unknown,-,Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy,Object Access,Central Policy Staging,"Windows 8, Windows Server 2012"
4819,unknown,-,Central Access Policies on the machine have been changed.,Policy Change,Other Policy Change Events,"Windows 8, Windows Server 2012"
4864,unknown,-,A namespace collision was detected.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
4865,unknown,-,A trusted forest information entry was added.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
4866,unknown,-,A trusted forest information entry was removed.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
4867,unknown,-,A trusted forest information entry was modified.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
4868,unknown,-,The certificate manager denied a pending certificate request.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4869,unknown,-,Certificate Services received a resubmitted certificate request.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4870,unknown,-,Certificate Services revoked a certificate.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4871,unknown,-,Certificate Services received a request to publish the certificate revocation list (CRL).,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4872,unknown,-,Certificate Services published the certificate revocation list (CRL).,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4873,unknown,-,A certificate request extension changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4874,unknown,-,One or more certificate request attributes changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4875,unknown,-,Certificate Services received a request to shut down.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4876,unknown,-,Certificate Services backup started.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4877,unknown,-,Certificate Services backup completed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4878,unknown,-,Certificate Services restore started.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4879,unknown,-,Certificate Services restore completed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4880,unknown,-,Certificate Services started.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4881,unknown,-,Certificate Services stopped.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4882,unknown,-,The security permissions for Certificate Services changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4883,unknown,-,Certificate Services retrieved an archived key.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4884,unknown,-,Certificate Services imported a certificate into its database.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4885,unknown,-,The audit filter for Certificate Services changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4886,unknown,-,Certificate Services received a certificate request.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4887,unknown,-,Certificate Services approved a certificate request and issued a certificate.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4888,unknown,-,Certificate Services denied a certificate request.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4889,unknown,-,Certificate Services set the status of a certificate request to pending.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4890,unknown,-,The certificate manager settings for Certificate Services changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4891,unknown,-,A configuration entry changed in Certificate Services.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4892,unknown,-,A property of Certificate Services changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4893,unknown,-,Certificate Services archived a key.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4894,unknown,-,Certificate Services imported and archived a key.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4895,unknown,-,Certificate Services published the CA certificate to Active Directory Domain Services.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4896,unknown,-,One or more rows have been deleted from the certificate database.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4897,unknown,-,Role separation enabled:,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4898,unknown,-,Certificate Services loaded a template.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
4902,success,-,The Per-user audit policy table was created.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
4904,success,-,An attempt was made to register a security event source.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
4905,success,-,An attempt was made to unregister a security event source.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
4906,unknown,-,The CrashOnAuditFail value has changed.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
4907,success,-,Auditing settings on object were changed.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
4908,unknown,-,Special Groups Logon table modified.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
4909,unknown,-,The local policy settings for the TBS were changed.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
4910,unknown,-,The group policy settings for the TBS were changed.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
4911,unknown,-,Resource attributes of the object were changed.,Policy Change,Authorization Policy Change,"Windows 8, Windows Server 2012"
4912,unknown,-,Per User Audit Policy was changed.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
4913,unknown,-,Central Access Policy on the object was changed.,Policy Change,Authorization Policy Change,"Windows 8, Windows Server 2012"
4928,unknown,-,An Active Directory replica source naming context was established.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008"
4929,unknown,-,An Active Directory replica source naming context was removed.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008"
4930,unknown,-,An Active Directory replica source naming context was modified.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008"
4931,success,-,An Active Directory replica destination naming context was modified.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008"
4932,success,-,Synchronization of a replica of an Active Directory naming context has begun.,DS Access,Directory Service Replication,"Windows Vista, Windows Server 2008"
4933,failure,-,Synchronization of a replica of an Active Directory naming context has ended.,DS Access,Directory Service Replication,"Windows Vista, Windows Server 2008"
4934,unknown,-,Attributes of an Active Directory object were replicated.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008"
4935,unknown,-,Replication failure begins.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008"
4936,unknown,-,Replication failure ends.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008"
4937,unknown,-,A lingering object was removed from a replica.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008"
4944,success,-,The following policy was active when the Windows Firewall started.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
4945,success,-,A rule was listed when the Windows Firewall started.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
4946,success,-,A change has been made to Windows Firewall exception list. A rule was added.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
4947,success,-,A change has been made to Windows Firewall exception list. A rule was modified.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
4948,success,-,A change has been made to Windows Firewall exception list. A rule was deleted.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
4949,unknown,-,Windows Firewall settings were restored to the default values.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
4950,unknown,-,A Windows Firewall setting has changed.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
4951,failure,-,A rule has been ignored because its major version number was not recognized by Windows Firewall.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
4952,unknown,-,Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
4953,failure,-,A rule has been ignored by Windows Firewall because it could not parse the rule.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
4954,unknown,-,Windows Firewall Group Policy settings have changed. The new settings have been applied.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
4956,success,-,Windows Firewall has changed the active profile.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
4957,unknown,-,Windows Firewall did not apply the following rule:,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
4958,unknown,-,Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
4960,unknown,-,"IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.",System,IPsec Driver,"Windows Vista, Windows Server 2008"
4961,unknown,-,"IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.",System,IPsec Driver,"Windows Vista, Windows Server 2008"
4962,unknown,-,IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.,System,IPsec Driver,"Windows Vista, Windows Server 2008"
4963,unknown,-,IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.,System,IPsec Driver,"Windows Vista, Windows Server 2008"
4964,unknown,-,Special groups have been assigned to a new logon.,Logon/Logoff,Special Logon,"Windows Vista, Windows Server 2008"
4965,unknown,-,"IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.",System,IPsec Driver,"Windows Vista, Windows Server 2008"
4976,unknown,-,"During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
4977,unknown,-,"During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",Logon/Logoff,IPsec Quick Mode,"Windows Vista, Windows Server 2008"
4978,unknown,-,"During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008"
4979,unknown,-,IPsec Main Mode and Extended Mode security associations were established.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008"
4980,unknown,-,IPsec Main Mode and Extended Mode security associations were established.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008"
4981,unknown,-,IPsec Main Mode and Extended Mode security associations were established.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008"
4982,unknown,-,IPsec Main Mode and Extended Mode security associations were established.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008"
4983,unknown,-,An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008"
4984,unknown,-,An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008"
4985,success,-,The state of a transaction has changed.,Object Access,File System,"Windows Vista, Windows Server 2008"
5024,success,-,The Windows Firewall Service has started successfully.,System,Other System Events,"Windows Vista, Windows Server 2008"
5025,unknown,-,The Windows Firewall Service has been stopped.,System,Other System Events,"Windows Vista, Windows Server 2008"
5027,unknown,-,The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.,System,Other System Events,"Windows Vista, Windows Server 2008"
5028,unknown,-,The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.,System,Other System Events,"Windows Vista, Windows Server 2008"
5029,unknown,-,The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.,System,Other System Events,"Windows Vista, Windows Server 2008"
5030,unknown,-,The Windows Firewall Service failed to start.,System,Other System Events,"Windows Vista, Windows Server 2008"
5031,unknown,-,The Windows Firewall Service blocked an application from accepting incoming connections on the network.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008"
5032,unknown,-,Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.,System,Other System Events,"Windows Vista, Windows Server 2008"
5033,success,-,The Windows Firewall Driver has started successfully.,System,Other System Events,"Windows Vista, Windows Server 2008"
5034,unknown,-,The Windows Firewall Driver has been stopped.,System,Other System Events,"Windows Vista, Windows Server 2008"
5035,unknown,-,The Windows Firewall Driver failed to start.,System,Other System Events,"Windows Vista, Windows Server 2008"
5037,unknown,-,The Windows Firewall Driver detected critical runtime error. Terminating.,System,Other System Events,"Windows Vista, Windows Server 2008"
5038,unknown,-,Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.,System,System Integrity,"Windows Vista, Windows Server 2008"
5039,unknown,-,A registry key was virtualized.,Object Access,Registry,"Windows Vista, Windows Server 2008"
5040,unknown,-,A change has been made to IPsec settings. An Authentication Set was added.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5041,unknown,-,A change has been made to IPsec settings. An Authentication Set was modified.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5042,unknown,-,A change has been made to IPsec settings. An Authentication Set was deleted.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5043,unknown,-,A change has been made to IPsec settings. A Connection Security Rule was added.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5044,unknown,-,A change has been made to IPsec settings. A Connection Security Rule was modified.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5045,unknown,-,A change has been made to IPsec settings. A Connection Security Rule was deleted.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5046,unknown,-,A change has been made to IPsec settings. A Crypto Set was added.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5047,unknown,-,A change has been made to IPsec settings. A Crypto Set was modified.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5048,unknown,-,A change has been made to IPsec settings. A Crypto Set was deleted.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5049,unknown,-,An IPsec Security Association was deleted.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
5051,unknown,-,A file was virtualized.,Object Access,File System,"Windows Vista, Windows Server 2008"
5056,success,-,A cryptographic self test was performed.,System,System Integrity,"Windows Vista, Windows Server 2008"
5057,unknown,-,A cryptographic primitive operation failed.,System,System Integrity,"Windows Vista, Windows Server 2008"
5058,success,-,Key file operation.,System,Other System Events,"Windows Vista, Windows Server 2008"
5059,success,-,Key migration operation.,System,Other System Events,"Windows Vista, Windows Server 2008"
5060,unknown,-,Verification operation failed.,System,System Integrity,"Windows Vista, Windows Server 2008"
5061,failure,-,Cryptographic operation.,System,System Integrity,"Windows Vista, Windows Server 2008"
5062,unknown,-,A kernel-mode cryptographic self test was performed.,System,System Integrity,"Windows Vista, Windows Server 2008"
5063,unknown,-,A cryptographic provider operation was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
5064,unknown,-,A cryptographic context operation was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
5065,unknown,-,A cryptographic context modification was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
5066,unknown,-,A cryptographic function operation was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
5067,unknown,-,A cryptographic function modification was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
5068,unknown,-,A cryptographic function provider operation was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
5069,unknown,-,A cryptographic function property operation was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
5070,unknown,-,A cryptographic function property modification was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
5136,success,-,A directory service object was modified.,DS Access,Directory Service Changes,"Windows Vista, Windows Server 2008"
5137,unknown,-,A directory service object was created.,DS Access,Directory Service Changes,"Windows Vista, Windows Server 2008"
5138,unknown,-,A directory service object was undeleted.,DS Access,Directory Service Changes,"Windows Vista, Windows Server 2008"
5139,unknown,-,A directory service object was moved.,DS Access,Directory Service Changes,"Windows Vista, Windows Server 2008"
5140,failure,-,A network share object was accessed.,Object Access,File Share,"Windows Vista, Windows Server 2008"
5141,unknown,-,A directory service object was deleted.,DS Access,Directory Service Changes,"Windows Vista SP1, Windows Server 2008"
5142,unknown,-,A network share object was added.,Object Access,File Share,"Windows 7, Windows Server 2008 R2"
5143,success,-,A network share object was modified.,Object Access,File Share,"Windows 7, Windows Server 2008 R2"
5144,unknown,-,A network share object was deleted.,Object Access,File Share,"Windows 7, Windows Server 2008 R2"
5145,unknown,-,A network share object was checked to see whether the client can be granted desired access.,Object Access,Detailed File Share,"Windows 7, Windows Server 2008 R2"
5148,unknown,-,The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.,Object Access,Other Object Access Events,"Windows 7, Windows Server 2008 R2"
5149,unknown,-,The DoS attack has subsided and normal processing is being resumed.,Object Access,Other Object Access Events,"Windows 7, Windows Server 2008 R2"
5150,unknown,-,The Windows Filtering Platform has blocked a packet.,Object Access,Filtering Platform Connection,"Windows 7, Windows Server 2008 R2"
5151,unknown,-,A more restrictive Windows Filtering Platform filter has blocked a packet.,Object Access,Filtering Platform Connection,"Windows 7, Windows Server 2008 R2"
5152,failure,-,The Windows Filtering Platform blocked a packet.,Object Access,Filtering Platform Packet Drop ,"Windows Vista, Windows Server 2008"
5153,unknown,-,A more restrictive Windows Filtering Platform filter has blocked a packet.,Object Access,Filtering Platform Packet Drop ,"Windows Vista, Windows Server 2008"
5154,success,-,The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008"
5155,unknown,-,The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008"
5156,success,-,The Windows Filtering Platform has allowed a connection.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008"
5157,failure,-,The Windows Filtering Platform has blocked a connection.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008"
5158,success,-,The Windows Filtering Platform has permitted a bind to a local port.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008"
5159,unknown,-,The Windows Filtering Platform has blocked a bind to a local port.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008"
5168,unknown,-,Spn check for SMB/SMB2 failed.,Object Access,File Share,"Windows 7, Windows Server 2008 R2"
5376,unknown,-,Credential Manager credentials were backed up.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
5377,unknown,-,Credential Manager credentials were restored from a backup.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
5378,unknown,-,The requested credentials delegation was disallowed by policy.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
5440,success,-,The following callout was present when the Windows Filtering Platform Base Filtering Engine started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5441,success,-,The following filter was present when the Windows Filtering Platform Base Filtering Engine started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5442,success,-,The following provider was present when the Windows Filtering Platform Base Filtering Engine started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5443,unknown,-,The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5444,success,-,The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5446,success,-,A Windows Filtering Platform callout has been changed.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5447,success,-,A Windows Filtering Platform filter has been changed.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
5448,success,-,A Windows Filtering Platform provider has been changed.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5449,success,-,A Windows Filtering Platform provider context has been changed.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5450,success,-,A Windows Filtering Platform sub-layer has been changed.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5451,unknown,-,An IPsec Quick Mode security association was established.,Logon/Logoff,IPsec Quick Mode,"Windows Vista, Windows Server 2008"
5452,unknown,-,An IPsec Quick Mode security association ended.,Logon/Logoff,IPsec Quick Mode,"Windows Vista, Windows Server 2008"
5453,unknown,-,An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
5456,unknown,-,PAStore Engine applied Active Directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5457,unknown,-,PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5458,unknown,-,PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5459,unknown,-,PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5460,unknown,-,PAStore Engine applied local registry storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5461,unknown,-,PAStore Engine failed to apply local registry storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5462,unknown,-,PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5463,unknown,-,PAStore Engine polled for changes to the active IPsec policy and detected no changes.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5464,unknown,-,"PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.",Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5465,unknown,-,PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5466,unknown,-,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.",Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5467,unknown,-,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.",Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5468,unknown,-,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.",Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5471,unknown,-,PAStore Engine loaded local storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5472,unknown,-,PAStore Engine failed to load local storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5473,unknown,-,PAStore Engine loaded directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5474,unknown,-,PAStore Engine failed to load directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5477,unknown,-,PAStore Engine failed to add quick mode filter.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
5478,unknown,-,IPsec Services has started successfully.,System,IPsec Driver,"Windows Vista, Windows Server 2008"
5479,unknown,-,IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.,System,IPsec Driver,"Windows Vista, Windows Server 2008"
5480,unknown,-,IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.,System,IPsec Driver,"Windows Vista, Windows Server 2008"
5483,unknown,-,IPsec Services failed to initialize RPC server. IPsec Services could not be started.,System,IPsec Driver,"Windows Vista, Windows Server 2008"
5484,unknown,-,IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.,System,IPsec Driver,"Windows Vista, Windows Server 2008"
5485,unknown,-,IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.,System,IPsec Driver,"Windows Vista, Windows Server 2008"
5632,unknown,-,A request was made to authenticate to a wireless network.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
5633,unknown,-,A request was made to authenticate to a wired network.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
5712,unknown,-,A Remote Procedure Call (RPC) was attempted.,Detailed Tracking,RPC Events,"Windows Vista, Windows Server 2008"
5888,unknown,-,An object in the COM+ Catalog was modified.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
5889,unknown,-,An object was deleted from the COM+ Catalog.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
5890,unknown,-,An object was added to the COM+ Catalog.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
6144,success,-,Security policy in the group policy objects has been applied successfully.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
6145,unknown,-,One or more errors occurred while processing security policy in the group policy objects.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
6272,unknown,-,Network Policy Server granted access to a user.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
6273,unknown,-,Network Policy Server denied access to a user.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
6274,unknown,-,Network Policy Server discarded the request for a user.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
6275,unknown,-,Network Policy Server discarded the accounting request for a user.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
6276,unknown,-,Network Policy Server quarantined a user.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
6277,unknown,-,Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
6278,unknown,-,Network Policy Server granted full access to a user because the host met the defined health policy.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
6279,unknown,-,Network Policy Server locked the user account due to repeated failed authentication attempts.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
6280,unknown,-,Network Policy Server unlocked the user account.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
6281,unknown,-,Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error,System,System Integrity,"Windows 7, Windows Server 2008 R2"
6400,unknown,-,BranchCache: Received an incorrectly formatted response while discovering availability of content. ,System,Other System Events,"Windows 7, Windows Server 2008 R2"
6401,unknown,-,BranchCache: Received invalid data from a peer. Data discarded. ,System,Other System Events,"Windows 7, Windows Server 2008 R2"
6402,unknown,-,BranchCache: The message to the hosted cache offering it data is incorrectly formatted. ,System,Other System Events,"Windows 7, Windows Server 2008 R2"
6403,unknown,-,BranchCache: The hosted cache sent an incorrectly formatted response to the client.,System,Other System Events,"Windows 7, Windows Server 2008 R2"
6404,unknown,-,BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. ,System,Other System Events,"Windows 7, Windows Server 2008 R2"
6405,unknown,-,BranchCache: %2 instance(s) of event id %1 occurred.,System,Other System Events,"Windows 7, Windows Server 2008 R2"
6406,unknown,-,%1 registered to Windows Firewall to control filtering for the following: %2,System,Other System Events,"Windows 7, Windows Server 2008 R2"
6407,unknown,-,1%,System,Other System Events,"Windows 7, Windows Server 2008 R2"
6408,unknown,-,Registered product %1 failed and Windows Firewall is now controlling the filtering for %2,System,Other System Events,"Windows 7, Windows Server 2008 R2"
4625,failure,0XC000005E,There are currently no logon servers available to service the logon request.,,,
4625,unknown,0xC0000064,User logon with misspelled or bad user account,,,
4625,failure,0xC000006A,User logon with misspelled or bad password,,,
4625,failure,0XC000006D,This is either due to a bad username or authentication information,,,
4625,failure,0XC000006E,Unknown user name or bad password.,,,
4625,failure,0XC000010B,Indicates an invalid value has been provided for the LogonType requested.,,,
4625,denied,0xC000006F,User logon outside authorized hours,,,
4625,denied,0xC0000070,User logon from unauthorized workstation,,,
4625,failure,0xC0000071,User logon with expired password,,,
4625,failure,0xC0000072,User logon to account disabled by administrator,,,
4625,failure,0XC00000DC,Indicates the Sam Server was in the wrong state to perform the desired operation.,,,
4625,error,0XC0000133,Clocks between DC and other computer too far out of sync,,,
4625,denied,0XC000015B,The user has not been granted the requested logon type (aka logon right) at this machine,,,
4625,failure,0XC000018C,The logon request failed because the trust relationship between the primary domain and the trusted domain failed.,,,
4625,failure,0XC0000192,"An attempt was made to logon, but the Netlogon service was not started.",,,
4625,failure,0xC0000193,User logon with expired account,,,
4625,failure,0XC0000224,User is required to change password at next logon,,,
4625,error,0XC0000225,Evidently a bug in Windows and not a risk,,,
4625,denied,0xC0000234,User logon with account locked,,,
4625,failure,0XC00002EE,Failure Reason: An Error occurred during Logon,,,
4625,failure,0XC0000413,Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.,,,
4625,failure,0x0,Status OK.,,,
4776,failure,0xC0000064,The username you typed does not exist. Bad username.,,,
4776,failure,0xC000006A,Account logon with misspelled or bad password.,,,
4776,failure,0xC000006D,Generic logon failure.,,,
4776,denied,0xC000006F,Account logon outside authorized hours.,,,
4776,denied,0xC0000070,Account logon from unauthorized workstation.,,,
4776,failure,0xC0000071,Account logon with expired password.,,,
4776,failure,0xC0000072,Account logon to account disabled by administrator.,,,
4776,failure,0xC0000193,Account logon with expired account.,,,
4776,failure,0xC0000224,"Account logon with ""Change Password at Next Logon"" flagged.",,,
4776,failure,0xC0000234,Account logon with account locked.,,,
4776,failure,0xc0000371,The local account store does not contain secret material for the specified account.,,,
4776,success,0x0,No errors.,,,
4768,success,0x0,No error,,,
4768,failure,0x1,Client's entry in KDC database has expired,,,
4768,failure,0x2,Server's entry in KDC database has expired,,,
4768,failure,0x3,Requested Kerberos version number not supported,,,
4768,failure,0x4,Client's key encrypted in old master key,,,
4768,failure,0x5,Server's key encrypted in old master key,,,
4768,failure,0x6,Client not found in Kerberos database,,,
4768,failure,0x7,Server not found in Kerberos database,,,
4768,failure,0x8,Multiple principal entries in KDC database,,,
4768,failure,0x9,The client or server has a null key (master key),,,
4768,failure,0xA,Ticket (TGT) not eligible for postdating,,,
4768,failure,0xB,Requested start time is later than end time,,,
4768,failure,0xC,Requested start time is later than end time,,,
4768,failure,0xD,KDC cannot accommodate requested option,,,
4768,failure,0xE,KDC has no support for encryption type,,,
4768,failure,0xF,KDC has no support for checksum type,,,
4768,failure,0x10,KDC has no support for PADATA type (pre-authentication data),,,
4768,failure,0x11,KDC has no support for transited type,,,
4768,failure,0x12,Client's credentials have been revoked,,,
4768,failure,0x13,Credentials for server have been revoked,,,
4768,failure,0x14,TGT has been revoked,,,
4768,failure,0x15,Client not yet valid-try again later,,,
4768,failure,0x16,Server not yet valid-try again later,,,
4768,failure,0x17,Password has expired-change password to reset,,,
4768,failure,0x18,Pre-authentication information was invalid,,,
4768,failure,0x19,Additional pre-authentication required,,,
4768,failure,0x1A,KDC does not know about the requested server,,,
4768,failure,0x1B,KDC is unavailable,,,
4768,failure,0x1F,Integrity check on decrypted field failed,,,
4768,failure,0x20,The ticket has expired,,,
4768,failure,0x21,The ticket is not yet valid,,,
4768,failure,0x22,The request is a replay,,,
4768,failure,0x23,The ticket is not for us,,,
4768,failure,0x24,The ticket and authenticator do not match,,,
4768,failure,0x25,The clock skew is too great,,,
4768,failure,0x26,Network address in network layer header doesn't match address inside ticket,,,
4768,failure,0x27,Protocol version numbers don't match (PVNO),,,
4768,failure,0x28,Message type is unsupported,,,
4768,failure,0x29,Message stream modified and checksum didn't match ,,,
4768,failure,0x2A,Message out of order (possible tampering),,,
4768,failure,0x2C,Specified version of key is not available,,,
4768,failure,0x2D,Service key not available,,,
4768,failure,0x2E,Mutual authentication failed,,,
4768,failure,0x2F,Incorrect message direction,,,
4768,failure,0x30,Alternative authentication method required,,,
4768,failure,0x31,Incorrect sequence number in message,,,
4768,failure,0x32,Inappropriate type of checksum in message (checksum may be unsupported),,,
4768,failure,0x33,Desired path is unreachable,,,
4768,failure,0x34,Too much data,,,
4768,failure,0x3C,Generic error,,,
4768,failure,0x3D,Field is too long for this implementation,,,
4768,failure,0x3E,The client trust failed or is not implemented,,,
4768,failure,0x3F,The KDC server trust failed or could not be verified,,,
4768,failure,0x40,The signature is invalid,,,
4768,failure,0x41,A higher encryption level is needed,,,
4768,failure,0x42,User-to-user authorization is required,,,
4768,failure,0x43,No TGT was presented or available,,,
4768,failure,0x44,Incorrect domain or principal,,,
4769,success,0x0,No error,,,
4769,failure,0x1,Client's entry in KDC database has expired,,,
4769,failure,0x2,Server's entry in KDC database has expired,,,
4769,failure,0x3,Requested Kerberos version number not supported,,,
4769,failure,0x4,Client's key encrypted in old master key,,,
4769,failure,0x5,Server's key encrypted in old master key,,,
4769,failure,0x6,Client not found in Kerberos database,,,
4769,failure,0x7,Server not found in Kerberos database,,,
4769,failure,0x8,Multiple principal entries in KDC database,,,
4769,failure,0x9,The client or server has a null key (master key),,,
4769,failure,0xA,Ticket (TGT) not eligible for postdating,,,
4769,failure,0xB,Requested start time is later than end time,,,
4769,failure,0xC,Requested start time is later than end time,,,
4769,failure,0xD,KDC cannot accommodate requested option,,,
4769,failure,0xE,KDC has no support for encryption type,,,
4769,failure,0xF,KDC has no support for checksum type,,,
4769,failure,0x10,KDC has no support for PADATA type (pre-authentication data),,,
4769,failure,0x11,KDC has no support for transited type,,,
4769,failure,0x12,Client's credentials have been revoked,,,
4769,failure,0x13,Credentials for server have been revoked,,,
4769,failure,0x14,TGT has been revoked,,,
4769,failure,0x15,Client not yet valid try again later,,,
4769,failure,0x16,Server not yet valid try again later,,,
4769,failure,0x17,Password has expired change password to reset,,,
4769,failure,0x18,Pre-authentication information was invalid,,,
4769,failure,0x19,Additional pre-authentication required,,,
4769,failure,0x1A,KDC does not know about the requested server,,,
4769,failure,0x1B,KDC is unavailable,,,
4769,failure,0x1F,Integrity check on decrypted field failed,,,
4769,failure,0x20,The ticket has expired,,,
4769,failure,0x21,The ticket is not yet valid,,,
4769,failure,0x22,The request is a replay,,,
4769,failure,0x23,The ticket is not for us,,,
4769,failure,0x24,The ticket and authenticator do not match,,,
4769,failure,0x25,The clock skew is too great,,,
4769,failure,0x26,Network address in network layer header doesn't match address inside ticket,,,
4769,failure,0x27,Protocol version numbers don't match (PVNO),,,
4769,failure,0x28,Message type is unsupported,,,
4769,failure,0x29,Message stream modified and checksum didn't match,,,
4769,failure,0x2A,Message out of order (possible tampering),,,
4769,failure,0x2C,Specified version of key is not available,,,
4769,failure,0x2D,Service key not available,,,
4769,failure,0x2E,Mutual authentication failed,,,
4769,failure,0x2F,Incorrect message direction,,,
4769,failure,0x30,Alternative authentication method required,,,
4769,failure,0x31,Incorrect sequence number in message,,,
4769,failure,0x32,Inappropriate type of checksum in message (checksum may be unsupported),,,
4769,failure,0x33,Desired path is unreachable,,,
4769,failure,0x34,Too much data,,,
4769,failure,0x3C,Generic error,,,
4769,failure,0x3D,Field is too long for this implementation,,,
4769,failure,0x3E,The client trust failed or is not implemented,,,
4769,failure,0x3F,The KDC server trust failed or could not be verified,,,
4769,failure,0x40,The signature is invalid,,,
4769,failure,0x41,A higher encryption level is needed,,,
4769,failure,0x42,User-to-user authorization is required,,,
4769,failure,0x43,No TGT was presented or available,,,
4769,failure,0x44,Incorrect domain or principal,,,
4771,failure,0x1,Client's entry in database has expired,,,
4771,failure,0x2,Server's entry in database has expired,,,
4771,failure,0x3,Requested protocol version # not supported,,,
4771,failure,0x4,Client's key encrypted in old master key,,,
4771,failure,0x5,Server's key encrypted in old master key,,,
4771,failure,0x6,Client not found in Kerberos database,,,
4771,failure,0x7,Server not found in Kerberos database,,,
4771,failure,0x8,Multiple principal entries in database,,,
4771,failure,0x9,The client or server has a null key,,,
4771,failure,0xA,Ticket not eligible for postdating,,,
4771,failure,0xB,Requested start time is later than end time,,,
4771,failure,0xC,KDC policy rejects request,,,
4771,failure,0xD,KDC cannot accommodate requested option,,,
4771,failure,0xE,KDC has no support for encryption type,,,
4771,failure,0xF,KDC has no support for checksum type,,,
4771,failure,0x10,KDC has no support for padata type,,,
4771,failure,0x11,KDC has no support for transited type,,,
4771,failure,0x12,Clients credentials have been revoked ,,,
4771,failure,0x13,Credentials for server have been revoked,,,
4771,failure,0x14,TGT has been revoked,,,
4771,failure,0x15,Client not yet valid - try again later,,,
4771,failure,0x16,Server not yet valid - try again later,,,
4771,failure,0x17,Password has expired,,,
4771,failure,0x18,Pre-authentication information was invalid,,,
4771,failure,0x19,Additional pre-authentication required*,,,
4771,failure,0x1F,Integrity check on decrypted field failed,,,
4771,failure,0x20,Ticket expired,,,
4771,failure,0x21,Ticket not yet valid,,,
4771,failure,0x22,Request is a replay,,,
4771,failure,0x23,The ticket isn't for us,,,
4771,failure,0x24,Ticket and authenticator don't match ,,,
4771,failure,0x25,Clock skew too great,,,
4771,failure,0x26,Incorrect net address,,,
4771,failure,0x27,Protocol version mismatch,,,
4771,failure,0x28,Invalid msg type,,,
4771,failure,0x29,Message stream modified,,,
4771,failure,0x2A,Message out of order,,,
4771,failure,0x2C,Specified version of key is not available,,,
4771,failure,0x2D,Service key not available,,,
4771,failure,0x2E,Mutual authentication failed,,,
4771,failure,0x2F,Incorrect message direction,,,
4771,failure,0x30,Alternative authentication method required*,,,
4771,failure,0x31,Incorrect sequence number in message,,,
4771,failure,0x32,Inappropriate type of checksum in message,,,
4771,failure,0x3C,Generic error,,,
4771,failure,0x3D,Field is too long for this implementation,,,
1 EventCode action Error_Code Description Category Subcategory os
2 4608 success - Windows is starting up. System Security State Change Windows Vista, Windows Server 2008
3 4609 unknown - Windows is shutting down. System Security State Change Windows Vista, Windows Server 2008
4 4610 unknown - An authentication package has been loaded by the Local Security Authority. System Security System Extension Windows Vista, Windows Server 2008
5 4611 success - A trusted logon process has been registered with the Local Security Authority. System Security System Extension Windows Vista, Windows Server 2008
6 4612 unknown - Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. System System Integrity Windows Vista, Windows Server 2008
7 4614 unknown - A notification package has been loaded by the Security Account Manager. System Security System Extension Windows Vista, Windows Server 2008
8 4615 unknown - Invalid use of LPC port. System System Integrity Windows Vista, Windows Server 2008
9 4616 success - The system time was changed. System Security State Change Windows Vista, Windows Server 2008
10 4618 unknown - A monitored security event pattern has occurred. System System Integrity Windows Vista, Windows Server 2008
11 4621 unknown - Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. System Security State Change Windows Vista, Windows Server 2008
12 4622 unknown - A security package has been loaded by the Local Security Authority. System Security System Extension Windows Vista, Windows Server 2008
13 4624 success - An account was successfully logged on. Logon/Logoff Logon Windows Vista, Windows Server 2008
14 4626 unknown - User/Device claims information. Logon/Logoff Logon Windows 8, Windows Server 2012
15 4634 success - An account was logged off. Logon/Logoff Logoff Windows Vista, Windows Server 2008
16 4646 unknown - IKE DoS-prevention mode started. Logon/Logoff IPsec Main Mode Windows Vista, Windows Server 2008
17 4647 success - User initiated logoff. Logon/Logoff Logoff Windows Vista, Windows Server 2008
18 4648 success - A logon was attempted using explicit credentials. Logon/Logoff Logon Windows Vista, Windows Server 2008
19 4649 unknown - A replay attack was detected. Logon/Logoff Other Logon/Logoff Events Windows Vista, Windows Server 2008
20 4650 unknown - An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. Logon/Logoff IPsec Main Mode Windows Vista, Windows Server 2008
21 4651 unknown - An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. Logon/Logoff IPsec Main Mode Windows Vista, Windows Server 2008
22 4652 unknown - An IPsec Main Mode negotiation failed. Logon/Logoff IPsec Main Mode Windows Vista, Windows Server 2008
23 4653 failure - An IPsec Main Mode negotiation failed. Logon/Logoff IPsec Main Mode Windows Vista, Windows Server 2008
24 4654 unknown - An IPsec Quick Mode negotiation failed. Logon/Logoff IPsec Quick Mode Windows Vista, Windows Server 2008
25 4655 unknown - An IPsec Main Mode security association ended. Logon/Logoff IPsec Main Mode Windows Vista, Windows Server 2008
26 4656 failure - A handle to an object was requested. Object Access Handle Manipulation Windows Vista, Windows Server 2008
27 4657 unknown - A registry value was modified. Object Access Registry Windows Vista, Windows Server 2008
28 4658 success - The handle to an object was closed. Object Access Handle Manipulation Windows Vista, Windows Server 2008
29 4659 unknown - A handle to an object was requested with intent to delete. Object Access Special Windows Vista, Windows Server 2008
30 4660 unknown - An object was deleted. Object Access Special Windows Vista, Windows Server 2008
31 4661 success - A handle to an object was requested. Object Access Special Windows Vista, Windows Server 2008
32 4662 success - An operation was performed on an object. DS Access Directory Service Access Windows Vista, Windows Server 2008
33 4663 success - An attempt was made to access an object. Object Access Special Windows Vista, Windows Server 2008
34 4664 success - An attempt was made to create a hard link. Object Access File System Windows Vista, Windows Server 2008
35 4665 unknown - An attempt was made to create an application client context. Object Access Application Generated Windows Vista, Windows Server 2008
36 4666 unknown - An application attempted an operation: Object Access Application Generated Windows Vista, Windows Server 2008
37 4667 unknown - An application client context was deleted. Object Access Application Generated Windows Vista, Windows Server 2008
38 4668 unknown - An application was initialized. Object Access Application Generated Windows Vista, Windows Server 2008
39 4670 success - Permissions on an object were changed. Policy Change Subcategory (special) Windows Vista, Windows Server 2008
40 4671 unknown - An application attempted to access a blocked ordinal through the TBS. Object Access Other Object Access Events Windows Vista, Windows Server 2008
41 4672 success - Special privileges assigned to new logon. Privilege Use Sensitive Privilege Use / Non Sensitive Privilege Use Windows Vista, Windows Server 2008
42 4673 failure - A privileged service was called. Privilege Use Sensitive Privilege Use / Non Sensitive Privilege Use Windows Vista, Windows Server 2008
43 4674 success - An operation was attempted on a privileged object. Privilege Use Sensitive Privilege Use / Non Sensitive Privilege Use Windows Vista, Windows Server 2008
44 4675 unknown - SIDs were filtered. Logon/Logoff Logon Windows Vista, Windows Server 2008
45 4689 success - A process has exited. Detailed Tracking Process Termination Windows Vista, Windows Server 2008
46 4690 success - An attempt was made to duplicate a handle to an object. Object Access Handle Manipulation Windows Vista, Windows Server 2008
47 4691 unknown - Indirect access to an object was requested. Object Access Other Object Access Events Windows Vista, Windows Server 2008
48 4692 unknown - Backup of data protection master key was attempted. Detailed Tracking DPAPI Activity Windows Vista, Windows Server 2008
49 4693 unknown - Recovery of data protection master key was attempted. Detailed Tracking DPAPI Activity Windows Vista, Windows Server 2008
50 4694 unknown - Protection of auditable protected data was attempted. Detailed Tracking DPAPI Activity Windows Vista, Windows Server 2008
51 4695 unknown - Unprotection of auditable protected data was attempted. Detailed Tracking DPAPI Activity Windows Vista, Windows Server 2008
52 4696 unknown - A primary token was assigned to process. Detailed Tracking Process Creation Windows Vista, Windows Server 2008
53 4697 unknown - A service was installed in the system. System Security System Extension Windows Vista, Windows Server 2008
54 4698 unknown - A scheduled task was created. Object Access Other Object Access Events Windows Vista, Windows Server 2008
55 4699 unknown - A scheduled task was deleted. Object Access Other Object Access Events Windows Vista, Windows Server 2008
56 4700 unknown - A scheduled task was enabled. Object Access Other Object Access Events Windows Vista, Windows Server 2008
57 4701 unknown - A scheduled task was disabled. Object Access Other Object Access Events Windows Vista, Windows Server 2008
58 4702 success - A scheduled task was updated. Object Access Other Object Access Events Windows Vista, Windows Server 2008
59 4704 success - A user right was assigned. Policy Change Authorization Policy Change Windows Vista, Windows Server 2008
60 4705 unknown - A user right was removed. Policy Change Authorization Policy Change Windows Vista, Windows Server 2008
61 4706 unknown - A new trust was created to a domain. Policy Change Authorization Policy Change Windows Vista, Windows Server 2008
62 4707 unknown - A trust to a domain was removed. Policy Change Authorization Policy Change Windows Vista, Windows Server 2008
63 4709 unknown - IPsec Services was started. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
64 4710 unknown - IPsec Services was disabled. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
65 4711 unknown - May contain any one of the following: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine applied Active Directory storage IPsec policy on the computer.PAStore Engine applied local registry storage IPsec policy on the computer.PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply local registry storage IPsec policy on the computer.PAStore Engine failed to apply some rules of the active IPsec policy on the computer.PAStore Engine failed to load directory storage IPsec policy on the computer.PAStore Engine loaded directory storage IPsec policy on the computer.PAStore Engine failed to load local storage IPsec policy on the computer.PAStore Engine loaded local storage IPsec policy on the computer.PAStore Engine polled for changes to the active IPsec policy and detected no changes. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
66 4712 unknown - IPsec Services encountered a potentially serious failure. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
67 4713 unknown - Kerberos policy was changed. Policy Change Authentication Policy Change Windows Vista, Windows Server 2008
68 4714 unknown - Encrypted data recovery policy was changed. Policy Change Authorization Policy Change Windows Vista, Windows Server 2008
69 4715 unknown - The audit policy (SACL) on an object was changed. Policy Change Audit Policy Change Windows Vista, Windows Server 2008
70 4716 unknown - Trusted domain information was modified. Policy Change Authentication Policy Change Windows Vista, Windows Server 2008
71 4717 success - System security access was granted to an account. Policy Change Authentication Policy Change Windows Vista, Windows Server 2008
72 4718 unknown - System security access was removed from an account. Policy Change Authentication Policy Change Windows Vista, Windows Server 2008
73 4719 unknown - System audit policy was changed. Policy Change Audit Policy Change Windows Vista, Windows Server 2008
74 4720 created - A user account was created. Account Management User Account Management Windows Vista, Windows Server 2008
75 4722 modified - A user account was enabled. Account Management User Account Management Windows Vista, Windows Server 2008
76 4723 modified - An attempt was made to change an account's password. Account Management User Account Management Windows Vista, Windows Server 2008
77 4724 modified - An attempt was made to reset an account's password. Account Management User Account Management Windows Vista, Windows Server 2008
78 4725 modified - A user account was disabled. Account Management User Account Management Windows Vista, Windows Server 2008
79 4726 deleted - A user account was deleted. Account Management User Account Management Windows Vista, Windows Server 2008
80 4727 success - A security-enabled global group was created. Account Management Security Group Management Windows Vista, Windows Server 2008
81 4728 success - A member was added to a security-enabled global group. Account Management Security Group Management Windows Vista, Windows Server 2008
82 4729 success - A member was removed from a security-enabled global group. Account Management Security Group Management Windows Vista, Windows Server 2008
83 4730 unknown - A security-enabled global group was deleted. Account Management Security Group Management Windows Vista, Windows Server 2008
84 4731 unknown - A security-enabled local group was created. Account Management Security Group Management Windows Vista, Windows Server 2008
85 4732 success - A member was added to a security-enabled local group. Account Management Security Group Management Windows Vista, Windows Server 2008
86 4733 success - A member was removed from a security-enabled local group. Account Management Security Group Management Windows Vista, Windows Server 2008
87 4734 unknown - A security-enabled local group was deleted. Account Management Security Group Management Windows Vista, Windows Server 2008
88 4735 success - A security-enabled local group was changed. Account Management Security Group Management Windows Vista, Windows Server 2008
89 4737 success - A security-enabled global group was changed. Account Management Security Group Management Windows Vista, Windows Server 2008
90 4738 modified - A user account was changed. Account Management User Account Management Windows Vista, Windows Server 2008
91 4739 unknown - Domain Policy was changed. Policy Change Authentication Policy Change Windows Vista, Windows Server 2008
92 4740 unknown - A user account was locked out. Account Management User Account Management Windows Vista, Windows Server 2008
93 4742 modified - A computer account was changed. Account Management Computer Account Management Windows Vista, Windows Server 2008
94 4743 unknown - A computer account was deleted. Account Management Computer Account Management Windows Vista, Windows Server 2008
95 4744 unknown - A security-disabled local group was created. Account Management Distribution Group Management Windows Vista, Windows Server 2008
96 4745 unknown - A security-disabled local group was changed. Account Management Distribution Group Management Windows Vista, Windows Server 2008
97 4746 unknown - A member was added to a security-disabled local group. Account Management Distribution Group Management Windows Vista, Windows Server 2008
98 4747 unknown - A member was removed from a security-disabled local group. Account Management Distribution Group Management Windows Vista, Windows Server 2008
99 4748 unknown - A security-disabled local group was deleted. Account Management Distribution Group Management Windows Vista, Windows Server 2008
100 4749 unknown - A security-disabled global group was created. Account Management Distribution Group Management Windows Vista, Windows Server 2008
101 4750 unknown - A security-disabled global group was changed. Account Management Distribution Group Management Windows Vista, Windows Server 2008
102 4751 unknown - A member was added to a security-disabled global group. Account Management Distribution Group Management Windows Vista, Windows Server 2008
103 4752 unknown - A member was removed from a security-disabled global group. Account Management Distribution Group Management Windows Vista, Windows Server 2008
104 4753 unknown - A security-disabled global group was deleted. Account Management Distribution Group Management Windows Vista, Windows Server 2008
105 4754 success - A security-enabled universal group was created. Account Management Security Group Management Windows Vista, Windows Server 2008
106 4755 success - A security-enabled universal group was changed. Account Management Security Group Management Windows Vista, Windows Server 2008
107 4756 success - A member was added to a security-enabled universal group. Account Management Security Group Management Windows Vista, Windows Server 2008
108 4757 success - A member was removed from a security-enabled universal group. Account Management Security Group Management Windows Vista, Windows Server 2008
109 4758 unknown - A security-enabled universal group was deleted. Account Management Security Group Management Windows Vista, Windows Server 2008
110 4759 unknown - A security-disabled universal group was created. Account Management Distribution Group Management Windows Vista, Windows Server 2008
111 4760 unknown - A security-disabled universal group was changed. Account Management Distribution Group Management Windows Vista, Windows Server 2008
112 4761 unknown - A member was added to a security-disabled universal group. Account Management Distribution Group Management Windows Vista, Windows Server 2008
113 4762 unknown - A member was removed from a security-disabled universal group. Account Management Distribution Group Management Windows Vista, Windows Server 2008
114 4764 unknown - A group's type was changed. Account Management Security Group Management Windows Vista, Windows Server 2008
115 4765 unknown - SID History was added to an account. Account Management User Account Management Windows Vista, Windows Server 2008
116 4766 unknown - An attempt to add SID History to an account failed. Account Management User Account Management Windows Vista, Windows Server 2008
117 4767 modified - A user account was unlocked. Account Management User Account Management Windows Vista, Windows Server 2008
118 4770 success - A Kerberos service ticket was renewed. Account Logon Kerberos Service Ticket Operations Windows Vista, Windows Server 2008
119 4772 unknown - A Kerberos authentication ticket request failed. Account Logon Kerberos Authentication Service Windows Vista, Windows Server 2008
120 4774 unknown - An account was mapped for logon. Account Logon Credential Validation Windows Vista, Windows Server 2008
121 4775 unknown - An account could not be mapped for logon. Account Logon Credential Validation Windows Vista, Windows Server 2008
122 4777 unknown - The domain controller failed to validate the credentials for an account. Account Logon Credential Validation Windows Vista, Windows Server 2008
123 4778 success - A session was reconnected to a Window Station. Logon/Logoff Other Logon/Logoff Events Windows Vista, Windows Server 2008
124 4779 success - A session was disconnected from a Window Station. Logon/Logoff Other Logon/Logoff Events Windows Vista, Windows Server 2008
125 4780 success - The ACL was set on accounts which are members of administrators groups. Account Management User Account Management Windows Vista, Windows Server 2008
126 4781 unknown - The name of an account was changed: Account Management User Account Management Windows Vista, Windows Server 2008
127 4782 unknown - The password hash an account was accessed. Account Management Other Account Management Events Windows Vista, Windows Server 2008
128 4783 unknown - A basic application group was created. Account Management Application Group Management Windows Vista, Windows Server 2008
129 4784 unknown - A basic application group was changed. Account Management Application Group Management Windows Vista, Windows Server 2008
130 4785 unknown - A member was added to a basic application group. Account Management Application Group Management Windows Vista, Windows Server 2008
131 4786 unknown - A member was removed from a basic application group. Account Management Application Group Management Windows Vista, Windows Server 2008
132 4787 unknown - A non-member was added to a basic application group. Account Management Application Group Management Windows Vista, Windows Server 2008
133 4788 unknown - A non-member was removed from a basic application group. Account Management Application Group Management Windows Vista, Windows Server 2008
134 4789 unknown - A basic application group was deleted. Account Management Application Group Management Windows Vista, Windows Server 2008
135 4790 unknown - An LDAP query group was created. Account Management Application Group Management Windows Vista, Windows Server 2008
136 4793 unknown - The Password Policy Checking API was called. Account Management Other Account Management Events Windows Vista, Windows Server 2008
137 4794 unknown - An attempt was made to set the Directory Services Restore Mode. Account Management User Account Management Windows Vista, Windows Server 2008
138 4800 success - The workstation was locked. Logon/Logoff Other Logon/Logoff Events Windows Vista, Windows Server 2008
139 4801 unknown - The workstation was unlocked. Logon/Logoff Other Logon/Logoff Events Windows Vista, Windows Server 2008
140 4802 unknown - The screen saver was invoked. Logon/Logoff Other Logon/Logoff Events Windows Vista, Windows Server 2008
141 4803 unknown - The screen saver was dismissed. Logon/Logoff Other Logon/Logoff Events Windows Vista, Windows Server 2008
142 4816 unknown - RPC detected an integrity violation while decrypting an incoming message. System System Integrity Windows Vista, Windows Server 2008
143 4817 unknown - Auditing settings on an object were changed. Policy Change Audit Policy Change Windows 7, Windows Server 2008 R2
144 4818 unknown - Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy Object Access Central Policy Staging Windows 8, Windows Server 2012
145 4819 unknown - Central Access Policies on the machine have been changed. Policy Change Other Policy Change Events Windows 8, Windows Server 2012
146 4864 unknown - A namespace collision was detected. Policy Change Authentication Policy Change Windows Vista, Windows Server 2008
147 4865 unknown - A trusted forest information entry was added. Policy Change Authentication Policy Change Windows Vista, Windows Server 2008
148 4866 unknown - A trusted forest information entry was removed. Policy Change Authentication Policy Change Windows Vista, Windows Server 2008
149 4867 unknown - A trusted forest information entry was modified. Policy Change Authentication Policy Change Windows Vista, Windows Server 2008
150 4868 unknown - The certificate manager denied a pending certificate request. Object Access Certification Services Windows Vista, Windows Server 2008
151 4869 unknown - Certificate Services received a resubmitted certificate request. Object Access Certification Services Windows Vista, Windows Server 2008
152 4870 unknown - Certificate Services revoked a certificate. Object Access Certification Services Windows Vista, Windows Server 2008
153 4871 unknown - Certificate Services received a request to publish the certificate revocation list (CRL). Object Access Certification Services Windows Vista, Windows Server 2008
154 4872 unknown - Certificate Services published the certificate revocation list (CRL). Object Access Certification Services Windows Vista, Windows Server 2008
155 4873 unknown - A certificate request extension changed. Object Access Certification Services Windows Vista, Windows Server 2008
156 4874 unknown - One or more certificate request attributes changed. Object Access Certification Services Windows Vista, Windows Server 2008
157 4875 unknown - Certificate Services received a request to shut down. Object Access Certification Services Windows Vista, Windows Server 2008
158 4876 unknown - Certificate Services backup started. Object Access Certification Services Windows Vista, Windows Server 2008
159 4877 unknown - Certificate Services backup completed. Object Access Certification Services Windows Vista, Windows Server 2008
160 4878 unknown - Certificate Services restore started. Object Access Certification Services Windows Vista, Windows Server 2008
161 4879 unknown - Certificate Services restore completed. Object Access Certification Services Windows Vista, Windows Server 2008
162 4880 unknown - Certificate Services started. Object Access Certification Services Windows Vista, Windows Server 2008
163 4881 unknown - Certificate Services stopped. Object Access Certification Services Windows Vista, Windows Server 2008
164 4882 unknown - The security permissions for Certificate Services changed. Object Access Certification Services Windows Vista, Windows Server 2008
165 4883 unknown - Certificate Services retrieved an archived key. Object Access Certification Services Windows Vista, Windows Server 2008
166 4884 unknown - Certificate Services imported a certificate into its database. Object Access Certification Services Windows Vista, Windows Server 2008
167 4885 unknown - The audit filter for Certificate Services changed. Object Access Certification Services Windows Vista, Windows Server 2008
168 4886 unknown - Certificate Services received a certificate request. Object Access Certification Services Windows Vista, Windows Server 2008
169 4887 unknown - Certificate Services approved a certificate request and issued a certificate. Object Access Certification Services Windows Vista, Windows Server 2008
170 4888 unknown - Certificate Services denied a certificate request. Object Access Certification Services Windows Vista, Windows Server 2008
171 4889 unknown - Certificate Services set the status of a certificate request to pending. Object Access Certification Services Windows Vista, Windows Server 2008
172 4890 unknown - The certificate manager settings for Certificate Services changed. Object Access Certification Services Windows Vista, Windows Server 2008
173 4891 unknown - A configuration entry changed in Certificate Services. Object Access Certification Services Windows Vista, Windows Server 2008
174 4892 unknown - A property of Certificate Services changed. Object Access Certification Services Windows Vista, Windows Server 2008
175 4893 unknown - Certificate Services archived a key. Object Access Certification Services Windows Vista, Windows Server 2008
176 4894 unknown - Certificate Services imported and archived a key. Object Access Certification Services Windows Vista, Windows Server 2008
177 4895 unknown - Certificate Services published the CA certificate to Active Directory Domain Services. Object Access Certification Services Windows Vista, Windows Server 2008
178 4896 unknown - One or more rows have been deleted from the certificate database. Object Access Certification Services Windows Vista, Windows Server 2008
179 4897 unknown - Role separation enabled: Object Access Certification Services Windows Vista, Windows Server 2008
180 4898 unknown - Certificate Services loaded a template. Object Access Certification Services Windows Vista, Windows Server 2008
181 4902 success - The Per-user audit policy table was created. Policy Change Audit Policy Change Windows Vista, Windows Server 2008
182 4904 success - An attempt was made to register a security event source. Policy Change Audit Policy Change Windows Vista, Windows Server 2008
183 4905 success - An attempt was made to unregister a security event source. Policy Change Audit Policy Change Windows Vista, Windows Server 2008
184 4906 unknown - The CrashOnAuditFail value has changed. Policy Change Audit Policy Change Windows Vista, Windows Server 2008
185 4907 success - Auditing settings on object were changed. Policy Change Audit Policy Change Windows Vista, Windows Server 2008
186 4908 unknown - Special Groups Logon table modified. Policy Change Audit Policy Change Windows Vista, Windows Server 2008
187 4909 unknown - The local policy settings for the TBS were changed. Policy Change Other Policy Change Events Windows Vista, Windows Server 2008
188 4910 unknown - The group policy settings for the TBS were changed. Policy Change Other Policy Change Events Windows Vista, Windows Server 2008
189 4911 unknown - Resource attributes of the object were changed. Policy Change Authorization Policy Change Windows 8, Windows Server 2012
190 4912 unknown - Per User Audit Policy was changed. Policy Change Audit Policy Change Windows Vista, Windows Server 2008
191 4913 unknown - Central Access Policy on the object was changed. Policy Change Authorization Policy Change Windows 8, Windows Server 2012
192 4928 unknown - An Active Directory replica source naming context was established. DS Access Detailed Directory Service Replication Windows Vista, Windows Server 2008
193 4929 unknown - An Active Directory replica source naming context was removed. DS Access Detailed Directory Service Replication Windows Vista, Windows Server 2008
194 4930 unknown - An Active Directory replica source naming context was modified. DS Access Detailed Directory Service Replication Windows Vista, Windows Server 2008
195 4931 success - An Active Directory replica destination naming context was modified. DS Access Detailed Directory Service Replication Windows Vista, Windows Server 2008
196 4932 success - Synchronization of a replica of an Active Directory naming context has begun. DS Access Directory Service Replication Windows Vista, Windows Server 2008
197 4933 failure - Synchronization of a replica of an Active Directory naming context has ended. DS Access Directory Service Replication Windows Vista, Windows Server 2008
198 4934 unknown - Attributes of an Active Directory object were replicated. DS Access Detailed Directory Service Replication Windows Vista, Windows Server 2008
199 4935 unknown - Replication failure begins. DS Access Detailed Directory Service Replication Windows Vista, Windows Server 2008
200 4936 unknown - Replication failure ends. DS Access Detailed Directory Service Replication Windows Vista, Windows Server 2008
201 4937 unknown - A lingering object was removed from a replica. DS Access Detailed Directory Service Replication Windows Vista, Windows Server 2008
202 4944 success - The following policy was active when the Windows Firewall started. Policy Change MPSSVC Rule-Level Policy Change Windows Vista, Windows Server 2008
203 4945 success - A rule was listed when the Windows Firewall started. Policy Change MPSSVC Rule-Level Policy Change Windows Vista, Windows Server 2008
204 4946 success - A change has been made to Windows Firewall exception list. A rule was added. Policy Change MPSSVC Rule-Level Policy Change Windows Vista, Windows Server 2008
205 4947 success - A change has been made to Windows Firewall exception list. A rule was modified. Policy Change MPSSVC Rule-Level Policy Change Windows Vista, Windows Server 2008
206 4948 success - A change has been made to Windows Firewall exception list. A rule was deleted. Policy Change MPSSVC Rule-Level Policy Change Windows Vista, Windows Server 2008
207 4949 unknown - Windows Firewall settings were restored to the default values. Policy Change MPSSVC Rule-Level Policy Change Windows Vista, Windows Server 2008
208 4950 unknown - A Windows Firewall setting has changed. Policy Change MPSSVC Rule-Level Policy Change Windows Vista, Windows Server 2008
209 4951 failure - A rule has been ignored because its major version number was not recognized by Windows Firewall. Policy Change MPSSVC Rule-Level Policy Change Windows Vista, Windows Server 2008
210 4952 unknown - Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. Policy Change MPSSVC Rule-Level Policy Change Windows Vista, Windows Server 2008
211 4953 failure - A rule has been ignored by Windows Firewall because it could not parse the rule. Policy Change MPSSVC Rule-Level Policy Change Windows Vista, Windows Server 2008
212 4954 unknown - Windows Firewall Group Policy settings have changed. The new settings have been applied. Policy Change MPSSVC Rule-Level Policy Change Windows Vista, Windows Server 2008
213 4956 success - Windows Firewall has changed the active profile. Policy Change MPSSVC Rule-Level Policy Change Windows Vista, Windows Server 2008
214 4957 unknown - Windows Firewall did not apply the following rule: Policy Change MPSSVC Rule-Level Policy Change Windows Vista, Windows Server 2008
215 4958 unknown - Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: Policy Change MPSSVC Rule-Level Policy Change Windows Vista, Windows Server 2008
216 4960 unknown - IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. System IPsec Driver Windows Vista, Windows Server 2008
217 4961 unknown - IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. System IPsec Driver Windows Vista, Windows Server 2008
218 4962 unknown - IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. System IPsec Driver Windows Vista, Windows Server 2008
219 4963 unknown - IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. System IPsec Driver Windows Vista, Windows Server 2008
220 4964 unknown - Special groups have been assigned to a new logon. Logon/Logoff Special Logon Windows Vista, Windows Server 2008
221 4965 unknown - IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. System IPsec Driver Windows Vista, Windows Server 2008
222 4976 unknown - During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. Logon/Logoff IPsec Main Mode Windows Vista, Windows Server 2008
223 4977 unknown - During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. Logon/Logoff IPsec Quick Mode Windows Vista, Windows Server 2008
224 4978 unknown - During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. Logon/Logoff IPsec Extended Mode Windows Vista, Windows Server 2008
225 4979 unknown - IPsec Main Mode and Extended Mode security associations were established. Logon/Logoff IPsec Extended Mode Windows Vista, Windows Server 2008
226 4980 unknown - IPsec Main Mode and Extended Mode security associations were established. Logon/Logoff IPsec Extended Mode Windows Vista, Windows Server 2008
227 4981 unknown - IPsec Main Mode and Extended Mode security associations were established. Logon/Logoff IPsec Extended Mode Windows Vista, Windows Server 2008
228 4982 unknown - IPsec Main Mode and Extended Mode security associations were established. Logon/Logoff IPsec Extended Mode Windows Vista, Windows Server 2008
229 4983 unknown - An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. Logon/Logoff IPsec Extended Mode Windows Vista, Windows Server 2008
230 4984 unknown - An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. Logon/Logoff IPsec Extended Mode Windows Vista, Windows Server 2008
231 4985 success - The state of a transaction has changed. Object Access File System Windows Vista, Windows Server 2008
232 5024 success - The Windows Firewall Service has started successfully. System Other System Events Windows Vista, Windows Server 2008
233 5025 unknown - The Windows Firewall Service has been stopped. System Other System Events Windows Vista, Windows Server 2008
234 5027 unknown - The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. System Other System Events Windows Vista, Windows Server 2008
235 5028 unknown - The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. System Other System Events Windows Vista, Windows Server 2008
236 5029 unknown - The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. System Other System Events Windows Vista, Windows Server 2008
237 5030 unknown - The Windows Firewall Service failed to start. System Other System Events Windows Vista, Windows Server 2008
238 5031 unknown - The Windows Firewall Service blocked an application from accepting incoming connections on the network. Object Access Filtering Platform Connection Windows Vista, Windows Server 2008
239 5032 unknown - Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. System Other System Events Windows Vista, Windows Server 2008
240 5033 success - The Windows Firewall Driver has started successfully. System Other System Events Windows Vista, Windows Server 2008
241 5034 unknown - The Windows Firewall Driver has been stopped. System Other System Events Windows Vista, Windows Server 2008
242 5035 unknown - The Windows Firewall Driver failed to start. System Other System Events Windows Vista, Windows Server 2008
243 5037 unknown - The Windows Firewall Driver detected critical runtime error. Terminating. System Other System Events Windows Vista, Windows Server 2008
244 5038 unknown - Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. System System Integrity Windows Vista, Windows Server 2008
245 5039 unknown - A registry key was virtualized. Object Access Registry Windows Vista, Windows Server 2008
246 5040 unknown - A change has been made to IPsec settings. An Authentication Set was added. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
247 5041 unknown - A change has been made to IPsec settings. An Authentication Set was modified. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
248 5042 unknown - A change has been made to IPsec settings. An Authentication Set was deleted. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
249 5043 unknown - A change has been made to IPsec settings. A Connection Security Rule was added. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
250 5044 unknown - A change has been made to IPsec settings. A Connection Security Rule was modified. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
251 5045 unknown - A change has been made to IPsec settings. A Connection Security Rule was deleted. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
252 5046 unknown - A change has been made to IPsec settings. A Crypto Set was added. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
253 5047 unknown - A change has been made to IPsec settings. A Crypto Set was modified. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
254 5048 unknown - A change has been made to IPsec settings. A Crypto Set was deleted. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
255 5049 unknown - An IPsec Security Association was deleted. Logon/Logoff IPsec Main Mode Windows Vista, Windows Server 2008
256 5051 unknown - A file was virtualized. Object Access File System Windows Vista, Windows Server 2008
257 5056 success - A cryptographic self test was performed. System System Integrity Windows Vista, Windows Server 2008
258 5057 unknown - A cryptographic primitive operation failed. System System Integrity Windows Vista, Windows Server 2008
259 5058 success - Key file operation. System Other System Events Windows Vista, Windows Server 2008
260 5059 success - Key migration operation. System Other System Events Windows Vista, Windows Server 2008
261 5060 unknown - Verification operation failed. System System Integrity Windows Vista, Windows Server 2008
262 5061 failure - Cryptographic operation. System System Integrity Windows Vista, Windows Server 2008
263 5062 unknown - A kernel-mode cryptographic self test was performed. System System Integrity Windows Vista, Windows Server 2008
264 5063 unknown - A cryptographic provider operation was attempted. Policy Change Other Policy Change Events Windows Vista, Windows Server 2008
265 5064 unknown - A cryptographic context operation was attempted. Policy Change Other Policy Change Events Windows Vista, Windows Server 2008
266 5065 unknown - A cryptographic context modification was attempted. Policy Change Other Policy Change Events Windows Vista, Windows Server 2008
267 5066 unknown - A cryptographic function operation was attempted. Policy Change Other Policy Change Events Windows Vista, Windows Server 2008
268 5067 unknown - A cryptographic function modification was attempted. Policy Change Other Policy Change Events Windows Vista, Windows Server 2008
269 5068 unknown - A cryptographic function provider operation was attempted. Policy Change Other Policy Change Events Windows Vista, Windows Server 2008
270 5069 unknown - A cryptographic function property operation was attempted. Policy Change Other Policy Change Events Windows Vista, Windows Server 2008
271 5070 unknown - A cryptographic function property modification was attempted. Policy Change Other Policy Change Events Windows Vista, Windows Server 2008
272 5136 success - A directory service object was modified. DS Access Directory Service Changes Windows Vista, Windows Server 2008
273 5137 unknown - A directory service object was created. DS Access Directory Service Changes Windows Vista, Windows Server 2008
274 5138 unknown - A directory service object was undeleted. DS Access Directory Service Changes Windows Vista, Windows Server 2008
275 5139 unknown - A directory service object was moved. DS Access Directory Service Changes Windows Vista, Windows Server 2008
276 5140 failure - A network share object was accessed. Object Access File Share Windows Vista, Windows Server 2008
277 5141 unknown - A directory service object was deleted. DS Access Directory Service Changes Windows Vista SP1, Windows Server 2008
278 5142 unknown - A network share object was added. Object Access File Share Windows 7, Windows Server 2008 R2
279 5143 success - A network share object was modified. Object Access File Share Windows 7, Windows Server 2008 R2
280 5144 unknown - A network share object was deleted. Object Access File Share Windows 7, Windows Server 2008 R2
281 5145 unknown - A network share object was checked to see whether the client can be granted desired access. Object Access Detailed File Share Windows 7, Windows Server 2008 R2
282 5148 unknown - The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. Object Access Other Object Access Events Windows 7, Windows Server 2008 R2
283 5149 unknown - The DoS attack has subsided and normal processing is being resumed. Object Access Other Object Access Events Windows 7, Windows Server 2008 R2
284 5150 unknown - The Windows Filtering Platform has blocked a packet. Object Access Filtering Platform Connection Windows 7, Windows Server 2008 R2
285 5151 unknown - A more restrictive Windows Filtering Platform filter has blocked a packet. Object Access Filtering Platform Connection Windows 7, Windows Server 2008 R2
286 5152 failure - The Windows Filtering Platform blocked a packet. Object Access Filtering Platform Packet Drop Windows Vista, Windows Server 2008
287 5153 unknown - A more restrictive Windows Filtering Platform filter has blocked a packet. Object Access Filtering Platform Packet Drop Windows Vista, Windows Server 2008
288 5154 success - The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. Object Access Filtering Platform Connection Windows Vista, Windows Server 2008
289 5155 unknown - The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. Object Access Filtering Platform Connection Windows Vista, Windows Server 2008
290 5156 success - The Windows Filtering Platform has allowed a connection. Object Access Filtering Platform Connection Windows Vista, Windows Server 2008
291 5157 failure - The Windows Filtering Platform has blocked a connection. Object Access Filtering Platform Connection Windows Vista, Windows Server 2008
292 5158 success - The Windows Filtering Platform has permitted a bind to a local port. Object Access Filtering Platform Connection Windows Vista, Windows Server 2008
293 5159 unknown - The Windows Filtering Platform has blocked a bind to a local port. Object Access Filtering Platform Connection Windows Vista, Windows Server 2008
294 5168 unknown - Spn check for SMB/SMB2 failed. Object Access File Share Windows 7, Windows Server 2008 R2
295 5376 unknown - Credential Manager credentials were backed up. Account Management User Account Management Windows Vista, Windows Server 2008
296 5377 unknown - Credential Manager credentials were restored from a backup. Account Management User Account Management Windows Vista, Windows Server 2008
297 5378 unknown - The requested credentials delegation was disallowed by policy. Logon/Logoff Other Logon/Logoff Events Windows Vista, Windows Server 2008
298 5440 success - The following callout was present when the Windows Filtering Platform Base Filtering Engine started. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
299 5441 success - The following filter was present when the Windows Filtering Platform Base Filtering Engine started. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
300 5442 success - The following provider was present when the Windows Filtering Platform Base Filtering Engine started. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
301 5443 unknown - The following provider context was present when the Windows Filtering Platform Base Filtering Engine started. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
302 5444 success - The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
303 5446 success - A Windows Filtering Platform callout has been changed. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
304 5447 success - A Windows Filtering Platform filter has been changed. Policy Change Other Policy Change Events Windows Vista, Windows Server 2008
305 5448 success - A Windows Filtering Platform provider has been changed. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
306 5449 success - A Windows Filtering Platform provider context has been changed. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
307 5450 success - A Windows Filtering Platform sub-layer has been changed. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
308 5451 unknown - An IPsec Quick Mode security association was established. Logon/Logoff IPsec Quick Mode Windows Vista, Windows Server 2008
309 5452 unknown - An IPsec Quick Mode security association ended. Logon/Logoff IPsec Quick Mode Windows Vista, Windows Server 2008
310 5453 unknown - An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. Logon/Logoff IPsec Main Mode Windows Vista, Windows Server 2008
311 5456 unknown - PAStore Engine applied Active Directory storage IPsec policy on the computer. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
312 5457 unknown - PAStore Engine failed to apply Active Directory storage IPsec policy on the computer. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
313 5458 unknown - PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
314 5459 unknown - PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
315 5460 unknown - PAStore Engine applied local registry storage IPsec policy on the computer. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
316 5461 unknown - PAStore Engine failed to apply local registry storage IPsec policy on the computer. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
317 5462 unknown - PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
318 5463 unknown - PAStore Engine polled for changes to the active IPsec policy and detected no changes. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
319 5464 unknown - PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
320 5465 unknown - PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
321 5466 unknown - PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
322 5467 unknown - PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
323 5468 unknown - PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
324 5471 unknown - PAStore Engine loaded local storage IPsec policy on the computer. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
325 5472 unknown - PAStore Engine failed to load local storage IPsec policy on the computer. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
326 5473 unknown - PAStore Engine loaded directory storage IPsec policy on the computer. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
327 5474 unknown - PAStore Engine failed to load directory storage IPsec policy on the computer. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
328 5477 unknown - PAStore Engine failed to add quick mode filter. Policy Change Filtering Platform Policy Change Windows Vista, Windows Server 2008
329 5478 unknown - IPsec Services has started successfully. System IPsec Driver Windows Vista, Windows Server 2008
330 5479 unknown - IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. System IPsec Driver Windows Vista, Windows Server 2008
331 5480 unknown - IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. System IPsec Driver Windows Vista, Windows Server 2008
332 5483 unknown - IPsec Services failed to initialize RPC server. IPsec Services could not be started. System IPsec Driver Windows Vista, Windows Server 2008
333 5484 unknown - IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. System IPsec Driver Windows Vista, Windows Server 2008
334 5485 unknown - IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. System IPsec Driver Windows Vista, Windows Server 2008
335 5632 unknown - A request was made to authenticate to a wireless network. Logon/Logoff Other Logon/Logoff Events Windows Vista, Windows Server 2008
336 5633 unknown - A request was made to authenticate to a wired network. Logon/Logoff Other Logon/Logoff Events Windows Vista, Windows Server 2008
337 5712 unknown - A Remote Procedure Call (RPC) was attempted. Detailed Tracking RPC Events Windows Vista, Windows Server 2008
338 5888 unknown - An object in the COM+ Catalog was modified. Object Access Other Object Access Events Windows Vista, Windows Server 2008
339 5889 unknown - An object was deleted from the COM+ Catalog. Object Access Other Object Access Events Windows Vista, Windows Server 2008
340 5890 unknown - An object was added to the COM+ Catalog. Object Access Other Object Access Events Windows Vista, Windows Server 2008
341 6144 success - Security policy in the group policy objects has been applied successfully. Policy Change Other Policy Change Events Windows Vista, Windows Server 2008
342 6145 unknown - One or more errors occurred while processing security policy in the group policy objects. Policy Change Other Policy Change Events Windows Vista, Windows Server 2008
343 6272 unknown - Network Policy Server granted access to a user. Logon/Logoff Network Policy Server Windows Vista SP1, Windows Server 2008
344 6273 unknown - Network Policy Server denied access to a user. Logon/Logoff Network Policy Server Windows Vista SP1, Windows Server 2008
345 6274 unknown - Network Policy Server discarded the request for a user. Logon/Logoff Network Policy Server Windows Vista SP1, Windows Server 2008
346 6275 unknown - Network Policy Server discarded the accounting request for a user. Logon/Logoff Network Policy Server Windows Vista SP1, Windows Server 2008
347 6276 unknown - Network Policy Server quarantined a user. Logon/Logoff Network Policy Server Windows Vista SP1, Windows Server 2008
348 6277 unknown - Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. Logon/Logoff Network Policy Server Windows Vista SP1, Windows Server 2008
349 6278 unknown - Network Policy Server granted full access to a user because the host met the defined health policy. Logon/Logoff Network Policy Server Windows Vista SP1, Windows Server 2008
350 6279 unknown - Network Policy Server locked the user account due to repeated failed authentication attempts. Logon/Logoff Network Policy Server Windows Vista SP1, Windows Server 2008
351 6280 unknown - Network Policy Server unlocked the user account. Logon/Logoff Network Policy Server Windows Vista SP1, Windows Server 2008
352 6281 unknown - Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error System System Integrity Windows 7, Windows Server 2008 R2
353 6400 unknown - BranchCache: Received an incorrectly formatted response while discovering availability of content. System Other System Events Windows 7, Windows Server 2008 R2
354 6401 unknown - BranchCache: Received invalid data from a peer. Data discarded. System Other System Events Windows 7, Windows Server 2008 R2
355 6402 unknown - BranchCache: The message to the hosted cache offering it data is incorrectly formatted. System Other System Events Windows 7, Windows Server 2008 R2
356 6403 unknown - BranchCache: The hosted cache sent an incorrectly formatted response to the client. System Other System Events Windows 7, Windows Server 2008 R2
357 6404 unknown - BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. System Other System Events Windows 7, Windows Server 2008 R2
358 6405 unknown - BranchCache: %2 instance(s) of event id %1 occurred. System Other System Events Windows 7, Windows Server 2008 R2
359 6406 unknown - %1 registered to Windows Firewall to control filtering for the following: %2 System Other System Events Windows 7, Windows Server 2008 R2
360 6407 unknown - 1% System Other System Events Windows 7, Windows Server 2008 R2
361 6408 unknown - Registered product %1 failed and Windows Firewall is now controlling the filtering for %2 System Other System Events Windows 7, Windows Server 2008 R2
362 4625 failure 0XC000005E There are currently no logon servers available to service the logon request.
363 4625 unknown 0xC0000064 User logon with misspelled or bad user account
364 4625 failure 0xC000006A User logon with misspelled or bad password
365 4625 failure 0XC000006D This is either due to a bad username or authentication information
366 4625 failure 0XC000006E Unknown user name or bad password.
367 4625 failure 0XC000010B Indicates an invalid value has been provided for the LogonType requested.
368 4625 denied 0xC000006F User logon outside authorized hours
369 4625 denied 0xC0000070 User logon from unauthorized workstation
370 4625 failure 0xC0000071 User logon with expired password
371 4625 failure 0xC0000072 User logon to account disabled by administrator
372 4625 failure 0XC00000DC Indicates the Sam Server was in the wrong state to perform the desired operation.
373 4625 error 0XC0000133 Clocks between DC and other computer too far out of sync
374 4625 denied 0XC000015B The user has not been granted the requested logon type (aka logon right) at this machine
375 4625 failure 0XC000018C The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
376 4625 failure 0XC0000192 An attempt was made to logon, but the Netlogon service was not started.
377 4625 failure 0xC0000193 User logon with expired account
378 4625 failure 0XC0000224 User is required to change password at next logon
379 4625 error 0XC0000225 Evidently a bug in Windows and not a risk
380 4625 denied 0xC0000234 User logon with account locked
381 4625 failure 0XC00002EE Failure Reason: An Error occurred during Logon
382 4625 failure 0XC0000413 Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
383 4625 failure 0x0 Status OK.
384 4776 failure 0xC0000064 The username you typed does not exist. Bad username.
385 4776 failure 0xC000006A Account logon with misspelled or bad password.
386 4776 failure 0xC000006D Generic logon failure.
387 4776 denied 0xC000006F Account logon outside authorized hours.
388 4776 denied 0xC0000070 Account logon from unauthorized workstation.
389 4776 failure 0xC0000071 Account logon with expired password.
390 4776 failure 0xC0000072 Account logon to account disabled by administrator.
391 4776 failure 0xC0000193 Account logon with expired account.
392 4776 failure 0xC0000224 Account logon with "Change Password at Next Logon" flagged.
393 4776 failure 0xC0000234 Account logon with account locked.
394 4776 failure 0xc0000371 The local account store does not contain secret material for the specified account.
395 4776 success 0x0 No errors.
396 4768 success 0x0 No error
397 4768 failure 0x1 Client's entry in KDC database has expired
398 4768 failure 0x2 Server's entry in KDC database has expired
399 4768 failure 0x3 Requested Kerberos version number not supported
400 4768 failure 0x4 Client's key encrypted in old master key
401 4768 failure 0x5 Server's key encrypted in old master key
402 4768 failure 0x6 Client not found in Kerberos database
403 4768 failure 0x7 Server not found in Kerberos database
404 4768 failure 0x8 Multiple principal entries in KDC database
405 4768 failure 0x9 The client or server has a null key (master key)
406 4768 failure 0xA Ticket (TGT) not eligible for postdating
407 4768 failure 0xB Requested start time is later than end time
408 4768 failure 0xC Requested start time is later than end time
409 4768 failure 0xD KDC cannot accommodate requested option
410 4768 failure 0xE KDC has no support for encryption type
411 4768 failure 0xF KDC has no support for checksum type
412 4768 failure 0x10 KDC has no support for PADATA type (pre-authentication data)
413 4768 failure 0x11 KDC has no support for transited type
414 4768 failure 0x12 Client's credentials have been revoked
415 4768 failure 0x13 Credentials for server have been revoked
416 4768 failure 0x14 TGT has been revoked
417 4768 failure 0x15 Client not yet valid-try again later
418 4768 failure 0x16 Server not yet valid-try again later
419 4768 failure 0x17 Password has expired-change password to reset
420 4768 failure 0x18 Pre-authentication information was invalid
421 4768 failure 0x19 Additional pre-authentication required
422 4768 failure 0x1A KDC does not know about the requested server
423 4768 failure 0x1B KDC is unavailable
424 4768 failure 0x1F Integrity check on decrypted field failed
425 4768 failure 0x20 The ticket has expired
426 4768 failure 0x21 The ticket is not yet valid
427 4768 failure 0x22 The request is a replay
428 4768 failure 0x23 The ticket is not for us
429 4768 failure 0x24 The ticket and authenticator do not match
430 4768 failure 0x25 The clock skew is too great
431 4768 failure 0x26 Network address in network layer header doesn't match address inside ticket
432 4768 failure 0x27 Protocol version numbers don't match (PVNO)
433 4768 failure 0x28 Message type is unsupported
434 4768 failure 0x29 Message stream modified and checksum didn't match
435 4768 failure 0x2A Message out of order (possible tampering)
436 4768 failure 0x2C Specified version of key is not available
437 4768 failure 0x2D Service key not available
438 4768 failure 0x2E Mutual authentication failed
439 4768 failure 0x2F Incorrect message direction
440 4768 failure 0x30 Alternative authentication method required
441 4768 failure 0x31 Incorrect sequence number in message
442 4768 failure 0x32 Inappropriate type of checksum in message (checksum may be unsupported)
443 4768 failure 0x33 Desired path is unreachable
444 4768 failure 0x34 Too much data
445 4768 failure 0x3C Generic error
446 4768 failure 0x3D Field is too long for this implementation
447 4768 failure 0x3E The client trust failed or is not implemented
448 4768 failure 0x3F The KDC server trust failed or could not be verified
449 4768 failure 0x40 The signature is invalid
450 4768 failure 0x41 A higher encryption level is needed
451 4768 failure 0x42 User-to-user authorization is required
452 4768 failure 0x43 No TGT was presented or available
453 4768 failure 0x44 Incorrect domain or principal
454 4769 success 0x0 No error
455 4769 failure 0x1 Client's entry in KDC database has expired
456 4769 failure 0x2 Server's entry in KDC database has expired
457 4769 failure 0x3 Requested Kerberos version number not supported
458 4769 failure 0x4 Client's key encrypted in old master key
459 4769 failure 0x5 Server's key encrypted in old master key
460 4769 failure 0x6 Client not found in Kerberos database
461 4769 failure 0x7 Server not found in Kerberos database
462 4769 failure 0x8 Multiple principal entries in KDC database
463 4769 failure 0x9 The client or server has a null key (master key)
464 4769 failure 0xA Ticket (TGT) not eligible for postdating
465 4769 failure 0xB Requested start time is later than end time
466 4769 failure 0xC Requested start time is later than end time
467 4769 failure 0xD KDC cannot accommodate requested option
468 4769 failure 0xE KDC has no support for encryption type
469 4769 failure 0xF KDC has no support for checksum type
470 4769 failure 0x10 KDC has no support for PADATA type (pre-authentication data)
471 4769 failure 0x11 KDC has no support for transited type
472 4769 failure 0x12 Client's credentials have been revoked
473 4769 failure 0x13 Credentials for server have been revoked
474 4769 failure 0x14 TGT has been revoked
475 4769 failure 0x15 Client not yet valid try again later
476 4769 failure 0x16 Server not yet valid try again later
477 4769 failure 0x17 Password has expired change password to reset
478 4769 failure 0x18 Pre-authentication information was invalid
479 4769 failure 0x19 Additional pre-authentication required
480 4769 failure 0x1A KDC does not know about the requested server
481 4769 failure 0x1B KDC is unavailable
482 4769 failure 0x1F Integrity check on decrypted field failed
483 4769 failure 0x20 The ticket has expired
484 4769 failure 0x21 The ticket is not yet valid
485 4769 failure 0x22 The request is a replay
486 4769 failure 0x23 The ticket is not for us
487 4769 failure 0x24 The ticket and authenticator do not match
488 4769 failure 0x25 The clock skew is too great
489 4769 failure 0x26 Network address in network layer header doesn't match address inside ticket
490 4769 failure 0x27 Protocol version numbers don't match (PVNO)
491 4769 failure 0x28 Message type is unsupported
492 4769 failure 0x29 Message stream modified and checksum didn't match
493 4769 failure 0x2A Message out of order (possible tampering)
494 4769 failure 0x2C Specified version of key is not available
495 4769 failure 0x2D Service key not available
496 4769 failure 0x2E Mutual authentication failed
497 4769 failure 0x2F Incorrect message direction
498 4769 failure 0x30 Alternative authentication method required
499 4769 failure 0x31 Incorrect sequence number in message
500 4769 failure 0x32 Inappropriate type of checksum in message (checksum may be unsupported)
501 4769 failure 0x33 Desired path is unreachable
502 4769 failure 0x34 Too much data
503 4769 failure 0x3C Generic error
504 4769 failure 0x3D Field is too long for this implementation
505 4769 failure 0x3E The client trust failed or is not implemented
506 4769 failure 0x3F The KDC server trust failed or could not be verified
507 4769 failure 0x40 The signature is invalid
508 4769 failure 0x41 A higher encryption level is needed
509 4769 failure 0x42 User-to-user authorization is required
510 4769 failure 0x43 No TGT was presented or available
511 4769 failure 0x44 Incorrect domain or principal
512 4771 failure 0x1 Client's entry in database has expired
513 4771 failure 0x2 Server's entry in database has expired
514 4771 failure 0x3 Requested protocol version # not supported
515 4771 failure 0x4 Client's key encrypted in old master key
516 4771 failure 0x5 Server's key encrypted in old master key
517 4771 failure 0x6 Client not found in Kerberos database
518 4771 failure 0x7 Server not found in Kerberos database
519 4771 failure 0x8 Multiple principal entries in database
520 4771 failure 0x9 The client or server has a null key
521 4771 failure 0xA Ticket not eligible for postdating
522 4771 failure 0xB Requested start time is later than end time
523 4771 failure 0xC KDC policy rejects request
524 4771 failure 0xD KDC cannot accommodate requested option
525 4771 failure 0xE KDC has no support for encryption type
526 4771 failure 0xF KDC has no support for checksum type
527 4771 failure 0x10 KDC has no support for padata type
528 4771 failure 0x11 KDC has no support for transited type
529 4771 failure 0x12 Clients credentials have been revoked
530 4771 failure 0x13 Credentials for server have been revoked
531 4771 failure 0x14 TGT has been revoked
532 4771 failure 0x15 Client not yet valid - try again later
533 4771 failure 0x16 Server not yet valid - try again later
534 4771 failure 0x17 Password has expired
535 4771 failure 0x18 Pre-authentication information was invalid
536 4771 failure 0x19 Additional pre-authentication required*
537 4771 failure 0x1F Integrity check on decrypted field failed
538 4771 failure 0x20 Ticket expired
539 4771 failure 0x21 Ticket not yet valid
540 4771 failure 0x22 Request is a replay
541 4771 failure 0x23 The ticket isn't for us
542 4771 failure 0x24 Ticket and authenticator don't match
543 4771 failure 0x25 Clock skew too great
544 4771 failure 0x26 Incorrect net address
545 4771 failure 0x27 Protocol version mismatch
546 4771 failure 0x28 Invalid msg type
547 4771 failure 0x29 Message stream modified
548 4771 failure 0x2A Message out of order
549 4771 failure 0x2C Specified version of key is not available
550 4771 failure 0x2D Service key not available
551 4771 failure 0x2E Mutual authentication failed
552 4771 failure 0x2F Incorrect message direction
553 4771 failure 0x30 Alternative authentication method required*
554 4771 failure 0x31 Incorrect sequence number in message
555 4771 failure 0x32 Inappropriate type of checksum in message
556 4771 failure 0x3C Generic error
557 4771 failure 0x3D Field is too long for this implementation

8
deployment-apps/Splunk_TA_windows/lookups/xmlwindows_severities.csv
Unescape View File

@ -0,0 +1,8 @@
Level,EventCode,severity
0,,informational
1,,critical
2,,high
3,,medium
4,,informational
5,,informational
,4739,high
1 Level EventCode severity
2 0 informational
3 1 critical
4 2 high
5 3 medium
6 4 informational
7 5 informational
8 4739 high

4016
deployment-apps/Splunk_TA_windows/lookups/xmlwindows_task_category.csv
View File

File diff suppressed because it is too large Load Diff

5
deployment-apps/Splunk_TA_windows/metadata/default.meta
Unescape View File

@ -0,0 +1,5 @@
# Application-level permissions
[]
access = read : [ * ], write : [ admin, sc_admin ]
export = system

BIN
deployment-apps/Splunk_TA_windows/static/appIcon.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.3 KiB

BIN
deployment-apps/Splunk_TA_windows/static/appIconAlt.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.3 KiB

BIN
deployment-apps/Splunk_TA_windows/static/appIconAlt_2x.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.6 KiB

BIN
deployment-apps/Splunk_TA_windows/static/appIconLg.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.6 KiB

BIN
deployment-apps/Splunk_TA_windows/static/appIconLg_2x.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

BIN
deployment-apps/Splunk_TA_windows/static/appIcon_2x.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.6 KiB

Write Preview
Loading…
Cancel
Save