[
  {
    "provider": "AD-FS",
    "channel": "AD FS/Admin",
    "event_id": 510,
    "title": "More information for the event entry with Instance ID %1.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "AD-FS-Auditing",
    "channel": "Security",
    "event_id": 307,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "AD-FS-Auditing",
    "channel": "Security",
    "event_id": 1200,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "AD-FS-Auditing",
    "channel": "Security",
    "event_id": 1202,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Application Error",
    "channel": "Application",
    "event_id": 1000,
    "title": "Faulting application name: %1, version: %2, time stamp: 0x%3 Faulting module name: %4, version: %5, time stamp: 0x%6 Exception code: 0x%7 Fault off...",
    "note": "Application Crashed",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Application Hang",
    "channel": "Application",
    "event_id": 1002,
    "title": "The program %1 version %2 stopped interacting with Windows and was closed.",
    "note": "Application hang",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Application-Error",
    "channel": "Application",
    "event_id": 1000,
    "title": "Faulting application name: %1, version: %2, time stamp: 0x%3 Faulting module name: %4, version: %5, time stamp: 0x%6 Exception code: 0x%7 Fault off...",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Application-Hang",
    "channel": "Application",
    "event_id": 1002,
    "title": "The program %1 version %2 stopped interacting with Windows and was closed.",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "ESENT",
    "channel": "Application",
    "event_id": 325,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "ESENT",
    "channel": "Application",
    "event_id": 326,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "ESENT",
    "channel": "Application",
    "event_id": 327,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "LsaSrv",
    "channel": "Microsoft-Windows-LSA/Operational",
    "event_id": 300,
    "title": "Groups assigned to a new logon.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Application-Experience",
    "channel": "Microsoft-Windows-Application-Experience/Program-Inventory",
    "event_id": 903,
    "title": "A program was installed on the system.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Application-Experience",
    "channel": "Microsoft-Windows-Application-Experience/Program-Inventory",
    "event_id": 904,
    "title": "A program was installed on the system.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Application-Experience",
    "channel": "Microsoft-Windows-Application-Experience/Program-Inventory",
    "event_id": 905,
    "title": "A program was updated on the system.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Application-Experience",
    "channel": "Microsoft-Windows-Application-Experience/Program-Inventory",
    "event_id": 906,
    "title": "A program was updated on the system.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Application-Experience",
    "channel": "Microsoft-Windows-Application-Experience/Program-Inventory",
    "event_id": 907,
    "title": "A program was removed from the system.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Application-Experience",
    "channel": "Microsoft-Windows-Application-Experience/Program-Inventory",
    "event_id": 908,
    "title": "A program was removed from the system.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/EXE and DLL",
    "event_id": 8000,
    "title": "AppID policy conversion failed.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/EXE and DLL",
    "event_id": 8001,
    "title": "The AppLocker policy was applied successfully to this computer.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/EXE and DLL",
    "event_id": 8002,
    "title": "%11 was allowed to run.",
    "note": "Logs every EXE/DLL that AppLocker allowed to run (emitted only when an EXE/DLL rule collection is configured). High volume: filter before forwarding.",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/EXE and DLL",
    "event_id": 8003,
    "title": "%11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.",
    "note": "Executable was allowed to run but would have been blocked in enforcing mode",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Applocker.xml",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/EXE and DLL",
    "event_id": 8004,
    "title": "%11 was prevented from running.",
    "note": "Executable was prevented from running",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Applocker.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/MSI and Script",
    "event_id": 8005,
    "title": "%11 was allowed to run.",
    "note": "Scripts and Installers run",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/MSI and Script",
    "event_id": 8006,
    "title": "%11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.",
    "note": "Script or installer was allowed to run but would have been blocked in enforcing mode (audit-only policy)",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/MSI and Script",
    "event_id": 8007,
    "title": "%11 was prevented from running.",
    "note": "Script or installer was prevented from running (enforced policy)",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/EXE and DLL",
    "event_id": 8008,
    "title": "%2: AppLocker component not available on this SKU.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/MSI and Script",
    "event_id": 8009,
    "title": "%2: AppLocker component not available on this SKU.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Operational",
    "event_id": 8010,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Operational",
    "event_id": 8011,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Operational",
    "event_id": 8012,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Operational",
    "event_id": 8013,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Operational",
    "event_id": 8014,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Operational",
    "event_id": 8015,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Operational",
    "event_id": 8016,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Operational",
    "event_id": 8017,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Operational",
    "event_id": 8018,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Operational",
    "event_id": 8019,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Packaged app-Execution",
    "event_id": 8020,
    "title": "%11 was allowed to run.",
    "note": "Packaged (Store/UWP) app was allowed to run",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Packaged app-Execution",
    "event_id": 8021,
    "title": "%11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Packaged app-Execution",
    "event_id": 8022,
    "title": "%11 was prevented from running.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Packaged app-Deployment",
    "event_id": 8023,
    "title": "%11 was allowed to be installed.",
    "note": "Packaged (Store/UWP) app was allowed to be installed",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Packaged app-Deployment",
    "event_id": 8024,
    "title": "%11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Packaged app-Deployment",
    "event_id": 8025,
    "title": "%11 was prevented from running.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Packaged app-Deployment",
    "event_id": 8026,
    "title": "No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/Packaged app-Execution",
    "event_id": 8027,
    "title": "No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/MSI and Script",
    "event_id": 8029,
    "title": "%2 was prevented from running due to Config CI policy.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/EXE and DLL",
    "event_id": 8032,
    "title": "ManagedInstaller check FAILED during Appid verification of %2.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/MSI and Script",
    "event_id": 8035,
    "title": "ManagedInstaller Script check SUCCEEDED during Appid verification of %2.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/MSI and Script",
    "event_id": 8036,
    "title": "%2 was prevented from running due to Config CI policy.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-AppLocker",
    "channel": "Microsoft-Windows-AppLocker/MSI and Script",
    "event_id": 8040,
    "title": "Package family name %2 version %3 was prevented from installing or updating due to Config CI policy (Name:%5 ID:%7 Version:%8 GUID:%9).",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 1,
    "title": "BITS job \"%2\" with ID %1 has been resumed.",
    "note": "BITS Job has been resumed",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 2,
    "title": "BITS job \"%2\" with ID %1 has been suspended.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 3,
    "title": "The BITS service created a new job.",
    "note": "New BITS job created; correlate with event 59 (transfer URL) and events 6/63/64 (command attached to the job) to spot BITS-based download or persistence",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 4,
    "title": "The transfer job is complete.",
    "note": "BITS Job completion",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 5,
    "title": "Job cancelled.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 6,
    "title": "Command-line command set for job %1 with owner %2.",
    "note": "A command line was attached to a BITS job; inspect the command and job owner, as the command is launched after the transfer (see events 63/64)",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 17,
    "title": "BITS has read the policy parameters for peer-caching.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 18,
    "title": "The peer list rejected an incoming server announcement.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 23,
    "title": "An application cleared the peer list.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 59,
    "title": "BITS started the %2 transfer job that is associated with the %4 URL.",
    "note": "BITS Job started to transfer file",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 60,
    "title": "BITS stopped transferring the %2 transfer job that is associated with the %4 URL.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 61,
    "title": "BITS stopped transferring the %2 transfer job that is associated with the %4 URL.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 62,
    "title": "The BITS job named \"%1\" belonging to user %2 received inconsistent data while downloading.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 63,
    "title": "The BITS job %1 is configured to launch %3 after transfer of %2.",
    "note": "BITS job will launch a program (%3) after the transfer completes; review the launched command and the job owner",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 64,
    "title": "The BITS job %1 is configured to launch %3 after transfer of %2.",
    "note": "BITS job will launch a program (%3) after the transfer completes; review the launched command and the job owner",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 78,
    "title": "BITS has encountered %1 error while reading the peer-cache information.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 79,
    "title": "BITS has successfully deleted the peer-cache.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 80,
    "title": "BITS has successfully enabled peer-client and/or peer-server related components.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 81,
    "title": "BITS has encountered %1 error while starting one or more peer-client or peer-server components.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 201,
    "title": "The BITS job named \"%1\" was unable to contact any HTTP proxy server in its proxy list.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 202,
    "title": "While transferring %1, BITS encountered error %7 using %6 as the HTTP proxy server.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 203,
    "title": "The BITS service provided job credentials in response to an authentication challenge from the %1 server for the %2 transfer job that is associated ...",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 204,
    "title": "The BITS service provided job credentials in response to an authentication challenge from %1 for job %2, url %3.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 206,
    "title": "The URL \"%2\" in BITS job \"%1\" does not support the HTTP HEAD verb, which is required for BITS bandwidth throttling.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 207,
    "title": "The URL \"%2\" in BITS job \"%1\" does not support the HTTP Content-Length header, which is required for BITS bandwidth throttling.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 208,
    "title": "A flash-Crowd situation is detected for the URL \"%2\" in BITS job \"%1\".",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 209,
    "title": "High performance property for BITS job \"%1\" with ID \"%2\" %3.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 210,
    "title": "The URL \"%2\" in BITS job \"%1\" does not support the HTTP Content-Range header, which is required for BITS bandwidth throttling.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 211,
    "title": "BITS job \"%2\" with ID \"%1\" encountered an error %3.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 302,
    "title": "The BITS service has started successfully, but it was delayed long enough that there may be a problem.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 303,
    "title": "The peer-cache client startup phase of startup has completed.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 306,
    "title": "The BITS service loaded the job list from disk.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 307,
    "title": "It took %1 seconds to write a change file to the BITS job list.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 308,
    "title": "The BITS service shut down successfully, but it was delayed for %1 seconds.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 309,
    "title": "The BITS peer cache was unable to find any peers in the network.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 310,
    "title": "The initialization of the peer helper modules failed with the following error.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 311,
    "title": "The BITS peer transfer with the %1 ID for the %2 transfer job resulted in the following error: %4.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 312,
    "title": "The Network List Manager Cost Interface is not available on this system.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 313,
    "title": "The Network List Manager Cost Interface is reporting no network connectivity.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 16384,
    "title": "The administrator %4 canceled job \"%2\" on behalf of %3.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 16387,
    "title": "The administrator %3 modified the %4 property of job \"%2\".",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 16388,
    "title": "The administrator %4 took ownership of job \"%2\" from %3.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 16389,
    "title": "Job \"%2\" owned by %3 was canceled after being inactive for more than %4 days.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 16391,
    "title": "The BITS job list is not in a recognized format.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 16394,
    "title": "BITS Peer-caching protocol",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 16395,
    "title": "Web Services-Discovery protocol",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Bits-Client",
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "event_id": 16403,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CAPI2",
    "channel": "Microsoft-Windows-CAPI2/Operational",
    "event_id": 11,
    "title": "For more details for this event, please refer to the \"Details\" section",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CAPI2",
    "channel": "Microsoft-Windows-CAPI2/Operational",
    "event_id": 70,
    "title": "For more details for this event, please refer to the \"Details\" section",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CAPI2",
    "channel": "Microsoft-Windows-CAPI2/Operational",
    "event_id": 90,
    "title": "For more details for this event, please refer to the \"Details\" section",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
    "channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
    "event_id": 1001,
    "title": "A certificate has been replaced.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
    "channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
    "event_id": 1002,
    "title": "A certificate has expired.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
    "channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
    "event_id": 1003,
    "title": "A certificate is about to expire.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
    "channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
    "event_id": 1004,
    "title": "A certificate has been deleted.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
    "channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
    "event_id": 1006,
    "title": "A new certificate has been installed.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
    "channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
    "event_id": 1007,
    "title": "A certificate has been exported.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CertificationAuthority",
    "channel": "Application",
    "event_id": 95,
    "title": "Security permissions are corrupted or missing.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3001,
    "title": "Code Integrity determined an unsigned kernel module %2 is loaded into the system.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3002,
    "title": "Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3003,
    "title": "Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3004,
    "title": "Windows is unable to verify the image integrity of the file %2 because file hash could not be found on the system.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3005,
    "title": "Code Integrity is unable to verify the image integrity of the file %2 because a file hash could not be found on the system.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3010,
    "title": "Code Integrity was unable to load the %2 catalog.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3021,
    "title": "Code Integrity determined a revoked kernel module %2 is loaded into the system.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3022,
    "title": "Code Integrity determined a revoked kernel module %2 is loaded into the system.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3023,
    "title": "The driver %2 is blocked from loading as the driver has been revoked by Microsoft.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3024,
    "title": "Windows was unable to update the boot catalog cache file.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3026,
    "title": "Code Integrity was unable to load the %2 catalog because the signing certificate for this catalog has been revoked.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3032,
    "title": "Code Integrity determined a revoked image %2 is loaded into the system.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3033,
    "title": "Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Code-Integrity.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3034,
    "title": "Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3035,
    "title": "Code Integrity determined a revoked image %2 is loaded into the system.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3036,
    "title": "Windows is unable to verify the integrity of the file %2 because the signing certificate has been revoked.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3037,
    "title": "Code Integrity determined an unsigned image %2 is loaded into the system.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3050,
    "title": "Code Integrity completed retrieval of file cache.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3051,
    "title": "Code Integrity completed retrieval of file cache.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3052,
    "title": "Code Integrity completed retrieval of file cache.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3057,
    "title": "Code Integrity completed retrieval of file cache.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3058,
    "title": "Code Integrity completed retrieval of file cache.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3063,
    "title": "Code Integrity determined that a process (%4) attempted to load %2 that did not meet the security requirements for %5.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3065,
    "title": "Code Integrity determined that a process (%4) attempted to load %2 that did not meet the security requirements for %5.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Code-Integrity.xml",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3066,
    "title": "Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3067,
    "title": "Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3068,
    "title": "Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3069,
    "title": "Code Integrity was unable to load the weak crypto policy value from registry.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3070,
    "title": "Code Integrity was unable to load the weak crypto policy from registry store.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3071,
    "title": "Code Integrity was unable to load the weak crypto policies.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3072,
    "title": "Code Integrity determined that the module %2 is not compatible with hypervisor enforcement due to it having non-page aligned sections.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3073,
    "title": "Code Integrity determined that the module %2 is not compatible with strict mode hypervisor enforcement due to it having an executable section that ...",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3074,
    "title": "Code Integrity was unable to verify a page for a module verified using hypervisor enforcement.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3076,
    "title": "Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3077,
    "title": "Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3078,
    "title": "Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3079,
    "title": "Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3080,
    "title": "Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3081,
    "title": "Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3082,
    "title": "Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3083,
    "title": "Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3084,
    "title": "Code Integrity will enable WHQL driver enforcement for this boot session.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3085,
    "title": "Code Integrity will disable WHQL driver enforcement for this boot session.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3086,
    "title": "Code Integrity determined that a process (%4) attempted to load %2 that did not meet the signing requirements for Isolated User Mode.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3087,
    "title": "Code Integrity determined that the kernel module %2 is not compatible with hypervisor enforcement.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3089,
    "title": "Signature information for another event.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3090,
    "title": "Code Integrity testing module %2 against policy %11.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3091,
    "title": "Code Integrity testing module %2 against policy %11.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3092,
    "title": "Code Integrity testing module %2 against policy %11.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3093,
    "title": "other (see event data)",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3094,
    "title": "other (see event data)",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3095,
    "title": "Code Integrity policy %5 %2 is set to unrefreshable.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3096,
    "title": "No change in active Code Integrity policy %5 %2 after refresh.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3097,
    "title": "Not allowed to refresh Code Integrity policy %5 %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3098,
    "title": "other (see event data)",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3099,
    "title": "Refreshed and activated Code Integrity policy %5 %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3100,
    "title": "Refreshed but not activated Code Integrity policy %5 %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3101,
    "title": "Code Integrity policy refresh started for %1 policies.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3102,
    "title": "Code Integrity policy refresh finished for %1 policies.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3103,
    "title": "Ignoring refresh for Code Integrity policy ID %1.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3104,
    "title": "Windows blocked file %2 which has been disallowed for protected processes.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3105,
    "title": "Trying to refresh Code Integrity policy with policy ID %1.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3108,
    "title": "Code Integrity successfully switched from %3 mode to %4 mode.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3109,
    "title": "Code Integrity already switched from %3 mode to %4 mode.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3110,
    "title": "Code Integrity failed to switch from %3 mode to %4 mode with error code %5.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3111,
    "title": "Code Integrity determined that a process (%6) attempted to load %2 that is not compatible with hypervisor enforcement.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3112,
    "title": "Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3113,
    "title": "Code Integrity could not update the driver.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3114,
    "title": "Code Integrity determined that %4 is trying to load %2 which failed the dynamic code trust verification with error code of %5.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3115,
    "title": "Code Integrity determined that %4 is trying to load %2 which failed the dynamic code trust verification with error code of %5.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3116,
    "title": "Signature information for Code Integrity policy ID %1.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3117,
    "title": "Code Integrity determined that a process (%4) attempted to load %2 that violated code integrity policy (Policy ID:%31).",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "event_id": 3118,
    "title": "Smart App Control Block Details",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Dhcp-Client",
    "channel": "Microsoft-Windows-Dhcp-Client/Operational",
    "event_id": 50028,
    "title": "Address %1 is plumbed on the interface %2.",
    "note": "IP address assigned to interface",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DHCPv6-Client",
    "channel": "Microsoft-Windows-Dhcpv6-Client/Operational",
    "event_id": 51039,
    "title": "Address %1 is plumbed on the interface %2.",
    "note": "IP address assigned to interface",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DNS-Client",
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "event_id": 3008,
    "title": "DNS query is completed for the name %1, type %2, query options %3 with status %4 Results %5.",
    "note": "DNS client query completed",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DNS-Client",
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "event_id": 3020,
    "title": "Query response for name %1, type %2, interface index %3 and network index %4 returned %5 with results %6.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DNS-Server-Service",
    "channel": "DNS Server",
    "event_id": 6001,
    "title": "The DNS server successfully completed transfer of version %1 of zone %2 to the DNS server at %3.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DNSServer",
    "channel": "Microsoft-Windows-DNSServer/Analytical",
    "event_id": 256,
    "title": "QUERY_RECEIVED: TCP=.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DNSServer",
    "channel": "Microsoft-Windows-DNSServer/Analytical",
    "event_id": 257,
    "title": "RESPONSE_SUCCESS: TCP=.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DNSServer",
    "channel": "Microsoft-Windows-DNSServer/Analytical",
    "event_id": 258,
    "title": "RESPONSE_FAILURE: TCP=.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DNSServer",
    "channel": "Microsoft-Windows-DNSServer/Analytical",
    "event_id": 259,
    "title": "IGNORED_QUERY: TCP=.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DNSServer",
    "channel": "Microsoft-Windows-DNSServer/Analytical",
    "event_id": 260,
    "title": "RECURSE_QUERY_OUT: TCP=.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DNSServer",
    "channel": "Microsoft-Windows-DNSServer/Analytical",
    "event_id": 261,
    "title": "RECURSE_RESPONSE_IN: TCP=.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DNSServer",
    "channel": "Microsoft-Windows-DNSServer/Analytical",
    "event_id": 262,
    "title": "RECURSE_QUERY_TIMEOUT: TCP=.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DNSServer",
    "channel": "Microsoft-Windows-DNSServer/Analytical",
    "event_id": 263,
    "title": "DYN_UPDATE_RECV: TCP=.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DNSServer",
    "channel": "Microsoft-Windows-DNSServer/Analytical",
    "event_id": 264,
    "title": "DYN_UPDATE_RESPONSE: TCP=.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DNSServer",
    "channel": "Microsoft-Windows-DNSServer/Analytical",
    "event_id": 277,
    "title": "DYN_UPDATE_FORWARD: TCP=.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DNSServer",
    "channel": "Microsoft-Windows-DNSServer/Analytical",
    "event_id": 278,
    "title": "DYN_UPDATE_RESPONSE_IN: TCP=.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "event_id": 2003,
    "title": "The UMDF Host Process (%1) has been asked to load drivers for device %2.",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "event_id": 2004,
    "title": "The UMDF Host is loading driver %4 at level %3 for device %2.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "event_id": 2006,
    "title": "The UMDF Host successfully loaded the driver at level %3.",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "event_id": 2010,
    "title": "The UMDF Host Process (%1) has successfully loaded drivers for device %2.",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "event_id": 2100,
    "title": "Received a Pnp or Power operation (%3, %4) for device %2.",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "event_id": 2101,
    "title": "Completed a Pnp or Power operation (%3, %4) for device %2 with status %9.",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "event_id": 2105,
    "title": "Forwarded a Pnp or Power operation (%3, %4) for device %2 to the lower driver with status %9.",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "event_id": 2106,
    "title": "Received a Pnp or Power operation (%3, %4) for device %2 which was completed by the lower drivers with status %9.",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Eventlog",
    "channel": "System",
    "event_id": 104,
    "title": "The System log file was cleared.",
    "note": "An event log other than the Security log has been cleared",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Eventlog",
    "channel": "Security",
    "event_id": 1100,
    "title": "The event logging service has shut down.",
    "note": "(Security Log) Event Log Service Shutdown",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Eventlog",
    "channel": "Security",
    "event_id": 1102,
    "title": "The audit log was cleared.",
    "note": "Security event log cleared",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "high"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Eventlog",
    "channel": "Security",
    "event_id": 1104,
    "title": "The security log is now full.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Log-Deletion-Security.xml",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-FilterManager",
    "channel": "System",
    "event_id": 6,
    "title": "File System Filter 'FileInfo' (6.1, 1.247502111e+09) has successfully loaded and registered with Filter Manager.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-GroupPolicy",
    "channel": "System",
    "event_id": 1125,
    "title": "The processing of Group Policy failed because of an internal system error.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-GroupPolicy",
    "channel": "System",
    "event_id": 1126,
    "title": "Windows was unable to determine whether new Group Policy settings defined by a network administrator should be enforced for this user or computer b...",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-GroupPolicy",
    "channel": "System",
    "event_id": 1129,
    "title": "The processing of Group Policy failed because of lack of network connectivity to a domain controller.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Kernel-General",
    "channel": "System",
    "event_id": 1,
    "title": "The system time has changed to %1 from %2.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Kernel-General",
    "channel": "System",
    "event_id": 12,
    "title": "The operating system started at system time %1.",
    "note": "Windows Startup",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Kernel-General",
    "channel": "System",
    "event_id": 13,
    "title": "The operating system is shutting down at system time StopTime.",
    "note": "Windows Shutdown",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Kernel-PnP",
    "channel": "System",
    "event_id": 219,
    "title": "The driver %5 failed to load.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Kernel-PnP",
    "channel": "Microsoft-Windows-Kernel-PnP/Configuration",
    "event_id": 400,
    "title": "Device %1 was configured.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Kernel-PnP",
    "channel": "Microsoft-Windows-Kernel-PnP/Configuration",
    "event_id": 410,
    "title": "Device %1 was started.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Kernel-Power",
    "channel": "System",
    "event_id": 41,
    "title": "The last sleep transition was unsuccessful.",
    "note": "Unexpected Shutdown or Bluescreen",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NetworkProfile",
    "channel": "Microsoft-Windows-NetworkProfile/Operational",
    "event_id": 10000,
    "title": "Network Connected Name: %1 Desc: %2 Type: %4 State: %5 Category: %6.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NetworkProfile",
    "channel": "Microsoft-Windows-NetworkProfile/Operational",
    "event_id": 10001,
    "title": "Network Disconnected Name: %1 Desc: %2 Type: %4 State: %5 Category: %6.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 4001,
    "title": "NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 4002,
    "title": "NTLM server blocked: Incoming NTLM traffic to servers that is blocked Calling process PID: %1 Calling process name: %2 Calling process LUID: %3 Cal...",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 4003,
    "title": "NTLM server blocked in the domain: NTLM authentication in this domain that is blocked User: %1 Domain: %2 Workstation: %3 PID: %4 Process: %5 Logon...",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 4010,
    "title": "NTLM Minimum Client Security Block: Calling process PID: %1 Calling Process Name: %2 Negotiated Security Flags: %3 Minimum Security Flags: %4.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 4011,
    "title": "NTLM Minimum Server Security Block: Calling process PID: %1 Calling Process Name: %2 Negotiated Security Flags: %3 Minimum Security Flags: %4.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 4012,
    "title": "NTLM client used the domain password.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 4013,
    "title": "Attempt to use NTLMv1 failed.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 4014,
    "title": "Attempt to get credential key by call package blocked by Credential Guard.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 4015,
    "title": "NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 4020,
    "title": "This machine attempted to authenticate to a remote resource via NTLM.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 4021,
    "title": "This machine attempted to authenticate to a remote resource via NTLM.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 4022,
    "title": "A remote client is using NTLM to authenticate to this workstation.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 4023,
    "title": "A remote client is using NTLM to authenticate to this workstation.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 4024,
    "title": "Auditing an attempt to use NTLMv1-derived credentials for Single Sign-On.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 4025,
    "title": "An attempt to use NTLMv1-derived credentials for Single Sign-On was blocked due to policy.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 8001,
    "title": "NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/NTLM.xml",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 8002,
    "title": "NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked Calling process PID: %1 Calling process name: %2 Calling process LUID:...",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/NTLM.xml",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-NTLM",
    "channel": "Microsoft-Windows-NTLM/Operational",
    "event_id": 8003,
    "title": "NTLM server blocked in the domain audit: Audit NTLM authentication in this domain User: %1 Domain: %2 Workstation: %3 PID: %4 Process: %5 Logon typ...",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/NTLM.xml",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 4097,
    "title": "Computer Name $null or.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 4098,
    "title": "Resolving to default scheme http",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 4099,
    "title": "Remote shell name resolved to default Microsoft.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 4100,
    "title": "%3 Context: %1 User Data: %2.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 4101,
    "title": "%3 Context: %1 User Data: %2.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 4102,
    "title": "%3 Context: %1 User Data: %2.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 4103,
    "title": "%3 Context: %1 User Data: %2.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 4104,
    "title": "Creating Scriptblock text (%1 of %2): %3 ScriptBlock ID: %4 Path: %5.",
    "note": "Execute a Remote Command (Script Block Logging)",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 4105,
    "title": "Started invocation of ScriptBlock ID: %1 Runspace ID: %2.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 4106,
    "title": "Completed invocation of ScriptBlock ID: %1 Runspace ID: %2.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 8193,
    "title": "Creating Runspace object Instance Id.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 8194,
    "title": "Creating RunspacePool object InstanceId %1 MinRunspaces %2 MaxRunspaces %3.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 8195,
    "title": "Opening RunspacePool",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 8196,
    "title": "Modifying activity Id and correlating",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 8197,
    "title": "Runspace state changed to %1.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 8198,
    "title": "Attempting session creation retry %1 for error code %2 on session Id %3.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 12039,
    "title": "Modifying activity Id and correlating",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 24577,
    "title": "Windows PowerShell ISE has started to run script file %1.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 24578,
    "title": "Windows PowerShell ISE has started to run a user-selected script from file %1.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 24579,
    "title": "Windows PowerShell ISE is stopping the current command.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 24580,
    "title": "Windows PowerShell ISE is resuming the debugger.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 24581,
    "title": "Windows PowerShell ISE is stopping the debugger.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 24582,
    "title": "Windows PowerShell ISE is stepping into debugging.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 24583,
    "title": "Windows PowerShell ISE is stepping over debugging.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 24584,
    "title": "Windows PowerShell ISE is stepping out of debugging.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 24592,
    "title": "Windows PowerShell ISE is enabling all breakpoints.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 24593,
    "title": "Windows PowerShell ISE is disabling all breakpoints.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 24594,
    "title": "Windows PowerShell ISE is removing all breakpoints.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 24595,
    "title": "Windows PowerShell ISE is setting the breakpoint at line #: %1 of file %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 24596,
    "title": "Windows PowerShell ISE is removing the breakpoint on line #: %1 of file %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 24597,
    "title": "Windows PowerShell ISE is enabling the breakpoint on line #: %1 of file %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 24598,
    "title": "Windows PowerShell ISE is disabling the breakpoint on line #: %1 of file %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 24599,
    "title": "Windows PowerShell ISE has hit a breakpoint on line #: %1 of file %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 32777,
    "title": "An unhandled exception occurred in the appdomain.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 32784,
    "title": "Runspace Id: %1 Pipeline Id: %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 40961,
    "title": "PowerShell console is starting up",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 40962,
    "title": "PowerShell console is ready for user input",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 46358,
    "title": "Persistence store has reached its maximum specified size",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 53249,
    "title": "Scheduled Job %1 started at %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 53250,
    "title": "Scheduled Job %1 completed at %2 with state %3.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 53251,
    "title": "Scheduled Job Exception %1: Message: %2 StackTrace: %3 InnerException: %4.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 53504,
    "title": "Windows PowerShell has started an IPC listening thread on process: %1 in AppDomain: %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 53505,
    "title": "Windows PowerShell has ended an IPC listening thread on process: %1 in AppDomain: %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 53506,
    "title": "An error has occurred in Windows PowerShell IPC listening thread on process: %1 in AppDomain: %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 53507,
    "title": "Windows PowerShell IPC connect on process: %1 in AppDomain: %2 for User: %3.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PowerShell",
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": 53508,
    "title": "Windows PowerShell IPC disconnect on process: %1 in AppDomain: %2 for User: %3.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-PrintService",
    "channel": "Microsoft-Windows-PrintService/Operational",
    "event_id": 307,
    "title": "Document %1, %2 owned by %3 on %4 was printed on %5 through port %6.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "",
    "event_id": 1100,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4608,
    "title": "Windows is starting up.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4609,
    "title": "Windows is shutting down.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4610,
    "title": "An authentication package has been loaded by the Local Security Authority.",
    "note": "An authentication package has been loaded by the Local Security Authority",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4611,
    "title": "A trusted logon process has been registered with the Local Security Authority.",
    "note": "A trusted logon process has been registered with the Local Security Authority",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4612,
    "title": "Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4614,
    "title": "A notification package has been loaded by the Security Account Manager.",
    "note": "A notification package has been loaded by the Security Account Manager",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4615,
    "title": "Invalid use of LPC port.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4616,
    "title": "The system time was changed.",
    "note": "A system time change may indicate an attempt to tamper with the system.",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4618,
    "title": "A monitored security event pattern has occurred.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "high"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4621,
    "title": "Administrator recovered system from CrashOnAuditFail.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4622,
    "title": "A security package has been loaded by the Local Security Authority.",
    "note": "A security package has been loaded by the Local Security Authority",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4624,
    "title": "An account was successfully logged on.",
    "note": "An account was successfully logged on",
    "sources": [
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "high"
      },
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4625,
    "title": "An account failed to log on.",
    "note": "An account failed to log on",
    "sources": [
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "high"
      },
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4626,
    "title": "User / Device claims information.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4627,
    "title": "Group membership information.",
    "note": "Group membership information.",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4634,
    "title": "An account was logged off.",
    "note": "Logoff event (terminated)",
    "sources": [
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "high"
      },
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4646,
    "title": "%1",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4647,
    "title": "User initiated logoff.",
    "note": "User initiated logoff",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4648,
    "title": "A logon was attempted using explicit credentials.",
    "note": "A logon was attempted using explicit credentials",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Explicit-Credentials.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4649,
    "title": "A replay attack was detected.",
    "note": "A replay attack was detected (KRB_AP_ERR_REPEAT)",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "high"
      },
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4650,
    "title": "An IPsec main mode security association was established.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4651,
    "title": "An IPsec main mode security association was established.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4652,
    "title": "An IPsec main mode negotiation failed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4653,
    "title": "An IPsec main mode negotiation failed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4654,
    "title": "An IPsec quick mode negotiation failed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4655,
    "title": "An IPsec main mode security association ended.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4656,
    "title": "A handle to an object was requested.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Object-Manipulation.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4657,
    "title": "A registry value was modified.",
    "note": "A registry value was modified",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4658,
    "title": "The handle to an object was closed.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4659,
    "title": "A handle to an object was requested with intent to delete.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4660,
    "title": "An object was deleted.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4661,
    "title": "A handle to an object was requested.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4662,
    "title": "An operation was performed on an object.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4663,
    "title": "An attempt was made to access an object.",
    "note": "An attempt was made to access an object",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Object-Manipulation.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4664,
    "title": "An attempt was made to create a hard link.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4665,
    "title": "An attempt was made to create an application client context.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4666,
    "title": "An application attempted an operation: Subject: Client Name: %5 Client Domain: %6 Client Context ID: %7 Object: Object Name: %3 Scope Names: %4 App...",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4667,
    "title": "An application client context was deleted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4668,
    "title": "An application was initialized.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4670,
    "title": "Permissions on an object were changed.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4671,
    "title": "An application attempted to access a blocked ordinal through the TBS.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4672,
    "title": "Special privileges assigned to new logon.",
    "note": "Special Privileges assigned to Logon",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4673,
    "title": "A privileged service was called.",
    "note": "A privileged service was called",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Privilege-Use.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4674,
    "title": "An operation was attempted on a privileged object.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Privilege-Use.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4675,
    "title": "SIDs were filtered.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4688,
    "title": "A new process has been created.",
    "note": "Process Created",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4689,
    "title": "A process has exited.",
    "note": "Process Terminated",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Process-Execution.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4690,
    "title": "An attempt was made to duplicate a handle to an object.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4691,
    "title": "Indirect access to an object was requested.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4692,
    "title": "Backup of data protection master key was attempted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4693,
    "title": "Recovery of data protection master key was attempted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4694,
    "title": "Protection of auditable protected data was attempted.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4695,
    "title": "Unprotection of auditable protected data was attempted.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4696,
    "title": "A primary token was assigned to process.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4697,
    "title": "A service was installed in the system.",
    "note": "A service was installed in the system",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Services.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4698,
    "title": "A scheduled task was created.",
    "note": "A scheduled task was created",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Task-Scheduler.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4699,
    "title": "A scheduled task was deleted.",
    "note": "A scheduled task was deleted",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Task-Scheduler.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4700,
    "title": "A scheduled task was enabled.",
    "note": "A scheduled task was enabled",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Task-Scheduler.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4701,
    "title": "A scheduled task was disabled.",
    "note": "A scheduled task was disabled",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Task-Scheduler.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4702,
    "title": "A scheduled task was updated.",
    "note": "A scheduled task was updated",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4703,
    "title": "A user right was adjusted.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4704,
    "title": "A user right was assigned.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4705,
    "title": "A user right was removed.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4706,
    "title": "A new trust was created to a domain.",
    "note": "A new trust was created to a domain.",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4707,
    "title": "A trust to a domain was removed.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4709,
    "title": "The IPsec Policy Agent service was started.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4710,
    "title": "The IPsec Policy Agent service was disabled.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4711,
    "title": "%1",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4712,
    "title": "IPsec Policy Agent encountered a potentially serious failure.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4713,
    "title": "Kerberos policy was changed.",
    "note": "Kerberos policy changes",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4714,
    "title": "Data Recovery Agent group policy for Encrypting File System (EFS) has changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4715,
    "title": "The audit policy (SACL) on an object was changed.",
    "note": "The audit policy (SACL) on an object was changed",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4716,
    "title": "Trusted domain information was modified.",
    "note": "Trusted domain information was modified",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4717,
    "title": "System security access was granted to an account.",
    "note": "System security access was granted to an account",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4718,
    "title": "System security access was removed from an account.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4719,
    "title": "System audit policy was changed.",
    "note": "System audit policy was changed.",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "high"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4720,
    "title": "A user account was created.",
    "note": "New user account created",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Account-Management.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4722,
    "title": "A user account was enabled.",
    "note": "A user account was enabled",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Account-Management.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4723,
    "title": "An attempt was made to change an account's password.",
    "note": "An attempt was made to change an account's password",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Account-Management.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4724,
    "title": "An attempt was made to reset an account's password.",
    "note": "An attempt was made to reset an account's password",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Account-Management.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4725,
    "title": "A user account was disabled.",
    "note": "A user account was disabled",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Account-Management.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4726,
    "title": "A user account was deleted.",
    "note": "A user account was deleted",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Account-Management.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4727,
    "title": "A security-enabled global group was created.",
    "note": "A security-enabled Global group was created",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4728,
    "title": "A member was added to a security-enabled global group.",
    "note": "A member was added to a security-enabled Global group",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Account-Management.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4729,
    "title": "A member was removed from a security-enabled global group.",
    "note": "Account removed from Global Security Group",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4730,
    "title": "A security-enabled global group was deleted.",
    "note": "A security-enabled Global group was deleted",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4731,
    "title": "A security-enabled local group was created.",
    "note": "A security-enabled Local group was created",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4732,
    "title": "A member was added to a security-enabled local group.",
    "note": "A member was added to a security-enabled Local group",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Account-Management.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4733,
    "title": "A member was removed from a security-enabled local group.",
    "note": "Account removed from Local Security Group",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4734,
    "title": "A security-enabled local group was deleted.",
    "note": "A security-enabled Local group was deleted",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4735,
    "title": "A security-enabled local group was changed.",
    "note": "A security-enabled Local group was changed",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4737,
    "title": "A security-enabled global group was changed.",
    "note": "A security-enabled Global group was changed",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4738,
    "title": "A user account was changed.",
    "note": "A user account was changed",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4739,
    "title": "Domain Policy was changed.",
    "note": "Domain policy changes",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4740,
    "title": "A user account was locked out.",
    "note": "A user account was locked out",
    "sources": [
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "high"
      },
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Account-Lockout.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4741,
    "title": "A computer account was created.",
    "note": "A computer account was created",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4742,
    "title": "A computer account was changed.",
    "note": "A computer account was changed",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4743,
    "title": "A computer account was deleted.",
    "note": "A computer account was deleted",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4744,
    "title": "A security-disabled local group was created.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4745,
    "title": "A security-disabled local group was changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4746,
    "title": "A member was added to a security-disabled local group.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4747,
    "title": "A member was removed from a security-disabled local group.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4748,
    "title": "A security-disabled local group was deleted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4749,
    "title": "A security-disabled global group was created.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4750,
    "title": "A security-disabled global group was changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4751,
    "title": "A member was added to a security-disabled global group.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4752,
    "title": "A member was removed from a security-disabled global group.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4753,
    "title": "A security-disabled global group was deleted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4754,
    "title": "A security-enabled universal group was created.",
    "note": "A security-enabled Universal group was created",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4755,
    "title": "A security-enabled universal group was changed.",
    "note": "A security-enabled Universal group was changed",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4756,
    "title": "A member was added to a security-enabled universal group.",
    "note": "A member was added to a security-enabled Universal group",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Account-Management.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4757,
    "title": "A member was removed from a security-enabled universal group.",
    "note": "Account removed from Universal Security Group",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4758,
    "title": "A security-enabled universal group was deleted.",
    "note": "A security-enabled Universal group was deleted",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4759,
    "title": "A security-disabled universal group was created.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4760,
    "title": "A security-disabled universal group was changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4761,
    "title": "A member was added to a security-disabled universal group.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4762,
    "title": "A member was removed from a security-disabled universal group.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4763,
    "title": "A security-disabled universal group was deleted.",
    "note": "",
    "sources": [
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4764,
    "title": "A group’s type was changed.",
    "note": "A group’s type was changed",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4765,
    "title": "SID History was added to an account.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "high"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4766,
    "title": "An attempt to add SID History to an account failed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "high"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4767,
    "title": "A user account was unlocked.",
    "note": "A user account was unlocked",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4768,
    "title": "A Kerberos authentication ticket (TGT) was requested.",
    "note": "A Kerberos authentication ticket (TGT) was requested",
    "sources": [
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "high"
      },
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Kerberos.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4769,
    "title": "A Kerberos service ticket was requested.",
    "note": "A Kerberos service ticket was requested",
    "sources": [
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "high"
      },
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Kerberos.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4770,
    "title": "A Kerberos service ticket was renewed.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4771,
    "title": "Kerberos pre-authentication failed.",
    "note": "Kerberos pre-authentication failed",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Kerberos.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4772,
    "title": "A Kerberos authentication ticket request failed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4773,
    "title": "A Kerberos service ticket request failed.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4774,
    "title": "An account was mapped for logon.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4775,
    "title": "An account could not be mapped for logon.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4776,
    "title": "The domain controller attempted to validate the credentials for an account.",
    "note": "",
    "sources": [
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "high"
      },
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4777,
    "title": "The domain controller failed to validate the credentials for an account.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4778,
    "title": "A session was reconnected to a Window Station.",
    "note": "TS Session Reconnect",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4779,
    "title": "A session was disconnected from a Window Station.",
    "note": "TS Session Disconnect",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4780,
    "title": "The ACL was set on accounts which are members of administrators groups.",
    "note": "The ACL was set on accounts which are members of administrators groups",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4781,
    "title": "The name of an account was changed.",
    "note": "The name of an account was changed",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4782,
    "title": "The password hash of an account was accessed.",
    "note": "The password hash of an account was accessed",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4783,
    "title": "A basic application group was created.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4784,
    "title": "A basic application group was changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4785,
    "title": "A member was added to a basic application group.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4786,
    "title": "A member was removed from a basic application group.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4787,
    "title": "A non-member was added to a basic application group.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4788,
    "title": "A non-member was removed from a basic application group.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4789,
    "title": "A basic application group was deleted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4790,
    "title": "An LDAP query group was created.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4793,
    "title": "The Password Policy Checking API was called.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4794,
    "title": "An attempt was made to set the Directory Services Restore Mode administrator password.",
    "note": "An attempt was made to set the Directory Services Restore Mode administrator password",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "high"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4797,
    "title": "An attempt was made to query the existence of a blank password for an account.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4798,
    "title": "A user's local group membership was enumerated.",
    "note": "A user's local group membership was enumerated",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4799,
    "title": "A security-enabled local group membership was enumerated.",
    "note": "A security-enabled local group membership was enumerated",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4800,
    "title": "The workstation was locked.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4801,
    "title": "The workstation was unlocked.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4802,
    "title": "The screen saver was invoked.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4803,
    "title": "The screen saver was dismissed.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4816,
    "title": "RPC detected an integrity violation while decrypting an incoming message.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4817,
    "title": "Auditing settings on object were changed.",
    "note": "Auditing settings on object were changed",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4820,
    "title": "A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4821,
    "title": "A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4822,
    "title": "NTLM authentication failed because the account was a member of the Protected User group.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4824,
    "title": "Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4825,
    "title": "A user was denied the access to Remote Desktop.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4826,
    "title": "Boot Configuration Data loaded.",
    "note": "Boot Configuration Data Loaded",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4864,
    "title": "A namespace collision was detected.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4865,
    "title": "A trusted forest information entry was added.",
    "note": "A trusted forest information entry was added",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4866,
    "title": "A trusted forest information entry was removed.",
    "note": "A trusted forest information entry was removed",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4867,
    "title": "A trusted forest information entry was modified.",
    "note": "A trusted forest information entry was modified",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4868,
    "title": "The certificate manager denied a pending certificate request.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4869,
    "title": "Certificate Services received a resubmitted certificate request.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4870,
    "title": "Certificate Services revoked a certificate.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4871,
    "title": "Certificate Services received a request to publish the certificate revocation list (CRL).",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4872,
    "title": "Certificate Services published the certificate revocation list (CRL).",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4873,
    "title": "A certificate request extension changed.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4874,
    "title": "One or more certificate request attributes changed.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4875,
    "title": "Certificate Services received a request to shut down.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4876,
    "title": "Certificate Services backup started.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4877,
    "title": "Certificate Services backup completed.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4878,
    "title": "Certificate Services restore started.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4879,
    "title": "Certificate Services restore completed.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4880,
    "title": "Certificate Services started.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4881,
    "title": "Certificate Services stopped.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4882,
    "title": "The security permissions for Certificate Services changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4883,
    "title": "Certificate Services retrieved an archived key.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4884,
    "title": "Certificate Services imported a certificate into its database.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4885,
    "title": "The audit filter for Certificate Services changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4886,
    "title": "Certificate Services received a certificate request.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4887,
    "title": "Certificate Services approved a certificate request and issued a certificate.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4888,
    "title": "Certificate Services denied a certificate request.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4889,
    "title": "Certificate Services set the status of a certificate request to pending.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4890,
    "title": "The certificate manager settings for Certificate Services changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4891,
    "title": "A configuration entry changed in Certificate Services.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4892,
    "title": "A property of Certificate Services changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4893,
    "title": "Certificate Services archived a key.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4894,
    "title": "Certificate Services imported and archived a key.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4895,
    "title": "Certificate Services published the CA certificate to Active Directory Domain Services.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4896,
    "title": "One or more rows have been deleted from the certificate database.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4897,
    "title": "Role separation enabled.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "high"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4898,
    "title": "Certificate Services loaded a template.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4899,
    "title": "A Certificate Services template was updated.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4900,
    "title": "Certificate Services template security was updated.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4902,
    "title": "The Per-user audit policy table was created.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4904,
    "title": "An attempt was made to register a security event source.",
    "note": "An attempt was made to register a security event source",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4905,
    "title": "An attempt was made to unregister a security event source.",
    "note": "An attempt was made to unregister a security event source",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4906,
    "title": "The CrashOnAuditFail value has changed.",
    "note": "The CrashOnAuditFail value has changed",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4907,
    "title": "Auditing settings on object were changed.",
    "note": "Auditing settings on object were changed",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4908,
    "title": "Special Groups Logon table modified.",
    "note": "Special Groups Logon table modified",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4909,
    "title": "The local policy settings for the TBS were changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4910,
    "title": "The group policy settings for the TBS were changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4911,
    "title": "Resource attributes of the object were changed.",
    "note": "",
    "sources": [
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4912,
    "title": "Per User Audit Policy was changed.",
    "note": "Per User Audit Policy was changed",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4928,
    "title": "An Active Directory replica source naming context was established.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4929,
    "title": "An Active Directory replica source naming context was removed.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4930,
    "title": "An Active Directory replica source naming context was modified.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4931,
    "title": "An Active Directory replica destination naming context was modified.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4932,
    "title": "Synchronization of a replica of an Active Directory naming context has begun.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4933,
    "title": "Synchronization of a replica of an Active Directory naming context has ended.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4934,
    "title": "Attributes of an Active Directory object were replicated.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4935,
    "title": "Replication failure begins.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4936,
    "title": "Replication failure ends.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4937,
    "title": "A lingering object was removed from a replica.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4944,
    "title": "The following policy was active when the Windows Firewall started.",
    "note": "",
    "sources": [
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4945,
    "title": "A rule was listed when the Windows Firewall started.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4946,
    "title": "A change has been made to Windows Firewall exception list. A rule was added.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4947,
    "title": "A change has been made to Windows Firewall exception list. A rule was modified.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4948,
    "title": "A change has been made to Windows Firewall exception list. A rule was deleted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4949,
    "title": "Windows Firewall settings were restored to the default values.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4950,
    "title": "A Windows Firewall setting has changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4951,
    "title": "A rule has been ignored because its major version number was not recognized by Windows Firewall.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4952,
    "title": "Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4953,
    "title": "A rule has been ignored by Windows Firewall because it could not parse the rule.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4954,
    "title": "Windows Firewall Group Policy settings has changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4956,
    "title": "Windows Firewall has changed the active profile.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4957,
    "title": "Windows Firewall did not apply the following rule.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4958,
    "title": "Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4960,
    "title": "IPsec dropped an inbound packet that failed an integrity check.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4961,
    "title": "IPsec dropped an inbound packet that failed a replay check.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4962,
    "title": "IPsec dropped an inbound packet that failed a replay check.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4963,
    "title": "IPsec dropped an inbound clear text packet that should have been secured.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4964,
    "title": "Special groups have been assigned to a new logon.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "high"
      },
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4965,
    "title": "IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI).",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4976,
    "title": "During Main Mode negotiation, IPsec received an invalid negotiation packet.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4977,
    "title": "During Quick Mode negotiation, IPsec received an invalid negotiation packet.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4978,
    "title": "During Extended Mode negotiation, IPsec received an invalid negotiation packet.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4979,
    "title": "IPsec Main Mode and Extended Mode security associations were established.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4980,
    "title": "IPsec Main Mode and Extended Mode security associations were established.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4981,
    "title": "IPsec Main Mode and Extended Mode security associations were established.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4982,
    "title": "IPsec Main Mode and Extended Mode security associations were established.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4983,
    "title": "An IPsec Extended Mode negotiation failed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4984,
    "title": "An IPsec Extended Mode negotiation failed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 4985,
    "title": "The state of a transaction has changed.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5024,
    "title": "The Windows Firewall Service has started successfully.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5025,
    "title": "The Windows Firewall Service has been stopped.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5027,
    "title": "The Windows Firewall Service was unable to retrieve the security policy from the local storage.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5028,
    "title": "The Windows Firewall Service was unable to parse the new security policy.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5029,
    "title": "The Windows Firewall Service failed to initialize the driver.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5030,
    "title": "The Windows Firewall Service failed to start.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5031,
    "title": "The Windows Firewall Service blocked an application from accepting incoming connections on the network.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5032,
    "title": "Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5033,
    "title": "The Windows Firewall Driver has started successfully.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5034,
    "title": "The Windows Firewall Driver has been stopped.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5035,
    "title": "The Windows Firewall Driver failed to start.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5037,
    "title": "The Windows Firewall Driver detected critical runtime error.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5038,
    "title": "Code integrity determined that the image hash of a file is not valid.",
    "note": "Code integrity determined that the image hash of a file is not valid.",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5039,
    "title": "A registry key was virtualized.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5040,
    "title": "A change has been made to IPsec settings. An Authentication Set was added.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5041,
    "title": "A change has been made to IPsec settings. An Authentication Set was modified.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5042,
    "title": "A change has been made to IPsec settings. An Authentication Set was deleted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5043,
    "title": "A change has been made to IPsec settings. A Connection Security Rule was added.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5044,
    "title": "A change has been made to IPsec settings. A Connection Security Rule was modified.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5045,
    "title": "A change has been made to IPsec settings. A Connection Security Rule was deleted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5046,
    "title": "A change has been made to IPsec settings. A Crypto Set was added.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5047,
    "title": "A change has been made to IPsec settings. A Crypto Set was modified.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5048,
    "title": "A change has been made to IPsec settings. A Crypto Set was deleted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5049,
    "title": "An IPsec Security Association was deleted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5050,
    "title": "An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE) interface was rejected.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5051,
    "title": "A file was virtualized.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5056,
    "title": "A cryptographic self test was performed.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5057,
    "title": "A cryptographic primitive operation failed.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5058,
    "title": "Key file operation.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5059,
    "title": "Key migration operation.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5060,
    "title": "Verification operation failed.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5061,
    "title": "Cryptographic operation.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5062,
    "title": "A kernel-mode cryptographic self test was performed.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5063,
    "title": "A cryptographic provider operation was attempted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5064,
    "title": "A cryptographic context operation was attempted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5065,
    "title": "A cryptographic context modification was attempted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5066,
    "title": "A cryptographic function operation was attempted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5067,
    "title": "A cryptographic function modification was attempted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5068,
    "title": "A cryptographic function provider operation was attempted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5069,
    "title": "A cryptographic function property operation was attempted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5070,
    "title": "A cryptographic function property modification was attempted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5120,
    "title": "OCSP Responder Service Started.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5121,
    "title": "OCSP Responder Service Stopped.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5122,
    "title": "A configuration entry changed in the OCSP Responder Service.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5123,
    "title": "A configuration entry changed in the OCSP Responder Service.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5124,
    "title": "A security setting was updated on OCSP Responder Service.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "high"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5125,
    "title": "A request was submitted to OCSP Responder Service.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5126,
    "title": "Signing Certificate was automatically updated by the OCSP Responder Service.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5127,
    "title": "The OCSP Revocation Provider successfully updated the revocation information.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5136,
    "title": "A directory service object was modified.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5137,
    "title": "A directory service object was created.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5138,
    "title": "A directory service object was undeleted.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5139,
    "title": "A directory service object was moved.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5140,
    "title": "A network share object was accessed.",
    "note": "A network share object was accessed",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Shares.xml",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5141,
    "title": "A directory service object was deleted.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5142,
    "title": "A network share object was added.",
    "note": "A network share object was added",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5143,
    "title": "A network share object was modified.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5144,
    "title": "A network share object was deleted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5145,
    "title": "A network share object was checked to see whether client can be granted desired access.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Shares.xml",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5148,
    "title": "The Windows Filtering Platform has detected a DoS attack and entered a defensive mode.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5149,
    "title": "The DoS attack has subsided and normal processing is being resumed.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5150,
    "title": "The Windows Filtering Platform has blocked a packet.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5151,
    "title": "A more restrictive Windows Filtering Platform filter has blocked a packet.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5152,
    "title": "The Windows Filtering Platform blocked a packet.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5153,
    "title": "A more restrictive Windows Filtering Platform filter has blocked a packet.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5154,
    "title": "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5155,
    "title": "The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5156,
    "title": "The Windows Filtering Platform has permitted a connection.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5157,
    "title": "The Windows Filtering Platform has blocked a connection.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5158,
    "title": "The Windows Filtering Platform has permitted a bind to a local port.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5159,
    "title": "The Windows Filtering Platform has blocked a bind to a local port.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5168,
    "title": "SPN check for SMB/SMB2 fails.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5376,
    "title": "Credential Manager credentials were backed up.",
    "note": "Credential Manager credentials were backed up",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5377,
    "title": "Credential Manager credentials were restored from a backup.",
    "note": "Credential Manager credentials were restored from a backup",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5378,
    "title": "The requested credentials delegation was disallowed by policy.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5379,
    "title": "Credential Manager credentials were read.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5381,
    "title": "Vault credentials were read.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5382,
    "title": "Vault credentials were read.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5440,
    "title": "The following callout was present when the Windows Filtering Platform Base Filtering Engine started.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5441,
    "title": "The following filter was present when the Windows Filtering Platform Base Filtering Engine started.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5442,
    "title": "The following provider was present when the Windows Filtering Platform Base Filtering Engine started.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5443,
    "title": "The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5444,
    "title": "The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5446,
    "title": "A Windows Filtering Platform callout has been changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5447,
    "title": "A Windows Filtering Platform filter has been changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5448,
    "title": "A Windows Filtering Platform provider has been changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5449,
    "title": "A Windows Filtering Platform provider context has been changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5450,
    "title": "A Windows Filtering Platform sub-layer has been changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5451,
    "title": "An IPsec quick mode security association was established.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5452,
    "title": "An IPsec quick mode security association ended.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5453,
    "title": "An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5456,
    "title": "PAStore Engine applied Active Directory storage IPsec policy on the computer.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5457,
    "title": "PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5458,
    "title": "PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5459,
    "title": "PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5460,
    "title": "PAStore Engine applied local registry storage IPsec policy on the computer.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5461,
    "title": "PAStore Engine failed to apply local registry storage IPsec policy on the computer.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5462,
    "title": "PAStore Engine failed to apply some rules of the active IPsec policy on the computer.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5463,
    "title": "PAStore Engine polled for changes to the active IPsec policy and detected no changes.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5464,
    "title": "PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5465,
    "title": "PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5466,
    "title": "PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5467,
    "title": "PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5468,
    "title": "PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5471,
    "title": "PAStore Engine loaded local storage IPsec policy on the computer.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5472,
    "title": "PAStore Engine failed to load local storage IPsec policy on the computer.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5473,
    "title": "PAStore Engine loaded directory storage IPsec policy on the computer.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5474,
    "title": "PAStore Engine failed to load directory storage IPsec policy on the computer.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5477,
    "title": "PAStore Engine failed to add quick mode filter.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5478,
    "title": "IPsec Services has started successfully.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5479,
    "title": "IPsec Services has been shut down successfully.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5480,
    "title": "IPsec Services failed to get the complete list of network interfaces on the computer.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5483,
    "title": "IPsec Services failed to initialize RPC server.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5484,
    "title": "IPsec Services has experienced a critical failure and has been shut down.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5485,
    "title": "IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5632,
    "title": "A request was made to authenticate to a wireless network.",
    "note": "Wireless 802.1X Auth",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5633,
    "title": "A request was made to authenticate to a wired network.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5712,
    "title": "A Remote Procedure Call (RPC) was attempted.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5888,
    "title": "An object in the COM+ Catalog was modified.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5889,
    "title": "An object was deleted from the COM+ Catalog.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 5890,
    "title": "An object was added to the COM+ Catalog.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6144,
    "title": "Security policy in the group policy objects has been applied successfully.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6145,
    "title": "One or more errors occurred while processing security policy in the group policy objects.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6272,
    "title": "Network Policy Server granted access to a user.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6273,
    "title": "Network Policy Server denied access to a user.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6274,
    "title": "Network Policy Server discarded the request for a user.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6275,
    "title": "Network Policy Server discarded the accounting request for a user.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6276,
    "title": "Network Policy Server quarantined a user.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6277,
    "title": "Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6278,
    "title": "Network Policy Server granted full access to a user because the host met the defined health policy.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6279,
    "title": "Network Policy Server locked the user account due to repeated failed authentication attempts.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6280,
    "title": "Network Policy Server unlocked the user account.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-AppendixL",
        "url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor",
        "priority": "medium"
      },
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6281,
    "title": "Code Integrity determined that the page hashes of an image file are not valid.",
    "note": "Code integrity determined that the page hashes of an image file are not valid.",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6410,
    "title": "Code integrity determined that a file does not meet the security requirements to load into a process.",
    "note": "Code integrity determined that a file does not meet the security requirements to load into a process.",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6416,
    "title": "A new external device was recognized by the system.",
    "note": "A new external device was recognized by the system (removable-media / USB device attachment; requires the PnP Activity audit subcategory)",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "mdecrevoisier",
        "url": "https://github.com/mdecrevoisier/Windows-auditing-baseline",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6419,
    "title": "A request was made to disable a device.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6420,
    "title": "A device was disabled.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6421,
    "title": "A request was made to enable a device.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6422,
    "title": "A device was enabled.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6423,
    "title": "The installation of this device is forbidden by system policy.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Auditing",
    "channel": "Security",
    "event_id": 6424,
    "title": "The installation of this device was allowed, after having previously been forbidden by policy.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "event_id": 1,
    "title": "Process '%2' (PID %5) would have been blocked from generating dynamic code.",
    "note": "Arbitrary Code Guard Auditing",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "event_id": 2,
    "title": "Process '%2' (PID %5) was blocked from generating dynamic code.",
    "note": "Arbitrary Code Guard Enforcement",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "event_id": 3,
    "title": "Process '%2' (PID %5) would have been blocked from creating a child process '%14' with command line '%16'.",
    "note": "Child Process Creation Auditing",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "event_id": 4,
    "title": "Process '%2' (PID %5) was blocked from creating a child process '%14' with command line '%16'.",
    "note": "Child Process Creation Enforcement",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "event_id": 5,
    "title": "Process '%2' (PID %5) would have been blocked from loading the low-integrity binary '%14'.",
    "note": "Low Integrity Image Load Auditing",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "event_id": 6,
    "title": "Process '%2' (PID %5) was blocked from loading the low-integrity binary '%14'.",
    "note": "Low Integrity Image Load Enforcement",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "event_id": 7,
    "title": "Process '%2' (PID %5) would have been blocking from loading a binary from a remote share.",
    "note": "Remote Image Loads Auditing",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "event_id": 8,
    "title": "Process '%2' (PID %5) was blocked from loading a binary from a remote share.",
    "note": "Remote Image Loads Enforcement",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "event_id": 9,
    "title": "Process '%2' (PID %5) would have been blocked from making system calls to Win32k.",
    "note": "Win32k System Call Auditing",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "event_id": 10,
    "title": "Process '%2' (PID %5) was blocked from making system calls to Win32k.",
    "note": "Win32k System Call Enforcement",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "event_id": 11,
    "title": "Process '%2' (PID %5) would have been blocked from loading the non-Microsoft-signed binary '%16'.",
    "note": "Non-Microsoft-signed Image Load Auditing",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "event_id": 12,
    "title": "Process '%2' (PID %5) was blocked from loading the non-Microsoft-signed binary '%16'.",
    "note": "Non-Microsoft-signed Image Load Enforcement",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/UserMode",
    "event_id": 13,
    "title": "Process '%2' (PID %3) would have been blocked from accessing the Export Address Table for module '%8'.",
    "note": "Export Address Table Access Auditing",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/UserMode",
    "event_id": 14,
    "title": "Process '%2' (PID %3) was blocked from accessing the Export Address Table for module '%8'.",
    "note": "Export Address Table Access Enforcement",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/UserMode",
    "event_id": 15,
    "title": "Process '%2' (PID %3) would have been blocked from accessing the Export Address Table for module '%8'.",
    "note": "Export Address Table Access Auditing (message template identical to event 13; distinguish by event ID, not message text)",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/UserMode",
    "event_id": 16,
    "title": "Process '%2' (PID %3) was blocked from accessing the Export Address Table for module '%8'.",
    "note": "Export Address Table Access Enforcement (message template identical to event 14; distinguish by event ID, not message text)",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/UserMode",
    "event_id": 17,
    "title": "Process '%2' (PID %3) would have been blocked from accessing the Import Address Table for API '%10'.",
    "note": "Import Address Table Access Auditing",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/UserMode",
    "event_id": 18,
    "title": "Process '%2' (PID %3) was blocked from accessing the Import Address Table for API '%10'.",
    "note": "Import Address Table Access Enforcement",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/UserMode",
    "event_id": 19,
    "title": "Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.",
    "note": "ROP Indication on API Call Auditing",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/UserMode",
    "event_id": 20,
    "title": "Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.",
    "note": "ROP Indication on API Call Enforcement",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/UserMode",
    "event_id": 21,
    "title": "Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.",
    "note": "ROP Indication on API Call Auditing (message template identical to event 19; distinguish by event ID, not message text)",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/UserMode",
    "event_id": 22,
    "title": "Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.",
    "note": "ROP Indication on API Call Enforcement (message template identical to event 20; distinguish by event ID, not message text)",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/UserMode",
    "event_id": 23,
    "title": "Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.",
    "note": "ROP Indication on API Call Auditing (message template identical to events 19 and 21; distinguish by event ID, not message text)",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "channel": "Microsoft-Windows-Security-Mitigations/UserMode",
    "event_id": 24,
    "title": "Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.",
    "note": "ROP Indication on API Call Enforcement (message template identical to events 20 and 22; distinguish by event ID, not message text)",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Servicing",
    "channel": "Setup",
    "event_id": 2,
    "title": "Package %1 was successfully changed to the %2 state.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-SMBClient",
    "channel": "Microsoft-Windows-SMBClient/Operational",
    "event_id": 30622,
    "title": "Session to server {ObjectName} was re-established.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-SMBClient",
    "channel": "Microsoft-Windows-SMBClient/Operational",
    "event_id": 30624,
    "title": "Connection to share {ObjectName} was re-established.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-SoftwareRestrictionPolicies",
    "channel": "Application",
    "event_id": 865,
    "title": "Access to %1 has been restricted by your Administrator by the default software restriction policy level.",
    "note": "Software Restriction Policies",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-SoftwareRestrictionPolicies",
    "channel": "Application",
    "event_id": 866,
    "title": "Access to %1 has been restricted by your Administrator by location with policy rule %2 placed on path %3.",
    "note": "Software Restriction Policies",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-SoftwareRestrictionPolicies",
    "channel": "Application",
    "event_id": 867,
    "title": "Access to %1 has been restricted by your Administrator by software publisher policy.",
    "note": "Software Restriction Policies",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-SoftwareRestrictionPolicies",
    "channel": "Application",
    "event_id": 868,
    "title": "Access to %1 has been restricted by your Administrator by policy rule %2.",
    "note": "Software Restriction Policies",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-SoftwareRestrictionPolicies",
    "channel": "Application",
    "event_id": 882,
    "title": "Access to %1 has been restricted by your Administrator by policy rule %2.",
    "note": "Software Restriction Policies",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 1,
    "title": "Process creation",
    "note": "Process creation",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 2,
    "title": "A process changed a file creation time",
    "note": "A process changed a file creation time",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 3,
    "title": "Network connection",
    "note": "Network connection",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 4,
    "title": "Sysmon service state changed",
    "note": "Sysmon service state changed",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 5,
    "title": "Process terminated",
    "note": "Process terminated",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Sysmon.xml",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 6,
    "title": "Driver loaded",
    "note": "Driver loaded",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 7,
    "title": "Image loaded",
    "note": "Image loaded",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 8,
    "title": "CreateRemoteThread",
    "note": "CreateRemoteThread",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Sysmon.xml",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 9,
    "title": "RawAccessRead",
    "note": "RawAccessRead",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 10,
    "title": "ProcessAccess",
    "note": "ProcessAccess",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 11,
    "title": "FileCreate",
    "note": "FileCreate",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Sysmon.xml",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 12,
    "title": "RegistryEvent (Object create and delete)",
    "note": "RegistryEvent (Object create and Delete)",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Sysmon.xml",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 13,
    "title": "RegistryEvent (Value Set)",
    "note": "RegistryEvent value set",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Sysmon.xml",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 14,
    "title": "RegistryEvent (Key and Value Rename)",
    "note": "RegistryEvent key and value rename",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Sysmon.xml",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 15,
    "title": "FileCreateStreamHash",
    "note": "FileCreateStreamHash",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Sysmon.xml",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 16,
    "title": "ServiceConfigurationChange",
    "note": "ServiceConfigurationChange",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 17,
    "title": "PipeEvent (Pipe Created)",
    "note": "PipeEvent pipe created",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Sysmon.xml",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 18,
    "title": "PipeEvent (Pipe Connected)",
    "note": "PipeEvent pipe connected",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Sysmon.xml",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 19,
    "title": "WmiEvent (WmiEventFilter activity detected)",
    "note": "WMIEvent WMIEventFilter activity detected",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 20,
    "title": "WmiEvent (WmiEventConsumer activity detected)",
    "note": "WMIEvent Consumer activity detected",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 21,
    "title": "WmiEvent (WmiEventConsumerToFilter activity detected)",
    "note": "WMIEvent Consumer to filter activity detected",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 22,
    "title": "DNSEvent (DNS query)",
    "note": "DNSEvent DNS Query",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 23,
    "title": "FileDelete (File Delete archived)",
    "note": "FileDelete a file delete was detected",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Sysmon.xml",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 24,
    "title": "ClipboardChange (New content in the clipboard)",
    "note": "ClipboardChange new content in clipboard",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 25,
    "title": "ProcessTampering (Process image change)",
    "note": "ProcessTampering process image change",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Sysmon.xml",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 26,
    "title": "FileDeleteDetected (File Delete logged)",
    "note": "File Delete Detected",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 255,
    "title": "Error report: UtcTime: %1 ID: %2 Description: %3.",
    "note": "Sysmon error",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 100,
    "title": "Task Scheduler started \"%3\" instance of the \"%1\" task for user \"%2\".",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 101,
    "title": "Task Scheduler failed to start \"%1\" task for user \"%2\".",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 102,
    "title": "Task Scheduler successfully finished \"%3\" instance of the \"%1\" task for user \"%2\".",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 103,
    "title": "Task Scheduler failed to start instance \"%2\" of \"%1\" task for user \"%3\" .",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 104,
    "title": "Task Scheduler failed to log on \"%1\" .",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 105,
    "title": "Task Scheduler failed to impersonate \"%1\" .",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 106,
    "title": "User \"%2\" registered Task Scheduler task \"%1\".",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 107,
    "title": "Task Scheduler launched \"%2\" instance of task \"%1\" due to a time trigger condition.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 108,
    "title": "Task Scheduler launched \"%2\" instance of task \"%1\" according to an event trigger.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 109,
    "title": "Task Scheduler launched \"%2\" instance of task \"%1\" according to a registration trigger.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 110,
    "title": "Task Scheduler launched \"%2\" instance of task \"%1\" for user \"%3\" .",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 111,
    "title": "Task Scheduler terminated \"%2\" instance of the \"%1\" task.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 112,
    "title": "Task Scheduler could not start task \"%1\" because the network was unavailable.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 113,
    "title": "Task registered task \"%1\" , but not all specified triggers will start the task.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 114,
    "title": "Task Scheduler could not launch task \"%1\" as scheduled.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 115,
    "title": "Task Scheduler failed to roll back a transaction when updating or deleting a task.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 116,
    "title": "Task Scheduler validated the configuration for task \"%1\" , but credentials could not be stored.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 117,
    "title": "Task Scheduler launched \"%2\" instance of task \"%1\" due to an idle condition.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 118,
    "title": "Task Scheduler launched \"%2\" instance of task \"%1\" due to system startup.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 119,
    "title": "Task Scheduler launched \"%3\" instance of task \"%1\" due to user \"%2\" logon.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 120,
    "title": "Task Scheduler launched \"%3\" instance of task \"%1\" due to user \"%2\" connecting to the console trigger.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 121,
    "title": "Task Scheduler launched \"%3\" instance of task \"%1\" due to user \"%2\" disconnecting from the console trigger.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 122,
    "title": "Task Scheduler launched \"%3\" instance of task \"%1\" due to user \"%2\" remotely connecting trigger.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 123,
    "title": "Task Scheduler launched \"%3\" instance of task \"%1\" due to user \"%2\" remotely disconnecting trigger.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 124,
    "title": "Task Scheduler launched \"%3\" instance of task \"%1\" due to user \"%2\" locking the computer trigger.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 125,
    "title": "Task Scheduler launched \"%3\" instance of task \"%1\" due to user \"%2\" unlocking the computer trigger.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 126,
    "title": "Task Scheduler failed to execute task \"%1\" .",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 127,
    "title": "Task Scheduler failed to execute task \"%1\" due to a shutdown race condition.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 128,
    "title": "Task Scheduler did not launch task \"%1\" , because current time exceeds the configured task end time.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 129,
    "title": "Task Scheduler launch task \"%1\" , instance \"%2\" with process ID %3.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 130,
    "title": "Task Scheduler failed to start task \"%1\" due to the service being busy.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 131,
    "title": "Task Scheduler failed to start task \"%1\" because the number of tasks in the task queue exceeding the quota currently configured to %2.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 132,
    "title": "Task Scheduler task launching queue quota is approaching its preset limit of tasks currently configured to %1.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 133,
    "title": "Task Scheduler failed to start task %1\" in TaskEngine \"%2\" for user \"%3\".",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 134,
    "title": "Task Engine \"%1\" for user \"%2\" is approaching its preset limit of tasks.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 135,
    "title": "Task Scheduler could not start task \"%1\" because the machine was not idle.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 140,
    "title": "User \"%2\" updated Task Scheduler task \"%1\".",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 141,
    "title": "User \"%2\" deleted Task Scheduler task \"%1\".",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 142,
    "title": "User \"%2\" disabled Task Scheduler task \"%1\".",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 145,
    "title": "Task Scheduler woke up the computer to run a task.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 146,
    "title": "Task Scheduler failed to load task \"%1\" at service startup.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 147,
    "title": "Task Scheduler recovered sucessfully the image of task \"%1\" after a corruption occured during OS upgrade.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 148,
    "title": "Task Scheduler failed to recover the image of task \"%1\" after a corruption occured during OS upgrade.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 149,
    "title": "Task \"%1\" is using a combination of properties that is incompatible with the scheduling engine.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 150,
    "title": "Task Scheduler failed to subscribe for the event trigger for task \"%1\".",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 151,
    "title": "Task instantiation failed \"%1\".",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 152,
    "title": "Task \"%1\" was re-directed to legacy scheduling engine.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 153,
    "title": "Task Scheduler did not launch task \"%1\" as it missed its schedule.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 155,
    "title": "Task Scheduler is currently waiting on completion of task \"%1\".",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 200,
    "title": "Task Scheduler launched action \"%2\" in instance \"%3\" of task \"%1\".",
    "note": "Task Launched",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 201,
    "title": "Task Scheduler successfully completed task \"%1\" , instance \"%3\" , action \"%2\" .",
    "note": "Task Scheduler successfully completed task",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 202,
    "title": "Task Scheduler failed to complete task \"%1\" , instance \"%2\" , action \"%3\" .",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 203,
    "title": "Task Scheduler failed to launch action \"%3\" in instance \"%2\" of task \"%1\".",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 204,
    "title": "Task Scheduler failed to retrieve the event triggering values for task \"%1\" .",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 205,
    "title": "Task Scheduler failed to match the pattern of events for task \"%1\" .",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 300,
    "title": "Task Scheduler started Task Engine \"%1\" with process ID %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 301,
    "title": "Task Scheduler is shutting down Task Engine \"%1\".",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 303,
    "title": "Task Scheduler is shutting down Task Engine \"%1\" due to an error in \"%2\" .",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 304,
    "title": "Task Scheduler sent \"%1\" task to Task Engine \"%2\" .",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 305,
    "title": "Task Scheduler did not send \"%1\" task to Task Engine \"%2\" .",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 306,
    "title": "For Task Scheduler Task Engine \"%1\" , the thread pool failed to process the message.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 307,
    "title": "Task Scheduler service failed to connect to the Task Engine \"%1\" process.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 308,
    "title": "Task Scheduler connected to the Task Engine \"%1\" process.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 309,
    "title": "Task Scheduler %1 tasks orphaned during Task Engine \"%2\" shutdown.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 310,
    "title": "Task Scheduler started Task Engine \"%1\" process.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 311,
    "title": "Task Scheduler failed to start Task Engine \"%1\" process due to an error occurring in \"%3\" .",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 312,
    "title": "Task Scheduler created the Win32 job object for Task Engine \"%1\" .",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 313,
    "title": "Task Scheduler channel with Task Engine \"%1\" is ready to send and receive messages.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 314,
    "title": "Task Scheduler has no tasks running for Task Engine \"%1\" , and the idle timer has started.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 315,
    "title": "Task Engine \"%1\" process failed to connect to the Task Scheduler service.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 316,
    "title": "Task Engine \"%1\" failed to send a message to the Task Scheduler service.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 317,
    "title": "Task Scheduler started Task Engine \"%1\" process.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 318,
    "title": "Task Scheduler shutdown Task Engine \"%1\" process.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 319,
    "title": "Task Engine \"%1\" received a message from Task Scheduler service requesting to launch task \"%2\" .",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 320,
    "title": "Task Engine \"%1\" received a message from Task Scheduler service requesting to stop task instance \"%2\" .",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 322,
    "title": "Task Scheduler did not launch task \"%1\" because instance \"%2\" of the same task is already running.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 323,
    "title": "Task Scheduler stopped instance \"%2\" of task \"%1\" in order to launch new instance \"%3\" .",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 324,
    "title": "Task Scheduler queued instance \"%2\" of task \"%1\" and will launch it as soon as instance \"%3\" completes.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 325,
    "title": "Task Scheduler queued instance \"%2\" of task \"%1\".",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 326,
    "title": "Task Scheduler did not launch task \"%1\" because computer is running on batteries.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 327,
    "title": "Task Scheduler stopped instance \"%2\" of task \"%1\" because the computer is switching to battery power.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 328,
    "title": "Task Scheduler stopped instance \"%2\" of task \"%1\" because computer is no longer idle.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 329,
    "title": "Task Scheduler terminated \"%2\" instance of the \"%1\" task due to exceeding the time allocated for execution, as configured in the task definition.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 330,
    "title": "Task Scheduler stopped instance \"%2\" of task \"%1\" as request by user \"%3\" .",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 331,
    "title": "Task Scheduler will continue to execute Instance \"%2\" of task \"%1\" even after the designated timeout, due to a failure to create the timeout mechan...",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 332,
    "title": "Task Scheduler did not launch task \"%1\" because user \"%2\" was not logged on when the launching conditions were met.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 333,
    "title": "Task Scheduler did not launch task \"%1\" because target session is RemoteApp session.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 334,
    "title": "Task Scheduler did not launch task \"%1\" because target session is a WORKER session.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 400,
    "title": "Task Scheduler service has started.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 402,
    "title": "Task Scheduler service is shutting down.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 403,
    "title": "Task Scheduler service has encountered an error in \"%1\" .",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 410,
    "title": "Task Scheduler service failed to set a wakeup timer.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 411,
    "title": "Task Scheduler service received a time system change notification.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 700,
    "title": "Task Scheduler service started Task Compatibility module.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 706,
    "title": "Task Compatibility module failed to update task \"%1\" to the required status %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 707,
    "title": "Task Compatibility module failed to delete task \"%1\" .",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 708,
    "title": "Task Compatibility module failed to set security descriptor \"%1\" for task \"%2\" .",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 709,
    "title": "Task Compatibility module failed to update task \"%1\" .",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 710,
    "title": "Task Compatibility module failed to upgrade existing tasks.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 711,
    "title": "Task Compatibility module failed to upgrade NetSchedule account \"%1\" .",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 712,
    "title": "Task Compatibility module failed to read existing store to upgrade tasks.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 713,
    "title": "Task Compatibility module failed to load task \"%1\" for upgrade.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 714,
    "title": "Task Compatibility module failed to register task \"%1\" for upgrade.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 715,
    "title": "Task Compatibility module failed to delete LSA store for upgrade.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TaskScheduler",
    "channel": "Microsoft-Windows-TaskScheduler/Operational",
    "event_id": 717,
    "title": "Task Compatibility module failed to determine if upgrade is needed.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
    "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
    "event_id": 1024,
    "title": "RDP ClientActiveX is trying to connect to the server",
    "note": "Outbound TS connection attempt",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
    "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
    "event_id": 1025,
    "title": "RDP ClientActiveX has connected to the server",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 16,
    "title": "Local Multi-User session manager failed to start.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 17,
    "title": "Remote Desktop Service start failed.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 18,
    "title": "Remote Desktop Service is shutdown for unknown reason.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 19,
    "title": "Registering with Service Control Manager to monitor Remote Desktop Service status failed with %1, retry in ten minutes.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 20,
    "title": "Attempt to send %1 message to Windows video subsystem failed.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 21,
    "title": "Remote Desktop Services: Session logon succeeded: User: %1 Session ID: %2 Source Network Address: %3.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 22,
    "title": "Remote Desktop Services: Shell start notification received: User: %1 Session ID: %2 Source Network Address: %3.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 23,
    "title": "Remote Desktop Services: Session logoff succeeded: User: %1 Session ID: %2.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 24,
    "title": "Remote Desktop Services: Session has been disconnected: User: %1 Session ID: %2 Source Network Address: %3.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 25,
    "title": "Remote Desktop Services: Session reconnection succeeded: User: %1 Session ID: %2 Source Network Address: %3.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 32,
    "title": "Plugin RDSAppXPlugin has been successfully initialized",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 33,
    "title": "Plugin %1 failed to initialize, error code %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 34,
    "title": "Remote Desktop Services is not accepting logons because setup is running.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 35,
    "title": "The client process ID %1 could not complete the session change notification event sent by the Remote Desktop service.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 36,
    "title": "An error occurred when transitioning from %3 in response to %5.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 37,
    "title": "Invalid state transition from %3 in response to %5.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 39,
    "title": "Session %1 has been disconnected by session %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 40,
    "title": "Session %1 has been disconnected, reason code %2",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 41,
    "title": "Begin session arbitration: User: %1 Session ID: %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 42,
    "title": "End session arbitration: User: %1 Session ID: %2.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 43,
    "title": "Windows Subsystem has taken too long to process Connect event for session %1.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 44,
    "title": "Windows Subsystem has taken too long to process Disconnect event for session %1.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 45,
    "title": "Windows Subsystem has taken too long to process Terminate event for session %1.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 48,
    "title": "Remote Connection Manager has taken too long to process logon message for session %1.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 49,
    "title": "Remote Connection Manager has taken too long to prepare for session arbitration for session %1.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 50,
    "title": "Remote Connection Manager has taken too long to process begin-connect-message for session %1.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 51,
    "title": "Remote Connection Manager has taken too long to process end-connect-message for session %1.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 52,
    "title": "Remote Connection Manager has taken too long to process begin-disconnect-message for session %1.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 53,
    "title": "Remote Connection Manager has taken too long to process end-disconnect-message for session %1.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 54,
    "title": "Local multi-user session manager received system shutdown message",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 55,
    "title": "Remote Desktop Service has taken too long to start up",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 56,
    "title": "Remote Desktop Service has taken too long to shutdown",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 59,
    "title": "%s from %S( #0x%x/0x%x )",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "event_id": 60,
    "title": "Glass session %1 has been reconnected to a remote protocol, this session can now only be reconnect locally or from same remote protocol.",
    "note": "",
    "sources": [
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-User Profiles Service",
    "channel": "Application",
    "event_id": 1511,
    "title": "Windows cannot find the local profile and is logging you on with a temporary profile.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-User Profiles Service",
    "channel": "Application",
    "event_id": 1518,
    "title": "Windows cannot create a local profile and is logging you on with a temporary profile.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-WER-Diag",
    "channel": "Microsoft-Windows-WER-Diag/Operational",
    "event_id": 5,
    "title": "CFG violation is detected.",
    "note": "Control Flow Guard Violation",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-WER-SystemErrorReporting",
    "channel": "System",
    "event_id": 1001,
    "title": "The computer has rebooted from a bugcheck.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Win32k",
    "channel": "Microsoft-Windows-Win32k/Operational",
    "event_id": 260,
    "title": "%1 attempted loading a font that is restricted by font loading policy.",
    "note": "Attempt to load untrusted font",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1005,
    "title": "%1 scan has encountered an error and terminated.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1006,
    "title": "%1 has detected malware or other potentially unwanted software.",
    "note": "Malware detected",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1007,
    "title": "%1 has taken action to protect this machine from malware or other potentially unwanted software.",
    "note": "Malware removal action taken",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1008,
    "title": "%1 has encountered an error when taking action on malware or other potentially unwanted software.",
    "note": "Action on malware failed",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1009,
    "title": "%1 has restored an item from quarantine.",
    "note": "Restored file from quarantine",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1010,
    "title": "%1 has encountered an error trying to restore an item from quarantine.",
    "note": "Failed to restore item from quarantine",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1015,
    "title": "%1 has detected a suspicious behavior.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1116,
    "title": "%1 has detected malware or other potentially unwanted software.",
    "note": "Malware detected",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1117,
    "title": "%1 has taken action to protect this machine from malware or other potentially unwanted software.",
    "note": "Malware removal action taken",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1118,
    "title": "%1 has encountered a non-critical error when taking action on malware or other potentially unwanted software.",
    "note": "Malware removal action taken with non-critical error",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1119,
    "title": "%1 has encountered a critical error when taking action on malware or other potentially unwanted software.",
    "note": "Malware removal action attempted with critical error",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1121,
    "title": "Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.",
    "note": "Attack Surface Reduction rule fired in Block-Mode",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1122,
    "title": "Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.",
    "note": "Attack Surface Reduction rule fired in Audit-Mode",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1123,
    "title": "%8 has been blocked from modifying %7 by Controlled Folder Access.",
    "note": "Blocked Controlled Folder Access",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1124,
    "title": "%8 would have been blocked from modifying %7 by Controlled Folder Access.",
    "note": "Audited Controlled Folder Access",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1125,
    "title": "Your IT administrator would have caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.",
    "note": "Network Protection rule fired in Audit-Mode",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1126,
    "title": "Your IT administrator has caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.",
    "note": "Network Protection rule fired in Block-Mode",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1127,
    "title": "Controlled Folder Access blocked %8 from making changes to memory.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 2001,
    "title": "%1 has encountered an error trying to update security intelligence.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 2003,
    "title": "%1 has encountered an error trying to update the engine.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 2004,
    "title": "%1 has encountered an error trying to update security intelligence and will attempt to revert to a previous version.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 3002,
    "title": "%1 Real-Time Protection feature has encountered an error and failed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 5001,
    "title": "%1 Real-time Protection scanning for malware and other potentially unwanted software was disabled.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 5004,
    "title": "%1 Real-time Protection feature configuration has changed.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 5007,
    "title": "%1 Configuration has changed.",
    "note": "Attack Surface Reduction, Controlled Folder Access or Network Protection settings changed",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 5008,
    "title": "%1 engine has been terminated due to an unexpected error.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 5010,
    "title": "%1 scanning for spyware and other potentially unwanted software is disabled.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 5012,
    "title": "%1 scanning for viruses is disabled.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 5013,
    "title": "Tamper Protection %3 a change to %1.",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-Defender",
        "url": "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "event_id": 2003,
    "title": "A Windows Defender Firewall setting in the %1 profile has changed.",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "event_id": 2004,
    "title": "A rule has been added to the Windows Defender Firewall exception list.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "event_id": 2005,
    "title": "A rule has been modified in the Windows Defender Firewall exception list.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "event_id": 2006,
    "title": "A rule has been deleted in the Windows Defender Firewall exception list.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "event_id": 2009,
    "title": "The Windows Defender Firewall service failed to load Group Policy.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "event_id": 2033,
    "title": "All rules have been deleted from the Windows Defender Firewall configuration on this computer.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows-Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1006,
    "title": "%1 has detected malware or other potentially unwanted software.",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows-Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1007,
    "title": "%1 has taken action to protect this machine from malware or other potentially unwanted software.",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows-Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1008,
    "title": "%1 has encountered an error when taking action on malware or other potentially unwanted software.",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows-Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1009,
    "title": "%1 has restored an item from quarantine.",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows-Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1116,
    "title": "%1 has detected malware or other potentially unwanted software.",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows-Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1117,
    "title": "%1 has taken action to protect this machine from malware or other potentially unwanted software.",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows-Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1118,
    "title": "%1 has encountered a non-critical error when taking action on malware or other potentially unwanted software.",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows-Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1119,
    "title": "%1 has encountered a critical error when taking action on malware or other potentially unwanted software.",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-Windows-Defender",
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "event_id": 1120,
    "title": "%1 has deduced the hashes for a threat resource.",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-WindowsUpdateClient",
    "channel": "System",
    "event_id": 19,
    "title": "Installation Successful: Windows successfully installed the following update.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-WindowsUpdateClient",
    "channel": "System",
    "event_id": 20,
    "title": "Installation Failure: Windows failed to install the following update with error %1: %2.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-WindowsUpdateClient",
    "channel": "System",
    "event_id": 24,
    "title": "Uninstallation Failure: Windows failed to uninstall the following update with error %1: %2.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-WindowsUpdateClient",
    "channel": "Microsoft-Windows-WindowsUpdateClient/Operational",
    "event_id": 25,
    "title": "Windows Update failed to check for updates with error %1.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-WindowsUpdateClient",
    "channel": "Microsoft-Windows-WindowsUpdateClient/Operational",
    "event_id": 31,
    "title": "Windows Update failed to download an update.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-WindowsUpdateClient",
    "channel": "Microsoft-Windows-WindowsUpdateClient/Operational",
    "event_id": 34,
    "title": "The Windows Update Client Core component failed to install a self-update with error %1.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-WindowsUpdateClient",
    "channel": "Microsoft-Windows-WindowsUpdateClient/Operational",
    "event_id": 35,
    "title": "The Windows Update Client Auxillary component failed to install a self-update with error %1.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-WLAN-AutoConfig",
    "channel": "Microsoft-Windows-WLAN-AutoConfig/Operational",
    "event_id": 8001,
    "title": "WLAN AutoConfig service has successfully connected to a wireless network.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-WLAN-AutoConfig",
    "channel": "Microsoft-Windows-WLAN-AutoConfig/Operational",
    "event_id": 8002,
    "title": "WLAN AutoConfig service failed to connect to a wireless network.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-WLAN-AutoConfig",
    "channel": "Microsoft-Windows-WLAN-AutoConfig/Operational",
    "event_id": 8003,
    "title": "WLAN AutoConfig service has successfully disconnected from a wireless network.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-WMI-Activity",
    "channel": "Microsoft-Windows-WMI-Activity/Operational",
    "event_id": 5857,
    "title": "%1 provider started with result code %2.",
    "note": "A WMI provider was loaded",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/WMI.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-WMI-Activity",
    "channel": "Microsoft-Windows-WMI-Activity/Operational",
    "event_id": 5858,
    "title": "Id = %1; ClientMachine = %2; User = %3; ClientProcessId = %4; Component = %5; Operation = %6; ResultCode = %7; PossibleCause = %8.",
    "note": "A WMI query error has occurred",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/WMI.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-WMI-Activity",
    "channel": "Microsoft-Windows-WMI-Activity/Operational",
    "event_id": 5859,
    "title": "Namespace = %1; NotificationQuery = %2; OwnerName = %3; HostProcessID = %4; Provider= %5, queryID = %6; PossibleCause = %7.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/WMI.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-WMI-Activity",
    "channel": "Microsoft-Windows-WMI-Activity/Operational",
    "event_id": 5860,
    "title": "Namespace = %1; NotificationQuery = %2; UserName = %3; ClientProcessID = %4, ClientMachine = %5; PossibleCause = %6.",
    "note": "A temporary WMI event subscription has been created",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/WMI.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Microsoft-Windows-WMI-Activity",
    "channel": "Microsoft-Windows-WMI-Activity/Operational",
    "event_id": 5861,
    "title": "Namespace = %1; Eventfilter = %2 (refer to its activate eventid:5859); Consumer = %3; PossibleCause = %4.",
    "note": "A permanent WMI event subscription has been created",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/WMI.xml",
        "priority": "recommended"
      },
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "Yamato Security",
        "url": "https://github.com/Yamato-Security/EventLog-Baseline-Guide",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "MsiInstaller",
    "channel": "Application",
    "event_id": 1022,
    "title": "Product: Microsoft .",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "MsiInstaller",
    "channel": "Application",
    "event_id": 1033,
    "title": "Windows Installer installed the product.",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "PowerShell",
    "channel": "Windows PowerShell",
    "event_id": 300,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "PowerShell",
    "channel": "Windows PowerShell",
    "event_id": 400,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "PowerShell",
    "channel": "Windows PowerShell",
    "event_id": 403,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "PowerShell",
    "channel": "Windows PowerShell",
    "event_id": 800,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Service Control Manager",
    "channel": "System",
    "event_id": 7000,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Service Control Manager",
    "channel": "System",
    "event_id": 7022,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Service Control Manager",
    "channel": "System",
    "event_id": 7023,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Service Control Manager",
    "channel": "System",
    "event_id": 7024,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Service Control Manager",
    "channel": "System",
    "event_id": 7026,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Service Control Manager",
    "channel": "System",
    "event_id": 7031,
    "title": "",
    "note": "Service terminated unexpectedly; it has done this %n times",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Service Control Manager",
    "channel": "System",
    "event_id": 7032,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Service Control Manager",
    "channel": "System",
    "event_id": 7034,
    "title": "",
    "note": "Service terminated unexpectedly, corrective action %x taken",
    "sources": [
      {
        "label": "NSA",
        "url": "https://github.com/nsacyber/Event-Forwarding-Guidance",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Service Control Manager",
    "channel": "System",
    "event_id": 7036,
    "title": "The Microsoft Software Shadow Copy Provider service entered the stopped state.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Services.xml",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Service Control Manager",
    "channel": "System",
    "event_id": 7040,
    "title": "The start type of the msdsm service was changed from boot start to demand start.",
    "note": "Service start type changed",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Services.xml",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      },
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Service Control Manager",
    "channel": "System",
    "event_id": 7045,
    "title": "A service was installed in the system.",
    "note": "",
    "sources": [
      {
        "label": "Palantir",
        "url": "https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Services.xml",
        "priority": "recommended"
      },
      {
        "label": "Olaf Hartong",
        "url": "https://github.com/olafhartong/ATTACKdatamap",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Service-Control-Manager",
    "channel": "System",
    "event_id": 7000,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "Service-Control-Manager",
    "channel": "System",
    "event_id": 7045,
    "title": "A service was installed in the system.",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      },
      {
        "label": "ANSSI",
        "url": "https://github.com/ANSSI-FR/guide-journalisation-microsoft",
        "priority": "recommended"
      },
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "USER32",
    "channel": "System",
    "event_id": 1074,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "Microsoft-WEF",
        "url": "https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "User32",
    "channel": "System",
    "event_id": 1074,
    "title": "",
    "note": "Shutdown or restart initiated (records the requesting process and user)",
    "sources": [
      {
        "label": "JSCU-NL",
        "url": "https://github.com/JSCU-NL/logging-essentials",
        "priority": "recommended"
      }
    ]
  },
  {
    "provider": "VSSAudit",
    "channel": "Security",
    "event_id": 8222,
    "title": "",
    "note": "",
    "sources": [
      {
        "label": "Splunk-UBA",
        "url": "https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.4/add-windows-events-to-splunk-uba/which-windows-events-are-used-by-splunk-uba",
        "priority": "low"
      }
    ]
  },
  {
    "provider": "Windows-Error-Reporting",
    "channel": "Application",
    "event_id": 1001,
    "title": "Fault bucket %1, type %2 Event Name: %3 Response: %4 Cab Id: %5 Problem signature: P1: %6 P2: %7 P3: %8 P4: %9 P5: %10 P6: %11 P7: %12 ...",
    "note": "",
    "sources": [
      {
        "label": "ASD",
        "url": "https://www.cyber.gov.au/sites/default/files/2025-05/Priority%20logs%20for%20SIEM%20ingestion%20-%20Practitioner%20guidance.pdf",
        "priority": "recommended"
      }
    ]
  }
]