ESENT

19 events across 1 channel

Event ID | Title | Channel
102 | | Application
103 | | Application
105 | | Application
210 | | Application
213 | | Application
216 | | Application
220 | | Application
221 | | Application
223 | | Application
225 | | Application
300 | | Application
301 | | Application
302 | | Application
325 | | Application
326 | | Application
327 | | Application
508 | | Application
609 | | Application
612 | | Application

Event ID 102 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Fields

Name | Description
Data

Example Event

# Example ESENT event 102 as captured on the Application channel (level 4, task 1).
# The system block identifies no actor: process_id/thread_id are 0 and user_id is
# empty, so the reporting component is only visible in event_data.Data.
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 102
  version: 0
  level: 4
  task: 1
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  time_created: '2022-04-07T17:04:18.031710+00:00'
  event_record_id: 213
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  # Positional payload (this sample uses a single Data list rather than Data_N keys,
  # which other samples on this page use; consumers should accept both layouts).
  # Data[0] 'DFSRs' looks like the reporting component name and the leading number
  # in Data[1] like its PID — presumably, since execution.process_id is 0 here; confirm.
  # Data[2] is the database path. The remaining entries are quoted so that '00' and
  # '0000' stay strings instead of being read as YAML integers.
  Data:
  - DFSRs
  - 2648,P,98
  - '\\.\C:\System Volume Information\DFSR\database_3CDA_D04B_DAD0_2D6\dfsr.db: '
  - '0'
  - '10'
  - '00'
  - '20348'
  - '0000'
message: ''

References

Event ID 103 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Fields

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Binary

Example Event

# Example ESENT event 103 as captured on the Application channel (level 4, task 1).
# Unlike most samples on this page, execution.process_id is populated (6516) and
# matches the leading number of Data_1, which supports reading that field as the PID.
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 103
  version: 0
  level: 4
  task: 1
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  time_created: '2023-11-06T00:52:50.912506+00:00'
  event_record_id: 1968
  correlation: {}
  execution:
    process_id: 6516
    thread_id: 0
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  # Named-field layout (Data_0..Data_5 plus Binary) rather than a positional Data list.
  Data_0: avguard
  Data_1: 6516,T,97
  Data_2: 'GaviDB_0: '
  Data_3: '0'
  # Data_4 is one single-quoted multi-line scalar: each blank line below becomes a
  # newline in the value, and the ' #' sequences are content, not YAML comments.
  Data_4: '

    [1] 0.000056 +J(0) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K)

    [2] 0.002298 +J(0) +M(C:0K, Fs:4, WS:16K # 0K, PF:0K # 0K, P:0K)

    [3] 0.001712 +J(0) +M(C:0K, Fs:5, WS:20K # 0K, PF:0K # 0K, P:0K)

    [4] 0.000645 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)

    [5] 0.144663 -0.036786 (7) WT +J(0) +M(C:0K, Fs:84, WS:332K # 0K, PF:0K # 0K,
    P:0K)

    [6] 0.000012 +J(0)

    [7] 0.000079 +J(0) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K)

    [8] 0.031475 -0.008007 (10) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3804/2) +M(C:0K,
    Fs:23, WS:52K # 0K, PF:-24K # 0K, P:-24K)

    [9] 0.001482 -0.000596 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:66/1) +M(C:0K,
    Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)

    [10] 0.000036 +J(0)

    [11] 0.008375 -0.001099 (2) WT +J(0)

    [12] 0.000078 +J(0) +M(C:0K, Fs:2, WS:4K # 0K, PF:-4K # 0K, P:-4K)

    [13] 0.000572 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)

    [14] 0.000048 +J(0) +M(C:0K, Fs:1, WS:-12K # 0K, PF:-32K # 0K, P:-32K)

    [15] 0.000012 +J(0).'
  Data_5: '0'
  Binary: ''
message: ''

References

Event ID 105 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Fields

Name | Description
Data

Example Event

# Example ESENT event 105 as captured on the Application channel (level 4, task 1),
# recorded 0.4 s after the event 102 sample above on the same host and with the same
# Data[1] leading number (2648) and database path.
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 105
  version: 0
  level: 4
  task: 1
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  time_created: '2022-04-07T17:04:18.422710+00:00'
  event_record_id: 214
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  # Positional payload; Data[5] is a single-quoted multi-line scalar (blank lines
  # become newlines, ' #' is content). Entries such as '[8] -' are part of that string.
  Data:
  - DFSRs
  - 2648,D,0
  - '\\.\C:\System Volume Information\DFSR\database_3CDA_D04B_DAD0_2D6\dfsr.db: '
  - '0'
  - '0'
  - '

    [1] 0.000907 +J(0) +M(C:0K, Fs:207, WS:804K # 804K, PF:2692K # 2592K, P:2692K)

    [2] 0.000228 +J(0) +M(C:16K, Fs:142, WS:556K # 556K, PF:4132K # 4132K, P:4132K)

    [3] 0.000013 +J(0) +M(C:0K, Fs:3, WS:12K # 12K, PF:64K # 64K, P:64K)

    [4] 0.000154 +J(0) +M(C:2032K, Fs:34, WS:128K # 128K, PF:2440K # 2440K, P:2440K)

    [5] 0.000832 +J(0) +M(C:0K, Fs:10, WS:40K # 40K, PF:24K # 24K, P:24K)

    [6] 0.003014 +J(0) +M(C:0K, Fs:21, WS:84K # 84K, PF:12K # 12K, P:12K)

    [7] 0.335559 -0.330052 (11) WT +J(0) +M(C:0K, Fs:1300, WS:5188K # 5188K, PF:5132K
    # 5132K, P:5132K)

    [8] -

    [9] -

    [10] -

    [11] -

    [12] -

    [13] 0.041925 -0.032647 (12) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:616/1) +M(C:0K,
    Fs:6, WS:-5104K # 16K, PF:-5128K # 12K, P:-5128K)

    [14] 0.000023 +J(0)

    [15] 0.000092 +J(0) +M(C:0K, Fs:65, WS:256K # 0K, PF:68K # 0K, P:68K)

    [16] 0.000769 -0.000141 (1) WT +J(0) +M(C:0K, Fs:3, WS:4K # 0K, PF:0K # 0K, P:0K).'
message: ''

References

Event ID 210 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Fields

Name | Description
Data

Example Event

# Example ESENT event 210 as captured on the Application channel (level 4, task 3).
# This older sample (2013, host IE8Win7) has a whole-second time_created with no
# fractional part; parsers should not assume microsecond precision.
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 210
  version: 0
  level: 4
  task: 3
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  time_created: '2013-10-23T16:22:59+00:00'
  event_record_id: 94
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: IE8Win7
  security:
    user_id: ''
event_data:
  # Three positional entries: component name, a number kept as a quoted string, and
  # an instance label with a trailing space preserved by the quotes.
  Data:
  - WinMail
  - '280'
  - 'WindowsMail0: '
message: ''

References

Event ID 213 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Fields

Name | Description
Data

Example Event

# Example ESENT event 213 as captured on the Application channel (level 4, task 3).
# Same host, component and payload shape as the event 210 sample above, one second
# later (event_record_id 99 vs 94).
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 213
  version: 0
  level: 4
  task: 3
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  time_created: '2013-10-23T16:23:00+00:00'
  event_record_id: 99
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: IE8Win7
  security:
    user_id: ''
event_data:
  # Component name, quoted numeric string, instance label (trailing space kept).
  Data:
  - WinMail
  - '280'
  - 'WindowsMail0: '
message: ''

References

Event ID 216 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Fields

Name | Description
Data

Example Event

# Example ESENT event 216 as captured on the Application channel (level 4, task 3)
# on a domain controller (rootdc1.offsec.lan). The page lists the Sigma rule
# "Ntdsutil Abuse" under this event: Data[0] names lsass and Data[3]/Data[4] pair the
# live NTDS database path with a copy of it under a HarddiskVolumeShadowCopy device,
# which is the detail a detection would key on. user_id is empty, so the account
# behind the operation must be correlated from other sources.
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 216
  version: 0
  level: 4
  task: 3
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  time_created: '2021-06-05T19:36:36.537144+00:00'
  event_record_id: 442136
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: rootdc1.offsec.lan
  security:
    user_id: ''
event_data:
  # Data[1] is a quoted number; Data[2] is an empty string; the two paths are plain
  # scalars (backslashes are literal in plain YAML scalars, so no quoting is needed).
  Data:
  - lsass
  - '548'
  - ''
  - C:\Windows\NTDS\ntds.dit
  - \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\NTDS\ntds.dit
message: ''

Sigma Rules

  • Ntdsutil Abuse
    Detects potential abuse of ntdsutil to dump ntds.dit database

References

Event ID 220 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Fields

Name | Description
Data

Example Event

# Example ESENT event 220 as captured on the Application channel (level 4, task 3).
# Extends the WinMail payload seen in events 210/213 with the message-store file
# path and a size string.
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 220
  version: 0
  level: 4
  task: 3
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  time_created: '2013-10-23T16:22:59+00:00'
  event_record_id: 95
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: IE8Win7
  security:
    user_id: ''
event_data:
  # Data[3] is a user-profile path (plain scalar, backslashes literal); Data[4] is the
  # free-text size '2 Mb', so it must be parsed as a string, not a number.
  Data:
  - WinMail
  - '280'
  - 'WindowsMail0: '
  - C:\Users\IEUser\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore
  - 2 Mb
message: ''

References

Event ID 221 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Fields

Name | Description
Data

Example Event

# Example ESENT event 221 as captured on the Application channel (level 4, task 3).
# Same WinMail session as the surrounding samples (record id 96, same second as 220).
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 221
  version: 0
  level: 4
  task: 3
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  time_created: '2013-10-23T16:22:59+00:00'
  event_record_id: 96
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: IE8Win7
  security:
    user_id: ''
event_data:
  # Component, quoted number, instance label, then the message-store path.
  Data:
  - WinMail
  - '280'
  - 'WindowsMail0: '
  - C:\Users\IEUser\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore
message: ''

References

Event ID 223 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Fields

Name | Description
Data

Example Event

# Example ESENT event 223 as captured on the Application channel (level 4, task 3).
# The payload carries a log-file path twice (Data[3] and Data[4] are identical in
# this sample); whether the two slots can differ cannot be told from here.
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 223
  version: 0
  level: 4
  task: 3
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  time_created: '2013-10-23T16:23:00+00:00'
  event_record_id: 97
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: IE8Win7
  security:
    user_id: ''
event_data:
  # Component, quoted number, instance label, then two plain-scalar paths.
  Data:
  - WinMail
  - '280'
  - 'WindowsMail0: '
  - C:\Users\IEUser\AppData\Local\Microsoft\Windows Mail\edb00001.log
  - C:\Users\IEUser\AppData\Local\Microsoft\Windows Mail\edb00001.log
message: ''

References

Event ID 225 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Fields

Name | Description
Data

Example Event

# Example ESENT event 225 as captured on the Application channel (level 4, task 3).
# Minimal WinMail payload, identical in shape to the 210/213 samples.
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 225
  version: 0
  level: 4
  task: 3
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  time_created: '2013-10-23T16:23:00+00:00'
  event_record_id: 98
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: IE8Win7
  security:
    user_id: ''
event_data:
  # Component name, quoted numeric string, instance label (trailing space kept).
  Data:
  - WinMail
  - '280'
  - 'WindowsMail0: '
message: ''

References

Event ID 300 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Fields

Name | Description
Data

Example Event

# Example ESENT event 300 as captured on the Application channel (level 4, task 3).
# The reporting component is svchost; as in the DFSRs samples, the leading number in
# Data[1] (988) is presumably its PID while execution.process_id is 0 — confirm.
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 300
  version: 0
  level: 4
  task: 3
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  time_created: '2022-04-04T07:41:19.840598+00:00'
  event_record_id: 119
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: WIN-TKC15D7KHUR
  security:
    user_id: ''
event_data:
  # Component, 'pid,letter,number' tuple as a plain string, instance label.
  Data:
  - svchost
  - 988,R,98
  - 'DS_Token_DB: '
message: ''

References

Event ID 301 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Fields

Name | Description
Data

Example Event

# Example ESENT event 301 as captured on the Application channel (level 4, task 3),
# 74 ms after the event 300 sample on the same host and with the same Data[1] tuple.
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 301
  version: 0
  level: 4
  task: 3
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  time_created: '2022-04-04T07:41:19.914102+00:00'
  event_record_id: 121
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: WIN-TKC15D7KHUR
  security:
    user_id: ''
event_data:
  # Data[3] is a log path under the system profile. Data[4] is a single-quoted
  # multi-line scalar (the blank line becomes a newline; ' #' is content). Data[5]
  # 'Insert   ' keeps its trailing spaces because it is quoted; Data[6] is a quoted
  # numeric string.
  Data:
  - svchost
  - 988,R,98
  - 'DS_Token_DB: '
  - C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log
  - '

    [1] 0.004883 -0.001369 (7) CM -0.002231 (10) WT +J(CM:7, PgRf:69, Rd:4/0, Dy:16/110,
    Lg:12164/130) +M(C:16K, Fs:11, WS:40K # 0K, PF:16K # 0K, P:16K).'
  - 'Insert   '
  - '39'
message: ''

References

Event ID 302 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Fields

Name | Description
Data

Example Event

# Example ESENT event 302 as captured on the Application channel (level 4, task 3),
# 32 ms after the event 301 sample. Only the letter in the Data[1] tuple differs from
# event 300 (U here, R there).
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 302
  version: 0
  level: 4
  task: 3
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  time_created: '2022-04-04T07:41:19.946101+00:00'
  event_record_id: 122
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: WIN-TKC15D7KHUR
  security:
    user_id: ''
event_data:
  # Component, 'pid,letter,number' tuple as a plain string, instance label.
  Data:
  - svchost
  - 988,U,98
  - 'DS_Token_DB: '
message: ''

References

Event ID 325 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Fields

Name | Description
Data

Example Event

# Example ESENT event 325 as captured on the Application channel (level 4, task 1).
# The page's "Sigma Rules" heading for this event lists no rule; the NTDS-related
# rule appears under events 216, 326 and 327 instead.
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 325
  version: 0
  level: 4
  task: 1
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  time_created: '2022-04-07T08:15:12.107010+00:00'
  event_record_id: 106
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  # Data[2] (with trailing ': ') and Data[4] both carry the dfsr.db path, the second
  # as a plain scalar. Data[6] is a single-quoted multi-line scalar; Data[7] '0 0' is a
  # plain two-token string; Data[8] is another quoted multi-line scalar whose blank
  # line becomes a newline between the lgposCreate and dbv parts.
  Data:
  - DFSRs
  - 2684,D,35
  - '\\.\C:\System Volume Information\DFSR\database_3CDA_D04B_DAD0_2D6\dfsr.db: '
  - '1'
  - \\.\C:\System Volume Information\DFSR\database_3CDA_D04B_DAD0_2D6\dfsr.db
  - '0'
  - '

    [1] 0.000092 +J(0) +M(C:0K, Fs:5, WS:20K # 0K, PF:8K # 0K, P:8K)

    [2] 0.002221 -0.000629 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K,
    Fs:5, WS:20K # 0K, PF:0K # 0K, P:0K)

    [3] 0.003757 -0.000003 (3) WT +J(0) +M(C:0K, Fs:11, WS:36K # 0K, PF:20K # 0K,
    P:20K)

    [4] 0.000245 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)

    [5] 0.001400 -0.000570 (3) WT +J(CM:0, PgRf:3, Rd:0/0, Dy:3/6, Lg:122/4) +M(C:0K,
    Fs:44, WS:164K # 0K, PF:256K # 0K, P:256K)

    [6] 0.001827 -0.000245 (2) WT +J(CM:0, PgRf:209, Rd:0/0, Dy:12/408, Lg:24454/447)
    +M(C:0K, Fs:76, WS:304K # 0K, PF:224K # 0K, P:224K)

    [7] 0.000703 -0.000290 (3) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:4096/3) +M(C:0K,
    Fs:4, WS:8K # 0K, PF:0K # 0K, P:0K)

    [8] 0.000004 +J(0)

    [9] 0.001408 -0.000787 (3) WT +J(0) +M(C:-52K, Fs:8, WS:-28K # 0K, PF:-52K # 0K,
    P:-52K)

    [10] 0.002190 -0.000416 (6) WT +J(CM:0, PgRf:348, Rd:0/0, Dy:7/93, Lg:12509/130)
    +M(C:12K, Fs:46, WS:176K # 0K, PF:96K # 0K, P:96K)

    [11] 0.000004 +J(0).'
  - 0 0
  - 'lgposCreate = 00000001:0001:0268,

    dbv = 1568.180.400 (9360)'
message: ''

Sigma Rules

References

Event ID 326 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Fields

Name | Description
Data

Example Event

# Example ESENT event 326 as captured on the Application channel (level 4, task 1).
# The page lists the Sigma rule "Ntdsutil Abuse" under this event, although this
# particular sample concerns a DFSR database (dfsr.db), not ntds.dit — the path in
# Data[4] is what distinguishes a benign attach from one worth alerting on.
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 326
  version: 0
  level: 4
  task: 1
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  time_created: '2022-04-07T17:04:18.516230+00:00'
  event_record_id: 215
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  # Same positional layout as the event 325 sample; Data[6] is a single-quoted
  # multi-line scalar (blank lines become newlines, ' #' is content, '[5] -' entries
  # are part of the string), and Data[8] ends with an lgposAttach/dbv pair.
  Data:
  - DFSRs
  - 2648,D,50
  - '\\.\C:\System Volume Information\DFSR\database_3CDA_D04B_DAD0_2D6\dfsr.db: '
  - '1'
  - \\.\C:\System Volume Information\DFSR\database_3CDA_D04B_DAD0_2D6\dfsr.db
  - '0'
  - '

    [1] 0.000005 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)

    [2] 0.050530 -0.049779 (1) WT +J(0) +M(C:0K, Fs:19, WS:12K # 0K, PF:8K # 0K, P:8K)

    [3] 0.029634 -0.024734 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K,
    Fs:31, WS:116K # 0K, PF:148K # 0K, P:148K)

    [4] 0.000577 +J(0)

    [5] -

    [6] -

    [7] -

    [8] 0.000668 -0.000387 (2) CM -0.000230 (2) WT +J(CM:2, PgRf:2, Rd:14/2, Dy:0/0,
    Lg:54/1) +M(C:-8K, Fs:60, WS:232K # 0K, PF:140K # 0K, P:140K)

    [9] 0.019914 -0.019641 (2) CM -0.019529 (2) WT +J(CM:2, PgRf:23, Rd:0/1, Dy:0/0,
    Lg:0/0) +M(C:-12K, Fs:30, WS:108K # 0K, PF:188K # 0K, P:188K)

    [10] 0.000976 -0.000799 (1) CM -0.000685 (1) WT +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0,
    Lg:0/0) +M(C:-4K, Fs:6, WS:20K # 0K, PF:60K # 0K, P:60K)

    [11] 0.000022 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K #
    0K, PF:0K # 0K, P:0K)

    [12] 0.000027 +J(CM:0, PgRf:36, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:1, WS:4K #
    0K, PF:0K # 0K, P:0K)

    [13] 0.0 +J(0)

    [14] 0.0 +J(0)

    [15] 0.000004 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).'
  - 0 0
  - 'lgposAttach = 00000009:011C:0268,

    dbv = 1568.180.400 (9360)'
message: ''

Sigma Rules

  • Ntdsutil Abuse
    Detects potential abuse of ntdsutil to dump ntds.dit database

References

Event ID 327 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Fields

Name | Description
Data

Example Event

# Example ESENT event 327 as captured on the Application channel (level 4, task 1)
# on the same domain controller as the event 216 sample, 22 s later. The page lists
# the Sigma rule "Ntdsutil Abuse" under this event: Data[0] is NTDS and Data[4] is an
# ntds.dit path under a C:\$SNAP_..._VOLUMEC$ snapshot directory rather than the
# live C:\Windows\NTDS location. user_id is empty here too.
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 327
  version: 0
  level: 4
  task: 1
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  time_created: '2021-06-05T19:36:58.926651+00:00'
  event_record_id: 442152
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: rootdc1.offsec.lan
  security:
    user_id: ''
event_data:
  # Data[1] is a quoted number and Data[2] an empty string (this sample has no
  # 'pid,letter,number' tuple, unlike the DFSRs/svchost samples). Data[4] is a plain
  # scalar: the '$' characters need no quoting. Data[6] is a two-line quoted scalar
  # that folds onto one line; Data[7] '0 0' is a plain two-token string.
  Data:
  - NTDS
  - '7148'
  - ''
  - '1'
  - C:\$SNAP_202106051936_VOLUMEC$\Windows\NTDS\ntds.dit
  - '0'
  - '[1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.016, [7] 0.000,
    [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.'
  - 0 0
message: ''

Sigma Rules

  • Ntdsutil Abuse
    Detects potential abuse of ntdsutil to dump ntds.dit database

References

Event ID 508 —

Provider
ESENT
Channel
Application
Level
3
Samples
1

Fields

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Binary

Example Event

# Example ESENT event 508 as captured on the Application channel. This is the only
# sample on the page at level 3 (Warning in the Windows event-log level scheme) and
# with task 7. execution.process_id (3160) is populated and matches the leading
# number of Data_1.
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 508
  version: 0
  level: 3
  task: 7
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  time_created: '2023-11-06T00:33:01.744348+00:00'
  event_record_id: 1942
  correlation: {}
  execution:
    process_id: 3160
    thread_id: 0
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  # Named-field layout (Data_0..Data_6 plus Binary). Data_3 is the SRU log path;
  # Data_4/Data_5 are 'decimal (hex)' strings and must not be parsed as numbers;
  # Data_6 is a quoted numeric string.
  Data_0: svchost
  Data_1: 3160,D,0
  Data_2: 'SRUJet: '
  Data_3: C:\Windows\system32\SRU\SRU.log
  Data_4: 36864 (0x0000000000009000)
  Data_5: 4096 (0x00001000)
  Data_6: '23'
  Binary: ''
message: ''

References

Event ID 609 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Example Event

# Example ESENT event 609 as captured on the Application channel (level 4, task 5).
# The page lists no fields for this event and the sample carries an empty event_data
# mapping, so only the system block is available for matching.
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 609
  version: 0
  level: 4
  task: 5
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  # Note the different timestamp form here ('...000000Z') versus the '+00:00'
  # offset used by the other samples; both are UTC but parsers must accept both.
  time_created: '2013-10-23T19:25:31.000000Z'
  event_record_id: 521
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: IE8Win7
  security:
    user_id: ''
# Explicit empty mapping ({}), not a bare 'event_data:' which would read as null.
event_data: {}

References

Event ID 612 —

Provider
ESENT
Channel
Application
Level
4
Samples
1

Example Event

# Example ESENT event 612 as captured on the Application channel (level 4, task 5),
# the record immediately following the event 609 sample (record id 522) with the same
# timestamp. No fields are listed for this event and event_data is empty.
system:
  provider: ESENT
  guid: ''
  event_source_name: ''
  event_id: 612
  version: 0
  level: 4
  task: 5
  opcode: 0
  # 36028797018963968 == 0x80000000000000
  keywords: 36028797018963968
  # 'Z'-suffixed timestamp, unlike the '+00:00' form used elsewhere on this page.
  time_created: '2013-10-23T19:25:31.000000Z'
  event_record_id: 522
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: IE8Win7
  security:
    user_id: ''
# Explicit empty mapping ({}), not a bare 'event_data:' which would read as null.
event_data: {}

References