Microsoft-Windows-ActiveDirectory_DomainService
38 events across 1 channel
Event ID 1000 —
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1000,
"version": 0,
"level": 4,
"task": 12,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T16:53:16.713907+00:00",
"event_record_id": 104,
"correlation": {},
"execution": {
"process_id": 664,
"thread_id": 844
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1004 —
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1004,
"version": 0,
"level": 4,
"task": 12,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:38:25.822339+00:00",
"event_record_id": 91,
"correlation": {},
"execution": {
"process_id": 624,
"thread_id": 1376
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1138 —
Fields #
| Name | Description |
|---|---|
| Data_0 | — |
| Data_1 | — |
| Data_2 | — |
| Data_3 | — |
| Data_4 | — |
| Data_5 | — |
| Data_6 | — |
| Data_7 | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1138,
"version": 0,
"level": 4,
"task": 16,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T23:08:18.465925+00:00",
"event_record_id": 2624,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 4744
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Data_0": "ldap_search",
"Data_1": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"Data_2": "127.0.0.1:61365",
"Data_3": "571",
"Data_4": "",
"Data_5": "4823671",
"Data_6": "",
"Data_7": "",
"Binary": ""
},
"message": ""
}
Event ID 1139 —
Fields #
| Name | Description |
|---|---|
| Data_0 | — |
| Data_1 | — |
| Data_2 | — |
| Data_3 | — |
| Data_4 | — |
| Data_5 | — |
| Data_6 | — |
| Data_7 | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1139,
"version": 0,
"level": 4,
"task": 16,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T23:08:18.465925+00:00",
"event_record_id": 2625,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 4744
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Data_0": "ldap_search",
"Data_1": "16",
"Data_2": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"Data_3": "127.0.0.1:61365",
"Data_4": "571",
"Data_5": "",
"Data_6": "4823671",
"Data_7": "4823687",
"Binary": ""
},
"message": ""
}
Event ID 1162 —
Fields #
| Name | Description |
|---|---|
| Data_0 | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1162,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-02-28T04:29:14.825169+00:00",
"event_record_id": 287,
"correlation": {},
"execution": {
"process_id": 916,
"thread_id": 628
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "",
"Binary": ""
},
"message": ""
}
Event ID 1215 —
Fields #
| Name | Description |
|---|---|
| Data_0 | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1215,
"version": 0,
"level": 4,
"task": 16,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T23:09:04.536946+00:00",
"event_record_id": 4079,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 7768
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "c060273",
"Binary": ""
},
"message": ""
}
Event ID 1220 —
Fields #
| Name | Description |
|---|---|
| Data_0 | — |
| Data_1 | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1220,
"version": 0,
"level": 3,
"task": 16,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T17:05:18.904081+00:00",
"event_record_id": 367,
"correlation": {},
"execution": {
"process_id": 908,
"thread_id": 3272
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "8009030e",
"Data_1": "No credentials are available in the security package",
"Binary": ""
},
"message": ""
}
Event ID 1221 —
Fields #
| Name | Description |
|---|---|
| Data_0 | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1221,
"version": 0,
"level": 4,
"task": 16,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T20:17:39.781219+00:00",
"event_record_id": 453,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 1068
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "",
"Binary": ""
},
"message": ""
}
Event ID 1257 —
Fields #
| Name | Description |
|---|---|
| Data_0 | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1257,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T23:09:14.237882+00:00",
"event_record_id": 4484,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 1084
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "CN=TESTPC02,CN=Computers,DC=ludus,DC=domain",
"Binary": ""
},
"message": ""
}
Event ID 1258 —
Fields #
| Name | Description |
|---|---|
| Data_0 | — |
| Data_1 | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1258,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T23:09:14.238473+00:00",
"event_record_id": 4485,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 1084
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "CN=TESTPC02,CN=Computers,DC=ludus,DC=domain",
"Data_1": "1",
"Binary": ""
},
"message": ""
}
Event ID 1394 —
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1394,
"version": 0,
"level": 4,
"task": 12,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T16:53:46.718824+00:00",
"event_record_id": 105,
"correlation": {},
"execution": {
"process_id": 664,
"thread_id": 820
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1404 —
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS Database",
"event_id": 1404,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:15:15.717005+00:00",
"event_record_id": 54,
"correlation": {},
"execution": {
"process_id": 648,
"thread_id": 2552
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1463 —
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1463,
"version": 0,
"level": 3,
"task": 7,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:12:33.388787+00:00",
"event_record_id": 24,
"correlation": {},
"execution": {
"process_id": 648,
"thread_id": 5696
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1535 —
Fields #
| Name | Description |
|---|---|
| Data_0 | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1535,
"version": 0,
"level": 4,
"task": 16,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T23:08:20.338916+00:00",
"event_record_id": 2975,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 3104
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Data_0": "00002121: SvcErr: DSID-03120701, problem 5012 (DIR_ERROR), data 8995\n",
"Binary": ""
},
"message": ""
}
Event ID 1539 —
Fields #
| Name | Description |
|---|---|
| Data_0 | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1539,
"version": 0,
"level": 3,
"task": 12,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-06T19:18:38.145706+00:00",
"event_record_id": 331,
"correlation": {
"ActivityID": "028C3802-AD9E-0001-6538-8C029EADDC01"
},
"execution": {
"process_id": 908,
"thread_id": 912
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "c:",
"Binary": ""
},
"message": ""
}
Event ID 1644 —
Fields #
| Name | Description |
|---|---|
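| Data_0 | Starting node (search base DN) |
| Data_1 | LDAP search filter |
| Data_2 | Visited entries |
| Data_3 | Returned entries |
| Data_4 | Client IP address and port |
| Data_5 | Search scope |
| Data_6 | Attribute selection (attributes requested) |
| Data_7 | Server controls |
| Data_8 | Used indexes |
| Data_9 | Pages referenced |
| Data_10 | Pages read from disk |
| Data_11 | Pages pre-read from disk |
| Data_12 | Clean pages modified |
| Data_13 | Dirty pages modified |
| Data_14 | Search time (ms) |
| Data_15 | Attributes preventing optimization |
| Data_16 | User that issued the search |
| Binary | — |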
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1644,
"version": 0,
"level": 4,
"task": 15,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T23:09:04.886148+00:00",
"event_record_id": 4101,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 7768
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Data_0": "DC=ludus,DC=domain",
"Data_1": " (servicePrincipalName=*/*) ",
"Data_2": "4159",
"Data_3": "6",
"Data_4": "10.2.10.11:63108",
"Data_5": "subtree",
"Data_6": "servicePrincipalName",
"Data_7": "",
"Data_8": "DNT_index:2317:N;",
"Data_9": "30585",
"Data_10": "0",
"Data_11": "0",
"Data_12": "0",
"Data_13": "0",
"Data_14": "16",
"Data_15": "none",
"Data_16": "ludus\\domainadmin",
"Binary": ""
},
"message": ""
}
Event ID 1869 —
#Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1869,
"version": 0,
"level": 4,
"task": 18,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T17:08:18.628934+00:00",
"event_record_id": 114,
"correlation": {},
"execution": {
"process_id": 664,
"thread_id": 820
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data": [
"\\\\WIN-FPV0DSIC9O6.lab.local",
"Default-First-Site-Name"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1898 —
#Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1898,
"version": 0,
"level": 4,
"task": 24,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:12:40.147333+00:00",
"event_record_id": 32,
"correlation": {},
"execution": {
"process_id": 648,
"thread_id": 5696
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data": [
"CN=sam-domain,CN=Schema,CN=Configuration,DC=sigma,DC=fr"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2013 —
#Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS Database",
"event_id": 2013,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:19:31.474025+00:00",
"event_record_id": 57,
"correlation": {},
"execution": {
"process_id": 648,
"thread_id": 7164
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data": [
"3",
"link_base_and_data_v2_index +link_base link_bdnt_and_base_and_data_v2_index +backlink_DNT link_dnt_and_base_and_data_v2_index +link_DNT "
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2014 —
#Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS Database",
"event_id": 2014,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:19:31.474025+00:00",
"event_record_id": 58,
"correlation": {},
"execution": {
"process_id": 648,
"thread_id": 7164
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data": [
"3"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2041 —
Fields #
| Name | Description |
|---|---|
| Data_0 | — |
| Data_1 | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 2041,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-06T19:18:39.145732+00:00",
"event_record_id": 332,
"correlation": {
"ActivityID": "028C3802-AD9E-0001-6538-8C029EADDC01"
},
"execution": {
"process_id": 908,
"thread_id": 912
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "80000603",
"Data_1": "2",
"Binary": ""
},
"message": ""
}
Event ID 2064 —
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS Database",
"event_id": 2064,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:14:30.411027+00:00",
"event_record_id": 40,
"correlation": {
"ActivityID": "7AAB4249-4A57-0000-F449-AB7A574AD801"
},
"execution": {
"process_id": 648,
"thread_id": 652
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2065 —
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS Database",
"event_id": 2065,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:16:41.560674+00:00",
"event_record_id": 55,
"correlation": {},
"execution": {
"process_id": 648,
"thread_id": 836
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2120 —
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 2120,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T16:53:06.664032+00:00",
"event_record_id": 99,
"correlation": {},
"execution": {
"process_id": 664,
"thread_id": 820
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2121 —
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 2121,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T16:53:06.617666+00:00",
"event_record_id": 94,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0000-71B9-AAE09F4AD801"
},
"execution": {
"process_id": 664,
"thread_id": 668
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2168 —
#Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 2168,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T16:53:06.617666+00:00",
"event_record_id": 97,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0000-71B9-AAE09F4AD801"
},
"execution": {
"process_id": 664,
"thread_id": 668
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data": [
"2944722192045242455"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2172 —
#Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 2172,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T16:53:06.617666+00:00",
"event_record_id": 98,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0000-71B9-AAE09F4AD801"
},
"execution": {
"process_id": 664,
"thread_id": 668
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data": [
"2944722192045242455"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2179 —
#Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 2179,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:38:25.775344+00:00",
"event_record_id": 90,
"correlation": {},
"execution": {
"process_id": 624,
"thread_id": 1376
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data": [
"2944722192045242455"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2405 —
#Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 2405,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T16:53:06.664032+00:00",
"event_record_id": 100,
"correlation": {},
"execution": {
"process_id": 664,
"thread_id": 820
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data": [
"Recycle Bin Feature"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2406 —
#Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 2406,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T16:53:06.617666+00:00",
"event_record_id": 95,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0000-71B9-AAE09F4AD801"
},
"execution": {
"process_id": 664,
"thread_id": 668
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data": [
"Recycle Bin Feature"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2886 — LDAP signing is not required on this directory server (hardening warning)
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 2886,
"version": 0,
"level": 3,
"task": 16,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T16:53:16.713907+00:00",
"event_record_id": 102,
"correlation": {},
"execution": {
"process_id": 664,
"thread_id": 844
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2961 —
#Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS Database",
"event_id": 2961,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:19:31.474025+00:00",
"event_record_id": 56,
"correlation": {},
"execution": {
"process_id": 648,
"thread_id": 7164
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data": [
"8"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2962 —
#Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS Database",
"event_id": 2962,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:19:31.474025+00:00",
"event_record_id": 59,
"correlation": {},
"execution": {
"process_id": 648,
"thread_id": 7164
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data": [
"8"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 3027 —
#Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 3027,
"version": 0,
"level": 4,
"task": 6,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T17:08:18.628934+00:00",
"event_record_id": 113,
"correlation": {},
"execution": {
"process_id": 664,
"thread_id": 820
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data": [
"3600"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 3033 —
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 3033,
"version": 0,
"level": 4,
"task": 6,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T17:08:18.628934+00:00",
"event_record_id": 112,
"correlation": {},
"execution": {
"process_id": 664,
"thread_id": 820
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 3041 — LDAP channel binding token validation is not enforced on this directory server (hardening warning)
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 3041,
"version": 0,
"level": 3,
"task": 16,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T16:53:16.713907+00:00",
"event_record_id": 103,
"correlation": {},
"execution": {
"process_id": 664,
"thread_id": 844
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 3051 —
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 3051,
"version": 0,
"level": 3,
"task": 2,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T16:53:06.149082+00:00",
"event_record_id": 92,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0000-71B9-AAE09F4AD801"
},
"execution": {
"process_id": 664,
"thread_id": 668
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 3054 —
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 3054,
"version": 0,
"level": 3,
"task": 2,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T16:53:06.149082+00:00",
"event_record_id": 93,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0000-71B9-AAE09F4AD801"
},
"execution": {
"process_id": 664,
"thread_id": 668
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline