detection.wiki

Microsoft-Windows-EDP-Audit-Regular

2 events across 1 channel

Event IDTitleChannel
201DataInfo has been copied (Policy) from SourceAppName (tagged as …Admin
301Object has been changed from SourceName (tagged as SourceEnterpriseId) to …Admin

Event ID 201 — DataInfo has been copied (Policy) from SourceAppName (tagged as SourceEnterpriseId) to DestinationAppName (tagged as DestinationEnterpriseId).

Provider
Microsoft-Windows-EDP-Audit-Regular
Channel
Admin

Description

DataInfo has been copied (Policy) from SourceAppName (tagged as SourceEnterpriseId) to DestinationAppName (tagged as DestinationEnterpriseId).

Message #

%8 has been copied (%2) from %5 (tagged as %4) to %7 (tagged as %6)

Fields #

NameDescription
UserId SID
Policy UnicodeString
Justification UnicodeString
SourceEnterpriseId UnicodeString
SourceAppName UnicodeString
DestinationEnterpriseId UnicodeString
DestinationAppName UnicodeString
DataInfo UnicodeString

Event ID 301 — Object has been changed from SourceName (tagged as SourceEnterpriseId) to DestinationName (tagged as DestinationEnterpriseId) in ApplicationName.

Provider
Microsoft-Windows-EDP-Audit-Regular
Channel
Admin

Description

Object has been changed from SourceName (tagged as SourceEnterpriseId) to DestinationName (tagged as DestinationEnterpriseId) in ApplicationName.

Message #

%3 has been changed from %5 (tagged as %6) to %7 (tagged as %8) in %9

Fields #

NameDescription
UserId SID
Policy UnicodeString
Object UnicodeString
Action UInt32
SourceName UnicodeString
SourceEnterpriseId UnicodeString
DestinationName UnicodeString
DestinationEnterpriseId UnicodeString
ApplicationName UnicodeString