Microsoft-Windows-SenseIR

14 events across 1 channel

Event ID	Title	Channel
1	Starting action ActionType.	Operational
2	Failed to run action ActionType.	Operational
3	Succeeded to run action ActionType.	Operational
4	Windows Defender Advanced Threat Protection Incident Response executable …	Operational
5	Windows Defender Advanced Threat Protection Incident Response executable …	Operational
7	Windows Defender Advanced Threat Protection Incident Response requested …	Operational
8	Encountered unexpected error while getting actions from AIRS server.	Operational
9	Found the caller of Windows Defender Advanced Threat Protection Incident …	Operational
10	Failed to deserialize Windows Defender Advanced Threat Protection Incident …	Operational
11	Finished uploading results of action ActionType.	Operational
12	Failed to deserialize actions, received invalid actions from AIRS server.	Operational
13	Failed to execute AIRS request.	Operational
14	Starting to upload results of action ActionType.	Operational
15	Failure during action ActionType.	Operational

Event ID 1 — Starting action ActionType.

Provider: Microsoft-Windows-SenseIR
Channel: Operational
Level: Informational
Opcode: Info

Description

Starting action ActionType. Action ID: ActionId.

Message #

Starting action %1. Action ID: %2

Fields #

Name	Description
`ActionType` UnicodeString	—
`ActionId` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-12T02:41:59.104484+00:00",
    "event_record_id": 815,
    "correlation": {},
    "execution": {
      "process_id": 1944,
      "thread_id": 12132
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ActionType": "RunPSScriptAction",
    "ActionId": "93514365-7ff3-4f5e-9dfd-7eb9f6b779a7"
  },
  "message": ""
}

Event ID 2 — Failed to run action ActionType.

Provider: Microsoft-Windows-SenseIR
Channel: Operational
Level: Warning
Opcode: Info

Description

Failed to run action ActionType. Action ID: ActionId, error code: HRESULT.

Message #

Failed to run action %1. Action ID: %2, error code: %3

Fields #

Name	Description
`ActionType` UnicodeString	—
`ActionId` UnicodeString	—
`HRESULT` HexInt64	—
`error_code`	1. Action ID.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 2,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:02:06.749860+00:00",
    "event_record_id": 1018,
    "correlation": {},
    "execution": {
      "process_id": 8048,
      "thread_id": 992
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ActionType": "CleanResourceAction",
    "ActionId": "iaid_530_quarantine_file__12_1773431280",
    "HRESULT": "0xffffffff80070002"
  },
  "message": ""
}

Event ID 3 — Succeeded to run action ActionType.

Provider: Microsoft-Windows-SenseIR
Channel: Operational
Level: Informational
Opcode: Info

Description

Succeeded to run action ActionType. Action ID: ActionId.

Message #

Succeeded to run action %1. Action ID: %2

Fields #

Name	Description
`ActionType` UnicodeString	—
`ActionId` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 3,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-12T02:42:08.083911+00:00",
    "event_record_id": 816,
    "correlation": {},
    "execution": {
      "process_id": 1944,
      "thread_id": 12132
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ActionType": "RunPSScriptAction",
    "ActionId": "93514365-7ff3-4f5e-9dfd-7eb9f6b779a7"
  },
  "message": ""
}

Event ID 4 — Windows Defender Advanced Threat Protection Incident Response executable started.

Provider: Microsoft-Windows-SenseIR
Channel: Operational
Level: Informational
Opcode: Info

Description

Windows Defender Advanced Threat Protection Incident Response executable started.

Message #

Windows Defender Advanced Threat Protection Incident Response executable started.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 4,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-12T02:41:49.103469+00:00",
    "event_record_id": 814,
    "correlation": {},
    "execution": {
      "process_id": 1944,
      "thread_id": 12172
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 5 — Windows Defender Advanced Threat Protection Incident Response executable terminated.

Provider: Microsoft-Windows-SenseIR
Channel: Operational
Level: Informational
Opcode: Info

Description

Windows Defender Advanced Threat Protection Incident Response executable terminated. Exit code: HRESULT.

Message #

Windows Defender Advanced Threat Protection Incident Response executable terminated. Exit code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 5,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-12T03:03:00.145455+00:00",
    "event_record_id": 817,
    "correlation": {},
    "execution": {
      "process_id": 1944,
      "thread_id": 12172
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HRESULT": "0x0"
  },
  "message": ""
}

Event ID 7 — Windows Defender Advanced Threat Protection Incident Response requested registration as an AIRS client.

Provider: Microsoft-Windows-SenseIR
Channel: Operational
Level: Informational
Opcode: Info

Description

Windows Defender Advanced Threat Protection Incident Response requested registration as an AIRS client. Result code: HRESULT.

Message #

Windows Defender Advanced Threat Protection Incident Response requested registration as an AIRS client. Result code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 7,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-12T18:57:10.188267+00:00",
    "event_record_id": 187,
    "correlation": {},
    "execution": {
      "process_id": 8368,
      "thread_id": 13932
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HRESULT": "0x0"
  },
  "message": ""
}

Event ID 8 — Encountered unexpected error while getting actions from AIRS server.

Provider: Microsoft-Windows-SenseIR
Channel: Operational
Level: Warning
Opcode: Info

Description

Encountered unexpected error while getting actions from AIRS server. Error code: HRESULT.

Message #

Encountered unexpected error while getting actions from AIRS server. Error code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 8,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-11T02:39:06.603116+00:00",
    "event_record_id": 175,
    "correlation": {},
    "execution": {
      "process_id": 4196,
      "thread_id": 6052
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HRESULT": "0x801901f6"
  },
  "message": ""
}

Event ID 9 — Found the caller of Windows Defender Advanced Threat Protection Incident Response executable to be invalid.

Provider: Microsoft-Windows-SenseIR
Channel: Operational
Opcode: Info

Description

Found the caller of Windows Defender Advanced Threat Protection Incident Response executable to be invalid. Terminating executable. Error code: HRESULT.

Message #

Found the caller of Windows Defender Advanced Threat Protection Incident Response executable to be invalid. Terminating executable. Error code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Event ID 10 — Failed to deserialize Windows Defender Advanced Threat Protection Incident Response parameters.

Provider: Microsoft-Windows-SenseIR
Channel: Operational
Opcode: Info

Description

Failed to deserialize Windows Defender Advanced Threat Protection Incident Response parameters. Error code: HRESULT.

Message #

Failed to deserialize Windows Defender Advanced Threat Protection Incident Response parameters. Error code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Event ID 11 — Finished uploading results of action ActionType.

Provider: Microsoft-Windows-SenseIR
Channel: Operational
Level: Informational
Opcode: Info

Description

Finished uploading results of action ActionType. Action ID: ActionId, upload result code: HRESULT.

Message #

Finished uploading results of action %1. Action ID: %2, upload result code: %3

Fields #

Name	Description
`ActionType` UnicodeString	—
`ActionId` UnicodeString	—
`HRESULT` HexInt64	—
`upload_result_code`	1. Action ID.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 11,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-12T19:04:10.450886+00:00",
    "event_record_id": 255,
    "correlation": {},
    "execution": {
      "process_id": 8368,
      "thread_id": 11100
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ActionType": "ReadFileAction",
    "ActionId": "iaid_252_read_file__7_1770923045",
    "HRESULT": "0x0"
  },
  "message": ""
}

Event ID 12 — Failed to deserialize actions, received invalid actions from AIRS server.

Provider: Microsoft-Windows-SenseIR
Channel: Operational
Opcode: Info

Description

Failed to deserialize actions, received invalid actions from AIRS server. Error code: HRESULT.

Message #

Failed to deserialize actions, received invalid actions from AIRS server. Error code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Event ID 13 — Failed to execute AIRS request.

Provider: Microsoft-Windows-SenseIR
Channel: Operational
Level: Warning
Opcode: Info

Description

Failed to execute AIRS request. Error code: HRESULT.

Message #

Failed to execute AIRS request. Error code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 13,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-11T02:39:06.603071+00:00",
    "event_record_id": 174,
    "correlation": {},
    "execution": {
      "process_id": 4196,
      "thread_id": 6052
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HRESULT": "0x801901f6"
  },
  "message": ""
}

Event ID 14 — Starting to upload results of action ActionType.

Provider: Microsoft-Windows-SenseIR
Channel: Operational
Level: Informational
Opcode: Info

Description

Starting to upload results of action ActionType. Action ID: ActionId.

Message #

Starting to upload results of action %1. Action ID: %2

Fields #

Name	Description
`ActionType` UnicodeString	—
`ActionId` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 14,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-12T19:04:10.220142+00:00",
    "event_record_id": 254,
    "correlation": {},
    "execution": {
      "process_id": 8368,
      "thread_id": 11100
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ActionType": "ReadFileAction",
    "ActionId": "iaid_252_read_file__7_1770923045"
  },
  "message": ""
}

Event ID 15 — Failure during action ActionType.

Provider: Microsoft-Windows-SenseIR
Channel: Operational
Level: Warning
Opcode: Info

Description

Failure during action ActionType. Action ID: ActionId, Action phase: ActionPhase, error code: HRESULT.

Message #

Failure during action %1. Action ID: %2, Action phase: %3, error code: %4

Fields #

Name	Description
`ActionType` UnicodeString	—
`ActionId` UnicodeString	—
`ActionPhase` UnicodeString	—
`HRESULT` HexInt64	—
`Action_phase`	1. Action ID.
`error_code`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 15,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-09T01:17:16.046722+00:00",
    "event_record_id": 602,
    "correlation": {},
    "execution": {
      "process_id": 7604,
      "thread_id": 7356
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ActionType": "RunPSScriptAction",
    "ActionId": "13374ec1-d353-4b0a-bd6d-f19ce96b06c0",
    "ActionPhase": "RunScript",
    "HRESULT": "0xffffffff80090325"
  },
  "message": ""
}