Description

LSP LSPName was installed in the Catalog-bit catalog by Installer (GUID=GUID, Category ID=Category).

Message #

LSP %1 was installed in the %2-bit catalog by %3 (GUID=%4, Category ID=%5)

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-WS2HELP",
    "guid": "D5C25F9A-4D47-493E-9184-40DD397A004D",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2019-08-23T12:37:38.521158+00:00",
    "event_record_id": 2,
    "correlation": {},
    "execution": {
      "process_id": 5284,
      "thread_id": 8096
    },
    "channel": "Microsoft-Windows-Winsock-WS2HELP/Operational",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "LSPName": "PROXYCAP LSP",
    "Catalog": 32,
    "Installer": "C:\\Windows\\syswow64\\MsiExec.exe",
    "GUID": "7E35F09E-CF45-CF00-3594-397712626D0F",
    "Category": 1021
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Description

LSP LSPName was removed from the Catalog-bit catalog by Installer (GUID=GUID, Category ID=Category).

Message #

LSP %1 was removed from the %2-bit catalog by %3 (GUID=%4, Category ID=%5)

Fields #

Description

LSP LSPName was disabled in the Catalog-bit catalog by Installer (GUID=GUID, Category ID=Category).

Message #

LSP %1 was disabled in the %2-bit catalog by %3 (GUID=%4, Category ID=%5)

Fields #

Description

The Catalog-bit catalog was reset by the administrator.

Message #

The %1-bit catalog was reset by the administrator

Fields #

Description

LSP BinaryName was bypassed as due to legacy technology bypass policy (GUID=GUID).

Message #

LSP %1 was bypassed as due to legacy technology bypass policy (GUID=%2)

Fields #