Collection Priority Reference
965 events across 58 providers from 12 sources.
| Provider / Channel | ID | Title | Sources |
|---|---|---|---|
| AD-FS/Admin | 510 | More information for the event entry with Instance ID %1. | ASD Recommended |
| AD-FS-Auditing/Security | 307 | | ASD Recommended |
| AD-FS-Auditing/Security | 1200 | | ASD Recommended |
| AD-FS-Auditing/Security | 1202 | | ASD Recommended |
| Application Error/Application | 1000 | Faulting application name: %1, version: %2, time stamp: 0x%3 Faulting module name: %4, version: %5, time stamp: 0x%6 Exception code: 0x%7 Fault off... | Microsoft-WEF, JSCU-NL Recommended |
| Application Hang/Application | 1002 | The program Widgets. | Microsoft-WEF, JSCU-NL Recommended |
| Application-Error/Application | 1000 | Faulting application name: %1, version: %2, time stamp: 0x%3 Faulting module name: %4, version: %5, time stamp: 0x%6 Exception code: 0x%7 Fault off... | ANSSI Recommended |
| Application-Hang/Application | 1002 | The program Widgets. | ANSSI Recommended |
| ESENT/Application | 325 | | ASD Recommended |
| ESENT/Application | 326 | | ASD Recommended |
| ESENT/Application | 327 | | ASD Recommended |
| LsaSrv/Operational | 300 | Groups assigned to a new logon. | Microsoft-WEF, ANSSI Recommended |
| Application-Experience/Program-Inventory | 903 | A program was installed on the system. | NSA Recommended |
| Application-Experience/Program-Inventory | 904 | A program was installed on the system. | NSA Recommended |
| Application-Experience/Program-Inventory | 905 | A program was updated on the system. | NSA Recommended |
| Application-Experience/Program-Inventory | 906 | A program was updated on the system. | NSA Recommended |
| Application-Experience/Program-Inventory | 907 | A program was removed from the system. | NSA Recommended |
| Application-Experience/Program-Inventory | 908 | A program was removed from the system. | NSA Recommended |
| AppLocker/EXE and DLL | 8000 | AppID policy conversion failed. | ASD, Olaf Hartong Recommended |
| AppLocker/EXE and DLL | 8001 | The AppLocker policy was applied successfully to this computer. | ASD, Olaf Hartong Recommended |
| AppLocker/EXE and DLL | 8002 | %11 was allowed to run. | NSA, Olaf Hartong, JSCU-NL Recommended |
| AppLocker/EXE and DLL | 8003 | %11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Palantir, Olaf Hartong, JSCU-NL Recommended |
| AppLocker/EXE and DLL | 8004 | %11 was prevented from running. | Palantir, ASD, Olaf Hartong, JSCU-NL Recommended |
| AppLocker/MSI and Script | 8005 | %11 was allowed to run. | NSA, Olaf Hartong, JSCU-NL Recommended |
| AppLocker/MSI and Script | 8006 | %11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | NSA, Olaf Hartong, JSCU-NL Recommended |
| AppLocker/MSI and Script | 8007 | %11 was prevented from running. | NSA, ASD, Olaf Hartong, JSCU-NL Recommended |
| AppLocker/EXE and DLL | 8008 | %2: AppLocker component not available on this SKU. | ASD, Olaf Hartong Recommended |
| AppLocker/MSI and Script | 8009 | %2: AppLocker component not available on this SKU. | Olaf Hartong Recommended |
| AppLocker/Operational | 8010 | | Olaf Hartong Recommended |
| AppLocker/Operational | 8011 | | Olaf Hartong Recommended |
| AppLocker/Operational | 8012 | | Olaf Hartong Recommended |
| AppLocker/Operational | 8013 | | Olaf Hartong Recommended |
| AppLocker/Operational | 8014 | | Olaf Hartong Recommended |
| AppLocker/Operational | 8015 | | Olaf Hartong Recommended |
| AppLocker/Operational | 8016 | | Olaf Hartong Recommended |
| AppLocker/Operational | 8017 | | Olaf Hartong Recommended |
| AppLocker/Operational | 8018 | | Olaf Hartong Recommended |
| AppLocker/Operational | 8019 | | Olaf Hartong Recommended |
| AppLocker/Packaged app-Execution | 8020 | %11 was allowed to run. | NSA, Olaf Hartong, JSCU-NL Recommended |
| AppLocker/Packaged app-Execution | 8021 | %11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Olaf Hartong Recommended |
| AppLocker/Packaged app-Execution | 8022 | %11 was prevented from running. | ASD, Olaf Hartong Recommended |
| AppLocker/Packaged app-Deployment | 8023 | %11 was allowed to be installed. | NSA, Olaf Hartong, JSCU-NL Recommended |
| AppLocker/Packaged app-Deployment | 8024 | %11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Olaf Hartong Recommended |
| AppLocker/Packaged app-Deployment | 8025 | %11 was prevented from running. | ASD, Olaf Hartong Recommended |
| AppLocker/Packaged app-Deployment | 8026 | No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured. | Olaf Hartong Recommended |
| AppLocker/Packaged app-Execution | 8027 | No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured. | ASD, Olaf Hartong Recommended |
| AppLocker/MSI and Script | 8029 | %2 was prevented from running due to Config CI policy. | ASD Recommended |
| AppLocker/EXE and DLL | 8032 | ManagedInstaller check FAILED during Appid verification of %2. | ASD Recommended |
| AppLocker/MSI and Script | 8035 | ManagedInstaller Script check SUCCEEDED during Appid verification of %2. | ASD Recommended |
| AppLocker/MSI and Script | 8036 | %2 was prevented from running due to Config CI policy. | ASD Recommended |
| AppLocker/MSI and Script | 8040 | Package family name %2 version %3 was prevented from installing or updating due to Config CI policy (Name:%5 ID:%7 Version:%8 GUID:%9). | ASD Recommended |
| Bits-Client/Operational | 1 | BITS job "%2" with ID %1 has been resumed. | Yamato Security, JSCU-NL Recommended |
| Bits-Client/Operational | 2 | BITS job "%2" with ID %1 has been suspended. | Yamato Security Recommended |
| Bits-Client/Operational | 3 | The BITS service created a new job. | Yamato Security, JSCU-NL Recommended |
| Bits-Client/Operational | 4 | The transfer job is complete. | Yamato Security, JSCU-NL Recommended |
| Bits-Client/Operational | 5 | Job cancelled. | Yamato Security Recommended |
| Bits-Client/Operational | 6 | Command-line command set for job %1 with owner %2. | Yamato Security Recommended |
| Bits-Client/Operational | 17 | BITS has read the policy parameters for peer-caching. | Yamato Security Recommended |
| Bits-Client/Operational | 18 | The peer list rejected an incoming server announcement. | Yamato Security Recommended |
| Bits-Client/Operational | 23 | An application cleared the peer list. | Yamato Security Recommended |
| Bits-Client/Operational | 59 | BITS started the %2 transfer job that is associated with the %4 URL. | Yamato Security, JSCU-NL Recommended |
| Bits-Client/Operational | 60 | BITS stopped transferring the %2 transfer job that is associated with the %4 URL. | Yamato Security Recommended |
| Bits-Client/Operational | 61 | BITS stopped transferring the %2 transfer job that is associated with the %4 URL. | Yamato Security Recommended |
| Bits-Client/Operational | 62 | The BITS job named "%1" belonging to user %2 received inconsistent data while downloading. | Yamato Security Recommended |
| Bits-Client/Operational | 63 | The BITS job %1 is configured to launch %3 after transfer of %2. | Yamato Security Recommended |
| Bits-Client/Operational | 64 | The BITS job %1 is configured to launch %3 after transfer of %2. | Yamato Security Recommended |
| Bits-Client/Operational | 78 | BITS has encountered %1 error while reading the peer-cache information. | Yamato Security Recommended |
| Bits-Client/Operational | 79 | BITS has successfully deleted the peer-cache. | Yamato Security Recommended |
| Bits-Client/Operational | 80 | BITS has successfully enabled peer-client and/or peer-server related components. | Yamato Security Recommended |
| Bits-Client/Operational | 81 | BITS has encountered %1 error while starting one or more peer-client or peer-server components. | Yamato Security Recommended |
| Bits-Client/Operational | 201 | The BITS job named "%1" was unable to contact any HTTP proxy server in its proxy list. | Yamato Security Recommended |
| Bits-Client/Operational | 202 | While transferring %1, BITS encountered error %7 using %6 as the HTTP proxy server. | Yamato Security Recommended |
| Bits-Client/Operational | 203 | The BITS service provided job credentials in response to an authentication challenge from the %1 server for the %2 transfer job that is associated ... | Yamato Security Recommended |
| Bits-Client/Operational | 204 | The BITS service provided job credentials in response to an authentication challenge from %1 for job %2, url %3. | Yamato Security Recommended |
| Bits-Client/Operational | 206 | The URL "%2" in BITS job "%1" does not support the HTTP HEAD verb, which is required for BITS bandwidth throttling. | Yamato Security Recommended |
| Bits-Client/Operational | 207 | The URL "%2" in BITS job "%1" does not support the HTTP Content-Length header, which is required for BITS bandwidth throttling. | Yamato Security Recommended |
| Bits-Client/Operational | 208 | A flash-Crowd situation is detected for the URL "%2" in BITS job "%1". | Yamato Security Recommended |
| Bits-Client/Operational | 209 | High performance property for BITS job "%1" with ID "%2" %3. | Yamato Security Recommended |
| Bits-Client/Operational | 210 | The URL "%2" in BITS job "%1" does not support the HTTP Content-Range header, which is required for BITS bandwidth throttling. | Yamato Security Recommended |
| Bits-Client/Operational | 211 | BITS job "%2" with ID "%1" encountered an error %3. | Yamato Security Recommended |
| Bits-Client/Operational | 302 | The BITS service has started successfully, but it was delayed long enough that there may be a problem. | Yamato Security Recommended |
| Bits-Client/Operational | 303 | The peer-cache client startup phase of startup has completed. | Yamato Security Recommended |
| Bits-Client/Operational | 306 | The BITS service loaded the job list from disk. | Yamato Security Recommended |
| Bits-Client/Operational | 307 | It took %1 seconds to write a change file to the BITS job list. | Yamato Security Recommended |
| Bits-Client/Operational | 308 | The BITS service shut down successfully, but it was delayed for %1 seconds. | Yamato Security Recommended |
| Bits-Client/Operational | 309 | The BITS peer cache was unable to find any peers in the network. | Yamato Security Recommended |
| Bits-Client/Operational | 310 | The initialization of the peer helper modules failed with the following error. | Yamato Security Recommended |
| Bits-Client/Operational | 311 | The BITS peer transfer with the %1 ID for the %2 transfer job resulted in the following error: %4. | Yamato Security Recommended |
| Bits-Client/Operational | 312 | The Network List Manager Cost Interface is not available on this system. | Yamato Security Recommended |
| Bits-Client/Operational | 313 | The Network List Manager Cost Interface is reporting no network connectivity. | Yamato Security Recommended |
| Bits-Client/Operational | 16384 | The administrator %4 canceled job "%2" on behalf of %3. | Yamato Security Recommended |
| Bits-Client/Operational | 16387 | The administrator %3 modified the %4 property of job "%2". | Yamato Security Recommended |
| Bits-Client/Operational | 16388 | The administrator %4 took ownership of job "%2" from %3. | Yamato Security Recommended |
| Bits-Client/Operational | 16389 | Job "%2" owned by %3 was canceled after being inactive for more than %4 days. | Yamato Security Recommended |
| Bits-Client/Operational | 16391 | The BITS job list is not in a recognized format. | Yamato Security Recommended |
| Bits-Client/Operational | 16394 | BITS Peer-caching protocol | Yamato Security Recommended |
| Bits-Client/Operational | 16395 | Web Services-Discovery protocol | Yamato Security Recommended |
| Bits-Client/Operational | 16403 | | Yamato Security Recommended |
| CAPI2/Operational | 11 | For more details for this event, please refer to the "Details" section | Microsoft-WEF Recommended |
| CAPI2/Operational | 70 | For more details for this event, please refer to the "Details" section | Microsoft-WEF Recommended |
| CAPI2/Operational | 90 | For more details for this event, please refer to the "Details" section | Microsoft-WEF Recommended |
| CertificateServicesClient-Lifecycle-System/Operational | 1001 | A certificate has been replaced. | NSA Recommended |
| CertificateServicesClient-Lifecycle-System/Operational | 1002 | A certificate has expired. | NSA Recommended |
| CertificateServicesClient-Lifecycle-System/Operational | 1003 | A certificate is about to expire. | NSA Recommended |
| CertificateServicesClient-Lifecycle-System/Operational | 1004 | A certificate has been deleted. | NSA Recommended |
| CertificateServicesClient-Lifecycle-System/Operational | 1006 | A new certificate has been installed. | NSA Recommended |
| CertificateServicesClient-Lifecycle-System/Operational | 1007 | A certificate has been exported. | NSA Recommended |
| CertificationAuthority/Application | 95 | Security permissions are corrupted or missing. | NSA Recommended |
| CodeIntegrity/Operational | 3001 | Code Integrity determined an unsigned kernel module %2 is loaded into the system. | NSA, Yamato Security Recommended |
| CodeIntegrity/Operational | 3002 | Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system. | NSA, Yamato Security Recommended |
| CodeIntegrity/Operational | 3003 | Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system. | NSA, Yamato Security Recommended |
| CodeIntegrity/Operational | 3004 | Windows is unable to verify the image integrity of the file %2 because file hash could not be found on the system. | NSA, Yamato Security Recommended |
| CodeIntegrity/Operational | 3005 | Code Integrity is unable to verify the image integrity of the file %2 because a file hash could not be found on the system. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3010 | Code Integrity was unable to load the %2 catalog. | NSA, Yamato Security Recommended |
| CodeIntegrity/Operational | 3021 | Code Integrity determined a revoked kernel module %2 is loaded into the system. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3022 | Code Integrity determined a revoked kernel module %2 is loaded into the system. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3023 | The driver %2 is blocked from loading as the driver has been revoked by Microsoft. | NSA, Yamato Security Recommended |
| CodeIntegrity/Operational | 3024 | Windows was unable to update the boot catalog cache file. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3026 | Code Integrity was unable to load the %2 catalog because the signing certificate for this catalog has been revoked. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3032 | Code Integrity determined a revoked image %2 is loaded into the system. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3033 | Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements. | Palantir, ASD, Yamato Security Recommended |
| CodeIntegrity/Operational | 3034 | Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p... | Yamato Security Recommended |
| CodeIntegrity/Operational | 3035 | Code Integrity determined a revoked image %2 is loaded into the system. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3036 | Windows is unable to verify the integrity of the file %2 because the signing certificate has been revoked. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3037 | Code Integrity determined an unsigned image %2 is loaded into the system. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3050 | Code Integrity completed retrieval of file cache. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3051 | Code Integrity completed retrieval of file cache. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3052 | Code Integrity completed retrieval of file cache. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3057 | Code Integrity completed retrieval of file cache. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3058 | Code Integrity completed retrieval of file cache. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3063 | Code Integrity determined that a process (%4) attempted to load %2 that did not meet the security requirements for %5. | ASD, Yamato Security Recommended |
| CodeIntegrity/Operational | 3065 | Code Integrity determined that a process (%4) attempted to load %2 that did not meet the security requirements for %5. | Palantir, Yamato Security Recommended |
| CodeIntegrity/Operational | 3066 | Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p... | Yamato Security Recommended |
| CodeIntegrity/Operational | 3067 | Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p... | Yamato Security Recommended |
| CodeIntegrity/Operational | 3068 | Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p... | Yamato Security Recommended |
| CodeIntegrity/Operational | 3069 | Code Integrity was unable to load the weak crypto policy value from registry. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3070 | Code Integrity was unable to load the weak crypto policy from registry store. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3071 | Code Integrity was unable to load the weak crypto policies. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3072 | Code Integrity determined that the module %2 is not compatible with hypervisor enforcement due to it having non-page aligned sections. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3073 | Code Integrity determined that the module %2 is not compatible with strict mode hypervisor enforcement due to it having an executable section that ... | Yamato Security Recommended |
| CodeIntegrity/Operational | 3074 | Code Integrity was unable to verify a page for a module verified using hypervisor enforcement. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3076 | Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p... | Yamato Security Recommended |
| CodeIntegrity/Operational | 3077 | Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p... | ASD, Yamato Security Recommended |
| CodeIntegrity/Operational | 3078 | Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p... | Yamato Security Recommended |
| CodeIntegrity/Operational | 3079 | Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p... | Yamato Security Recommended |
| CodeIntegrity/Operational | 3080 | Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p... | Yamato Security Recommended |
| CodeIntegrity/Operational | 3081 | Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p... | Yamato Security Recommended |
| CodeIntegrity/Operational | 3082 | Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3083 | Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3084 | Code Integrity will enable WHQL driver enforcement for this boot session. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3085 | Code Integrity will disable WHQL driver enforcement for this boot session. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3086 | Code Integrity determined that a process (%4) attempted to load %2 that did not meet the signing requirements for Isolated User Mode. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3087 | Code Integrity determined that the kernel module %2 is not compatible with hypervisor enforcement. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3089 | Signature information for another event. | ASD, Yamato Security Recommended |
| CodeIntegrity/Operational | 3090 | Code Integrity testing module %2 against policy %11. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3091 | Code Integrity testing module %2 against policy %11. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3092 | Code Integrity testing module %2 against policy %11. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3093 | other (see event data) | Yamato Security Recommended |
| CodeIntegrity/Operational | 3094 | other (see event data) | Yamato Security Recommended |
| CodeIntegrity/Operational | 3095 | Code Integrity policy %5 %2 is set to unrefreshable. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3096 | No change in active Code Integrity policy %5 %2 after refresh. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3097 | Not allowed to refresh Code Integrity policy %5 %2. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3098 | other (see event data) | Yamato Security Recommended |
| CodeIntegrity/Operational | 3099 | Refreshed and activated Code Integrity policy %5 %2. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3100 | Refreshed but not activated Code Integrity policy %5 %2. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3101 | Code Integrity policy refresh started for %1 policies. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3102 | Code Integrity policy refresh finished for %1 policies. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3103 | Ignoring refresh for Code Integrity policy ID %1. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3104 | Windows blocked file %2 which has been disallowed for protected processes. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3105 | Trying to refresh Code Integrity policy with policy ID %1. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3108 | Code Integrity successfully switched from %3 mode to %4 mode. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3109 | Code Integrity already switched from %3 mode to %4 mode. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3110 | Code Integrity failed to switch from %3 mode to %4 mode with error code %5. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3111 | Code Integrity determined that a process (%6) attempted to load %2 that is not compatible with hypervisor enforcement. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3112 | Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p... | Yamato Security Recommended |
| CodeIntegrity/Operational | 3113 | Code Integrity could not update the driver. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3114 | Code Integrity determined that %4 is trying to load %2 which failed the dynamic code trust verification with error code of %5. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3115 | Code Integrity determined that %4 is trying to load %2 which failed the dynamic code trust verification with error code of %5. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3116 | Signature information for Code Integrity policy ID %1. | Yamato Security Recommended |
| CodeIntegrity/Operational | 3117 | Code Integrity determined that a process (%4) attempted to load %2 that violated code integrity policy (Policy ID:%31). | Yamato Security Recommended |
| CodeIntegrity/Operational | 3118 | Smart App Control Block Details | Yamato Security Recommended |
| Dhcp-Client/Operational | 50028 | Address %1 is plumbed on the interface %2. | JSCU-NL Recommended |
| DHCPv6-Client/Operational | 51039 | Address %1 is plumbed on the interface %2. | JSCU-NL Recommended |
| DNS-Client/Operational | 3008 | DNS query is completed for the name %1, type %2, query options %3 with status %4 Results %5. | Microsoft-WEF, JSCU-NL Recommended |
| DNS-Client/Operational | 3020 | Query response for name %1, type %2, interface index %3 and network index %4 returned %5 with results %6. | NSA Recommended |
| DNS-Server-Service/DNS Server | 6001 | The DNS server successfully completed transfer of version %1 of zone %2 to the DNS server at %3. | ASD Recommended |
| DNSServer/Analytical | 256 | QUERY_RECEIVED: TCP=. | NSA Recommended |
| DNSServer/Analytical | 257 | RESPONSE_SUCCESS: TCP=. | NSA, ASD Recommended |
| DNSServer/Analytical | 258 | RESPONSE_FAILURE: TCP=. | ASD Recommended |
| DNSServer/Analytical | 259 | IGNORED_QUERY: TCP=. | ASD Recommended |
| DNSServer/Analytical | 260 | RECURSE_QUERY_OUT: TCP=. | ASD Recommended |
| DNSServer/Analytical | 261 | RECURSE_RESPONSE_IN: TCP=. | ASD Recommended |
| DNSServer/Analytical | 262 | RECURSE_QUERY_TIMEOUT: TCP=. | ASD Recommended |
| DNSServer/Analytical | 263 | DYN_UPDATE_RECV: TCP=. | ASD Recommended |
| DNSServer/Analytical | 264 | DYN_UPDATE_RESPONSE: TCP=. | ASD Recommended |
| DNSServer/Analytical | 277 | DYN_UPDATE_FORWARD: TCP=. | ASD Recommended |
| DNSServer/Analytical | 278 | DYN_UPDATE_RESPONSE_IN: TCP=. | ASD Recommended |
| DriverFrameworks-UserMode/Operational | 2003 | The UMDF Host Process (%1) has been asked to load drivers for device %2. | ANSSI Recommended |
| DriverFrameworks-UserMode/Operational | 2004 | The UMDF Host is loading driver %4 at level %3 for device %2. | Microsoft-WEF, ANSSI Recommended |
| DriverFrameworks-UserMode/Operational | 2006 | The UMDF Host successfully loaded the driver at level %3. | ANSSI Recommended |
| DriverFrameworks-UserMode/Operational | 2010 | The UMDF Host Process (%1) has successfully loaded drivers for device %2. | ANSSI Recommended |
| DriverFrameworks-UserMode/Operational | 2100 | Received a Pnp or Power operation (%3, %4) for device %2. | ANSSI Recommended |
| DriverFrameworks-UserMode/Operational | 2101 | Completed a Pnp or Power operation (%3, %4) for device %2 with status %9. | ANSSI Recommended |
| DriverFrameworks-UserMode/Operational | 2105 | Forwarded a Pnp or Power operation (%3, %4) for device %2 to the lower driver with status %9. | ANSSI Recommended |
| DriverFrameworks-UserMode/Operational | 2106 | Received a Pnp or Power operation (%3, %4) for device %2 which was completed by the lower drivers with status %9. | ANSSI Recommended |
| Eventlog/System | 104 | The System log file was cleared. | Microsoft-WEF, JSCU-NL, ANSSI Recommended |
| Eventlog/Security | 1100 | The event logging service has shut down. | JSCU-NL Recommended |
| Eventlog/Security | 1102 | The audit log was cleared. | Microsoft-AppendixL High; ASD, Olaf Hartong, JSCU-NL, ANSSI, Splunk-UBA Recommended |
| Eventlog/Security | 1104 | The security log is now full. | Palantir Recommended |
| FilterManager/System | 6 | File System Filter 'FileInfo' (6.1, 1.247502111e+09) has successfully loaded and registered with Filter Manager. | NSA Recommended |
| GroupPolicy/System | 1125 | The processing of Group Policy failed because of an internal system error. | NSA Recommended |
| GroupPolicy/System | 1126 | Windows was unable to determine whether new Group Policy settings defined by a network administrator should be enforced for this user or computer b... | NSA Recommended |
| GroupPolicy/System | 1129 | The processing of Group Policy failed because of lack of network connectivity to a domain controller. | NSA Recommended |
| Kernel-General/System | 1 | The system time has changed to %1 from %2. | NSA Recommended |
| Kernel-General/System | 12 | The operating system started at system time 1.3825413334687505e+09. | Microsoft-WEF, JSCU-NL, ANSSI Recommended |
| Kernel-General/System | 13 | The operating system is shutting down at system time StopTime. | Microsoft-WEF, JSCU-NL Recommended |
| Kernel-PnP/System | 219 | The driver %5 failed to load. | NSA Recommended |
| Kernel-PnP/Configuration | 400 | Device %1 was configured. | NSA Recommended |
| Kernel-PnP/Configuration | 410 | Device %1 was started. | NSA Recommended |
| Kernel-Power/System | 41 | The last sleep transition was unsuccessful. | JSCU-NL Recommended |
| NetworkProfile/Operational | 10000 | Network Connected Name: %1 Desc: %2 Type: %4 State: %5 Category: %6. | NSA Recommended |
| NetworkProfile/Operational | 10001 | Network Disconnected Name: %1 Desc: %2 Type: %4 State: %5 Category: %6. | NSA Recommended |
| NTLM/Operational | 4001 | NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked. | Yamato Security Recommended |
| NTLM/Operational | 4002 | NTLM server blocked: Incoming NTLM traffic to servers that is blocked Calling process PID: %1 Calling process name: %2 Calling process LUID: %3 Cal... | Yamato Security Recommended |
| NTLM/Operational | 4003 | NTLM server blocked in the domain: NTLM authentication in this domain that is blocked User: %1 Domain: %2 Workstation: %3 PID: %4 Process: %5 Logon... | Yamato Security Recommended |
| NTLM/Operational | 4010 | NTLM Minimum Client Security Block: Calling process PID: %1 Calling Process Name: %2 Negotiated Security Flags: %3 Minimum Security Flags: %4. | Yamato Security Recommended |
| NTLM/Operational | 4011 | NTLM Minimum Server Security Block: Calling process PID: %1 Calling Process Name: %2 Negotiated Security Flags: %3 Minimum Security Flags: %4. | Yamato Security Recommended |
| NTLM/Operational | 4012 | NTLM client used the domain password. | Yamato Security Recommended |
| NTLM/Operational | 4013 | Attempt to use NTLMv1 failed. | Yamato Security Recommended |
| NTLM/Operational | 4014 | Attempt to get credential key by call package blocked by Credential Guard. | Yamato Security Recommended |
| NTLM/Operational | 4015 | NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked. | Yamato Security Recommended |
| NTLM/Operational | 4020 | This machine attempted to authenticate to a remote resource via NTLM. | Yamato Security Recommended |
| NTLM/Operational | 4021 | This machine attempted to authenticate to a remote resource via NTLM. | Yamato Security Recommended |
| NTLM/Operational | 4022 | A remote client is using NTLM to authenticate to this workstation. | Yamato Security Recommended |
| NTLM/Operational | 4023 | A remote client is using NTLM to authenticate to this workstation. | Yamato Security Recommended |
| NTLM/Operational | 4024 | Auditing an attempt to use NTLMv1-derived credentials for Single Sign-On. | Yamato Security Recommended |
| NTLM/Operational | 4025 | An attempt to use NTLMv1-derived credentials for Single Sign-On was blocked due to policy. | Yamato Security Recommended |
| NTLM/Operational | 8001 | NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked. | Palantir, Yamato Security Recommended |
| NTLM/Operational | 8002 | NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked Calling process PID: %1 Calling process name: %2 Calling process LUID:... | Palantir, Yamato Security Recommended |
| NTLM/Operational | 8003 | NTLM server blocked in the domain audit: Audit NTLM authentication in this domain User: %1 Domain: %2 Workstation: %3 PID: %4 Process: %5 Logon typ... | Palantir, Yamato Security Recommended |
| PowerShell/Operational | 4097 | Computer Name $null or. | Yamato Security Recommended |
| PowerShell/Operational | 4098 | Resolving to default scheme http | Yamato Security Recommended |
| PowerShell/Operational | 4099 | Remote shell name resolved to default Microsoft. | Yamato Security Recommended |
| PowerShell/Operational | 4100 | %3 Context: %1 User Data: %2. | Olaf Hartong, Yamato Security Recommended |
| PowerShell/Operational | 4101 | %3 Context: %1 User Data: %2. | Olaf Hartong, Yamato Security Recommended |
| PowerShell/Operational | 4102 | %3 Context: %1 User Data: %2. | Olaf Hartong, Yamato Security Recommended |
| PowerShell/Operational | 4103 | %3 Context: %1 User Data: %2. | ASD, Olaf Hartong, Yamato Security, ANSSI Recommended Splunk-UBA Low |
| PowerShell/Operational | 4104 | Creating Scriptblock text (%1 of %2): %3 ScriptBlock ID: %4 Path: %5. | ASD, Olaf Hartong, Yamato Security, JSCU-NL, ANSSI Recommended Splunk-UBA Low |
| PowerShell/Operational | 4105 | Started invocation of ScriptBlock ID: %1 Runspace ID: %2. | Microsoft-WEF, Yamato Security, ANSSI Recommended |
| PowerShell/Operational | 4106 | Completed invocation of ScriptBlock ID: %1 Runspace ID: %2. | Microsoft-WEF, Yamato Security, ANSSI Recommended |
| PowerShell/Operational | 8193 | Creating Runspace object Instance Id. | Yamato Security Recommended |
| PowerShell/Operational | 8194 | Creating RunspacePool object InstanceId %1 MinRunspaces %2 MaxRunspaces %3. | Yamato Security Recommended |
| PowerShell/Operational | 8195 | Opening RunspacePool | Yamato Security Recommended |
| PowerShell/Operational | 8196 | Modifying activity Id and correlating | Yamato Security Recommended |
| PowerShell/Operational | 8197 | Runspace state changed to %1. | Yamato Security Recommended |
| PowerShell/Operational | 8198 | Attempting session creation retry %1 for error code %2 on session Id %3. | Yamato Security Recommended |
| PowerShell/Operational | 12039 | Modifying activity Id and correlating | Yamato Security Recommended |
| PowerShell/Operational | 24577 | Windows PowerShell ISE has started to run script file %1. | Yamato Security Recommended |
| PowerShell/Operational | 24578 | Windows PowerShell ISE has started to run a user-selected script from file %1. | Yamato Security Recommended |
| PowerShell/Operational | 24579 | Windows PowerShell ISE is stopping the current command. | Yamato Security Recommended |
| PowerShell/Operational | 24580 | Windows PowerShell ISE is resuming the debugger. | Yamato Security Recommended |
| PowerShell/Operational | 24581 | Windows PowerShell ISE is stopping the debugger. | Yamato Security Recommended |
| PowerShell/Operational | 24582 | Windows PowerShell ISE is stepping into debugging. | Yamato Security Recommended |
| PowerShell/Operational | 24583 | Windows PowerShell ISE is stepping over debugging. | Yamato Security Recommended |
| PowerShell/Operational | 24584 | Windows PowerShell ISE is stepping out of debugging. | Yamato Security Recommended |
| PowerShell/Operational | 24592 | Windows PowerShell ISE is enabling all breakpoints. | Yamato Security Recommended |
| PowerShell/Operational | 24593 | Windows PowerShell ISE is disabling all breakpoints. | Yamato Security Recommended |
| PowerShell/Operational | 24594 | Windows PowerShell ISE is removing all breakpoints. | Yamato Security Recommended |
| PowerShell/Operational | 24595 | Windows PowerShell ISE is setting the breakpoint at line #: %1 of file %2. | Yamato Security Recommended |
| PowerShell/Operational | 24596 | Windows PowerShell ISE is removing the breakpoint on line #: %1 of file %2. | Yamato Security Recommended |
| PowerShell/Operational | 24597 | Windows PowerShell ISE is enabling the breakpoint on line #: %1 of file %2. | Yamato Security Recommended |
| PowerShell/Operational | 24598 | Windows PowerShell ISE is disabling the breakpoint on line #: %1 of file %2. | Yamato Security Recommended |
| PowerShell/Operational | 24599 | Windows PowerShell ISE has hit a breakpoint on line #: %1 of file %2. | Yamato Security Recommended |
| PowerShell/Operational | 32777 | An unhandled exception occurred in the appdomain. | Yamato Security Recommended |
| PowerShell/Operational | 32784 | Runspace Id: %1 Pipeline Id: %2. | Yamato Security Recommended |
| PowerShell/Operational | 40961 | PowerShell console is starting up | Yamato Security Recommended |
| PowerShell/Operational | 40962 | PowerShell console is ready for user input | Yamato Security Recommended |
| PowerShell/Operational | 46358 | Persistence store has reached its maximum specified size | Yamato Security Recommended |
| PowerShell/Operational | 53249 | Scheduled Job %1 started at %2. | Yamato Security Recommended |
| PowerShell/Operational | 53250 | Scheduled Job %1 completed at %2 with state %3. | Yamato Security Recommended |
| PowerShell/Operational | 53251 | Scheduled Job Exception %1: Message: %2 StackTrace: %3 InnerException: %4. | Yamato Security Recommended |
| PowerShell/Operational | 53504 | Windows PowerShell has started an IPC listening thread on process: %1 in AppDomain: %2. | Yamato Security Recommended |
| PowerShell/Operational | 53505 | Windows PowerShell has ended an IPC listening thread on process: %1 in AppDomain: %2. | Yamato Security Recommended |
| PowerShell/Operational | 53506 | An error has occurred in Windows PowerShell IPC listening thread on process: %1 in AppDomain: %2. | Yamato Security Recommended |
| PowerShell/Operational | 53507 | Windows PowerShell IPC connect on process: %1 in AppDomain: %2 for User: %3. | Yamato Security Recommended |
| PowerShell/Operational | 53508 | Windows PowerShell IPC disconnect on process: %1 in AppDomain: %2 for User: %3. | Yamato Security Recommended |
| PrintService/Operational | 307 | Document %1, %2 owned by %3 on %4 was printed on %5 through port %6. | NSA Recommended |
| Security-Auditing | 1100 | | ANSSI Recommended |
| Security-Auditing/Security | 4608 | Windows is starting up. | Yamato Security, mdecrevoisier Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4609 | Windows is shutting down. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4610 | An authentication package has been loaded by the Local Security Authority. | ASD, Yamato Security, mdecrevoisier, JSCU-NL Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4611 | A trusted logon process has been registered with the Local Security Authority. | ASD, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4612 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. | ASD, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4614 | A notification package has been loaded by the Security Account Manager. | ASD, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4615 | Invalid use of LPC port. | ASD, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4616 | The system time was changed. | Microsoft-WEF, ASD, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4618 | A monitored security event pattern has occurred. | Microsoft-AppendixL High ASD, Yamato Security Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4621 | Administrator recovered system from CrashOnAuditFail. | Microsoft-AppendixL Medium ASD, Yamato Security Recommended |
| Security-Auditing/Security | 4622 | A security package has been loaded by the Local Security Authority. | ASD, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4624 | An account was successfully logged on. | Splunk-UBA High Palantir, ASD, Olaf Hartong, Yamato Security, mdecrevoisier, JSCU-NL, ANSSI Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4625 | An account failed to log on. | Splunk-UBA High Palantir, ASD, Olaf Hartong, Yamato Security, mdecrevoisier, JSCU-NL, ANSSI Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4626 | User / Device claims information. | Palantir Recommended |
| Security-Auditing/Security | 4627 | Group membership information. | ASD, JSCU-NL Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4634 | An account was logged off. | Splunk-UBA High Palantir, ASD, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4646 | %1 | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4647 | User initiated logoff. | Palantir, ASD, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4648 | A logon was attempted using explicit credentials. | Palantir, ASD, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4649 | A replay attack was detected. | Microsoft-AppendixL High Palantir, ASD, Yamato Security, mdecrevoisier, JSCU-NL Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4650 | An IPsec main mode security association was established. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4651 | An IPsec main mode security association was established. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4652 | An IPsec main mode negotiation failed. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4653 | An IPsec main mode negotiation failed. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4654 | An IPsec quick mode negotiation failed. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4655 | An IPsec main mode security association ended. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4656 | A handle to an object was requested. | Palantir, ASD, Yamato Security, mdecrevoisier Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4657 | A registry value was modified. | Microsoft-WEF, Olaf Hartong, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4658 | The handle to an object was closed. | ASD, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4659 | A handle to an object was requested with intent to delete. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4660 | An object was deleted. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4661 | A handle to an object was requested. | ASD, Yamato Security, mdecrevoisier Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4662 | An operation was performed on an object. | ASD, mdecrevoisier Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4663 | An attempt was made to access an object. | Palantir, ASD, Olaf Hartong, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4664 | An attempt was made to create a hard link. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4665 | An attempt was made to create an application client context. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4666 | An application attempted an operation: Subject: Client Name: %5 Client Domain: %6 Client Context ID: %7 Object: Object Name: %3 Scope Names: %4 App... | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4667 | An application client context was deleted. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4668 | An application was initialized. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4670 | Permissions on an object were changed. | ASD, Yamato Security, mdecrevoisier Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4671 | An application attempted to access a blocked ordinal through the TBS. | ASD, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4672 | Special privileges assigned to new logon. | Palantir, ASD, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4673 | A privileged service was called. | Palantir, ASD, Yamato Security, mdecrevoisier, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4674 | An operation was attempted on a privileged object. | Palantir, ASD, Yamato Security Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4675 | SIDs were filtered. | Microsoft-AppendixL Medium Palantir, ASD, Yamato Security Recommended |
| Security-Auditing/Security | 4688 | A new process has been created. | ASD, Olaf Hartong, Yamato Security, mdecrevoisier, JSCU-NL, ANSSI Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4689 | A process has exited. | Palantir, ASD, Olaf Hartong, JSCU-NL, ANSSI Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4690 | An attempt was made to duplicate a handle to an object. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4691 | Indirect access to an object was requested. | ASD, Yamato Security, mdecrevoisier Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4692 | Backup of data protection master key was attempted. | Microsoft-AppendixL Medium Splunk-UBA Low |
| Security-Auditing/Security | 4693 | Recovery of data protection master key was attempted. | Microsoft-AppendixL Medium Splunk-UBA Low |
| Security-Auditing/Security | 4694 | Protection of auditable protected data was attempted. | ASD Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4695 | Unprotection of auditable protected data was attempted. | ASD Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4696 | A primary token was assigned to process. | ASD, Yamato Security Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4697 | A service was installed in the system. | Palantir, ASD, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4698 | A scheduled task was created. | Palantir, ASD, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4699 | A scheduled task was deleted. | Palantir, ASD, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4700 | A scheduled task was enabled. | Palantir, ASD, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4701 | A scheduled task was disabled. | Palantir, ASD, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4702 | A scheduled task was updated. | ASD, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4703 | A user right was adjusted. | ASD, mdecrevoisier Recommended |
| Security-Auditing/Security | 4704 | A user right was assigned. | NSA, ASD Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4705 | A user right was removed. | ASD Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4706 | A new trust was created to a domain. | Microsoft-AppendixL Medium NSA, ASD, Yamato Security, JSCU-NL Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4707 | A trust to a domain was removed. | ASD, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4709 | The IPsec Policy Agent service was started. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4710 | The IPsec Policy Agent service was disabled. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4711 | %1 | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4712 | IPsec Policy Agent encountered a potentially serious failure. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4713 | Kerberos policy was changed. | Microsoft-AppendixL Medium NSA, ASD, Yamato Security, JSCU-NL Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4714 | Data Recovery Agent group policy for Encrypting File System (EFS) has changed. | Microsoft-AppendixL Medium NSA Recommended |
| Security-Auditing/Security | 4715 | The audit policy (SACL) on an object was changed. | Microsoft-AppendixL Medium Yamato Security, mdecrevoisier, JSCU-NL Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4716 | Trusted domain information was modified. | Microsoft-AppendixL Medium NSA, ASD, Yamato Security, JSCU-NL Recommended |
| Security-Auditing/Security | 4717 | System security access was granted to an account. | ASD, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4718 | System security access was removed from an account. | ASD, Yamato Security Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4719 | System audit policy was changed. | Microsoft-AppendixL High ASD, Yamato Security, JSCU-NL Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4720 | A user account was created. | Palantir, ASD, Yamato Security, mdecrevoisier, JSCU-NL, ANSSI Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4722 | A user account was enabled. | Palantir, ASD, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4723 | An attempt was made to change an account's password. | Palantir, ASD, Yamato Security, mdecrevoisier, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4724 | An attempt was made to reset an account's password. | Microsoft-AppendixL Medium Palantir, ASD, Olaf Hartong, Yamato Security, JSCU-NL Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4725 | A user account was disabled. | Palantir, ASD, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4726 | A user account was deleted. | Palantir, ASD, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4727 | A security-enabled global group was created. | Microsoft-AppendixL Medium ASD, Yamato Security, JSCU-NL Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4728 | A member was added to a security-enabled global group. | Palantir, ASD, Olaf Hartong, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4729 | A member was removed from a security-enabled global group. | ASD, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4730 | A security-enabled global group was deleted. | ASD, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4731 | A security-enabled local group was created. | NSA, ASD, Yamato Security, mdecrevoisier, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4732 | A member was added to a security-enabled local group. | Palantir, ASD, Olaf Hartong, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4733 | A member was removed from a security-enabled local group. | Microsoft-WEF, ASD, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4734 | A security-enabled local group was deleted. | ASD, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4735 | A security-enabled local group was changed. | Microsoft-AppendixL Medium NSA, ASD, Yamato Security, JSCU-NL Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4737 | A security-enabled global group was changed. | Microsoft-AppendixL Medium ASD, Yamato Security, JSCU-NL Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4738 | A user account was changed. | ASD, Olaf Hartong, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4739 | Domain Policy was changed. | Microsoft-AppendixL Medium ASD, Yamato Security, JSCU-NL Recommended |
| Security-Auditing/Security | 4740 | A user account was locked out. | Splunk-UBA High Palantir, ASD, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4741 | A computer account was created. | ASD, Yamato Security, mdecrevoisier, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4742 | A computer account was changed. | ASD, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4743 | A computer account was deleted. | ASD, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4744 | A security-disabled local group was created. | Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4745 | A security-disabled local group was changed. | Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4746 | A member was added to a security-disabled local group. | Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4747 | A member was removed from a security-disabled local group. | Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4748 | A security-disabled local group was deleted. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4749 | A security-disabled global group was created. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4750 | A security-disabled global group was changed. | Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4751 | A member was added to a security-disabled global group. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4752 | A member was removed from a security-disabled global group. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4753 | A security-disabled global group was deleted. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4754 | A security-enabled universal group was created. | Microsoft-AppendixL Medium ASD, Yamato Security, JSCU-NL Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4755 | A security-enabled universal group was changed. | Microsoft-AppendixL Medium ASD, Yamato Security, JSCU-NL Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4756 | A member was added to a security-enabled universal group. | Palantir, ASD, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4757 | A member was removed from a security-enabled universal group. | ASD, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4758 | A security-enabled universal group was deleted. | ASD, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4759 | A security-disabled universal group was created. | Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4760 | A security-disabled universal group was changed. | Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4761 | A member was added to a security-disabled universal group. | Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4762 | A member was removed from a security-disabled universal group. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4763 | A security-disabled universal group was deleted. | Splunk-UBA Low |
| Security-Auditing/Security | 4764 | A group’s type was changed. | Microsoft-AppendixL Medium ASD, Yamato Security, JSCU-NL Recommended |
| Security-Auditing/Security | 4765 | SID History was added to an account. | Microsoft-AppendixL High ASD, Yamato Security Recommended |
| Security-Auditing/Security | 4766 | An attempt to add SID History to an account failed. | Microsoft-AppendixL High ASD, Yamato Security Recommended |
| Security-Auditing/Security | 4767 | A user account was unlocked. | NSA, ASD, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4768 | A Kerberos authentication ticket (TGT) was requested. | Splunk-UBA High Palantir, ASD, mdecrevoisier, JSCU-NL Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4769 | A Kerberos service ticket was requested. | Splunk-UBA High Palantir, ASD, Olaf Hartong, Yamato Security, mdecrevoisier, JSCU-NL Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4770 | A Kerberos service ticket was renewed. | ASD, Yamato Security Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4771 | Kerberos pre-authentication failed. | Palantir, ASD, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4772 | A Kerberos authentication ticket request failed. | Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4773 | A Kerberos service ticket request failed. | Yamato Security Recommended |
| Security-Auditing/Security | 4774 | An account was mapped for logon. | Palantir, Yamato Security, mdecrevoisier Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4775 | An account could not be mapped for logon. | Palantir, Yamato Security, mdecrevoisier Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4776 | The domain controller attempted to validate the credentials for an account. | Splunk-UBA High Palantir, ASD, Yamato Security, ANSSI Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4777 | The domain controller failed to validate the credentials for an account. | Palantir, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4778 | A session was reconnected to a Window Station. | Palantir, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4779 | A session was disconnected from a Window Station. | Palantir, ASD, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4780 | The ACL was set on accounts which are members of administrators groups. | Microsoft-AppendixL Medium ASD, Yamato Security, JSCU-NL Recommended |
| Security-Auditing/Security | 4781 | The name of an account was changed. | NSA, ASD, Yamato Security, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4782 | The password hash an account was accessed. | NSA, mdecrevoisier, JSCU-NL Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4783 | A basic application group was created. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4784 | A basic application group was changed. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4785 | A member was added to a basic application group. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4786 | A member was removed from a basic application group. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4787 | A non-member was added to a basic application group. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4788 | A non-member was removed from a basic application group. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4789 | A basic application group was deleted. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4790 | An LDAP query group was created. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4793 | The Password Policy Checking API was called. | NSA Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4794 | An attempt was made to set the Directory Services Restore Mode administrator password. | Microsoft-AppendixL High ASD, Yamato Security, JSCU-NL Recommended |
| Security-Auditing/Security | 4797 | An attempt was made to query the existence of a blank password for an account. | Yamato Security Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4798 | A user's local group membership was enumerated. | Yamato Security, JSCU-NL Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4799 | A security-enabled local group membership was enumerated. | Yamato Security, JSCU-NL Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4800 | The workstation was locked. | Palantir, Yamato Security Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4801 | The workstation was unlocked. | Palantir, Yamato Security Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4802 | The screen saver was invoked. | Palantir, Yamato Security Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4803 | The screen saver was dismissed. | Palantir, Yamato Security Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4816 | RPC detected an integrity violation while decrypting an incoming message. | Microsoft-AppendixL Medium Yamato Security Recommended |
| Security-Auditing/Security | 4817 | Auditing settings on object were changed. | Yamato Security, JSCU-NL Recommended |
| Security-Auditing/Security | 4820 | A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions. | ASD Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4821 | A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions. | ASD Recommended |
| Security-Auditing/Security | 4822 | NTLM authentication failed because the account was a member of the Protected User group. | ASD Recommended |
| Security-Auditing/Security | 4824 | Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group. | ASD Recommended |
| Security-Auditing/Security | 4825 | A user was denied the access to Remote Desktop. | Yamato Security, mdecrevoisier Recommended |
| Security-Auditing/Security | 4826 | Boot Configuration Data loaded. | JSCU-NL Recommended |
| Security-Auditing/Security | 4864 | A namespace collision was detected. | ASD, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4865 | A trusted forest information entry was added. | Microsoft-AppendixL Medium ASD, Yamato Security, JSCU-NL Recommended |
| Security-Auditing/Security | 4866 | A trusted forest information entry was removed. | Microsoft-AppendixL Medium ASD, Yamato Security, JSCU-NL Recommended |
| Security-Auditing/Security | 4867 | A trusted forest information entry was modified. | Microsoft-AppendixL Medium ASD, Yamato Security, JSCU-NL Recommended |
| Security-Auditing/Security | 4868 | The certificate manager denied a pending certificate request. | Microsoft-AppendixL Medium Yamato Security, mdecrevoisier Recommended |
| Security-Auditing/Security | 4869 | Certificate Services received a resubmitted certificate request. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4870 | Certificate Services revoked a certificate. | Microsoft-AppendixL Medium NSA, Yamato Security Recommended |
| Security-Auditing/Security | 4871 | Certificate Services received a request to publish the certificate revocation list (CRL). | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4872 | Certificate Services published the certificate revocation list (CRL). | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4873 | A certificate request extension changed. | NSA, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4874 | One or more certificate request attributes changed. | NSA, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4875 | Certificate Services received a request to shut down. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4876 | Certificate Services backup started. | ASD, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4877 | Certificate Services backup completed. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4878 | Certificate Services restore started. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4879 | Certificate Services restore completed. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4880 | Certificate Services started. | Microsoft-WEF, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4881 | Certificate Services stopped. | Microsoft-WEF, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4882 | The security permissions for Certificate Services changed. | Microsoft-AppendixL Medium NSA, Yamato Security Recommended |
| Security-Auditing/Security | 4883 | Certificate Services retrieved an archived key. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4884 | Certificate Services imported a certificate into its database. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4885 | The audit filter for Certificate Services changed. | Microsoft-AppendixL Medium NSA, Yamato Security Recommended |
| Security-Auditing/Security | 4886 | Certificate Services received a certificate request. | Microsoft-WEF, ASD, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4887 | Certificate Services approved a certificate request and issued a certificate. | Microsoft-WEF, ASD, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4888 | Certificate Services denied a certificate request. | Microsoft-WEF, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4889 | Certificate Services set the status of a certificate request to pending. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4890 | The certificate manager settings for Certificate Services changed. | Microsoft-AppendixL Medium NSA, Yamato Security Recommended |
| Security-Auditing/Security | 4891 | A configuration entry changed in Certificate Services. | NSA, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4892 | A property of Certificate Services changed. | Microsoft-AppendixL Medium NSA, Yamato Security Recommended |
| Security-Auditing/Security | 4893 | Certificate Services archived a key. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4894 | Certificate Services imported and archived a key. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4895 | Certificate Services published the CA certificate to Active Directory Domain Services. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4896 | One or more rows have been deleted from the certificate database. | Microsoft-AppendixL Medium Microsoft-WEF, Yamato Security Recommended |
| Security-Auditing/Security | 4897 | Role separation enabled. | Microsoft-AppendixL High ASD, Yamato Security Recommended |
| Security-Auditing/Security | 4898 | Certificate Services loaded a template. | Microsoft-WEF, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4899 | A Certificate Services template was updated. | NSA, ASD Recommended |
| Security-Auditing/Security | 4900 | Certificate Services template security was updated. | NSA, ASD Recommended |
| Security-Auditing/Security | 4902 | The Per-user audit policy table was created. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4904 | An attempt was made to register a security event source. | Yamato Security, JSCU-NL Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4905 | An attempt was made to unregister a security event source. | Yamato Security, JSCU-NL Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4906 | The CrashOnAuditFail value has changed. | Microsoft-AppendixL Medium Yamato Security, JSCU-NL Recommended |
| Security-Auditing/Security | 4907 | Auditing settings on object were changed. | Microsoft-AppendixL Medium Yamato Security, JSCU-NL Recommended Splunk-UBA Low |
| Security-Auditing/Security | 4908 | Special Groups Logon table modified. | Microsoft-AppendixL Medium Yamato Security, JSCU-NL Recommended |
| Security-Auditing/Security | 4909 | The local policy settings for the TBS were changed. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4910 | The group policy settings for the TBS were changed. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4911 | Resource attributes of the object were changed. | Splunk-UBA Low |
| Security-Auditing/Security | 4912 | Per User Audit Policy was changed. | Microsoft-AppendixL Medium Yamato Security, JSCU-NL Recommended |
| Security-Auditing/Security | 4928 | An Active Directory replica source naming context was established. | ASD, mdecrevoisier Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4929 | An Active Directory replica source naming context was removed. | ASD Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4930 | An Active Directory replica source naming context was modified. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4931 | An Active Directory replica destination naming context was modified. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4932 | Synchronization of a replica of an Active Directory naming context has begun. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4933 | Synchronization of a replica of an Active Directory naming context has ended. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4934 | Attributes of an Active Directory object were replicated. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4935 | Replication failure begins. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4936 | Replication failure ends. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4937 | A lingering object was removed from a replica. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4944 | The following policy was active when the Windows Firewall started. | mdecrevoisier Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 4945 | A rule was listed when the Windows Firewall started. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4946 | A change has been made to Windows Firewall exception list. A rule was added. | Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4947 | A change has been made to Windows Firewall exception list. A rule was modified. | Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4948 | A change has been made to Windows Firewall exception list. A rule was deleted. | Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4949 | Windows Firewall settings were restored to the default values. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4950 | A Windows Firewall setting has changed. | Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 4951 | A rule has been ignored because its major version number was not recognized by Windows Firewall. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4952 | Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4953 | A rule has been ignored by Windows Firewall because it could not parse the rule. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4954 | Windows Firewall Group Policy settings has changed. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4956 | Windows Firewall has changed the active profile. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4957 | Windows Firewall did not apply the following rule. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4958 | Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4960 | IPsec dropped an inbound packet that failed an integrity check. | Microsoft-AppendixL Medium ASD Recommended |
| Security-Auditing/Security | 4961 | IPsec dropped an inbound packet that failed a replay check. | Microsoft-AppendixL Medium ASD Recommended |
| Security-Auditing/Security | 4962 | IPsec dropped an inbound packet that failed a replay check. | Microsoft-AppendixL Medium ASD Recommended |
| Security-Auditing/Security | 4963 | IPsec dropped an inbound clear text packet that should have been secured. | Microsoft-AppendixL Medium ASD Recommended |
| Security-Auditing/Security | 4964 | Special groups have been assigned to a new logon. | Microsoft-AppendixL High Palantir, ASD, Yamato Security, mdecrevoisier Recommended |
| Security-Auditing/Security | 4965 | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). | Microsoft-AppendixL Medium ASD Recommended |
| Security-Auditing/Security | 4976 | During Main Mode negotiation, IPsec received an invalid negotiation packet. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 4977 | During Quick Mode negotiation, IPsec received an invalid negotiation packet. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 4978 | During Extended Mode negotiation, IPsec received an invalid negotiation packet. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 4979 | IPsec Main Mode and Extended Mode security associations were established. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4980 | IPsec Main Mode and Extended Mode security associations were established. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4981 | IPsec Main Mode and Extended Mode security associations were established. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4982 | IPsec Main Mode and Extended Mode security associations were established. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 4983 | An IPsec Extended Mode negotiation failed. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 4984 | An IPsec Extended Mode negotiation failed. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 4985 | The state of a transaction has changed. | ASD, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5024 | The Windows Firewall Service has started successfully. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5025 | The Windows Firewall Service has been stopped. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5027 | The Windows Firewall Service was unable to retrieve the security policy from the local storage. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 5028 | The Windows Firewall Service was unable to parse the new security policy. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 5029 | The Windows Firewall Service failed to initialize the driver. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 5030 | The Windows Firewall Service failed to start. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 5031 | The Windows Firewall Service blocked an application from accepting incoming connections on the network. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5032 | Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5033 | The Windows Firewall Driver has started successfully. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5034 | The Windows Firewall Driver has been stopped. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5035 | The Windows Firewall Driver failed to start. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 5037 | The Windows Firewall Driver detected critical runtime error. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 5038 | Code integrity determined that the image hash of a file is not valid. | Microsoft-AppendixL Medium NSA, ASD, Olaf Hartong, Yamato Security, mdecrevoisier, JSCU-NL Recommended |
| Security-Auditing/Security | 5039 | A registry key was virtualized. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5040 | A change has been made to IPsec settings. An Authentication Set was added. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5041 | A change has been made to IPsec settings. An Authentication Set was modified. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5042 | A change has been made to IPsec settings. An Authentication Set was deleted. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5043 | A change has been made to IPsec settings. A Connection Security Rule was added. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5044 | A change has been made to IPsec settings. A Connection Security Rule was modified. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5045 | A change has been made to IPsec settings. A Connection Security Rule was deleted. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5046 | A change has been made to IPsec settings. A Crypto Set was added. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5047 | A change has been made to IPsec settings. A Crypto Set was modified. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5048 | A change has been made to IPsec settings. A Crypto Set was deleted. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5049 | An IPsec Security Association was deleted. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5050 | An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE) interface was rejected. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5051 | A file was virtualized. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5056 | A cryptographic self test was performed. | ASD, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5057 | A cryptographic primitive operation failed. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5058 | Key file operation. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5059 | Key migration operation. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5060 | Verification operation failed. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5061 | Cryptographic operation. | ASD, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5062 | A kernel-mode cryptographic self test was performed. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5063 | A cryptographic provider operation was attempted. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5064 | A cryptographic context operation was attempted. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5065 | A cryptographic context modification was attempted. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5066 | A cryptographic function operation was attempted. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5067 | A cryptographic function modification was attempted. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5068 | A cryptographic function provider operation was attempted. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5069 | A cryptographic function property operation was attempted. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5070 | A cryptographic function property modification was attempted. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5120 | OCSP Responder Service Started. | Microsoft-AppendixL Medium Yamato Security, mdecrevoisier Recommended |
| Security-Auditing/Security | 5121 | OCSP Responder Service Stopped. | Microsoft-AppendixL Medium Yamato Security Recommended |
| Security-Auditing/Security | 5122 | A Configuration entry changed in the OCSP Responder Service. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 5123 | A configuration entry changed in the OCSP Responder Service. | Microsoft-AppendixL Medium Yamato Security Recommended |
| Security-Auditing/Security | 5124 | A security setting was updated on OCSP Responder Service. | Microsoft-AppendixL High ASD, Yamato Security Recommended |
| Security-Auditing/Security | 5125 | A request was submitted to OCSP Responder Service. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5126 | Signing Certificate was automatically updated by the OCSP Responder Service. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5127 | The OCSP Revocation Provider successfully updated the revocation information. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5136 | A directory service object was modified. | NSA, ASD, mdecrevoisier Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5137 | A directory service object was created. | NSA, ASD Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5138 | A directory service object was undeleted. | NSA, ASD Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5139 | A directory service object was moved. | NSA, ASD Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5140 | A network share object was accessed. | Palantir, Olaf Hartong, Yamato Security, mdecrevoisier, JSCU-NL, ANSSI Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 5141 | A directory service object was deleted. | NSA, ASD Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5142 | A network share object was added. | Microsoft-WEF, Yamato Security, JSCU-NL, ANSSI Recommended Splunk-UBA Low |
| Security-Auditing/Security | 5143 | A network share object was modified. | Yamato Security Recommended |
| Security-Auditing/Security | 5144 | A network share object was deleted. | Microsoft-WEF, Yamato Security, ANSSI Recommended Splunk-UBA Low |
| Security-Auditing/Security | 5145 | A network share object was checked to see whether client can be granted desired access. | Palantir, Olaf Hartong, mdecrevoisier, ANSSI Recommended Splunk-UBA Low |
| Security-Auditing/Security | 5148 | The Windows Filtering Platform has detected a DoS attack and entered a defensive mode. | Yamato Security, mdecrevoisier Recommended |
| Security-Auditing/Security | 5149 | The DoS attack has subsided and normal processing is being resumed. | Yamato Security Recommended |
| Security-Auditing/Security | 5150 | The Windows Filtering Platform has blocked a packet. | Yamato Security Recommended |
| Security-Auditing/Security | 5151 | A more restrictive Windows Filtering Platform filter has blocked a packet. | Yamato Security Recommended |
| Security-Auditing/Security | 5152 | The Windows Filtering Platform blocked a packet. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5153 | A more restrictive Windows Filtering Platform filter has blocked a packet. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5156 | The Windows Filtering Platform has permitted a connection. | Olaf Hartong, Yamato Security Recommended Microsoft-AppendixL, Splunk-UBA Low |
| Security-Auditing/Security | 5157 | The Windows Filtering Platform has blocked a connection. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5158 | The Windows Filtering Platform has permitted a bind to a local port. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5159 | The Windows Filtering Platform has blocked a bind to a local port. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5168 | SPN check for SMB/SMB2 fails. | Yamato Security Recommended |
| Security-Auditing/Security | 5376 | Credential Manager credentials were backed up. | Microsoft-AppendixL Medium NSA, ASD, Yamato Security, JSCU-NL Recommended |
| Security-Auditing/Security | 5377 | Credential Manager credentials were restored from a backup. | Microsoft-AppendixL Medium NSA, ASD, Yamato Security, JSCU-NL Recommended |
| Security-Auditing/Security | 5378 | The requested credentials delegation was disallowed by policy. | Palantir, Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5379 | Credential Manager credentials were read. | Yamato Security Recommended Splunk-UBA Low |
| Security-Auditing/Security | 5381 | Vault credentials were read. | Yamato Security Recommended |
| Security-Auditing/Security | 5382 | Vault credentials were read. | Yamato Security Recommended |
| Security-Auditing/Security | 5440 | The following callout was present when the Windows Filtering Platform Base Filtering Engine started. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5441 | The following filter was present when the Windows Filtering Platform Base Filtering Engine started. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5442 | The following provider was present when the Windows Filtering Platform Base Filtering Engine started. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5443 | The following provider context was present when the Windows Filtering Platform Base Filtering Engine started. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5444 | The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5446 | A Windows Filtering Platform callout has been changed. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5447 | A Windows Filtering Platform filter has been changed. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5448 | A Windows Filtering Platform provider has been changed. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5449 | A Windows Filtering Platform provider context has been changed. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5450 | A Windows Filtering Platform sub-layer has been changed. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5451 | An IPsec quick mode security association was established. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5452 | An IPsec quick mode security association ended. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5453 | An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 5456 | PAStore Engine applied Active Directory storage IPsec policy on the computer. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5457 | PAStore Engine failed to apply Active Directory storage IPsec policy on the computer. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5458 | PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5459 | PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5460 | PAStore Engine applied local registry storage IPsec policy on the computer. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5461 | PAStore Engine failed to apply local registry storage IPsec policy on the computer. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5462 | PAStore Engine failed to apply some rules of the active IPsec policy on the computer. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5463 | PAStore Engine polled for changes to the active IPsec policy and detected no changes. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5464 | PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5465 | PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5466 | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5467 | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5468 | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5471 | PAStore Engine loaded local storage IPsec policy on the computer. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5472 | PAStore Engine failed to load local storage IPsec policy on the computer. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5473 | PAStore Engine loaded directory storage IPsec policy on the computer. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5474 | PAStore Engine failed to load directory storage IPsec policy on the computer. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5477 | PAStore Engine failed to add quick mode filter. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5478 | IPsec Services has started successfully. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5479 | IPsec Services has been shut down successfully. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5480 | IPsec Services failed to get the complete list of network interfaces on the computer. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 5483 | IPsec Services failed to initialize RPC server. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 5484 | IPsec Services has experienced a critical failure and has been shut down. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 5485 | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 5632 | A request was made to authenticate to a wireless network. | Microsoft-WEF, Yamato Security, JSCU-NL, ANSSI Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5633 | A request was made to authenticate to a wired network. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5712 | A Remote Procedure Call (RPC) was attempted. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 5888 | An object in the COM+ Catalog was modified. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5889 | An object was deleted from the COM+ Catalog. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 5890 | An object was added to the COM+ Catalog. | Yamato Security Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 6144 | Security policy in the group policy objects has been applied successfully. | Microsoft-AppendixL Low |
| Security-Auditing/Security | 6145 | One or more errors occurred while processing security policy in the group policy objects. | Microsoft-AppendixL Medium |
| Security-Auditing/Security | 6272 | Network Policy Server granted access to a user. | Microsoft-WEF, mdecrevoisier Recommended Microsoft-AppendixL Low |
| Security-Auditing/Security | 6273 | Network Policy Server denied access to a user. | Microsoft-AppendixL Medium Microsoft-WEF Recommended Splunk-UBA Low |
| Security-Auditing/Security | 6274 | Network Policy Server discarded the request for a user. | Microsoft-AppendixL Medium Microsoft-WEF Recommended |
| Security-Auditing/Security | 6275 | Network Policy Server discarded the accounting request for a user. | Microsoft-AppendixL Medium Microsoft-WEF Recommended |
| Security-Auditing/Security | 6276 | Network Policy Server quarantined a user. | Microsoft-AppendixL Medium Microsoft-WEF Recommended Splunk-UBA Low |
| Security-Auditing/Security | 6277 | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. | Microsoft-AppendixL Medium Microsoft-WEF Recommended Splunk-UBA Low |
| Security-Auditing/Security | 6278 | Network Policy Server granted full access to a user because the host met the defined health policy. | Microsoft-AppendixL Medium Microsoft-WEF Recommended |
| Security-Auditing/Security | 6279 | Network Policy Server locked the user account due to repeated failed authentication attempts. | Microsoft-AppendixL Medium Microsoft-WEF Recommended |
| Security-Auditing/Security | 6280 | Network Policy Server unlocked the user account. | Microsoft-AppendixL Medium Microsoft-WEF Recommended |
| Security-Auditing/Security | 6281 | Code Integrity determined that the page hashes of an image file are not valid. | NSA, ASD, Olaf Hartong, Yamato Security, JSCU-NL Recommended |
| Security-Auditing/Security | 6410 | Code integrity determined that a file does not meet the security requirements to load into a process. | ASD, Yamato Security, JSCU-NL Recommended |
| Security-Auditing/Security | 6416 | A new external device was recognized by the system. | Yamato Security, mdecrevoisier, JSCU-NL, ANSSI Recommended Splunk-UBA Low |
| Security-Auditing/Security | 6419 | A request was made to disable a device. | Yamato Security Recommended |
| Security-Auditing/Security | 6420 | A device was disabled. | Yamato Security Recommended |
| Security-Auditing/Security | 6421 | A request was made to enable a device. | Yamato Security Recommended |
| Security-Auditing/Security | 6422 | A device was enabled. | Yamato Security Recommended |
| Security-Auditing/Security | 6423 | The installation of this device is forbidden by system policy. | Yamato Security Recommended |
| Security-Auditing/Security | 6424 | The installation of this device was allowed, after having previously been forbidden by policy. | Yamato Security Recommended |
| Security-Mitigations/KernelMode | 1 | Process '%2' (PID %5) would have been blocked from generating dynamic code. | JSCU-NL Recommended |
| Security-Mitigations/KernelMode | 2 | Process '%2' (PID %5) was blocked from generating dynamic code. | JSCU-NL Recommended |
| Security-Mitigations/KernelMode | 3 | Process '%2' (PID %5) would have been blocked from creating a child process '%14' with command line '%16'. | JSCU-NL Recommended |
| Security-Mitigations/KernelMode | 4 | Process '%2' (PID %5) was blocked from creating a child process '%14' with command line '%16'. | JSCU-NL Recommended |
| Security-Mitigations/KernelMode | 5 | Process '%2' (PID %5) would have been blocked from loading the low-integrity binary '%14'. | JSCU-NL Recommended |
| Security-Mitigations/KernelMode | 6 | Process '%2' (PID %5) was blocked from loading the low-integrity binary '%14'. | JSCU-NL Recommended |
| Security-Mitigations/KernelMode | 7 | Process '%2' (PID %5) would have been blocking from loading a binary from a remote share. | JSCU-NL Recommended |
| Security-Mitigations/KernelMode | 8 | Process '%2' (PID %5) was blocked from loading a binary from a remote share. | JSCU-NL Recommended |
| Security-Mitigations/KernelMode | 9 | Process '%2' (PID %5) would have been blocked from making system calls to Win32k. | JSCU-NL Recommended |
| Security-Mitigations/KernelMode | 10 | Process '%2' (PID %5) was blocked from making system calls to Win32k. | JSCU-NL Recommended |
| Security-Mitigations/KernelMode | 11 | Process '%2' (PID %5) would have been blocked from loading the non-Microsoft-signed binary '%16'. | JSCU-NL Recommended |
| Security-Mitigations/KernelMode | 12 | Process '%2' (PID %5) was blocked from loading the non-Microsoft-signed binary '%16'. | JSCU-NL Recommended |
| Security-Mitigations/UserMode | 13 | Process '%2' (PID %3) would have been blocked from accessing the Export Address Table for module '%8'. | JSCU-NL Recommended |
| Security-Mitigations/UserMode | 14 | Process '%2' (PID %3) was blocked from accessing the Export Address Table for module '%8'. | JSCU-NL Recommended |
| Security-Mitigations/UserMode | 15 | Process '%2' (PID %3) would have been blocked from accessing the Export Address Table for module '%8'. | JSCU-NL Recommended |
| Security-Mitigations/UserMode | 16 | Process '%2' (PID %3) was blocked from accessing the Export Address Table for module '%8'. | JSCU-NL Recommended |
| Security-Mitigations/UserMode | 17 | Process '%2' (PID %3) would have been blocked from accessing the Import Address Table for API '%10'. | JSCU-NL Recommended |
| Security-Mitigations/UserMode | 18 | Process '%2' (PID %3) was blocked from accessing the Import Address Table for API '%10'. | JSCU-NL Recommended |
| Security-Mitigations/UserMode | 19 | Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications. | JSCU-NL Recommended |
| Security-Mitigations/UserMode | 20 | Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications. | JSCU-NL Recommended |
| Security-Mitigations/UserMode | 21 | Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications. | JSCU-NL Recommended |
| Security-Mitigations/UserMode | 22 | Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications. | JSCU-NL Recommended |
| Security-Mitigations/UserMode | 23 | Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications. | JSCU-NL Recommended |
| Security-Mitigations/UserMode | 24 | Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications. | JSCU-NL Recommended |
| Servicing/Setup | 2 | Package %1 was successfully changed to the %2 state. | NSA Recommended |
| SMBClient/Operational | 30622 | Session to server {ObjectName} was re-established. | Microsoft-WEF Recommended |
| SMBClient/Operational | 30624 | Connection to share {ObjectName} was re-established. | Microsoft-WEF Recommended |
| SoftwareRestrictionPolicies/Application | 865 | Access to %1 has been restricted by your Administrator by the default software restriction policy level. | NSA, JSCU-NL Recommended |
| SoftwareRestrictionPolicies/Application | 866 | Access to %1 has been restricted by your Administrator by location with policy rule %2 placed on path %3. | NSA, JSCU-NL, ANSSI Recommended |
| SoftwareRestrictionPolicies/Application | 867 | Access to %1 has been restricted by your Administrator by software publisher policy. | NSA, JSCU-NL Recommended |
| SoftwareRestrictionPolicies/Application | 868 | Access to %1 has been restricted by your Administrator by policy rule %2. | NSA, JSCU-NL Recommended |
| SoftwareRestrictionPolicies/Application | 882 | Access to %1 has been restricted by your Administrator by policy rule %2. | NSA, JSCU-NL Recommended |
| Sysmon/Operational | 1 | Process creation | ASD, Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 2 | A process changed a file creation time | Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 3 | Network connection | Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 4 | Sysmon service state changed | Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 5 | Process terminated | Palantir, Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 6 | Driver loaded | Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 7 | Image loaded | Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 8 | CreateRemoteThread | Palantir, Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 9 | RawAccessRead | JSCU-NL Recommended |
| Sysmon/Operational | 10 | ProcessAccess | JSCU-NL Recommended |
| Sysmon/Operational | 11 | FileCreate | Palantir, Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 12 | RegistryEvent (Object create and delete) | Palantir, Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 13 | RegistryEvent (Value Set) | Palantir, Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 14 | RegistryEvent (Key and Value Rename) | Palantir, Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 15 | FileCreateStreamHash | Palantir, Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 16 | ServiceConfigurationChange | Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 17 | PipeEvent (Pipe Created) | Palantir, Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 18 | PipeEvent (Pipe Connected) | Palantir, Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 19 | WmiEvent (WmiEventFilter activity detected) | Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 20 | WmiEvent (WmiEventConsumer activity detected) | Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 21 | WmiEvent (WmiEventConsumerToFilter activity detected) | Olaf Hartong, JSCU-NL Recommended |
| Sysmon/Operational | 22 | DNSEvent (DNS query) | JSCU-NL Recommended |
| Sysmon/Operational | 23 | FileDelete (File Delete archived) | Palantir, JSCU-NL Recommended |
| Sysmon/Operational | 24 | ClipboardChange (New content in the clipboard) | JSCU-NL Recommended |
| Sysmon/Operational | 25 | ProcessTampering (Process image change) | Palantir, JSCU-NL Recommended |
| Sysmon/Operational | 26 | FileDeleteDetected (File Delete logged) | JSCU-NL Recommended |
| Sysmon/Operational | 255 | Error report: UtcTime: %1 ID: %2 Description: %3. | JSCU-NL Recommended |
| TaskScheduler/Operational | 100 | Task Scheduler started "%3" instance of the "%1" task for user "%2". | Olaf Hartong, Yamato Security, ANSSI Recommended |
| TaskScheduler/Operational | 101 | Task Scheduler failed to start "%1" task for user "%2". | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 102 | Task Scheduler successfully finished "%3" instance of the "%1" task for user "%2". | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 103 | Task Scheduler failed to start instance "%2" of "%1" task for user "%3" . | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 104 | Task Scheduler failed to log on "%1" . | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 105 | Task Scheduler failed to impersonate "%1" . | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 106 | User "%2" registered Task Scheduler task "%1". | Microsoft-WEF, Olaf Hartong, Yamato Security, ANSSI Recommended |
| TaskScheduler/Operational | 107 | Task Scheduler launched "%2" instance of task "%1" due to a time trigger condition. | Olaf Hartong, Yamato Security, ANSSI Recommended |
| TaskScheduler/Operational | 108 | Task Scheduler launched "%2" instance of task "%1" according to an event trigger. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 109 | Task Scheduler launched "%2" instance of task "%1" according to a registration trigger. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 110 | Task Scheduler launched "%2" instance of task "%1" for user "%3" . | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 111 | Task Scheduler terminated "%2" instance of the "%1" task. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 112 | Task Scheduler could not start task "%1" because the network was unavailable. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 113 | Task registered task "%1" , but not all specified triggers will start the task. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 114 | Task Scheduler could not launch task "%1" as scheduled. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 115 | Task Scheduler failed to roll back a transaction when updating or deleting a task. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 116 | Task Scheduler validated the configuration for task "%1" , but credentials could not be stored. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 117 | Task Scheduler launched "%2" instance of task "%1" due to an idle condition. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 118 | Task Scheduler launched "%2" instance of task "%1" due to system startup. | ASD, Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 119 | Task Scheduler launched "%3" instance of task "%1" due to user "%2" logon. | ASD, Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 120 | Task Scheduler launched "%3" instance of task "%1" due to user "%2" connecting to the console trigger. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 121 | Task Scheduler launched "%3" instance of task "%1" due to user "%2" disconnecting from the console trigger. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 122 | Task Scheduler launched "%3" instance of task "%1" due to user "%2" remotely connecting trigger. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 123 | Task Scheduler launched "%3" instance of task "%1" due to user "%2" remotely disconnecting trigger. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 124 | Task Scheduler launched "%3" instance of task "%1" due to user "%2" locking the computer trigger. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 125 | Task Scheduler launched "%3" instance of task "%1" due to user "%2" unlocking the computer trigger. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 126 | Task Scheduler failed to execute task "%1" . | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 127 | Task Scheduler failed to execute task "%1" due to a shutdown race condition. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 128 | Task Scheduler did not launch task "%1" , because current time exceeds the configured task end time. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 129 | Task Scheduler launch task "%1" , instance "%2" with process ID %3. | ASD, Olaf Hartong, Yamato Security, ANSSI Recommended |
| TaskScheduler/Operational | 130 | Task Scheduler failed to start task "%1" due to the service being busy. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 131 | Task Scheduler failed to start task "%1" because the number of tasks in the task queue exceeding the quota currently configured to %2. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 132 | Task Scheduler task launching queue quota is approaching its preset limit of tasks currently configured to %1. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 133 | Task Scheduler failed to start task %1" in TaskEngine "%2" for user "%3". | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 134 | Task Engine "%1" for user "%2" is approaching its preset limit of tasks. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 135 | Task Scheduler could not start task "%1" because the machine was not idle. | Olaf Hartong, Yamato Security Recommended |
| TaskScheduler/Operational | 140 | User "%2" updated Task Scheduler task "%1". | Yamato Security, ANSSI Recommended |
| TaskScheduler/Operational | 141 | User "%2" deleted Task Scheduler task "%1". | Microsoft-WEF, Yamato Security, ANSSI Recommended |
| TaskScheduler/Operational | 142 | User "%2" disabled Task Scheduler task "%1". | Microsoft-WEF, Yamato Security, ANSSI Recommended |
| TaskScheduler/Operational | 145 | Task Scheduler woke up the computer to run a task. | Yamato Security Recommended |
| TaskScheduler/Operational | 146 | Task Scheduler failed to load task "%1" at service startup. | Yamato Security Recommended |
| TaskScheduler/Operational | 147 | Task Scheduler recovered sucessfully the image of task "%1" after a corruption occured during OS upgrade. | Yamato Security Recommended |
| TaskScheduler/Operational | 148 | Task Scheduler failed to recover the image of task "%1" after a corruption occured during OS upgrade. | Yamato Security Recommended |
| TaskScheduler/Operational | 149 | Task "%1" is using a combination of properties that is incompatible with the scheduling engine. | Yamato Security Recommended |
| TaskScheduler/Operational | 150 | Task Scheduler failed to subscribe for the event trigger for task "%1". | Yamato Security Recommended |
| TaskScheduler/Operational | 151 | Task instantiation failed "%1". | Yamato Security Recommended |
| TaskScheduler/Operational | 152 | Task "%1" was re-directed to legacy scheduling engine. | Yamato Security Recommended |
| TaskScheduler/Operational | 153 | Task Scheduler did not launch task "%1" as it missed its schedule. | Yamato Security Recommended |
| TaskScheduler/Operational | 155 | Task Scheduler is currently waiting on completion of task "%1". | Yamato Security Recommended |
| TaskScheduler/Operational | 200 | Task Scheduler launched action "%2" in instance "%3" of task "%1". | NSA, ASD, Olaf Hartong, Yamato Security, JSCU-NL, ANSSI Recommended |
| TaskScheduler/Operational | 201 | Task Scheduler successfully completed task "%1" , instance "%3" , action "%2" . | Yamato Security, JSCU-NL Recommended |
| TaskScheduler/Operational | 202 | Task Scheduler failed to complete task "%1" , instance "%2" , action "%3" . | Yamato Security Recommended |
| TaskScheduler/Operational | 203 | Task Scheduler failed to launch action "%3" in instance "%2" of task "%1". | Yamato Security Recommended |
| TaskScheduler/Operational | 204 | Task Scheduler failed to retrieve the event triggering values for task "%1" . | Yamato Security Recommended |
| TaskScheduler/Operational | 205 | Task Scheduler failed to match the pattern of events for task "%1" . | Yamato Security Recommended |
| TaskScheduler/Operational | 300 | Task Scheduler started Task Engine "%1" with process ID %2. | Yamato Security Recommended |
| TaskScheduler/Operational | 301 | Task Scheduler is shutting down Task Engine "%1". | Yamato Security Recommended |
| TaskScheduler/Operational | 303 | Task Scheduler is shutting down Task Engine "%1" due to an error in "%2" . | Yamato Security Recommended |
| TaskScheduler/Operational | 304 | Task Scheduler sent "%1" task to Task Engine "%2" . | Yamato Security Recommended |
| TaskScheduler/Operational | 305 | Task Scheduler did not send "%1" task to Task Engine "%2" . | Yamato Security Recommended |
| TaskScheduler/Operational | 306 | For Task Scheduler Task Engine "%1" , the thread pool failed to process the message. | Yamato Security Recommended |
| TaskScheduler/Operational | 307 | Task Scheduler service failed to connect to the Task Engine "%1" process. | Yamato Security Recommended |
| TaskScheduler/Operational | 308 | Task Scheduler connected to the Task Engine "%1" process. | Yamato Security Recommended |
| TaskScheduler/Operational | 309 | Task Scheduler %1 tasks orphaned during Task Engine "%2" shutdown. | Yamato Security Recommended |
| TaskScheduler/Operational | 310 | Task Scheduler started Task Engine "%1" process. | Yamato Security Recommended |
| TaskScheduler/Operational | 311 | Task Scheduler failed to start Task Engine "%1" process due to an error occurring in "%3" . | Yamato Security Recommended |
| TaskScheduler/Operational | 312 | Task Scheduler created the Win32 job object for Task Engine "%1" . | Yamato Security Recommended |
| TaskScheduler/Operational | 313 | Task Scheduler channel with Task Engine "%1" is ready to send and receive messages. | Yamato Security Recommended |
| TaskScheduler/Operational | 314 | Task Scheduler has no tasks running for Task Engine "%1" , and the idle timer has started. | Yamato Security Recommended |
| TaskScheduler/Operational | 315 | Task Engine "%1" process failed to connect to the Task Scheduler service. | Yamato Security Recommended |
| TaskScheduler/Operational | 316 | Task Engine "%1" failed to send a message to the Task Scheduler service. | Yamato Security Recommended |
| TaskScheduler/Operational | 317 | Task Scheduler started Task Engine "%1" process. | Yamato Security Recommended |
| TaskScheduler/Operational | 318 | Task Scheduler shutdown Task Engine "%1" process. | Yamato Security Recommended |
| TaskScheduler/Operational | 319 | Task Engine "%1" received a message from Task Scheduler service requesting to launch task "%2" . | Yamato Security Recommended |
| TaskScheduler/Operational | 320 | Task Engine "%1" received a message from Task Scheduler service requesting to stop task instance "%2" . | Yamato Security Recommended |
| TaskScheduler/Operational | 322 | Task Scheduler did not launch task "%1" because instance "%2" of the same task is already running. | Yamato Security Recommended |
| TaskScheduler/Operational | 323 | Task Scheduler stopped instance "%2" of task "%1" in order to launch new instance "%3" . | Yamato Security Recommended |
| TaskScheduler/Operational | 324 | Task Scheduler queued instance "%2" of task "%1" and will launch it as soon as instance "%3" completes. | Yamato Security Recommended |
| TaskScheduler/Operational | 325 | Task Scheduler queued instance "%2" of task "%1". | Yamato Security Recommended |
| TaskScheduler/Operational | 326 | Task Scheduler did not launch task "%1" because computer is running on batteries. | Yamato Security Recommended |
| TaskScheduler/Operational | 327 | Task Scheduler stopped instance "%2" of task "%1" because the computer is switching to battery power. | Yamato Security Recommended |
| TaskScheduler/Operational | 328 | Task Scheduler stopped instance "%2" of task "%1" because computer is no longer idle. | Yamato Security Recommended |
| TaskScheduler/Operational | 329 | Task Scheduler terminated "%2" instance of the "%1" task due to exceeding the time allocated for execution, as configured in the task definition. | Yamato Security Recommended |
| TaskScheduler/Operational | 330 | Task Scheduler stopped instance "%2" of task "%1" as request by user "%3" . | Yamato Security Recommended |
| TaskScheduler/Operational | 331 | Task Scheduler will continue to execute Instance "%2" of task "%1" even after the designated timeout, due to a failure to create the timeout mechan... | Yamato Security Recommended |
| TaskScheduler/Operational | 332 | Task Scheduler did not launch task "%1" because user "%2" was not logged on when the launching conditions were met. | Yamato Security Recommended |
| TaskScheduler/Operational | 333 | Task Scheduler did not launch task "%1" because target session is RemoteApp session. | Yamato Security Recommended |
| TaskScheduler/Operational | 334 | Task Scheduler did not launch task "%1" because target session is a WORKER session. | Yamato Security Recommended |
| TaskScheduler/Operational | 400 | Task Scheduler service has started. | Yamato Security Recommended |
| TaskScheduler/Operational | 402 | Task Scheduler service is shutting down. | Yamato Security Recommended |
| TaskScheduler/Operational | 403 | Task Scheduler service has encountered an error in "%1" . | Yamato Security Recommended |
| TaskScheduler/Operational | 410 | Task Scheduler service failed to set a wakeup timer. | Yamato Security Recommended |
| TaskScheduler/Operational | 411 | Task Scheduler service received a time system change notification. | Yamato Security Recommended |
| TaskScheduler/Operational | 700 | Task Scheduler service started Task Compatibility module. | Yamato Security Recommended |
| TaskScheduler/Operational | 706 | Task Compatibility module failed to update task "%1" to the required status %2. | Yamato Security Recommended |
| TaskScheduler/Operational | 707 | Task Compatibility module failed to delete task "%1" . | Yamato Security Recommended |
| TaskScheduler/Operational | 708 | Task Compatibility module failed to set security descriptor "%1" for task "%2" . | Yamato Security Recommended |
| TaskScheduler/Operational | 709 | Task Compatibility module failed to update task "%1" . | Yamato Security Recommended |
| TaskScheduler/Operational | 710 | Task Compatibility module failed to upgrade existing tasks. | Yamato Security Recommended |
| TaskScheduler/Operational | 711 | Task Compatibility module failed to upgrade NetSchedule account "%1" . | Yamato Security Recommended |
| TaskScheduler/Operational | 712 | Task Compatibility module failed to read existing store to upgrade tasks. | Yamato Security Recommended |
| TaskScheduler/Operational | 713 | Task Compatibility module failed to load task "%1" for upgrade. | Yamato Security Recommended |
| TaskScheduler/Operational | 714 | Task Compatibility module failed to register task "%1" for upgrade. | Yamato Security Recommended |
| TaskScheduler/Operational | 715 | Task Compatibility module failed to delete LSA store for upgrade. | Yamato Security Recommended |
| TaskScheduler/Operational | 717 | Task Compatibility module failed to determine if upgrade is needed. | Yamato Security Recommended |
| TerminalServices-ClientActiveXCore/Operational | 1024 | RDP ClientActiveX is trying to connect to the server | Microsoft-WEF, JSCU-NL, ANSSI Recommended |
| TerminalServices-ClientActiveXCore/Operational | 1025 | RDP ClientActiveX has connected to the server | ANSSI Recommended |
| TerminalServices-LocalSessionManager/Operational | 16 | Local Multi-User session manager failed to start. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 17 | Remote Desktop Service start failed. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 18 | Remote Desktop Service is shutdown for unknown reason. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 19 | Registering with Service Control Manager to monitor Remote Desktop Service status failed with %1, retry in ten minutes. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 20 | Attempt to send %1 message to Windows video subsystem failed. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 21 | Remote Desktop Services: Session logon succeeded: User: %1 Session ID: %2 Source Network Address: %3. | ASD, Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 22 | Remote Desktop Services: Shell start notification received: User: %1 Session ID: %2 Source Network Address: %3. | ASD, Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 23 | Remote Desktop Services: Session logoff succeeded: User: %1 Session ID: %2. | ASD, Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 24 | Remote Desktop Services: Session has been disconnected: User: EC2AMAZ-3NFFVNI\samurai Session ID: 5 Source Network Address: 219. | ASD, Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 25 | Remote Desktop Services: Session reconnection succeeded: User: EC2AMAZ-3NFFVNI\samurai Session ID: 4 Source Network Address: 219. | ASD, Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 32 | Plugin RDSAppXPlugin has been successfully initialized | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 33 | Plugin %1 failed to initialize, error code %2. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 34 | Remote Desktop Services is not accepting logons because setup is running. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 35 | The client process ID %1 could not complete the session change notification event sent by the Remote Desktop service. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 36 | An error occurred when transitioning from %3 in response to %5. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 37 | Invalid state transition from %3 in response to %5. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 39 | Session %1 has been disconnected by session %2. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 40 | Session 5 has been disconnected, reason code 12 | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 41 | Begin session arbitration: User: %1 Session ID: %2. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 42 | End session arbitration: User: %1 Session ID: %2. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 43 | Windows Subsystem has taken too long to process Connect event for session %1. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 44 | Windows Subsystem has taken too long to process Disconnect event for session %1. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 45 | Windows Subsystem has taken too long to process Terminate event for session %1. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 48 | Remote Connection Manager has taken too long to process logon message for session %1. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 49 | Remote Connection Manager has taken too long to prepare for session arbitration for session %1. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 50 | Remote Connection Manager has taken too long to process begin-connect-message for session %1. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 51 | Remote Connection Manager has taken too long to process end-connect-message for session %1. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 52 | Remote Connection Manager has taken too long to process begin-disconnect-message for session %1. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 53 | Remote Connection Manager has taken too long to process end-disconnect-message for session %1. | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 54 | Local multi-user session manager received system shutdown message | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 55 | Remote Desktop Service has taken too long to start up | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 56 | Remote Desktop Service has taken too long to shutdown | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 59 | %s from %S( #0x%x/0x%x ) | Yamato Security Recommended |
| TerminalServices-LocalSessionManager/Operational | 60 | Glass session %1 has been reconnected to a remote protocol, this session can now only be reconnect locally or from same remote protocol. | Yamato Security Recommended |
| User Profiles Service/Application | 1511 | Windows cannot find the local profile and is logging you on with a temporary profile. | Microsoft-WEF Recommended |
| User Profiles Service/Application | 1518 | Windows cannot create a local profile and is logging you on with a temporary profile. | Microsoft-WEF Recommended |
| WER-Diag/Operational | 5 | CFG violation is detected. | JSCU-NL Recommended |
| WER-SystemErrorReporting/System | 1001 | The computer has rebooted from a bugcheck. | NSA Recommended |
| Win32k/Operational | 260 | %1 attempted loading a font that is restricted by font loading policy. | JSCU-NL Recommended |
| Windows Defender/Operational | 1005 | %1 scan has encountered an error and terminated. | NSA, Olaf Hartong Recommended |
| Windows Defender/Operational | 1006 | %1 has detected malware or other potentially unwanted software. | Microsoft-Defender, Olaf Hartong, JSCU-NL Recommended |
| Windows Defender/Operational | 1007 | %1 has taken action to protect this machine from malware or other potentially unwanted software. | Microsoft-Defender, JSCU-NL Recommended |
| Windows Defender/Operational | 1008 | %1 has encountered an error when taking action on malware or other potentially unwanted software. | Microsoft-Defender, Olaf Hartong, JSCU-NL Recommended |
| Windows Defender/Operational | 1009 | %1 has restored an item from quarantine. | Microsoft-WEF, JSCU-NL Recommended |
| Windows Defender/Operational | 1010 | %1 has encountered an error trying to restore an item from quarantine. | NSA, Olaf Hartong, JSCU-NL Recommended |
| Windows Defender/Operational | 1015 | %1 has detected a suspicious behavior. | Microsoft-Defender Recommended |
| Windows Defender/Operational | 1116 | %1 has detected malware or other potentially unwanted software. | Microsoft-Defender, Olaf Hartong, JSCU-NL Recommended |
| Windows Defender/Operational | 1117 | %1 has taken action to protect this machine from malware or other potentially unwanted software. | Microsoft-Defender, Olaf Hartong, JSCU-NL Recommended |
| Windows Defender/Operational | 1118 | %1 has encountered a non-critical error when taking action on malware or other potentially unwanted software. | Microsoft-Defender, JSCU-NL Recommended |
| Windows Defender/Operational | 1119 | %1 has encountered a critical error when taking action on malware or other potentially unwanted software. | Microsoft-Defender, JSCU-NL Recommended |
| Windows Defender/Operational | 1121 | Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. | Microsoft-Defender, JSCU-NL Recommended |
| Windows Defender/Operational | 1122 | Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator. | JSCU-NL Recommended |
| Windows Defender/Operational | 1123 | %8 has been blocked from modifying %7 by Controlled Folder Access. | JSCU-NL Recommended |
| Windows Defender/Operational | 1124 | %8 would have been blocked from modifying %7 by Controlled Folder Access. | JSCU-NL Recommended |
| Windows Defender/Operational | 1125 | Your IT administrator would have caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection. | JSCU-NL Recommended |
| Windows Defender/Operational | 1126 | Your IT administrator has caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection. | JSCU-NL Recommended |
| Windows Defender/Operational | 1127 | Controlled Folder Access blocked %8 from making changes to memory. | Microsoft-Defender Recommended |
| Windows Defender/Operational | 2001 | %1 has encountered an error trying to update security intelligence. | Microsoft-Defender, Olaf Hartong Recommended |
| Windows Defender/Operational | 2003 | %1 has encountered an error trying to update the engine. | NSA, Olaf Hartong Recommended |
| Windows Defender/Operational | 2004 | %1 has encountered an error trying to update security intelligence and will attempt to revert to a previous version. | NSA, Olaf Hartong Recommended |
| Windows Defender/Operational | 3002 | %1 Real-Time Protection feature has encountered an error and failed. | Microsoft-Defender, Olaf Hartong Recommended |
| Windows Defender/Operational | 5001 | %1 Real-time Protection scanning for malware and other potentially unwanted software was disabled. | Microsoft-Defender Recommended |
| Windows Defender/Operational | 5004 | %1 Real-time Protection feature configuration has changed. | Microsoft-Defender Recommended |
| Windows Defender/Operational | 5007 | %1 Configuration has changed. | Microsoft-Defender, JSCU-NL Recommended |
| Windows Defender/Operational | 5008 | %1 engine has been terminated due to an unexpected error. | Microsoft-Defender, Olaf Hartong Recommended |
| Windows Defender/Operational | 5010 | %1 scanning for spyware and other potentially unwanted software is disabled. | Microsoft-Defender Recommended |
| Windows Defender/Operational | 5012 | %1 scanning for viruses is disabled. | Microsoft-Defender Recommended |
| Windows Defender/Operational | 5013 | Tamper Protection %3 a change to %1. | Microsoft-Defender Recommended |
| Windows Firewall With Advanced Security/Firewall | 2003 | A Windows Defender Firewall setting in the %1 profile has changed. | Olaf Hartong Recommended |
| Windows Firewall With Advanced Security/Firewall | 2004 | A rule has been added to the Windows Defender Firewall exception list. | NSA Recommended |
| Windows Firewall With Advanced Security/Firewall | 2005 | A rule has been modified in the Windows Defender Firewall exception list. | NSA Recommended |
| Windows Firewall With Advanced Security/Firewall | 2006 | A rule has been deleted in the Windows Defender Firewall exception list. | NSA Recommended |
| Windows Firewall With Advanced Security/Firewall | 2009 | The Windows Defender Firewall service failed to load Group Policy. | NSA Recommended |
| Windows Firewall With Advanced Security/Firewall | 2033 | All rules have been deleted from the Windows Defender Firewall configuration on this computer. | NSA Recommended |
| Windows-Defender/Operational | 1006 | %1 has detected malware or other potentially unwanted software. | ANSSI Recommended |
| Windows-Defender/Operational | 1007 | %1 has taken action to protect this machine from malware or other potentially unwanted software. | ANSSI Recommended |
| Windows-Defender/Operational | 1008 | %1 has encountered an error when taking action on malware or other potentially unwanted software. | ANSSI Recommended |
| Windows-Defender/Operational | 1009 | %1 has restored an item from quarantine. | ANSSI Recommended |
| Windows-Defender/Operational | 1116 | %1 has detected malware or other potentially unwanted software. | ANSSI Recommended |
| Windows-Defender/Operational | 1117 | %1 has taken action to protect this machine from malware or other potentially unwanted software. | ANSSI Recommended |
| Windows-Defender/Operational | 1118 | %1 has encountered a non-critical error when taking action on malware or other potentially unwanted software. | ANSSI Recommended |
| Windows-Defender/Operational | 1119 | %1 has encountered a critical error when taking action on malware or other potentially unwanted software. | ANSSI Recommended |
| Windows-Defender/Operational | 1120 | %1 has deduced the hashes for a threat resource. | ANSSI Recommended |
| WindowsUpdateClient/System | 19 | Installation Successful: Windows successfully installed the following update. | NSA Recommended |
| WindowsUpdateClient/System | 20 | Installation Failure: Windows failed to install the following update with error %1: %2. | NSA Recommended |
| WindowsUpdateClient/System | 24 | Uninstallation Failure: Windows failed to uninstall the following update with error %1: %2. | NSA Recommended |
| WindowsUpdateClient/Operational | 25 | Windows Update failed to check for updates with error %1. | NSA Recommended |
| WindowsUpdateClient/Operational | 31 | Windows Update failed to download an update. | NSA Recommended |
| WindowsUpdateClient/Operational | 34 | The Windows Update Client Core component failed to install a self-update with error %1. | NSA Recommended |
| WindowsUpdateClient/Operational | 35 | The Windows Update Client Auxillary component failed to install a self-update with error %1. | NSA Recommended |
| WLAN-AutoConfig/Operational | 8001 | WLAN AutoConfig service has successfully connected to a wireless network. | NSA Recommended |
| WLAN-AutoConfig/Operational | 8002 | WLAN AutoConfig service failed to connect to a wireless network. | NSA Recommended |
| WLAN-AutoConfig/Operational | 8003 | WLAN AutoConfig service has successfully disconnected from a wireless network. | NSA Recommended |
| WMI-Activity/Operational | 5857 | %1 provider started with result code %2. | Palantir, ASD, Yamato Security, JSCU-NL Recommended |
| WMI-Activity/Operational | 5858 | Id = %1; ClientMachine = %2; User = %3; ClientProcessId = %4; Component = %5; Operation = %6; ResultCode = %7; PossibleCause = %8. | Palantir, ASD, Yamato Security, JSCU-NL Recommended |
| WMI-Activity/Operational | 5859 | Namespace = %1; NotificationQuery = %2; OwnerName = %3; HostProcessID = %4; Provider= %5, queryID = %6; PossibleCause = %7. | Palantir, ASD, Yamato Security Recommended |
| WMI-Activity/Operational | 5860 | Namespace = %1; NotificationQuery = %2; UserName = %3; ClientProcessID = %4, ClientMachine = %5; PossibleCause = %6. | Palantir, ASD, Yamato Security, JSCU-NL Recommended |
| WMI-Activity/Operational | 5861 | Namespace = %1; Eventfilter = %2 (refer to its activate eventid:5859); Consumer = %3; PossibleCause = %4. | Palantir, ASD, Olaf Hartong, Yamato Security, JSCU-NL Recommended |
| MsiInstaller/Application | 1022 | Product: Microsoft . | NSA Recommended |
| MsiInstaller/Application | 1033 | Windows Installer installed the product. | NSA Recommended |
| PowerShell/Windows PowerShell | 300 | | Olaf Hartong Recommended |
| PowerShell/Windows PowerShell | 400 | | ASD, Olaf Hartong Recommended |
| PowerShell/Windows PowerShell | 403 | | Olaf Hartong Recommended |
| PowerShell/Windows PowerShell | 800 | | Microsoft-WEF, ANSSI Recommended |
| Service Control Manager/System | 7000 | | Microsoft-WEF Recommended |
| Service Control Manager/System | 7022 | | NSA Recommended |
| Service Control Manager/System | 7023 | | NSA Recommended |
| Service Control Manager/System | 7024 | | NSA Recommended |
| Service Control Manager/System | 7026 | | NSA Recommended |
| Service Control Manager/System | 7031 | | NSA, JSCU-NL Recommended |
| Service Control Manager/System | 7032 | | NSA Recommended |
| Service Control Manager/System | 7034 | | NSA, JSCU-NL Recommended |
| Service Control Manager/System | 7036 | The Microsoft Software Shadow Copy Provider service entered the stopped state. | Palantir Recommended |
| Service Control Manager/System | 7040 | The start type of the msdsm service was changed from boot start to demand start. | Palantir, Olaf Hartong, JSCU-NL Recommended |
| Service Control Manager/System | 7045 | A service was installed in the system. | Palantir, Olaf Hartong Recommended |
| Service-Control-Manager/System | 7000 | | ANSSI Recommended |
| Service-Control-Manager/System | 7045 | A service was installed in the system. | ASD, ANSSI Recommended Splunk-UBA Low |
| USER32/System | 1074 | | Microsoft-WEF Recommended |
| User32/System | 1074 | | JSCU-NL Recommended |
| VSSAudit/Security | 8222 | | Splunk-UBA Low |
| Windows-Error-Reporting/Application | 1001 | Fault bucket , type 0 Event Name: crashpad_log Response: Not available Cab Id: 0 Problem signature: P1: MicrosoftEdgeUpdate. | ASD Recommended |