74 lines
3.2 KiB
Plaintext
74 lines
3.2 KiB
Plaintext
eventid,event_title,detect_flg,comment
|
|
1100,Event logging service was shut down,,Good for finding signs of anti-forensics but most likely false positives when the system shuts down.
|
|
1101,Audit Events Have Been Dropped By The Transport,,
|
|
1102,Event log was cleared,Yes,Should not happen normally so this is a good event to look out for.
|
|
1107,Event processing error,,
|
|
4608,Windows started up,,
|
|
4610,An authentication package has been loaded by the Local Security Authority,,
|
|
4611,A trusted logon process has been registered with the Local Security Authority,,
|
|
4614,A notification package has been loaded by the Security Account Manager,,
|
|
4616,System time was changed,,
|
|
4622,A security package has been loaded by the Local Security Authority,,
|
|
4624,Account logon,Yes,
|
|
4625,Failed logon,Yes,
|
|
4634,Logoff,Yes,
|
|
4647,Logoff,Yes,
|
|
4648,Explicit logon,Yes,
|
|
4672,Admin logon,Yes,
|
|
4688,New process started,,
|
|
4696,Primary token assigned to process,,
|
|
4692,Backup of data protection master key was attempted,,
|
|
4697,Service installed,,
|
|
4717,System security access was granted to an account,,
|
|
4719,System audit policy was changed,,
|
|
4720,User account created,Yes,
|
|
4722,User account enabled,,
|
|
4724,Password reset,,
|
|
4725,User account disabled,,
|
|
4726,User account deleted,,
|
|
4728,User added to security global group,,
|
|
4729,User removed from security global group,,
|
|
4732,User added to security local group,,
|
|
4733,User removed from security local group,,
|
|
4735,Security local group was changed,,
|
|
4727,Security global group was changed,,
|
|
4738,User accounts properties changed,,
|
|
4739,Domain policy changed,,
|
|
4776,NTLM logon to local user,,
|
|
4778,RDP session reconnected or user switched back through Fast User Switching,,
|
|
4779,RDP session disconnected or user switched away through Fast User Switching,,
|
|
4797,Attempt to query the account for a blank password,,
|
|
4798,Users local group membership was enumerated,,
|
|
4799,Local group membership was enumerated,,
|
|
4781,User name was changed,,
|
|
4800,Workstation was locked,,
|
|
4801,Workstation was unlocked,,
|
|
4826,Boot configuration data loaded,,
|
|
4902,Per-user audit policy table was created,,
|
|
4904,Attempt to register a security event source,,
|
|
4905,Attempt to unregister a security event source,,
|
|
4907,Auditing settings on object was changed,,
|
|
4944,Policy active when firewall started,,
|
|
4945,Rule listed when the firewall started,,Too much noise when firewall starts
|
|
4946,Rule added to firewall exception list,,
|
|
4947,Rule modified in firewall exception list,,
|
|
4948,Rule deleted in firewall exception list,,
|
|
4954,New setting applied to firewall group policy,,
|
|
4956,Firewall active profile changed,,
|
|
5024,Firewall started,,
|
|
5033,Firewall driver started,,
|
|
5038,Code integrity determined that the image hash of a file is not valid,,
|
|
5058,Key file operation,,
|
|
5059,Key migration operation,,
|
|
5061,Cryptographic operation,,
|
|
5140,Network share object was accessed,,
|
|
5142,A network share object was added,,
|
|
5144,A network share object was deleted,,
|
|
5379,Credential Manager credentials were read,,
|
|
5381,Vault credentials were read,,
|
|
5382,Vault credentials were read,,
|
|
5478,IPsec Services started,,
|
|
5889,An object was deleted to the COM+ Catalog,,
|
|
5890,An object was added to the COM+ Catalog,,
|
|
unregistered_event_id,Unknown,,
|