The table below provides an overview of the events further described in section Recommendations. From left to right the table contains the event category, a short summary of what the category entails and an estimate of the volume you can expect during collection.
| Category | Description | Estimated Volume |
|---|---|---|
| | Tracks account usage, creation, modification, privileges and group information. | High |
| | Records the clearing of event logs. | Low |
| | Records the use of external devices such as USB or storage devices. | Low |
| | Network activity on the host which wasn't included in other categories, e.g. DHCP leases, DNS, Remote Desktop use and BITS jobs. | Low |
| | Records the creation and modification of Scheduled Tasks. | Low |
| | Records the creation and modification of services. | Low |
| | Provides additional detection capabilities such as information about process creations, network activity, loading of drivers and more. | Depends on rule sets |
| | Records the loading of extension packages such as Security Support Providers (SSP) or Password Filters into the Local Security Authority (LSA) process. | Low |
| | Records startup and shutdown of systems. Records application crashes and hangs. | Low |
| | Records access to network shares and objects that have system access control lists (SACL) specified. | High |
| | Records changes made to auditing policies. | Low |
| | Records various PowerShell activity, including interactive usage. | Medium to High |
| | Records the use of sensitive privileges. | High |
| | Provides visibility into which processes are created including command line arguments, accessed or terminated. In case of AppLocker also logs which processes (might) have been blocked. | Medium |
| | Windows Defender can detect malware and mitigate certain exploitation attempts. | Low |
| | Records the use of Windows Management Instrumentation subscriptions and providers. | Low |
For each category set out in section Overview, this section contains the recommended group policy settings to configure. Every group policy is accompanied by the option that should be set and the systems you should configure the policy for. Policies can be configured for one or more of the following: Clients, Member Servers, Domain Controllers or All.
We’ve provided a JSON mapping that gives insight into which Event ID gets generated by which Group Policy Setting. For each of the group policies configured you may refer to this mapping to determine which event IDs should be monitored and centrally collected.
Warning: The JSON mapping of the Event IDs does not contain every possible event that could be generated by a particular policy. It contains the event IDs which, by our assessment, provide the most value for detection or forensic purposes.
If you prefer a standard table format, you may find one at the end of this document, which is also derived from the JSON mapping.
Assists in tracking down the unauthorized use or modification of an account. Can also be used to identify suspicious lateral movement through the network and indicate brute-forcing or privilege escalation attempts.
Events in this category are related to ticket operations (Ticket Granting Ticket and Service Ticket requests) for the Kerberos authentication protocol.
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Logon
Group Policy Setting | Option | Configure for |
---|---|---|
Audit Kerberos Authentication Service | Success & Failure | Domain Controllers |
Audit Kerberos Service Ticket Operations | Success & Failure | Domain Controllers |
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Logon/Logoff
Group Policy Setting | Option | Configure for |
---|---|---|
Audit Logon | Success & Failure | All |
Audit Logoff | Success | All |
Audit Special Logon | Success | All |
Audit Other Logon/Logoff events | Success & Failure | All |
Audit Account Lockout | Failure | All |
Audit Group Membership | Success | All |
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management
Group Policy Setting | Option | Configure for |
---|---|---|
Audit User Account Management | Success & Failure | All |
Audit Security Group Management | Success | All |
Audit Computer Account Management | Success | Domain Controllers |
Audit Other Account Management | Success | Domain Controllers |
Some organizations have guidelines or policies in place to limit the use of external devices. You can use the events in this category to keep track of which external devices are being used in your network. This can be especially helpful to identify rogue devices in sensitive environments.
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Detailed Tracking
Group Policy Setting | Option | Configure for |
---|---|---|
Audit PNP Activity | Success | All |
The events described here are aimed at providing additional context during analysis such as having a history of DHCP leases or domain names that may have been resolved in the past.
Records the assignment of IP addresses to interfaces. This information can be useful during analysis to determine which IP address was assigned to a system at some point in time.
For these events to be available the DHCP-Client and DHCPv6-Client channels must be enabled. There are multiple ways these channels can be enabled, but we found that using PowerShell provides the most reliable result.

```powershell
# Enable both DHCP client operational channels (run in an elevated session);
# the wildcard matches Microsoft-Windows-Dhcp-Client and Microsoft-Windows-DHCPv6-Client.
$logs = Get-WinEvent -ListLog "Microsoft-Windows-Dhcp*-Client/Operational"
foreach ($log in $logs) {
    $log.IsEnabled = $true
    $log.MaximumSizeInBytes = 10MB   # numeric literal; "$10MB" would be an undefined variable
    $log.SaveChanges()
}
```
You should distribute these commands across your domain with elevated privileges, according to your company's deployment strategy. Deployment using configuration management software is preferred. Alternatively you can use something like an apply-once scheduled task deployed through group policy[1].
Malware may attempt to resolve domain names to retrieve additional files or to communicate with Command & Control servers. Collecting DNS queries helps to discover compromise or intrusion during analysis.
Computer Configuration → Preferences → Windows Settings → Registry → New → Registry Item
DNS-Client: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DNS-Client/Operational
Value Name | Value Type | Value data | Configure for |
---|---|---|---|
Enabled | REG_DWORD | 1 | Domain Controllers, Member Servers |
Clients generate many DNS events during normal operations and have therefore been excluded. You may consider enabling it depending on your environment.
Events related to object access can help identify unauthorized access to sensitive files, registry locations or processes (like LSASS). You may audit these objects using System Access Control Lists (SACLs).
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access
Records creation and access attempts of network shares.
Group Policy Setting | Option | Configure for |
---|---|---|
Audit File Share | Success & Failure | All |
Recording network share activity can amount to considerable volume. Refer to the JSON mapping or subscription file to see how we reduce the noise by filtering common share activity.
Configuring this policy only generates events for registry objects that have a SACL specified.
Group Policy Setting | Option | Configure for |
---|---|---|
Audit Registry | Success | All |
Kernel objects such as processes, file systems and registry objects can be audited. Events for these objects are only generated if the object has a SACL defined. Configuring this group policy will by default record read and write access to the memory of the Local Security Authority Subsystem Service (LSASS.EXE) process. Monitoring LSASS is essential for the detection of unauthorized access to credentials.
Group Policy Setting | Option | Configure for |
---|---|---|
Audit Kernel Object | Success | All |
Events in this category are related to changes being made to the auditing and authentication policies. Many of the events are enabled by default. Configuring the policies below further increases the visibility into unauthorized or unusual policy changes.
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Policy Change
Group Policy Setting | Option | Configure for |
---|---|---|
Audit Audit Policy Change | Success | All |
Audit Authentication Policy Change | Success | All |
Script Block Logging produces an audit trail of executed code and is included in PowerShell version 5. PowerShell is often used by administrators but may also be abused for malicious purposes such as downloading and executing malware, lateral movement through the network and evading defense mechanisms.
Computer Configuration → Policies → Administrative Templates → Windows Components → Windows PowerShell
Group Policy Setting | Option | Configure for |
---|---|---|
Turn on PowerShell Script Block Logging | Enabled | All |
Records the use of sensitive privileges such as impersonating another account after authentication, debugging programs and the loading/unloading of device drivers[2].
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Privilege Use
Group Policy Setting | Option | Configure for |
---|---|---|
Audit Sensitive Privilege Use | Success & Failure | All |
Events in this category are related to the creation of malicious processes, suspicious access to sensitive processes or misuse of legitimate tools to assist in defense evasion. If application whitelisting is being used in your organisation this category also includes events that indicate a program has been prevented from running.
Logs the creation and termination of processes. It’s important to include command line process auditing[3].
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Detailed Tracking
Group Policy Setting | Option | Configure for |
---|---|---|
Audit Process Creation | Success | All |
Audit Process Termination | Success | All |
Computer Configuration → Policies → Administrative Templates → System → Audit Process Creation
Group Policy Setting | Option | Configure for |
---|---|---|
Include Command Line in process creation events | Enabled | All |
Event Logging related to Application Whitelisting provides historical data of which applications (would) have been blocked from execution. These logs will only be available if AppLocker[4] or Software Restriction Policies[5] are configured in the environment. Once configured no additional changes are needed for logs to be available.
Channel | Action |
---|---|
Microsoft-Windows-AppLocker | Validate if configured |
Microsoft-Windows-SoftwareRestrictionPolicies | Validate if configured |
Events in this category are related to the creation, activation and modification of Scheduled Tasks. Scheduled Tasks may be abused to facilitate automatic and recurring execution of malicious code for persistence.
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access
Group Policy Setting | Option | Configure for |
---|---|---|
Audit Other Object Access Events | Success | All |
Events in this category are related to the loading of an authentication package, notification package or security package. These extensions are used to register with the Local Security Authority and will be used to authenticate logon attempts or submit logon requests. Example extensions include Security Support Providers such as Kerberos and NTLM. Tracking these events allows one to identify malicious packages being loaded into the LSA process which can be used to gain access to credentials and establish persistence to the network.
Configuring this policy also records the installation of a new service. New services may be created or existing services modified to facilitate persistence to the network. Services may also be used to escalate privileges.
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System
Group Policy Setting | Option | Configure for |
---|---|---|
Audit Security System Extension | Success | All |
Code Integrity Guard detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software. Events are generated when page hashes or the hash of an image file are not valid.
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System
Group Policy Setting | Option | Configure for |
---|---|---|
Audit System Integrity | Failure | All |
Configuring this policy enables you to audit untrusted or attacker-controlled font files. The audit mode for this setting turns on event logging, but does not block fonts from loading.
Computer Configuration → Policies → Administrative Templates → System → Mitigation Options
Group Policy Setting | Option | Configure for |
---|---|---|
Untrusted Font Blocking | Enabled: Log events without blocking untrusted fonts | All |
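To check whether the policies above have actually taken effect on a system, the following PowerShell script (an added example, not part of the original guidance or its JSON mapping) compares the effective advanced audit policy reported by auditpol.exe with the options recommended in the tables above, and checks the two Administrative Template settings (Script Block Logging and command line in process creation events) through the registry values those policies write. The subcategory names are the ones auditpol uses; the two registry paths are the standard Windows policy locations and are not listed on this page.

```powershell
# Added example: verify the recommended audit configuration on the local
# system. Run elevated. auditpol reports the effective policy, so MISSING on a
# domain-joined host usually means the GPO has not been applied yet.

# Audit subcategory (auditpol name) -> option recommended in the tables above.
$Recommended = [ordered]@{
    'Kerberos Authentication Service'    = 'Success and Failure'  # DCs only
    'Kerberos Service Ticket Operations' = 'Success and Failure'  # DCs only
    'Logon'                              = 'Success and Failure'
    'Logoff'                             = 'Success'
    'Special Logon'                      = 'Success'
    'Other Logon/Logoff Events'          = 'Success and Failure'
    'Account Lockout'                    = 'Failure'
    'Group Membership'                   = 'Success'
    'User Account Management'            = 'Success and Failure'
    'Security Group Management'          = 'Success'
    'Computer Account Management'        = 'Success'              # DCs only
    'Other Account Management Events'    = 'Success'              # DCs only
    'Plug and Play Events'               = 'Success'
    'File Share'                         = 'Success and Failure'
    'Registry'                           = 'Success'
    'Kernel Object'                      = 'Success'
    'Audit Policy Change'                = 'Success'
    'Authentication Policy Change'       = 'Success'
    'Sensitive Privilege Use'            = 'Success and Failure'
    'Process Creation'                   = 'Success'
    'Process Termination'                = 'Success'
    'Other Object Access Events'         = 'Success'
    'Security System Extension'          = 'Success'
    'System Integrity'                   = 'Failure'
}
$DomainControllerOnly = @(
    'Kerberos Authentication Service', 'Kerberos Service Ticket Operations',
    'Computer Account Management', 'Other Account Management Events'
)

function Get-AuditParts([string]$Setting) {
    # 'Success and Failure' -> Success, Failure; 'No Auditing' -> nothing
    @($Setting -split ' and ' | Where-Object { $_ -in 'Success', 'Failure' })
}

function Test-AuditSetting([string]$Effective, [string]$Wanted) {
    # Satisfied when the effective setting audits every outcome the recommendation asks for.
    $have = Get-AuditParts $Effective
    foreach ($part in (Get-AuditParts $Wanted)) { if ($part -notin $have) { return $false } }
    return $true
}

# auditpol /r prints CSV with 'Subcategory' and 'Inclusion Setting' columns.
$Effective = @{}
auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv |
    ForEach-Object { $Effective[$_.Subcategory] = $_.'Inclusion Setting' }

$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4   # 4 and 5 are domain controllers
$results = foreach ($name in $Recommended.Keys) {
    if (-not $isDc -and $name -in $DomainControllerOnly) { continue }
    $current = if ($Effective.ContainsKey($name)) { $Effective[$name] } else { 'not reported' }
    [pscustomobject]@{
        Setting     = $name
        Recommended = $Recommended[$name]
        Effective   = $current
        Status      = if (Test-AuditSetting $current $Recommended[$name]) { 'OK' } else { 'MISSING' }
    }
}

# Administrative Template settings from the tables above, checked through the
# registry values the policies write (standard policy locations, not from this page).
$RegistryChecks = @(
    @{ Setting = 'Include Command Line in process creation events'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Name    = 'ProcessCreationIncludeCmdLine_Enabled' }
    @{ Setting = 'Turn on PowerShell Script Block Logging'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Name    = 'EnableScriptBlockLogging' }
)
$results += foreach ($check in $RegistryChecks) {
    $value = (Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue).($check.Name)
    [pscustomobject]@{
        Setting     = $check.Setting
        Recommended = 'Enabled (1)'
        Effective   = if ($null -eq $value) { 'not set' } else { $value }
        Status      = if ($value -eq 1) { 'OK' } else { 'MISSING' }
    }
}

$results | Format-Table -AutoSize
```

A setting that audits more than recommended (for example Success and Failure where only Success is asked for) is reported as OK, since it still produces the events the JSON mapping expects.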
The event log sources below are available by default and should be collected as they provide additional context when investigating suspicious behavior. You should verify these log sources are active and enable them if they have been disabled in the past. The relevant Event IDs for each of the mentioned providers can be identified using the JSON mapping or the table at the end of this document.
When event log archiving or forwarding is set up, it is unlikely that during normal operations the event logs are cleared. If this happens it could be an indication of someone covering their tracks. The events in this provider record when logs are cleared.
Events in this category can be used for the detection of unusual network activity by or against hosts for purposes such as lateral movement or achieving persistence.
Events related to the usage of Remote Desktop. Unusual network activity can for example include remote logins to systems which are unexpected or do not typically occur during normal operations.
In addition to the Object Access policy, events in the dedicated TaskScheduler channel provide additional context surrounding the starting and finishing of scheduled tasks.
Records failures and crashes of Windows Services. The installation of new services is tracked by the Security System Extension policy described above.
Microsoft Sysmon provides additional detection capabilities, based on a user-specified configuration. If you have Sysmon configured in your environment, you should add the events to your collection strategy. If you are using our default subscription file, the events are already included.
Our current advice does not cover the deployment or configuration of Sysmon. If you have deployed Sysmon, you should tweak your configuration for your environment to prevent spamming of events.
Events in this category include: startup and shutdown of a system, application crashes and modifications to the system time. Tracking the startup and shutdown events of a system can provide additional context during analysis. Unstable or crashing applications may be an indication of malicious activity or exploitation attempts.
Windows Defender is an antispyware and antivirus solution developed by Microsoft. Besides its antivirus capability, Windows Defender consists of several components to detect or prevent malicious behavior. One of these components, Exploit Protection, applies a number of exploit mitigation techniques to operating system processes and applications[6]. By default some critical processes are already being monitored. Whenever Microsoft Defender detects or prevents exploitation attempts it generates an event in one of the Microsoft-Windows-Security-Mitigations* channels (KernelMode and UserMode).
Another noteworthy component of Windows Defender, Attack Surface Reduction (ASR), uses rules to reduce the places (vulnerabilities) adversaries can use to compromise the organization[7][8]. If your organization currently does not have ASR configured, we recommend configuring ASR rules in audit mode to record suspicious activity when rules are triggered. Using audit mode you can evaluate the impact ASR rules would have on your organization when ASR is configured in block mode, or add exclusions to reduce noise. ASR alerts, just like regular malware detections, are recorded in the Microsoft-Windows-Windows Defender/Operational channel.
If third party solutions are being used instead of Windows Defender you should consider collecting logs for those instead.
Below is a table, generated from the JSON mapping, of the events you should collect. This table can be used to configure your central collection.
Channel | Provider | EventID | On by default |
---|---|---|---|
Application | Application Error | 1000 | True |
Application | Application Hang | 1002 | True |
Application | Microsoft-Windows-SoftwareRestrictionPolicies | 865 | True |
Application | Microsoft-Windows-SoftwareRestrictionPolicies | 866 | True |
Application | Microsoft-Windows-SoftwareRestrictionPolicies | 867 | True |
Application | Microsoft-Windows-SoftwareRestrictionPolicies | 868 | True |
Application | Microsoft-Windows-SoftwareRestrictionPolicies | 882 | True |
Microsoft-Windows-AppLocker/EXE and DLL | Microsoft-Windows-AppLocker | 8002 | True |
Microsoft-Windows-AppLocker/EXE and DLL | Microsoft-Windows-AppLocker | 8003 | True |
Microsoft-Windows-AppLocker/EXE and DLL | Microsoft-Windows-AppLocker | 8004 | True |
Microsoft-Windows-AppLocker/MSI and Script | Microsoft-Windows-AppLocker | 8005 | True |
Microsoft-Windows-AppLocker/MSI and Script | Microsoft-Windows-AppLocker | 8006 | True |
Microsoft-Windows-AppLocker/MSI and Script | Microsoft-Windows-AppLocker | 8007 | True |
Microsoft-Windows-AppLocker/Packaged app-Deployment | Microsoft-Windows-AppLocker | 8023 | True |
Microsoft-Windows-AppLocker/Packaged app-Execution | Microsoft-Windows-AppLocker | 8020 | True |
Microsoft-Windows-Bits-Client/Operational | Microsoft-Windows-Bits-Client | 1 | True |
Microsoft-Windows-Bits-Client/Operational | Microsoft-Windows-Bits-Client | 3 | True |
Microsoft-Windows-Bits-Client/Operational | Microsoft-Windows-Bits-Client | 4 | True |
Microsoft-Windows-Bits-Client/Operational | Microsoft-Windows-Bits-Client | 59 | True |
Microsoft-Windows-DHCPv6-Client/Operational | Microsoft-Windows-DHCPv6-Client | 51039 | False |
Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client | 3008 | False |
Microsoft-Windows-Dhcp-Client/Operational | Microsoft-Windows-Dhcp-Client | 50028 | False |
Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | 4104 | True |
Microsoft-Windows-Security-Mitigations/KernelMode | Microsoft-Windows-Security-Mitigations | 1 | True |
Microsoft-Windows-Security-Mitigations/KernelMode | Microsoft-Windows-Security-Mitigations | 2 | True |
Microsoft-Windows-Security-Mitigations/KernelMode | Microsoft-Windows-Security-Mitigations | 3 | True |
Microsoft-Windows-Security-Mitigations/KernelMode | Microsoft-Windows-Security-Mitigations | 4 | True |
Microsoft-Windows-Security-Mitigations/KernelMode | Microsoft-Windows-Security-Mitigations | 5 | True |
Microsoft-Windows-Security-Mitigations/KernelMode | Microsoft-Windows-Security-Mitigations | 6 | True |
Microsoft-Windows-Security-Mitigations/KernelMode | Microsoft-Windows-Security-Mitigations | 7 | True |
Microsoft-Windows-Security-Mitigations/KernelMode | Microsoft-Windows-Security-Mitigations | 8 | True |
Microsoft-Windows-Security-Mitigations/KernelMode | Microsoft-Windows-Security-Mitigations | 9 | True |
Microsoft-Windows-Security-Mitigations/KernelMode | Microsoft-Windows-Security-Mitigations | 10 | True |
Microsoft-Windows-Security-Mitigations/KernelMode | Microsoft-Windows-Security-Mitigations | 11 | True |
Microsoft-Windows-Security-Mitigations/KernelMode | Microsoft-Windows-Security-Mitigations | 12 | True |
Microsoft-Windows-Security-Mitigations/UserMode | Microsoft-Windows-Security-Mitigations | 13 | True |
Microsoft-Windows-Security-Mitigations/UserMode | Microsoft-Windows-Security-Mitigations | 14 | True |
Microsoft-Windows-Security-Mitigations/UserMode | Microsoft-Windows-Security-Mitigations | 15 | True |
Microsoft-Windows-Security-Mitigations/UserMode | Microsoft-Windows-Security-Mitigations | 16 | True |
Microsoft-Windows-Security-Mitigations/UserMode | Microsoft-Windows-Security-Mitigations | 17 | True |
Microsoft-Windows-Security-Mitigations/UserMode | Microsoft-Windows-Security-Mitigations | 18 | True |
Microsoft-Windows-Security-Mitigations/UserMode | Microsoft-Windows-Security-Mitigations | 19 | True |
Microsoft-Windows-Security-Mitigations/UserMode | Microsoft-Windows-Security-Mitigations | 20 | True |
Microsoft-Windows-Security-Mitigations/UserMode | Microsoft-Windows-Security-Mitigations | 21 | True |
Microsoft-Windows-Security-Mitigations/UserMode | Microsoft-Windows-Security-Mitigations | 22 | True |
Microsoft-Windows-Security-Mitigations/UserMode | Microsoft-Windows-Security-Mitigations | 23 | True |
Microsoft-Windows-Security-Mitigations/UserMode | Microsoft-Windows-Security-Mitigations | 24 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 0 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 1 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 2 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 3 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 4 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 5 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 6 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 7 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 8 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 9 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 10 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 11 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 14 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 15 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 16 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 18 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 21 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 22 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 23 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 24 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 25 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 26 | True |
Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | 255 | True |
Microsoft-Windows-TaskScheduler/Operational | Microsoft-Windows-TaskScheduler | 200 | True |
Microsoft-Windows-TaskScheduler/Operational | Microsoft-Windows-TaskScheduler | 201 | True |
Microsoft-Windows-TerminalServices-RDPClient/Operational | Microsoft-Windows-TerminalServices-ClientActiveXCore | 1024 | True |
Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | 5857 | True |
Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | 5858 | True |
Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | 5860 | True |
Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | 5861 | True |
Microsoft-Windows-Win32k/Operational | Microsoft-Windows-Win32k | 260 | False |
Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender | 1006 | True |
Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender | 1007 | True |
Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender | 1008 | True |
Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender | 1009 | True |
Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender | 1010 | True |
Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender | 1116 | True |
Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender | 1117 | True |
Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender | 1118 | True |
Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender | 1119 | True |
Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender | 1121 | True |
Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender | 1122 | True |
Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender | 1123 | True |
Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender | 1124 | True |
Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender | 1125 | True |
Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender | 1126 | True |
Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender | 5007 | True |
Security | Microsoft-Windows-EventLog | 1100 | True |
Security | Microsoft-Windows-EventLog | 1102 | True |
Security | Microsoft-Windows-Security-Auditing | 4610 | False |
Security | Microsoft-Windows-Security-Auditing | 4611 | False |
Security | Microsoft-Windows-Security-Auditing | 4614 | False |
Security | Microsoft-Windows-Security-Auditing | 4616 | True |
Security | Microsoft-Windows-Security-Auditing | 4622 | False |
Security | Microsoft-Windows-Security-Auditing | 4624 | False |
Security | Microsoft-Windows-Security-Auditing | 4625 | False |
Security | Microsoft-Windows-Security-Auditing | 4627 | False |
Security | Microsoft-Windows-Security-Auditing | 4634 | False |
Security | Microsoft-Windows-Security-Auditing | 4647 | False |
Security | Microsoft-Windows-Security-Auditing | 4648 | False |
Security | Microsoft-Windows-Security-Auditing | 4649 | False |
Security | Microsoft-Windows-Security-Auditing | 4657 | False |
Security | Microsoft-Windows-Security-Auditing | 4663 | False |
Security | Microsoft-Windows-Security-Auditing | 4672 | False |
Security | Microsoft-Windows-Security-Auditing | 4673 | True |
Security | Microsoft-Windows-Security-Auditing | 4688 | False |
Security | Microsoft-Windows-Security-Auditing | 4689 | False |
Security | Microsoft-Windows-Security-Auditing | 4697 | False |
Security | Microsoft-Windows-Security-Auditing | 4698 | False |
Security | Microsoft-Windows-Security-Auditing | 4699 | False |
Security | Microsoft-Windows-Security-Auditing | 4700 | False |
Security | Microsoft-Windows-Security-Auditing | 4701 | False |
Security | Microsoft-Windows-Security-Auditing | 4702 | False |
Security | Microsoft-Windows-Security-Auditing | 4706 | False |
Security | Microsoft-Windows-Security-Auditing | 4713 | False |
Security | Microsoft-Windows-Security-Auditing | 4715 | False |
Security | Microsoft-Windows-Security-Auditing | 4716 | False |
Security | Microsoft-Windows-Security-Auditing | 4717 | False |
Security | Microsoft-Windows-Security-Auditing | 4719 | False |
Security | Microsoft-Windows-Security-Auditing | 4720 | False |
Security | Microsoft-Windows-Security-Auditing | 4722 | False |
Security | Microsoft-Windows-Security-Auditing | 4723 | False |
Security | Microsoft-Windows-Security-Auditing | 4724 | False |
Security | Microsoft-Windows-Security-Auditing | 4725 | False |
Security | Microsoft-Windows-Security-Auditing | 4726 | False |
Security | Microsoft-Windows-Security-Auditing | 4727 | False |
Security | Microsoft-Windows-Security-Auditing | 4728 | False |
Security | Microsoft-Windows-Security-Auditing | 4729 | False |
Security | Microsoft-Windows-Security-Auditing | 4730 | False |
Security | Microsoft-Windows-Security-Auditing | 4731 | False |
Security | Microsoft-Windows-Security-Auditing | 4732 | False |
Security | Microsoft-Windows-Security-Auditing | 4733 | False |
Security | Microsoft-Windows-Security-Auditing | 4734 | False |
Security | Microsoft-Windows-Security-Auditing | 4735 | False |
Security | Microsoft-Windows-Security-Auditing | 4737 | False |
Security | Microsoft-Windows-Security-Auditing | 4738 | False |
Security | Microsoft-Windows-Security-Auditing | 4739 | False |
Security | Microsoft-Windows-Security-Auditing | 4740 | False |
Security | Microsoft-Windows-Security-Auditing | 4741 | False |
Security | Microsoft-Windows-Security-Auditing | 4742 | False |
Security | Microsoft-Windows-Security-Auditing | 4743 | False |
Security | Microsoft-Windows-Security-Auditing | 4754 | False |
Security | Microsoft-Windows-Security-Auditing | 4755 | False |
Security | Microsoft-Windows-Security-Auditing | 4756 | False |
Security | Microsoft-Windows-Security-Auditing | 4757 | False |
Security | Microsoft-Windows-Security-Auditing | 4758 | False |
Security | Microsoft-Windows-Security-Auditing | 4764 | False |
Security | Microsoft-Windows-Security-Auditing | 4767 | False |
Security | Microsoft-Windows-Security-Auditing | 4768 | False |
Security | Microsoft-Windows-Security-Auditing | 4769 | False |
Security | Microsoft-Windows-Security-Auditing | 4771 | False |
Security | Microsoft-Windows-Security-Auditing | 4778 | False |
Security | Microsoft-Windows-Security-Auditing | 4779 | False |
Security | Microsoft-Windows-Security-Auditing | 4780 | False |
Security | Microsoft-Windows-Security-Auditing | 4781 | False |
Security | Microsoft-Windows-Security-Auditing | 4782 | False |
Security | Microsoft-Windows-Security-Auditing | 4794 | False |
Security | Microsoft-Windows-Security-Auditing | 4798 | False |
Security | Microsoft-Windows-Security-Auditing | 4799 | False |
Security | Microsoft-Windows-Security-Auditing | 4817 | False |
Security | Microsoft-Windows-Security-Auditing | 4826 | True |
Security | Microsoft-Windows-Security-Auditing | 4865 | False |
Security | Microsoft-Windows-Security-Auditing | 4866 | False |
Security | Microsoft-Windows-Security-Auditing | 4867 | False |
Security | Microsoft-Windows-Security-Auditing | 4904 | False |
Security | Microsoft-Windows-Security-Auditing | 4905 | False |
Security | Microsoft-Windows-Security-Auditing | 4906 | False |
Security | Microsoft-Windows-Security-Auditing | 4907 | False |
Security | Microsoft-Windows-Security-Auditing | 4908 | False |
Security | Microsoft-Windows-Security-Auditing | 4912 | False |
Security | Microsoft-Windows-Security-Auditing | 5038 | False |
Security | Microsoft-Windows-Security-Auditing | 5140 | False |
Security | Microsoft-Windows-Security-Auditing | 5142 | False |
Security | Microsoft-Windows-Security-Auditing | 5376 | False |
Security | Microsoft-Windows-Security-Auditing | 5377 | False |
Security | Microsoft-Windows-Security-Auditing | 5632 | False |
Security | Microsoft-Windows-Security-Auditing | 6281 | False |
Security | Microsoft-Windows-Security-Auditing | 6410 | False |
Security | Microsoft-Windows-Security-Auditing | 6416 | False |
System | Microsoft-Windows-EventLog | 104 | True |
System | Microsoft-Windows-Kernel-General | 12 | True |
System | Microsoft-Windows-Kernel-General | 13 | True |
System | Microsoft-Windows-Kernel-Power | 41 | True |
System | Microsoft-Windows-WER-Diag | 5 | True |
System | Service Control Manager | 7031 | True |
System | Service Control Manager | 7034 | True |
System | Service Control Manager | 7040 | True |
System | User32 | 1074 | True |
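To turn the table into something a collector can consume, the following PowerShell (an added example, not part of the original guidance, its JSON mapping or its subscription file) builds the QueryList XML that both a Windows Event Forwarding subscription and Get-WinEvent -FilterXml accept, grouping event IDs per channel and, within a channel, per provider. $Mapping is a constructed subset of the rows above; the function is generic, so the full table can be passed in the same shape.

```powershell
# Added example, not the project's own code: build the <QueryList> XML used by
# Windows Event Forwarding subscriptions and by Get-WinEvent -FilterXml from
# rows shaped like the table above. $Mapping is a constructed subset of that table.
$Mapping = @(
    [pscustomobject]@{ Channel = 'Security'; Provider = 'Microsoft-Windows-EventLog';          EventID = 1100 }
    [pscustomobject]@{ Channel = 'Security'; Provider = 'Microsoft-Windows-EventLog';          EventID = 1102 }
    [pscustomobject]@{ Channel = 'Security'; Provider = 'Microsoft-Windows-Security-Auditing'; EventID = 4624 }
    [pscustomobject]@{ Channel = 'Security'; Provider = 'Microsoft-Windows-Security-Auditing'; EventID = 4625 }
    [pscustomobject]@{ Channel = 'Security'; Provider = 'Microsoft-Windows-Security-Auditing'; EventID = 4688 }
    [pscustomobject]@{ Channel = 'Security'; Provider = 'Microsoft-Windows-Security-Auditing'; EventID = 4697 }
    [pscustomobject]@{ Channel = 'System';   Provider = 'Microsoft-Windows-EventLog';          EventID = 104 }
    [pscustomobject]@{ Channel = 'System';   Provider = 'Service Control Manager';             EventID = 7040 }
    [pscustomobject]@{ Channel = 'Microsoft-Windows-PowerShell/Operational';    Provider = 'Microsoft-Windows-PowerShell';    EventID = 4104 }
    [pscustomobject]@{ Channel = 'Microsoft-Windows-TaskScheduler/Operational'; Provider = 'Microsoft-Windows-TaskScheduler'; EventID = 200 }
    [pscustomobject]@{ Channel = 'Microsoft-Windows-TaskScheduler/Operational'; Provider = 'Microsoft-Windows-TaskScheduler'; EventID = 201 }
)

function New-CollectionQueryXml {
    param([Parameter(Mandatory)][object[]]$Rows)
    $queries = New-Object System.Collections.Generic.List[string]
    $id = 0
    # One <Query> per channel and one <Select> per provider inside it, so the event ID
    # list of one provider is never applied to another provider writing to the same
    # channel (Security holds both Microsoft-Windows-EventLog and Security-Auditing).
    foreach ($channelGroup in ($Rows | Group-Object Channel | Sort-Object Name)) {
        $channel = [System.Security.SecurityElement]::Escape($channelGroup.Name)
        $selects = foreach ($providerGroup in ($channelGroup.Group | Group-Object Provider | Sort-Object Name)) {
            $provider = [System.Security.SecurityElement]::Escape($providerGroup.Name)
            $ids = $providerGroup.Group | ForEach-Object { [int]$_.EventID } | Sort-Object -Unique
            $idExpr = ($ids | ForEach-Object { "EventID=$_" }) -join ' or '
            "    <Select Path=`"$channel`">*[System[Provider[@Name='$provider'] and ($idExpr)]]</Select>"
        }
        $queries.Add("  <Query Id=`"$id`" Path=`"$channel`">`n$($selects -join "`n")`n  </Query>")
        $id++
    }
    return "<QueryList>`n$($queries -join "`n")`n</QueryList>"
}

$xml = New-CollectionQueryXml -Rows $Mapping
$xml

# Sanity check: the XML must parse, and the same QueryList can be tried locally
# before it goes into a subscription (reading the Security log requires elevation).
[xml]$parsed = $xml
"Queries generated: $($parsed.QueryList.Query.Count)"
Get-WinEvent -FilterXml $parsed -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, ProviderName, Id
```

Rows whose "On by default" column is False only return events once the matching audit policy or channel from the Recommendations section has been enabled, so an empty result for those channels points at configuration rather than at the query.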