HPESecurity ArcSight Connectors...4725 53 4726 53 4727 53 WindowsSecurityEventMappings HPEConnectors Page6of173 4728 54 4729 54 4730 55 4731 55 4732 56 4733 56 4734 57 4735 57 4737

HPE Security ArcSight Connectors

SmartConnector for Microsoft Windows Event Log –Native

Windows Security Event Mappings

March 15, 2017

Legal Notices

WarrantyThe only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statementsaccompanying such products and services. Nothing herein should be construed as constituting an additional warranty.Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

The information contained herein is subject to change without notice.

The network information used in the examples in this document (including IP addresses and hostnames) is for illustrationpurposes only.

HPE Security ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, andconfidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good securitypractices.

This document is confidential.

Restricted Rights LegendConfidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use or copying.Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and TechnicalData for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice© Copyright 2008-2017 Hewlett Packard Enterprise Development, LP

Follow this link to see a complete statement of copyrights and acknowledgements:https://www.protect724.hpe.com/docs/DOC-13026

Revision History

Date Description

03/15/2017 Updated mappings for Event 4624. Removed Windows Server 2003 dueto end of support for that product.

11/30/2016 Added support for Windows Server 2016.

10/31/2016 Added mappings to Event 4738.

05/16/2016 Added mappings to Event 5156.

02/15/2016 Added Windows 10 support. Added fields to security event 4648mappings.

02/16/2015 First generally available edition of this guide.


HPE Connectors Page 2 of 173

https://www.protect724.hpe.com/docs/DOC-13026

Support

Phone A list of phone numbers is available on the HPE Security ArcSight Technical Support

Page: https://softwaresupport.hpe.com/documents/10180/14684/esp-support-contact-list

Support Web Site https://softwaresupport.hpe.com

Protect 724 Community https://www.protect724.hpe.com

Contact Information



https://softwaresupport.hpe.com/documents/10180/14684/esp-support-contact-list

https://softwaresupport.hpe.com/documents/10180/14684/esp-support-contact-list

https://softwaresupport.hpe.com/

https://www.protect724.hpe.com/welcome

Contents

About This Book 17

Windows Common Security Mappings 18

Specific Windows Security Event Mappings 20

1100 20

1101 20

1102 20

1104 20

1105 21

4608 21

4609 21

4610 21

4611 22

4612 22

4614 22

4615 23

4616 23

4618 24

4621 24

4622 24

4624 25

4625 26

4626 27

4627 27

4634 28

4646 28

4647 29

4648 29


4649 30

4650 30

4651 30

4652 31

4653 31

4654 31

4655 32

4656 32

4657 33

4658 33

4659 34

4660 34

4661 35

4662 35

4663 36

4664 36

4665 36

4666 37

4667 37

4668 37

4670 37

4671 38

4672 38

4673 38

4674 39

4675 39

4688 39

4689 40

4690 41

4691 41

4692 41

4693 42



4694 42

4695 42

4696 43

4697 43

4698 44

4699 44

4700 44

4701 45

4702 45

4703 45

4704 46

4705 46

4706 47

4707 47

4709 47

4710 47

4711 48

4712 48

4713 48

4714 48

4715 49

4716 49

4717 50

4718 50

4719 51

4720 51

4722 51

4723 52

4724 52

4725 53

4726 53

4727 53



4728 54

4729 54

4730 55

4731 55

4732 56

4733 56

4734 57

4735 57

4737 58

4738 58

4739 59

4740 59

4741 60

4742 60

4743 61

4744 61

4745 62

4746 62

4747 63

4748 63

4749 64

4750 64

4751 65

4752 65

4753 66

4754 66

4755 67

4756 67

4757 68

4758 68

4759 69

4760 69



4761 70

4762 70

4763 71

4764 71

4765 72

4766 72

4767 73

4768 73

4769 74

4770 74

4771 75

4772 75

4773 76

4774 76

4775 76

4776 76

4777 77

4778 77

4779 78

4780 78

4781 79

4782 79

4783 80

4784 80

4785 81

4786 81

4787 82

4788 82

4789 83

4790 83

4791 84

4792 84



4793 85

4794 85

4797 85

4798 86

4799 86

4800 87

4801 87

4802 87

4803 88

4816 88

4817 88

4818 89

4819 89

4820 89

4821 90

4822 91

4823 91

4824 92

4826 92

4864 93

4865 93

4866 93

4867 94

4868 94

4869 94

4870 95

4871 95

4872 95

4873 96

4874 96

4875 96

4876 97



4877 97

4878 97

4879 97

4880 98

4881 98

4882 98

4883 98

4884 99

4885 99

4886 99

4887 99

4888 100

4889 100

4890 100

4891 100

4892 101

4893 101

4894 101

4895 101

4896 101

4897 102

4898 102

4899 102

4900 102

4902 102

4904 103

4905 103

4906 103

4907 104

4908 104

4909 104

4910 105



4911 105

4912 105

4913 106

4928 106

4929 106

4930 106

4931 107

4932 107

4933 107

4934 107

4935 107

4936 107

4937 108

4944 108

4945 108

4946 108

4947 108

4948 109

4949 109

4950 109

4951 109

4952 109

4953 110

4954 110

4956 110

4957 110

4958 110

4960 111

4961 111

4962 111

4963 111

4964 112



4965 112

4976 112

4977 113

4978 113

4979 113

4980 113

4981 114

4982 114

4983 114

4984 115

4985 115

5024 115

5025 115

5027 116

5028 116

5029 116

5030 116

5031 117

5032 117

5033 117

5034 117

5035 117

5037 118

5038 118

5039 118

5040 118

5041 119

5042 119

5043 119

5044 119

5045 119

5046 120



5047 120

5048 120

5049 120

5050 120

5051 121

5056 121

5057 121

5058 122

5059 122

5060 123

5061 123

5062 123

5063 123

5064 124

5065 124

5066 124

5067 125

5068 125

5069 125

5070 126

5071 126

5120 126

5121 126

5122 127

5123 127

5124 127

5125 127

5126 128

5127 128

5136 128

5137 128

5138 129



5139 129

5140 130

5141 130

5142 131

5143 131

5144 131

5145 132

5146 132

5147 133

5152 133

5153 133

5154 134

5155 134

5156 134

5157 135

5158 135

5159 135

5168 136

5376 136

5377 137

5378 137

5440 137

5441 137

5442 138

5443 138

5444 138

5446 138

5447 138

5448 139

5449 139

5450 139

5451 139



5452 140

5453 140

5456 140

5457 140

5458 140

5459 141

5460 141

5461 141

5462 141

5463 141

5464 142

5465 142

5466 142

5467 142

5468 143

5471 143

5472 143

5473 143

5474 143

5477 144

5478 144

5479 144

5480 144

5483 144

5484 145

5632 145

5633 145

5712 146

5888 146

5889 146

5890 147

6144 147



6145 147

6272 147

6273 148

6274 149

6275 149

6276 149

6277 149

6278 149

6279 150

6280 150

6281 151

6409 151

6410 151

6416 151

8191 152

Windows Event Log Event Descriptions by Category 153

Send Documentation Feedback 173



About This BookThis guide provides the specific events generated by the various policies and their mappings to HPArcSight fields.

The SmartConnector for Microsoft Windows Event Log – Unified and the SmartConnector forMicrosoft Windows Event Log – Native can connect to local or remote machines, inside a single domainor from multiple domains, to retrieve events from all types of event logs.

This connector supports event collection from these Microsoft Windows versions:

l Microsoft Windows Server 2008

l Microsoft Windows Server 2008 R2


l Microsoft Windows Server 2012 R2


Note that Security events are not audited by default. Be sure to specify the type of security events to beaudited (see "Enable Microsoft Windows Event Log Audit Policies" in the configuration guide for theSmartConnector for Microsoft Windows Event Log -- Native).

There are three default Windows event logs:

l Application log (tracks events that occur in a registered application)

l Security log (tracks security changes and possible breaches in security)

l System log (tracks system events)

Windows Security Event MappingsAbout This Book


Windows Common Security MappingsThe following security event mappings generally apply to all Windows Server 2008, Windows Server2012, Windows Server 2016, and Windows 10 Windows Event Log Security Events. For the cases inwhich specific security events have differing or extended mappings, see "Specific 2008 WindowsSecurity Event Mappings."

HP ArcSight ESM Field Device-Specific Field

Agent (Connector) Severity Medium when Device Severity = Error or Warning; Low when DeviceSeverity = Information or Audit_success

Destination Host Name One of (Target Server Name, Computer Name, Target Server:TargetServer Name)

Destination NT Domain One of (Domain Name, Subject:Account Domain, New TokenInformation:Account Domain, Subject:Domain Name)

Destination Port Network Information:Destination Port

Destination Process Name One of (Process Information:New Process Name, ProcessInformation:Process Name)

Destination Service Name Service Information:Service Name

Destination User ID One of (Subject:Logon ID, New Token Information:Logon ID)

Destination User Name One of (Account Name, Subject:Account Name, Subject:Security ID, User,New Token Information:Account Name)

Destination User Privileges One of (Additional Information:Privileges, New Right:User Right,Removed Right:User Right, Access Granted:Access Right, AccessRemoved:Access Right)

Device Action One of (Account Action, Allowed, ‘No’, ‘Blocked’)

Device Custom IPv6 Address 2 Source IPv6 Address

Device Custom Number 1 Logon Type

Device Custom Number 2 Value of CrashOnAuditFail

Device Custom Number 3 Count

Device Custom String 1 One of (Access Request Information:Access Mask, Operation:Accesses,Operation:Access Mask)

Device Custom String 2 EventCategory

Windows Security Event MappingsWindows Common Security Mappings



Device Custom String 4 One of (Error Code, Additional Information:Failure Code, AdditionalInformation:Reason Code, Additional Information:Error Code, FailureInformation:Failure Reason, Audit Events Dropped:Reason, Reason,Reason for Rejection, Error Information:Reason, Error Information:Error,Process Information:Exit Status)

Device Custom String 5 One of (Authentication Package Name, Authentication Package,Authentication, Detailed Authentication Information:authenticationPackage)

Device Event Category Event logType

Device Event Class ID Both (Event Source , Event ID)

Device Host Name Computer Name

Device NT Domain One of (Domain Name, Subject:Account Domain)

Device Product 'Microsoft Windows'

Device Receipt Time DetectTime

Device Severity EventType

Device Vendor 'Microsoft'

External ID Event ID

File ID One of (Object Handle ID, Object:Object Handle)

File Name Object:Object Name

File Type One of (Object Type, Object:Object Type)

Message Message

Name Description

Source Address One of (Network Information:Source Network Address, Local NetworkAddress, Additional Information:Client Address)

Source Host Name One of (Subject:Client Name, Network Information:Workstation Name,Source Workstation, Additional Information:Client Name)

Source NT Domain Subject:Client Domain

Source Port One of (Network Information:Source Port, Network Information:Port,Network Information:Client Port)

Source Process Name One of (Logon Process Name, process Information:Caller Process ID)

Windows Security Event MappingsWindows Common Security Mappings


Specific Windows Security Event Mappings

1100


Name ‘The event logging service has shut down.’

1101


Name ‘Audit events have been dropped by the transport. The real timebackup file was corrupt due to improper shutdown.’

Device Custom Number 3 Reason

1102


Name ‘The audit log was cleared.’

Destination NT Domain SubjectDomainName

Destination User Name One of (SubjectUserName, SubjectUserSid)

Destination User ID SubjectLogonId

1104


Name ‘The security log is now full.’

Windows Security Event MappingsSpecific Windows Security Event Mappings


1105


Name ‘Event log automatic backup.’

File Type Channel

File Name BackupPath

4608


Name ‘Windows is starting up. This event is logged when LSASS.EXE startsand the auditing subsystem is initialized.’

4609


Name ‘Windows is shutting down. All logon sessions will be terminated bythis shut down.’

4610


Name ‘An authentication package has been loaded by the Local SecurityAuthority. This authentication package will be used to authenticatelogon attempts.’

Device Custom String 5 AuthenticationPackageName



4611


Name ‘A trusted logon process has been registered with the Local SecurityAuthority. This logon process will be trusted to submit logon requests.’

Destination Process Name LogonProcessName

Source Process Name LogonProcessName




Device NT Domain SubjectDomainName

4612


Name ‘Internal resources allocated for the queuing of audit messages havebeen exhausted, leading to the loss of some audits.’

Device Custom Number 3 AuditsDiscarded

Message ‘This event is generated when audit queues are filled and events mustbe discarded. This most commonly occurs when security events arebeing generated faster than they are being written to disk, or whenthe auditing system loses connectivity to the event log, such as whenthe event log service is stopped.’

4614


Name ‘A notification package has been loaded by the Security AccountManager. This package will be notified of any account or passwordchanges.’

Device Custom String 5 ‘NotificationPackageName’



4615


Name ‘Invalid use of LPC port.’





Message ‘Windows Local Security Authority (LSA) communicates with theWindows kernel using Local Procedure Call (LPC) ports. If you see thisevent, an application has inadvertently or intentionally accessed thisport which is reserved exclusively for LSA's use. The application(process) should be investigated to ensure that it is not attempting totamper with this communications channel.’

4616


Name ‘The system time was changed.’





Device Custom Date 1 Both (PreviousDate, PreviousTime)

Device Custom Date 2 Both (NewDate, NewTime)

Device Custom String 3 ProcessId

Destination process Name ProcessName

Message ‘This event is generated when the system time is changed. It is normalfor the Windows Time Service, which runs with System privilege, tochange the system time on a regular basis. Other system time changesmay be indicative of attempts to tamper with the computer.’



4618


Name ‘A monitored security event pattern has occurred.’

Destination User ID TargetLogonId

Destination User Name One of (TargetUserName, TargetUserSid)

Destination NT Domain TargetUserDomain

Device NT Domain TargetUserDomain

Message ‘This event is generated when Windows is configured to generatealerts in accordance with the Common Criteria Security Audit Analysisrequirements (FAU_SAA) and an auditable event pattern occurs.’

4621


Name ‘Administrator recovered system from CrashOnAuditFail. Users who arenot administrators will now be allowed to log on. Some auditableactivity might not have been recorded.’

Device Custom Number 2 CrashOnAuditFail value.

Message ‘This event is logged after a system reboots followingCarshOnAuditFail.’

4622


Name ‘A security package has been loaded by the Local Security Authority.’

File Path SecurityPackageName

Device Custom String 5 SecurityPackageName



4624


Name ‘An account was successfully logged on.’

Additional data TargetOutboundUserName

Additional data TargetOutboundDomainName


Source Address IpAddress

Device Custom IPv6 Address 2 IpAddress (Source IPv6 Address)

Destination Process Name ProcessName

Destination User Name TargetUserName

Destination NT Domain TargetDomainName


Device Custom String 1 ImpersonationLevel


Device Custom String 4 RestrictedAdminMode

Device Process Name LogonProcessName

Device Custom String 6 LogonGuid

Source Host Name One of (IpAddress, ‘localhost’)

Source Port IpPort


Device Custom Number 1 LogonType

File Type VirtualAccount

File ID TargetLinkedLogonId

File Name ElevatedToken

Message ‘This event is generated when a logon session is created. It isgenerated on the computer that was accessed.’



4625


Name ‘An account failed to log on.’






Reason FailureReason

Device Process Name LogonProcessName

Destination User ID ‘ ‘

Source Host Name WorkstationName

Source Port IpPort

Source Process Name ProcessId

Device Custom String 4 FailureReason



Destination UserName TargetUserName

Message ‘This event is generated when a logon request fails. It is generated onthe computer where access was attempted. The Subject fields indicatethe account on the local system which requested the logon. This is mostcommonly a service such as the Server service, or a local process such asWinlogon.exe or Services.exe. The Logon Type field indicates the kindof logon that was requested. The most common types are 2(interactive) and 3 (network).The Process Information fields indicatewhich account and process on the system requested the logon. TheNetwork Information fields indicate where a remote logon requestoriginated. Workstation name is not always available and may be leftblank in some cases. The authentication information fields providedetailed information about this specific logon request.- Transited services indicate which intermediate services haveparticipated in this logon request.- Package name indicates which sub-protocol was used among theNTLM protocols.- Key length indicates the length of the generated session key. Thiswill be 0 if no session key was requested.’



4626


Name ‘User/Device claims information.’






Message ‘The subject fields indicate the account on the local system whichrequested the logon. This is most commonly a service such as theServer service, or a local process such as Winlogon.exe or Services.exe.The logon type field indicates the kind of logon that occurred. Themost common types are 2 (interactive) and 3 (network). The NewLogon fields indicate the account for whom the new logon was created,i.e. the account that was logged on. This event is generated when theAudit User/Device claims subcategory is configured and the user'slogon token contains user/device claims information. The Logon IDfield can be used to correlate this event with the corresponding userlogon event as well as to any other security audit events generatedduring this logon session.’

4627


Name ‘Group membership information.’

Source User Name One of (SubjectUserName, SubjectUserSid)

Source NT Domain SubjectDomainName

Source User ID SubjectLogonId





Device Custom Number 2 EventIdx




Device Custom Number 3 EventCountTotal

Device Custom String 1 GroupMembership

Message ‘This event is generated when the Audit Group Membershipsubcategory is configured. The subject fields indicate the account onthe local system which requested the logon. This is most commonly aservice such as the Server service, or a local process such asWinlogon.exe or Services.exe. The logon type field indicates the kindof logon that occurred. The most common types are 2 (interactive) and3 (network). The New Logon fields indicate the account for whom thenew logon was created, i.e. the account that was logged on. The LogonID field can be used to correlate this event with the corresponding userlogon event as well as to any other security audit events generatedduring this logon session.’

4634


Name ‘An account was logged off.’





Device NT Domain TargetDomainName

Message ‘This event is generated when a logon session is destroyed. It may bepositively correlated with a logon event using the Logon ID value.Logon IDs are only unique between reboots on the same computer.’

4646


Name ‘IKE DoS-prevention mode started.’



4647


Name ‘User initiated logoff.’





Message ‘This event is generated when a logoff is initiated but the tokenreference count is not zero and the logon session cannot be destroyed. No further user-initiated activity can occur. This event can beinterpreted as a logoff event.’

4648


Name ‘A logon was attempted using explicit credentials.’






Device Custom String 6 TargetLogonGuid (Logon GUID)

Device Custom String 3 ProcessId (Process ID)

Source Port IpPort



Message ‘This event is generated when a process attempts to log on an accountby explicitly specifying that account's credentials. This mostcommonly occurs in batch-type configurations such as scheduled tasks,or when using the RUNAS command.’

Device Custom String 5 TargetServerName



4649


Name ‘A replay attack was detected.’

Source Host Name WorkstationName



Device Custom String 5 AuthenticationPackage




Message ‘This event indicates that a Kerberos replay attack was detected- arequest was received twice with identical information. This conditioncould be caused by network misconfiguration.’

4650


Name ‘An IPsec Main Mode security association was established. ExtendedMode was not enabled. Certificate authentication was not used.’

4651


Name ‘An IPsec Main Mode security association was established. ExtendedMode was not enabled. A certificate was used for authentication.’

Source Address LocalAddress

Source Port LocalKeyModPort

Destination Address RemoteAddress

Destination Port RemoteKeyModPort



4652


Name ‘An IPsec Main Mode negotiation failed.’






Message FailureReason

4653


Name ‘An IPsec Main Mode negotiation failed.’







4654


Name ‘An IPsec Quick Mode negotiation failed.’



Source Port LocalPort





Destination Port RemotePort


4655


Name ‘An IPsec Main Mode security association ended.’


4656


Name ‘A handle to an object was requested.’



Device Custom String 1 AccessList





Destination User Privileges PrivilegeList

File ID HandleId

File Name ObjectName

File Type ObjectType



4657


Name ‘A registry value was modified.’

Device Custom String 6 ObjectValueName

Device Action OperationType

Old File Type OldValueType

Device Custom String 4 OldValue

File Type NewValueType

File ID HandleId


Device Custom String 5 NewValue







4658


Name ‘The handle to an object was closed.’




File ID HandleId






4659


Name ‘A handle to an object was requested with intent to delete.’





File ID HandleId





4660


Name ‘An object was detected.’




File ID HandleId






4661


Name ‘A handle to an object was requested.’







File ID HandleId





4662


Name ‘An operation was performed on an object.’

Device Custom String 5 ObjectType


Device Custom String 1 One of (AccessList, AccessMask)


File ID HandleId







4663


Name ‘An attempt was made to access an object.’






File ID HandleId





4664


Name ‘An attempt was made to create a hard link.’


Destination User Name SubjectUserName



4665


Name ‘An attempt was made to create an application client context.’

Source Host Name ClientName

Source NT Domain ClientDomain



4666


Name ‘An application attempted an operation.’


4667


Name ‘An application client context was deleted.’



4668


Name ‘An application was initialized.’



4670


Name ‘Permissions on an object were changed.’

Device Custom String 4 OldSd

Device Custom String 5 NewSd




File ID HandleId








4671


Name ‘An application attempted to access a blockied ordinal through theTBS.’

Destination User ID CallerLogonId

Destination User Name One of (CallerUserName, CallerUserSid)

Destination NT Domain CallerDomainName

Device NT Domain CallerDomainName

4672


Name ‘Special privileges assigned to new logon.’

Destination User privileges PrivilegeList





4673


Name ‘A privileged service was called.’








4674


Name ‘An operation was attempted on a privileged object.’










File ID HandleId

4675


Name ‘SIDs were filtered.’

4688


Name ‘A new process has been created.’

Destination User Name One of (SubjectUserName, SubjectUserSid, TargetUserName,TargetUserSid)




Destination NT Domain One of (SubjectDomainName, desinationNtDomain)

Destination User ID One of (SubjectLogonId, TargetLogonId)

Device Custom String 1 MandatoryLabel

Device Custom String 3 NewProcessId

Device Custom String 6 TokenElevationType


Device Custom String 4 CommandLine

Destination Process Name NewProcessName


File Path ParentProcessName

Message ‘Token Elevation Type indicates the type of token that was assignedto the new process in accordance with User Account Controlpolicy.Type 1 is a full token with no privileges removed or groupsdisabled. Type 2 is an elevated token with no privileges removed orgroups disabled.Type 3 is a limited token with administrativeprivileges removed and administrative groups disabled.’

4689


Name ‘A process has exited.’




Device Custom String 4 Status






4690


Name ‘An attempt was made to duplicate a handle to an object.’

Old File ID SourceHandleId

Device Custom String 5 SourceProcessId

File ID TargetHandleId

Device Custom String 3 TargetProcessId





4691


Name ‘Indirect access to an object was requested.’


Device Custom String 1 AccessMask






4692


Name ‘Backup of data protection master key was attempted.’








4693


Name ‘Recovery of data protection master key was attempted.’





4694


Name ‘Protection of auditable protected data was attempted.’





4695


Name ‘Unprotection of auditable protected data was attempted.’







4696


Name ‘A primary token was assigned to process.’

Device Custom String 3 TargetProcessId

Destination Process Name TargetProcessName


Source Process Name ProcessName








4697


Name ‘A service was installed in the system.’

File Path ServiceFileName

File Type ServiceType

Device Custom String 5 ServiceStartType

Device Custom String 6 ServiceAccount


Destination Service Name ServiceName






4698


Name ‘A scheduled task was created.’

Device Custom String 6 TaskName





4699


Name ‘A scheduled task was deleted.’






4700


Name ‘A scheduled task was enabled.’








4701


Name ‘A scheduled task was disabled.’






4702


Name ‘A scheduled task was updated.’






4703


Name ‘A user right was adjusted.’












Device Custom String 1 EnabledPrivilegeList

Device Custom String 4 DisabledPrivilegeList

Message ‘A user right was adjusted.’

4704


Name ‘A user right was assigned.’

Source User Name One of (SubjectUserSid, SubjectUserName)



Destination User Name TargetSid





4705


Name ‘A user right was removed.’

Source User Name One of (SubjectUserSid, SubjectUserName)










4706


Name ‘A new trust was created to a domain.’

Device Custom String 6 One of (DomainName, DomainSid)

Device Custom String 5 TdoType (Trust Type)

Device Custom String 3 TdoDirection (Trust Direction)





4707


Name ‘A trust to a domain was removed.’






4709


Name ‘IPsec Services was started.’

4710


Name ‘The IPsec Policy Agent service was disabled.’



4711


Name ‘PAStore Engine applied locally cached copy of Active Directorystorage IPsec policy on the computer.’

4712


Name ‘IPsec Policy Agent encountered a potentially serious failure.’

4713


Name ‘Kerberos policy was changed.’

Message All of ((KerberosPolicyChange, ‘””, “(‘—‘ means no changes, otherwiseeach change is shown as: (Parameter Name): (new value) (old value))





4714


Name ‘Data Recovery Agent group policy for Encrypting File System (EFS)has changed. The new changes have been applied.’

Message All of (EfsPolicyChange," ","Changes Made('--' means no changes,otherwise each change is shown as:(Parameter Name): (new value) (oldvalue))")








4715


Name ‘The audit policy (SACL) on an object was changed.’

Device Custom String 6 NewSd





4716


Name ‘Trusted domain information was modified.’


Device Custom String 5 TdoType (Trust Type)

Device Custom String 3 TdoDirection (Trust Direction)







4717


Name ‘System security access was granted to an account.’

Source User ID SubjectLogonid







Destination User Privileges AccessGranted

4718


Name ‘System security access was removed from an account.’








Destination User Privileges AccessRemoved



4719


Name ‘System audit policy was changed.’

Device Custom String 5 SubcategoryId

Device Custom String 6 CategoryId

Device Action AuditPolicyChanges





4720


Name ‘A user account was created.’

Source User Name SubjectUserName








4722


Name ‘A user account was enabled.’











4723


Name ‘An attempt was made to change an account’s password.’









4724


Name ‘An attempt was made to reset an account’s password.’










4725


Name ‘A user account was disabled.’








4726


Name ‘A user account was deleted.’









4727


Name ‘A security-enabled global group was created.’







Device Custom String 6 Both (TargetDomainName, TargetUserName)





Destination User Privilege PrivilegeList

4728


Name ‘A member was added to a security-enabled global group.’




Destination User Name MemberSid

Destination NT Domain MemberSid


Destination User ID MemberName



4729


Name ‘A member was removed from a security-enabled global group.’













4730


Name ‘A security-enabled global group was deleted.’










4731


Name ‘A security-enabled local group was created.’













4732


Name ‘A member was added to a security-enabled local group.’










4733


Name ‘A member was removed from a security-enabled local group.’













4734


Name ‘A security-enabled local group was deleted.’










4735


Name ‘A security-enabled local group was changed.’












4737


Name ‘A security-enabled global group was changed.’










4738


Name ‘A user account was changed.’







Device Custom String 4 OldUacValue (Old User Account Control Value)

Device Custom String 5 NewUacValue (New User Account Control Value)

Device Custom String 6 UserAccountControl (Change in User Account Control)





4739


Name ‘Domain Policy was changed.’




Destination NT Domain DomainName

Destination User Name ‘ ‘


Message DomainPolicyChanged

Device Custom String 6 Changed Attributes



4740


Name ‘A user account was locked out.’


Source Host Name TargetDomainName

Destination NT Domain TargetSid








4741


Name ‘A computer account was created.’










4742


Name ‘A computer account was changed.’












4743


Name ‘A computer account was deleted.’










4744


Name ‘A security-disabled local group was created.’












4745


Name ‘A security-disabled local group was changed.’










4746


Name ‘A member was added to a security-disabled local group.’












4747


Name ‘A member was removed from a security-disabled local group.’









4748


Name ‘A security-disabled local group was deleted.’












4749


Name ‘A security-disabled global group was created.’










4750


Name ‘A security-disabled global group was changed.’












4751


Name ‘A member was added to a security-disabled global group.’






Destination User Name One of (MemberSid, MemberName)




4752


Name ‘A member was removed from a security-disabled global group.’












4753


Name ‘A security-disabled global group was deleted.’










4754


Name ‘A security-enabled universal group was created.’












4755


Name ‘A security-enabled universal group was changed.’










4756


Name ‘A member was added to a security-enabled universal group.’












4757


Name ‘A member was removed from a security-enabled universal group.’










4758


Name ‘A security-enabled universal group was deleted.’












4759


Name ‘A security-disabled universal group was created.’










4760


Name ‘A security-disabled universal group was changed.’












4761


Name ‘A member was added to a security-disabled universal group.’










4762


Name ‘A member was removed from a security-disabled universal group.’












4763


Name ‘A security-disabled universal group was deleted.’










4764


Name ‘A group’s type was changed.’





Device Custom String 5 GroupTypeChange








4765


Name ‘SID History was added to an account.’




Device Custom String 6 SourceUserName






4766


Name ‘An attempt to add SID History to an account failed.’




Device Custom String 6 SourceUserName








4767


Name ‘A user account was unlocked.’








4768


Name ‘A Kerberos authentication ticket (TGT) was requested.’



Device Custom String 3 IpAddress (Client Address)




Device Custom String 5 PreAuthType

Source Port IpPort


Message ‘Certificate information is only provided if a certificate was used forpre-authentication.Pre-authentication types, ticket options, encryptiontypes and result codes are defined in RFC 4120.’



4769


Name ‘A Kerberos service ticket was requested.’







Device Custom String 6 LogonGuid

Source Port IpPort


Message ‘This event is generated every time access is requested to a resourcesuch as a computer or a Windows service. The service name indicatesthe resource to which access was requested.This event can becorrelated with Windows logon events by comparing the Logon GUIDfields in each event. The logon event occurs on the machine that wasaccessed, which is often a different machine than the domaincontroller which issued the service ticket.Ticket options, encryptiontypes, and failure codes are defined in RFC 4120.’

4770


Name ‘A Kerberos service ticket was renewed.’






Source Port IpPort

Message ‘Ticket options and encryption types are defined in RFC 4120.’



4771


Name ‘Kerberos pre-autheitication failed.’




Destination NT Domain TargetSid


Reason Status

Source Port IpPort


Message ‘Certificate information is only provided if a certificate was used forpre-authentication.Pre-authentication types, ticket options and failurecodes are defined in RFC 4120.If the ticket was malformed or damagedduring transit and could not be decrypted, then many fields in thisevent might not be present.’

4772


Name ‘A Kerberos authentication ticket request failed.’


Source Port IpPort


Device Custom String 4 FailureCode

Message ‘Ticket options and failure codes are defined in RFC 4120.”



4773


Name ‘A Kerberos service ticket request failed.’


Source Port IpPort


Device Custom String 4 FailureCode

Message ‘Ticket options and failure codes are defined in RFC 4120.’

4774


Name ‘An account was mapped for logon.’

Destination User Name MappedName

Device Custom String 5 One of (MappedName, MappingBy)

4775


Name ‘An accouont could not be mapped for logon.’

Destination User Name MappingBy

Device Custom String 5 ClientUserName

4776


Name ‘The domain controller attempted to validate the credentials for anaccount.’





Reason Status

Source Host Name Workstation


Device Custom String 5 PackageName

4777


Name ‘The domain controller failed to validate the credentials for anaccount.’




Device Custom String 5 ClientUserName

4778


Name ‘A session was reconnected to a Window Station.’

Device Custom String 6 SessionName


Source Address ClientAddress

Destination User ID LogonID

Destination User Name AccountName

Destination NT Domain AccountDomain

Device NT Domain Account Domain

Message ‘This event is generated when a user reconnects to an existingTerminal Services session, or when a user switches to an existingdesktop using Fast User Switching.’



4779


Name ‘A session was disconnected from a Window Station.’

Device Custom String 6 SessionName


Source Address ClientAddress

Destination User ID LogonID


Destination NT Domain AccountDomain

Device NT Domain Account Domain

Message ‘This event is generated when a user disconnects from an existingTerminal Services session, or when a user switches away from anexisting desktop using Fast User Switching.’

4780


Name ‘The ACL was set on accounts which are members of administratorsgroup.’












Message ‘Every hour, the Windows domain controller that holds the primarydomain controller (PDC) Flexible Single Master Operation (FSMO) rolecompares the ACL on all security principal accounts (users, groups, andmachine accounts) present for its domain in Active Directory and thatare in administrative groups against the ACL on the AdminSDHolderobject. If the ACL on the principal account differs from the ACL on theAdminSDHolder object, then the ACL on the principal account is resetto match the ACL on the AdminSDHolder object and this event isgenerated.’

4781


Name ‘The name of an account was changed.’




Destination User Name OldTargetUserName

Device Custom String 6 NewTargetUserName





4782


Name ‘The password hash account was accessed.’











4783


Name ‘A basic application group was created.’




Destination User Name One of (TargetUserName, TargetSid)





4784


Name ‘A basic application group was changed.’











4785


Name ‘A member was added to a basic application group.’










4786


Name ‘A member was removed from a basic application group.’












4787


Name ‘A non-member was added to a basic application group.’










Message ‘A non-member is an account that is explicitly excluded frommembership in a basic application group. Even if the account isspecified as a member of the application group, either explicitly orthrough nested group membership, the account will not be treated as agroup member if it is listed as a non-member.’

4788


Name ‘A non-member was removed from a basic application group.’













Message ‘A non-member is an account that is explicitly excluded frommembership in a basic application group. Even if the account isspecified as a member of the application group, either explicitly orthrough nested group membership, the account will not be treated as agroup member if it is listed as a non-member.’

4789


Name ‘A basic application group was deleted.’




Destination User Name One of (TargetSid, TargetUserName)




4790


Name ‘An LDAP query group was created.’











4791


Name ‘A basic application group was changed.’









4792


Name ‘An LDAP query group was deleted.’











4793


Name ‘The Password Policy Checking API was called.’


Source User Name TargetUserName

Device Custom String 4 Stataus





4794


Name ‘An attempt was made to set the Directory Services RestoreModeadministrator password.’





4797


Name ‘An attempt was made to query the existence of a blank password foran account.’









4798


Name ‘A user’s local group membership was enumerated.’






File Name CallerProcessId

File Path CallerProcessName

Message ‘A user’s local group membership was enumerated.’

4799


Name ‘A security-enabled local group membership was enumerated.’






File Name CallerProcessId

File Path CallerProcessName

Message ‘A security-enabled local group membership was enumerated.’



4800


Name ‘The workstation was locked.’

Device Custom String 6 SessionId





4801


Name ‘The workstation was unlocked.’






4802


Name ‘The screen saver was invoked.’








4803


Name ‘The screen saver was dismissed.’






4816


Name ‘RPC detected an integrity violation while decrypting an incomingmessage.’

4817


Name ‘Auditing settings on object were changed.’









4818


Name ‘Proposed Central Access Policy does not grant in the same accesspermissions as the current Central Access Policy.’

Destination Process ID ProcessId





File ID HandleId




4819


Name ‘Central Access Policies on the machine have been changed.’






4820


Name ‘A Kerberos Ticket-granting ticket \\(TGT\\) was denied because thedevicwe does not meet the access control restrictions.’





Source DNS Domain TargetDomainName

Source User ID TargetSid

Device Custom String 5 ServiceSid

Device Custom String 1 All of ( PreAuthType,, Status, TicketEncryptionType, TicketOptions)


Device Custom String 4 All of (CertIssuerName,CertSerialNumber, CertThumbprint)

Device Custom String 3 SiloName

Device Custom String 6 PolicyName


Source Port IpPort

Message ‘Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryptiontypes and result codes are defined in RFC 4120.’

4821


Name ‘A Kerberos service ticket was denied because the user, device, or bothdoes not meet the access control restrictions.’


Source DNS Domain TargetDomainName

Destination Process ID ServiceSid

Device Custom String 1 All of (Status, TicketEncryptionType, TicketOptions, TransitedServices)


Source User ID LogonGuid



Source Port IpPort






Message ‘This event is generated every time access is requested to a resourcesuch as a computer or a Windows service. The service name indicatesthe resource to which access was requested. This event can becorrelated with Windows logon events by comparing the Logon GUIDfields in each event. The logon event occurs on the machine that wasaccessed, which is often a different machine than the domaincontroller which issued the service ticket. Ticket options, encryptiontypes, and failure codes are defined in RFC 4120.’

4822


Name ‘NTLM authentication failed because the account was a member of theProtected User group.’

Reason Status



4823


Name ‘NTLM authentication failed because access control restrictions arerequired.’

Reason Status







4824


Name ‘Kerberos preauthentication by using DES or RC4 failed because theaccount was a member of the Protected User group.’


Source User ID TargetSid

Device Custom String 1 All of (PreAuthType, Status, TicketOptions)


Device Custom String 4 All of (CertIssuerName, CertSerialNumber, CertThumbprint)

Source Port IpPort


4826


Name ‘Boot Configuration Data loaded.’




Message ‘Boot Configuration Data loaded.’

Additional data LoadOptions

Additional data AdvancedOptions

Additional data ConfigAccessPolicy

Additional data RemoteEventLogging

Additional data KernelDebug

Additional data VsmLaunchType

Additional data TestSigning

Additional data FlightSigning

Additional data DisableIntegrityChecks




Additional data HypervisorLoadOptions

Additional data HypervisorLaunchType

Additional data HypervisorDebug

4864


Name ‘A namespace collision was detected.’

4865


Name ‘A trusted forest information entry was added.’

Device Custom String 6 ForestRoot

Device Custom String 3 OperationId

Device Custom String 5 TopLevelName





4866


Name ‘A trusted forest information entry was removed.’











4867


Name ‘A trusted forest information entry was modified.’








4868


Name ‘The certificate manager denied a pending certificate request.’





4869


Name ‘Certificate Services received a resubmitted certificate request.’








4870


Name ‘Certificate Services revoked a certificate.’


Device Custom String 4 RevocationReason




4871


Name ‘Certificate Services received a request to publish the certificaterevocation list (CRL).’





4872


Name ‘Certificate Services received a request to publish the certificaterevocation list (CRL).’



4873


Name ‘A certificate request extension changed.’





4874


Name ‘One or more certificate request attributes changed.’





4875


Name ‘Cerftificate Services received a request to shutdown.’







4876


Name ‘Certificate Services backup started.’





4877


Name ‘Certificate Services backup completed.’





4878


Name ‘Certificate Services restore started.’

4879


Name ‘Certificate Services restore completed.’



4880


Name ‘Certificate Services started.’

4881


Name ‘Certificate Services stopped.’

4882


Name ‘The security permissions for Certificate Services changed.’





4883


Name ‘Certificate Services retrieved an archived key.’







4884


Name ‘Certificate Services imported a certificate into its database.’





4885


Name ‘The audit filter for Certificate Services changed.’





4886


Name ‘Certificate Services received a certificate request.’

4887


Name ‘Certificate Services approved a certificate request and issued acertificate.’



4888


Name ‘Certificate Services denied a certificate request.’

4889


Name ‘Certificate Services set th status of a certificate request to pending.’

4890


Name ‘The certificate manager settings for Certificate Services changed.’





4891


Name ‘A configuration entry changed in Certificate Services.’







4892


Name ‘A property of Certificate Services changed.’





4893


Name ‘Certificate Services archived a key.’

4894


Name ‘Certificate Services imported and archived a key.’

4895


Name ‘Certificate Services published the CA certificate toActive DirectoryDomain Services.’

4896


Name ‘One or more rows have been deleted from the certificate database.’








4897


Name ‘Role separation enabled.’

4898


Name ‘Certificate Services loaded a template.’

4899


Name ‘A Certificate Services template was updated.’

4900


Name ‘Certificate Services template security was updated.’

4902


Name ‘The Per-user audit policy table was created.’

Device Custom Number 3 PuaCount

Device Custom Number 6 PuaPolicyId



4904


Name ‘An attempt was made to register a security event source.’

Device Custom String 6 AuditSourceName

Device Custom String 5 EventSourceId







4905


Name ‘An attempt was made to unregister a security event source.’

Device Custom String 6 AuditSourceName

Device Custom String 5 EventSourceId







4906


Name ‘The CrashOnAuditFail value has changed.’

Device Custom Number 2 CrashOnAuditFailValue



4907


Name ‘Auditing settings on object were changed.’






File ID HandleId





4908


Name ‘Special Groups Logon table modified.’

Device Custom String 6 SidList

Message ‘This event is generated when the list of special groups is updated inthe registry or through security policy. The updated list of specialgroups is indicated in the event.’

4909


Name ‘The local policy settings for the TBS were changed.’



4910


Name ‘The group policy settings for the TBS were changed.’

4911


Name ‘Resource attributes of the object were changed.’





File ID HandleId



Destination Process ID ProcessId


4912


Name ‘Per User Audit Policy was changed.’

Device Custom String 6 TargetUserSid

Device Custom String 5 SubcategoryId

Device Action AuditPolicyChanges







4913


Name ‘Central Access Policy on the object was changed.’

Destination User Name One of (SubjectUserName,SubjectUserSid)




File ID HandleId



Destination process ID ProcessId

Destination process Name ProcessName

4928


Name ‘An Active Directory replica source naming context was established.’

4929


Name ‘An Active Directory replica source naming context was removed.’

4930


Name ‘An Active Directory replica source naming context was modified.’



4931


Name ‘An Active Directory replica destination naming context was modified.’

4932


Name ‘Synchronization of a replica of an Active Directory naming context hasbegun.’

4933


Name ‘Synchronization of a replica of an Active Directory naming context hasended.’

4934


Name ‘Attributes of an Active Directory object were replicated.’

4935


Name ‘Replication failure begins.’

4936


Name ‘Replication failure ends.’



4937


Name ‘A lingering object was removed from a replica.’

4944


Name ‘The following policy was active when the Windows Firewall started..’

4945


Name ‘A rule was listed when the Windows Firewall started.’

4946


Name ‘A change has been made to Windows Firewall exception list. A fulewas added.’

4947


Name ‘A change has been made to Windows Firewall exception list. A rulewas modified.’



4948


Name ‘A change has been made to Windows Firewall excpeptino list. A rulewas deleted.’

4949


Name ‘Windows Firewall settings were restored to the default values.’

4950


Name ‘A Windows Firewall setting has changed.’

4951


Name ‘A rule has been ignored because its major version number was notrecognized by Windows Firewall.’

4952


Name ‘Parts of a rule have bween ignored because its minor version numberwas not recognized by Windows Firewall. The other parts of the rulewill be enforced.’



4953


Name ‘A rule has been ignored by Windows Firewall because it could notparse the rule.’

Device Custom String 4 ReasonForRejection

4954


Name ‘Windows Firewall Group Policy settings has changed. The newsettings have been applied.’

4956


Name ‘Windows Firewall has changed the active profile.’

4957


Name ‘Windows Firewall did not apply the following rule.’

Device Custom String 6 RuleName

Device Custom String 4 RuleAttr (Error Information)

4958


Name ‘Windows Firewall did not apply the following rule because the rulereferred to items not configured on this computer.’

Device Custom String 4 Error



4960


Name ‘IPsec dropped an inbound packet that failed an integrity check. If thisproblem persists, it could indicate a network issue or that packets arebeing modified in transit to this computer. Verify that the packetssent from the remote computer are the same as those received by thiscomputer. This error might also indicate interoperability problems withother IPsec implementations.’

4961


Name ‘IPsec dropped an inbound packet that failed a replay check. If thisproblem persists, it could indicate a replay attack against thiscomputer.’

4962


Name ‘IPsec dropped an inbound packet that failed a replay check. Theinbound packet had too low a sequence number to ensure it was not areplay.’

4963


Name ‘IPsec dropped an inbound clear text packet that should have beensecured. This is usually due to the remote computer changing its IPsecpolicy without informing this computer. This could also be a spoofingattack attempt.’



4964


Name ‘Special groups have been assigned to a new login.’







Device Custom String 3 TargetLogonGuid

Device Custom String 6 SidList


4965


Name ‘IPsec received a packet from a remote computer with an incorrectSecurity Parameter Index (SPI). This is usually caused bymalfunctioning hardware that is corrupting packets. If these errorspersist, verify that the packets sent from the remote computer are thesame as those received by this computer. This error may also indicateinteroperabiolity problems with other IPsec implementations. In thatcase, if connectivity is not impeded, then these events can be ignored.’

4976


Name ‘During Main Mode negotiation, IPsec received an invalid negotiationpacket. If this problem persists, it could indicate a network issue or anattempt to modify or replay this negotiation.’




4977


Name ‘During Quick Mode negotiation, IPsec received an invalid negotiationpacket. If this problem persists, it could indicate a network issue or anattempt to modify or replay this negotiation.’


4978


Name ‘During Extended Mode negotiation, IPsec received an invalidnegotiation packet. If this problem persists, it could indicate a networkissue or an attempt to modify or replay this negotiation.’


4979


Name ‘IPsec Main Mode and Extended Mode security associations wereestablished.’

4980





4981







4982






4983


Name ‘An IPsec Extended Mode negotiation failed. The corresponding MainMode security association has been deleted.’






Device Custom String 4 Failure



4984


Name ‘An IPsec Extended Mode negotiation failed. The corresponding MainMode security association has been deleted.’






Device Custom String 4 Failure

4985


Name ‘The state of a transaction has changed.’






5024


Name ‘The Windows Firewall Service has started successfully.’

5025


Name ‘The Windows Firewall Service has been stopped.’



5027


Name ‘The Windows Firewall Service was unable to retrieve the securitypolicy from the local storage. The service will continue enforcing thecurrent policy.’

Device Custom String 4 ErrorCode

5028


Name ‘The Windows Firewall Service was unable to parse the new securitypolicy. The service will continue with currently enforced policy.’


5029


Name ‘The Windows Firewall Service failed to initialize the driver.l Theservice will continue to enforce the current policy.’


5030


Name ‘The Windows Firewall Service failed to start.’




5031


Name ‘The Windows Firewall Service blocked an application from acceptingincoming connections on the network.’

5032


Name ‘Windows Firewall was unable to notify the user that it blocked anapplication from accepting incoming connections on the network.’


5033


Name ‘The Windows Firewall Driver has started successfully.’

Message “ “

5034


Name ‘The Windows Firewall Driver has been stopped..’

5035


Name ‘The Windows Firewall Driver failed to start.’




5037


Name ‘The Windows Firewall Driver detected critical runtime error.Terminating.’


5038


Name ‘Code integrity determined that the image hash of a file is not valid.The file could be corrupt due to unauthorized modification or theinvalid hash could indicate a potential disk device error.’

5039


Name ‘A registry key was virtualized.’






5040


Name ‘A change has been made to IPsec settings. An Authentication Set wasadded.’



5041


Name ‘A change has been made to IPsec settings. An Authentication Set wasmodified.’

5042


Name ‘A change has been made to IPsec settings. An Authentication Set wasdeleted.’

5043


Name ‘A change has been made to IPsec settings. A Connection SecurityRule was added.’

5044


Name ‘A change has been made to IPsec settings. A Connection SecurityRuloe was modified.’

5045


Name ‘A change has been made to IPsec settings. A Connection SecurityRule was deleted.’



5046


Name ‘A change has been made to IPsec settings. A Crypto Set was added.’

5047


Name ‘A change has been made to IPsec settings. A Crypto Set wasmodified.’

5048


Name ‘A change has been made to IPsec settings. A Crypto Set was deleted.’

5049


Name ‘An IPsec Security Association was deleted.’

5050


Name ‘An attempt to programmatically disable the Windows Firewall using acall to INetFwProfile.FirewallEnabled(FALSE) interface was rejectedbecause this API is not supported on Windows Vista. This has mostlikely occurred due to a program which is incompatible with WindowsVista. Please contact the program’s manufacturer to make sure you havea Windows Vista compatible program version.’



5051


Name ‘A file was virtualized.’






5056


Name ‘A cryptographic self test was performed.’





5057


Name ‘A cryptographic primitive operation failed.’





Message Reason

Reason ReturnCode



5058


Name ‘Key file operation.’

File Name KeyName

File Type KeyType

File Path KeyFilePath

Device Action Operation

Device Custom String 4 ReturnCode





5059


Name ‘Key migration operation.’

File Name KeyName

File Type KeyType

Device Action Operation

Device Custom String 4 ReturnCode







5060


Name ‘Verification operation failed.’





5061


Name ‘Cryptographic operation.’





5062


Name ‘A kernel-mode cryptographic self test was performed.’

5063


Name ‘A cryptographic provider opration was attempted.’







5064


Name ‘A cryptographic context operation was attempted.’





5065


Name ‘A cryptographic context modification was attempted.’





5066


Name ‘A cryptographic function operation was attempted.’







5067


Name ‘A cryptographic function modification was attempted.’





5068


Name ‘A cryptographic function provider operation was attempted.’





5069


Name ‘A cryptographic function property operation was attempted.’







5070


Name ‘A cryptographic function property modification was attempted.’





5071


Name ‘Key access denied by Microsoft key distribution service.’

Device Custom String 5 SecurityDescriptor





5120


Name ‘OCSP Responder Service Started.’

5121


Name ‘OCSP Responder Service Stopped.’



5122


Name ‘A Configuration entry changed in the OCSP Responder Service.’





5123


Name ‘A configuration entry changed in the OCSP Responder Service.’





5124


Name ‘A security setting was updated on OCSP Responder Service.’

5125


Name ‘A request was submitted to OCSP Responder Service.’



5126


Name ‘Signing Certificate was automatically updated by the OCSPResponder Service.’

5127


Name ‘The OCSP Revocation provider successfully updated the revocationinformation.’

5136


Name ‘A directory service object was modified.’

Device Custom String 6 ObjectDN

Device Custom String 5 ObjectClass





Device Custom String 4 OperationType

5137


Name ‘A directory service object was created.’










5138


Name ‘A directory service object was undeleted.’

Device Custom String 6 NewObjectDN






5139


Name ‘A directory service object was moved.’

Device Custom String 6 NewObjectDN








5140


Name ‘A network share object was accessed.’



File Path ShareName


Device Custom String 6 ShareName


Source Port IpPort





5141


Name ‘A directory service object was deleted.’





Destination NT Domain SubjetDomainName




5142


Name ‘A network share object was added.’

File Path ShareName






5143


Name ‘A network share object was modified.’

File Path ShareName







5144


Name ‘A network share object was deleted.’

File Path ShareName









5145


Name ‘A network share object was checked to see whether client can begranted desired access.’










Source Port IpPort

5146


Name ‘The Windows Filtering Platform has blocked a packet.’

Device Direction Direction

Source Address SourceAddress

Device Custom IPv6 Address 2 SourceAddress (Source IPv6 Address)

Destination Address DestAddress

Device Custom IPv6 Address 3 DestAddress (Destination IPv6 Address)

Source Port SourceSwitchPort

Destination Port DestinationvSwitchPort



5147


Name ‘A more restrictive Windows Filtering Platform filter has blocked apacket.’






Source Port SourceSwitchPort

Destination Port DestinationvSwitchPort

5152


Name ‘The Windows Filtering Platform blocked a packet.’


Source Port SourcePort


Destination Port DestPort

5153


Name ‘A more restrictive Windows Filtering Platform filter has blocked apacket.’





5154


Name ‘The Windows Filtering platform has permitted an application orservice to listen on a port for incoming connections.’




5155


Name ‘The Windows Filtering Platform has blocked an application or servicefrom listening on a port for incoming connections.’


5156


Name ‘The Windows Filtering Platform has allowed a connection.’


Source Address One of (SourceAddress)



Destination Address One of (DestAddress)



Transport Protocol Protocol



5157


Name ‘The Windows Filtering Platform has blocked a connection.’



5158


Name ‘The Windows Filtering Platform has permitted a bind to a local port.’




5159


Name ‘The Windows Filtering Platform has blocked a bind to a local port.’

Source Process ID ProcessId

File Name Application

File Path Application

File Type Application


Destination Address SourceAddress

Transport Protocol Protocol

Device Custom Number 2 FilterRTID

Device Custom String 6 LayerName

Device Custom Number 3 LayerRTID




5168


Name ‘Spn check for SMB/SMB2 fails.’



Destination NT Domain ‘ ‘




Destination Service Name SpnName



Reason ErrorCode

5376


Name ‘Credential Manager credentials were backed up.’





Message ‘This event occurs when a user backs up their own Credential Managercredentials. A user (even an Administrator) cannot back up thecredentials of an account other than his own.’



5377


Name ‘Credential Manager credentials were restored from a backup.’





Message ‘This event occurs when a user restores his Credential Managercredentials from a backup. A user (even an Administrator) cannotrestore the credentials of an account other than his own.’

5378


Name ‘The requested credentials delegation was disallowed by policy.’





5440


Name ‘The following callout was present when the Windows FilteringPlatform Base Filtering Engine started.’

5441


Name ‘The following filter was present when the Windows Filtering PlatformBase Filtering Engine started.’



5442


Name ‘The following provider was present when the Windows FilteringPlatform Base Filtering Engine started.’

5443


Name ‘The following provider context was present when the WindowsFiltering Platform Base Filtering Engine started.’

5444


Name ‘The following sub-layer was present when the Windows FitleringPlatform Base Filtering Engine started.’

5446


Name ‘A Windows Filtering Platform callout has been changed.’

Destination User Name One of (UserName, UserSid)

5447


Name ‘A Windows Filtering Platform filter has been changed.’




5448


Name ‘A Windows Filtering Platform provider has been changed.’


5449


Name ‘A Windows Filtering Platform provider context has been changed.’


5450


Name ‘A Windows Filtering Platform sub-layer has been changed.’


5451


Name ‘An IPsec Quick Mode security association was established.’







5452


Name ‘An IPsec Quick Mode security association ended.’





5453


Name ‘An IPsec negotiation with a remote computer failed because the IKEand AuthIP IPsec Keying Modules (IKEEXT) service is not started.’

5456


Name ‘PAStore Engine applied Active Directory storage IPsec policy on thecomputer.’

5457


Name ‘PAStore Engine failed to apply Active Directory storage IPsec policyon the computer.’

5458


Name ‘PAStore Engine applied locally cached copy of Active Directorystorage IPsec on the computer.’



5459


Name ‘PAStore Engine failed to apply locally cached copy of Active Directorystorage IPsec policy on the computer.’


5460


Name ‘PAStore Engine applied local registry storage IPsec policy on thecomputer.’

5461


Name ‘PAStore Engine failed to apply local registry storage IPsec policy onthe computer.’


5462


Name ‘PAStore Engine failed to apply some rules of the active IPsec policyon the computer. Use the IP Security Monitor snap-in to diagnose theproblem.’


5463


Name ‘PAStore Engine Polled for changes to the active IPsec policy anddetected no changes.’



5464


Name ‘PAStore Engine polled for changes to the active IPsec policy, detectedchanges, and applied them to IPsec Services.’

5465


Name ‘PAStore Engine received a control for forced reloading of IPsec policyand processed the control successfully.’

5466


Name ‘PAStore Engine polled for changes to the Active Directory IPsecpolicy, determined that Active Directory cannot be reached, and willuse the cached copy of the Active Directory IPsec policy instead. Anychanges made to the Active Directory IPsec policy since the last pollcould not be applied.’

5467


Name ‘PAStore Engine polled for changes to the Active Directory IPsecpolicy, determined that Active Directory can be reached, and found nochanges to the policy. The cached copy of the Active Directory IPsecpolicy is no longer being used.’



5468


Name ‘PAStore Engine polled for changes to the Active Directory IPsecpolicy, determined that Active Directory can be reached, foundchanges to the policy, and applied those changes. The cached copy ofthe Active Directory IPsec policy is no longer being used.’

5471


Name ‘PAStore Engine loaded local storage IPsec policy on the computer.’

5472


Name ‘PAStore Engine failed to load local storage IPsec policy on thecomputer.’


5473


Name ‘PAStore Engine loaded directory storage IPsec policy on thecomputer.’

5474


Name ‘PAStore Engine failed to load directory storage IPsec policy on thecomputer.’




5477


Name ‘PAStore Engine failed to add quick mode filter.’


5478


Name ‘IPsec Services has started successfully.’

5479


Name ‘IPsec Services has been shut down successfully. The shutdown ofIPsec Services can put the computer at greater risk of network attack orexpose the computer to potential security risks.’

5480


Name ‘IPsec Services fialed to get the complete list of network interfaces onthe computer. This poses a potential security risk because some of thenetwork interfaces may not get the protection provided by theapplied IPsec filters. Use the IP Security Monitor snap-in to diagnosethe problem.’

5483


Name ‘IPsec Services failed to initialize RPC server. IPsec Services could notbe started.’




5484


Name ‘IPsec Services has experienced a critical failure and has been shutdown. The shutdown of IPsec Services can put the computer at greaterrisk of network attack or expose the computer to potential securityrisks.’


5632


Name ‘A request was made to authenticate to a wireless network.’


Destination User Name One of (SubjectUserName, Identity)



Device Custom String 4 One of (ReasonCode, ErrorCode)

Reason One of (EAPErrorCode, EAPReasonCode, ErrorCode, both (ReasonText,ReasonCode)

5633


Name ‘A request was made to authenticate to a wired network.’


Destination User Name One of (SubjectUserName, Identity)



Device Outbound Interface InterfaceName

Device Custom String 4 One of (ReasonCode, ErrorCode)

Reason One of (ErrorCode, both (ReasonText, ReasonCode)



5712


Name ‘A Remote Procedure Call (RPC) was attempted.’



5888


Name ‘An object in the COM+ Catalog was modified.’


File Name ObjectIdentifyingProperties

Destination user Name One of (SubjectUserName, SubjectUserSid)

Destination NT Domain SubjectUserDomainName

Device NT Domain SubjectUserDomain Name

5889


Name ‘An object was deleted from the COM+ Catalog.’






Message ‘This event occurs when an object is deleted from the COM+ catalog.’



5890


Name ‘An object was added to the COM+ Catalog.’






6144


Name ‘Security policy in the group policy objects has been appliedsuccessfully.’

6145


Name ‘One or more errors occurred while processing security policy I nthegroup policy objects.’


6272


Name ‘Network Policy Server granted access to a user.’



Destination User ID FullyQualifiedSubjectUserName

Destination Address NASIPv4Address




Destination Port NASPort

Source User Name SubjectMachineName

Source User ID FullyQualifiedSubjectMachineName

Source Address CallingStationID

Device Custom String 1 ProxyPolicyName

Device Custom String 3 ClientIPAddress

Device Custom String 5 AuthenticationType

Device Custom String 6 AccountSessionIdentifier

Destination User Privileges QuarantineState

6273


Name ‘Network Policy Server denied access to a user. Contact the NetworkPolicy Server administrator for more information.’











Device Custom String 4 Reason





6274


Name ‘Network Policy Server discarded the request for a user. . Contact theNetwork Policy Server administrator for more information.’

6275


Name ‘Network Policy Server discarded the accounting request for a user. .Contact the Network Policy Server administrator for more information.’

6276


Name ‘Network Policy Server quarantined a user. . Contact the Network PolicyServer administrator for more information.’

6277


Name ‘Network Policy Server granted access to a user but put it on probationbecause the host did not meet the defined health policy . Contact theNetwork Policy Server administrator for more information.’

6278


Name ‘Network Policy Server granted full access to a user because the host metthe defined health policy.’
















Destination User Privileges QuarantineState

6279


Name ‘Network Policy Server locked the user account due to repeated failedauthentication attempts.’




6280


Name ‘Network Policy Server unlocked the user account.’






6281


Name ‘Code Integrity determined that the page hashes or an image file arenot valid.’

File Path Param1

Message ‘The file could be improperly signed without page hashes or corruptdue to unauthorized modification. The invalid hashes could indicate apotential disk device error.’

6409


Name ‘BranchCache: A service connection point object could not be parsed.’

6410


Name ‘Code integrity determined that a file does not meet the securityrequirements to load into a process.’

Message ‘This could be due to the use of shared sections or other issues.’

File Name param1

6416


Name ‘A new external device was recognized by the system.’

Source UJser Name One of (SubjectUserName, SubjectUserSid)



File ID ClassId




Device Custom String 1 VendorIds

Device Custom String 4 CompatibleIds

Device Custom String 5 LocationInformation

Message ‘A new external device was recognized by the system.’

8191


Name ‘Highest System-Defined Audit Message Value.’



Windows Event Log Event Descriptions byCategory

Category Subcategory ID Message Summary

AccountLogon

CredentialValidation

4774 An account was mapped for logon.


4775 An account could not be mapped for logon.


4776 The domain controller attempted to validate the credentials for an account.


4777 The domain controller failed to validate the credentials for an account.

KerberosAuthenticationService

4768 A Kerberos authentication ticket (TGT) was requested.


4771 Kerberos pre-authentication failed.


4772 A Kerberos authentication ticket request failed.

KerberosService TicketOperations

4769 A Kerberos service ticket was requested.

KerberosService TicketOperations

4770 A Kerberos service ticket was renewed.

Windows Security Event MappingsWindows Event Log Event Descriptions by Category



AccountManagement

ApplicationGroupManagement

4783 A basic application group was created.

4784 A basic application group was changed.

4785 A member was added to a basic application group.

4786 A member was removed from a basic application group.

4787 A non-member was added to a basic application group.

4788 A non-member was removed from a basic application group.

4789 A basic application group was deleted.

4790 An LDAP query group was created.

ComputerAccountManagement

4742 A computer account was changed.

4743 A computer account was deleted.

AccountManagement

DistributionGroupManagement

4744 A security-disabled local group was created.

4745 A security-disabled local group was changed.

4746 A member was added to a security-disabled local group.

4747 A member was removed from a security-disabled local group.

4748 A security-disabled local group was deleted.

4749 A security-disabled global group was created.

4750 A security-disabled global group was changed.

4751 A member was added to a security-disabled global group.

4752 A member was removed from a security-disabled global group.

4753 A security-disabled global group was deleted.

4759 A security-disabled universal group was created.

4760 A security-disabled universal group was changed.

4761 A member was added to a security-disabled universal group.

4762 A member was removed from a security-disabled universal group.

4763 A security-disabled universal group was deleted.

AccountManagement

Other AccountManagementEvents

4782 The password hash an account was accessed.

4793 The Password Policy Checking API was called.

4797 An attempt was made to query the existence of a blank password for anaccount.




AccountManagement

Security GroupManagement

4727 A security-enabled global group was created.

4728 A member was added to a security-enabled global group.

4729 A member was removed from a security-enabled global group.

4730 A security-enabled global group was deleted.

4731 A security-enabled local group was created.

4732 A member was added to a security-enabled local group.

4733 A member was removed from a security-enabled local group.

4734 A security-enabled local group was deleted.

4735 A security-enabled local group was changed.

4737 A security-enabled global group was changed.

4754 A security-enabled universal group was created.

4755 A security-enabled universal group was changed.

4756 A member was added to a security-enabled universal group.

4757 A member was removed from a security-enabled universal group.

4799 A security-enabled local group membership was enumerated

AccountManagement

User AccountManagement

4758 A security-enabled universal group was deleted.

4764 A group’s type was changed.




4720 A user account was created.

4722 A user account was enabled.

4723 An attempt was made to change an account's password.

4724 An attempt was made to reset an account's password.

4725 A user account was disabled.

4726 A user account was deleted.

4738 A user account was changed.

4740 A user account was locked out.

4765 SID History was added to an account.

4766 An attempt to add SID History to an account failed.

4767 A user account was unlocked.

4780 The ACL was set on accounts which are members of administrators groups.

4781 The name of an account was changed:

4794 An attempt was made to set the Directory Services Restore Mode.

4798 A user’s local group membership was enumerated.

5376 Credential Manager credentials were backed up.

5377 Credential Manager credentials were restored from a backup.

DetailedTracking

DPAPI Activity 4692 Backup of data protection master key was attempted.

4693 Recovery of data protection master key was attempted.

4694 Protection of auditable protected data was attempted.

4695 Unprotection of auditable protected data was attempted.

ProcessCreation

4688 A new process has been created.

4696 A primary token was assigned to process.

ProcessTermination

4689 A process has exited.

RPC Events 5712 A Remote Procedure Call (RPC) was attempted.




DS Access DetailedDirectoryServiceReplication

4928 An Active Directory replica source naming context was established.

4929 An Active Directory replica source naming context was removed.

4930 An Active Directory replica source naming context was modified.

4931 An Active Directory replica destination naming context was modified.

4934 Attributes of an Active Directory object were replicated.

4935 Replication failure begins.

4936 Replication failure ends.

4937 A lingering object was removed from a replica.

DS Access DirectoryService Access

4662 An operation was performed on an object.

DirectoryServiceChanges

5136 A directory service object was modified.

5137 A directory service object was created.

5138 A directory service object was undeleted.

5139 A directory service object was moved.

5141 A directory service object was deleted.

DirectoryServiceReplication

4932 Synchronization of a replica of an Active Directory naming context has begun.

4933 Synchronization of a replica of an Active Directory naming context has ended.

Logon/Logoff AccountLockout

4625 An account failed to logon

IPsecExtendedMode

4978 During Extended Mode negotiation, IPsec received an invalid negotiationpacket. If this problem persists, it could indicate a network issue or an attemptto modify or replay this negotiation.

4979 IPsec Main Mode and Extended Mode security associations were established.

4980

4981

4982

4983 An IPsec Extended Mode negotiation failed. The corresponding Main Modesecurity association has been deleted.

4984 An IPsec Extended Mode negotiation failed. The corresponding Main Modesecurity association has been deleted.




Logon/Logoff IPsec MainMode

4646 IKE DoS-prevention mode started.

4650 An IPsec Main Mode security association was established. Extended Mode wasnot enabled. Certificate authentication was not used.

4651 An IPsec Main Mode security association was established. Extended Mode wasnot enabled. A certificate was used for authentication.

IPsec MainMode

4652 An IPsec Main Mode negotiation failed.

4653 An IPsec Main Mode negotiation failed.

4655 An IPsec Main Mode security association ended.

4976 During Main Mode negotiation, IPsec received an invalid negotiation packet. Ifthis problem persists, it could indicate a network issue or an attempt to modifyor replay this negotiation.

5049 An IPsec Security Association was deleted.

5453 An IPsec negotiation with a remote computer failed because the IKE andAuthIP IPsec Keying Modules (IKEEXT) service is not started.

IPsec QuickMode

4654 An IPsec Quick Mode negotiation failed.

4977 During Quick Mode negotiation, IPsec received an invalid negotiation packet. Ifthis problem persists, it could indicate a network issue or an attempt to modifyor replay this negotiation.

5451 An IPsec Quick Mode security association was established.

5452 An IPsec Quick Mode security association ended.




Logon/Logoff Logoff 4634 An account was logged off.

4647 User initiated logoff.

Logon 4624 An account was successfully logged on.

4625 An account failed to log on.

4626 User/Device claims information.

4627 Group membership information.

4648 A logon was attempted using explicit credentials.

4675 SIDs were filtered.

Network PolicyServer

6272 Network Policy Server granted access to a user.

6273 Network Policy Server denied access to a user.

6274 Network Policy Server discarded the request for a user.

6275 Network Policy Server discarded the accounting request for a user.

6276 Network Policy Server quarantined a user.

6277 Network Policy Server granted access to a user but put it on probation becausethe host did not meet the defined health policy.

6278 Network Policy Server granted full access to a user because the host met thedefined health policy.

6279 Network Policy Server locked the user account due to repeated failedauthentication attempts.

6280 Network Policy Server unlocked the user account.




Logon/Logoff OtherLogon/LogoffEvents

4649 A replay attack was detected.

4778 A session was reconnected to a Window Station.

4779 A session was disconnected from a Window Station.

4800 The workstation was locked.

4801 The workstation was unlocked.

4802 The screen saver was invoked.

4803 The screen saver was dismissed.

OtherLogon/LogoffEvents

5378 The requested credentials delegation was disallowed by policy.

5632 A request was made to authenticate to a wireless network.

5633 A request was made to authenticate to a wired network.

Special Logon 4964 Special groups have been assigned to a new logon.




Object Access ApplicationGenerated

4665 An attempt was made to create an application client context.

4666 An application attempted an operation:

4667 An application client context was deleted.

4668 An application was initialized.

Central PolicyStaging

4818 Proposed Central Access Policy does not grant the same access permissions asthe current Central Access Policy

CertificationServices

4868 The certificate manager denied a pending certificate request.

4869 Certificate Services received a resubmitted certificate request.

4870 Certificate Services revoked a certificate.

4871 Certificate Services received a request to publish the certificate revocation list(CRL).

4872 Certificate Services published the certificate revocation list (CRL).

4873 A certificate request extension changed.

4874 One or more certificate request attributes changed.

4875 Certificate Services received a request to shutdown.

4876 Certificate Services backup started.

4877 Certificate Services backup completed.

4878 Certificate Services restore started.

4879 Certificate Services restore completed.

4880 Certificate Services started.

4881 Certificate Services stopped.

4882 The security permissions for Certificate Services changed.




Object Access CertificationServices

4883 Certificate Services retrieved an archived key.

4884 Certificate Services imported a certificate into its database.

4885 The audit filter for Certificate Services changed.

4886 Certificate Services received a certificate request.

4887 Certificate Services approved a certificate request and issued a certificate.

4888 Certificate Services denied a certificate request.

4889 Certificate Services set the status of a certificate request to pending.

4890 The certificate manager settings for Certificate Services changed.

4891 A configuration entry changed in Certificate Services.

4892 A property of Certificate Services changed.

4893 Certificate Services archived a key.

4894 Certificate Services imported and archived a key.

CertificationServices

4895 Certificate Services published the CA certificate to Active Directory DomainServices.

4896 One or more rows have been deleted from the certificate database.

4897 Role separation enabled.

4898 Certificate Services loaded a template.




Object Access Detailed FileShare

5145 A network share object was checked to see whether the client can be granteddesired access.

File Share 5140 A network share object was accessed.

5142 A network share object was added.

5143 A network share object was modified.

5144 A network share object was deleted.

5168 Spn check for SMB/SMB2 failed.

File System 4664 An attempt was made to create a hard link.

4985 The state of a transaction has changed.

5051 A file was virtualized.

FilteringPlatformConnection

5031 The Windows Firewall Service blocked an application from accepting incomingconnections on the network.

5146 The Windows Filtering Platform has blocked a packet.

5147 A more restrictive Windows Filtering Platform filter has blocked a packet.

5150 The Windows Filtering Platform has blocked a packet.


5154 The Windows Filtering Platform has permitted an application or service tolisten on a port for incoming connections.

5155 The Windows Filtering Platform has blocked an application or service fromlistening on a port for incoming connections.

5156 The Windows Filtering Platform has allowed a connection.

5157 The Windows Filtering Platform has blocked a connection.

5158 The Windows Filtering Platform has permitted a bind to a local port.

5159 The Windows Filtering Platform has blocked a bind to a local port.

Object Access FilteringPlatformPacket Drop

5152 The Windows Filtering Platform blocked a packet.


Object Access HandleManipulation

4656 A handle to an object was requested.

4658 The handle to an object was closed.

4690 An attempt was made to duplicate a handle to an object.

Object Access Other ObjectAccess Events

4671 An application attempted to access a blocked ordinal through the TBS.




4691 Indirect access to an object was requested.

4698 A scheduled task was created.

4699 A scheduled task was deleted.

4700 A scheduled task was enabled.

4701 A scheduled task was disabled.

4702 A scheduled task was updated.

Object Access Other ObjectAccess Events

5148 The Windows Filtering Platform has detected a DoS attack and entered adefensive mode; packets associated with this attack will be discarded.

5149 The DoS attack has subsided and normal processing is being resumed.

5888 An object in the COM+ Catalog was modified.

5889 An object was deleted from the COM+ Catalog.

5890 An object was added to the COM+ Catalog.

Object Access Registry 4657 A registry value was modified.

5039 A registry key was virtualized.

Object Access Special 4659 A handle to an object was requested with intent to delete.

4660 An object was deleted.

4661 A handle to an object was requested.

4663 An attempt was made to access an object.

PolicyChange

Audit PolicyChange

4715 The audit policy (SACL) on an object was changed.

4719 System audit policy was changed.

4817 Auditing settings on an object were changed.

4902 The Per-user audit policy table was created.

4904 An attempt was made to register a security event source.

4905 An attempt was made to unregister a security event source.

4906 The CrashOnAuditFail value has changed.

4907 Auditing settings on object were changed.

4908 Special Groups Logon table modified.

4912 Per User Audit Policy was changed.




PolicyChange

AuthenticationPolicy Change

4713 Kerberos policy was changed.

4716 Trusted domain information was modified.

4717 System security access was granted to an account.

4718 System security access was removed from an account.

4739 Domain Policy was changed.

4864 A namespace collision was detected.

4865 A trusted forest information entry was added.

4866 A trusted forest information entry was removed.

4867 A trusted forest information entry was modified.

4703 A user right was adjusted.

PolicyChange

AuthorizationPolicy Change

4704 A user right was assigned.

4705 A user right was removed.

4706 A new trust was created to a domain.

4707 A trust to a domain was removed.

4714 Encrypted data recovery policy was changed.

4911 Resource attributes of the object were changed.

4913 Central Access Policy on the object was changed.

PolicyChange

FilteringPlatformPolicy Change

4709 IPsec Services was started.

4710 IPsec Services was disabled.




PolicyChange


4711 May contain any one of the following: PAStore Engine applied locally cachedcopy of Active Directory storage IPsec policy on the computer.PAStore Engine applied Active Directory storage IPsec policy on the computer.PAStore Engine applied local registry storage IPsec policy on the computer.PAStore Engine failed to apply locally cached copy of Active Directory storageIPsec policy on the computer.PAStore Engine failed to apply Active Directory storage IPsec policy on thecomputer.PAStore Engine failed to apply local registry storage IPsec policy on thecomputer.PAStore Engine failed to apply some rules of the active IPsec policy on thecomputer.PAStore Engine failed to load directory storage IPsec policy on the computer.PAStore Engine loaded directory storage IPsec policy on the computer.PAStore Engine failed to load local storage IPsec policy on the computer.PAStore Engine loaded local storage IPsec policy on the computer.PAStore Engine polled for changes to the active IPsec policy and detected nochanges.

PolicyChange


4712 IPsec Services encountered a potentially serious failure.

5040 A change has been made to IPsec settings. An Authentication Set was added.

5041 A change has been made to IPsec settings. An Authentication Set wasmodified.

5042 A change has been made to IPsec settings. An Authentication Set was deleted.

5043 A change has been made to IPsec settings. A Connection Security Rule wasadded.

5044 A change has been made to IPsec settings. A Connection Security Rule wasmodified.

5045 A change has been made to IPsec settings. A Connection Security Rule wasdeleted.

5046 A change has been made to IPsec settings. A Crypto Set was added.

5047 A change has been made to IPsec settings. A Crypto Set was modified.

5048 A change has been made to IPsec settings. A Crypto Set was deleted.

PolicyChange


5440 The following callout was present when the Windows Filtering Platform BaseFiltering Engine started.

5441 The following filter was present when the Windows Filtering Platform BaseFiltering Engine started.

5442 The following provider was present when the Windows Filtering Platform BaseFiltering Engine started.




5443 The following provider context was present when the Windows FilteringPlatform Base Filtering Engine started.

5444 The following sub-layer was present when the Windows Filtering PlatformBase Filtering Engine started.

5446 A Windows Filtering Platform callout has been changed.

PolicyChange


5448 A Windows Filtering Platform provider has been changed.

5449 A Windows Filtering Platform provider context has been changed.

5450 A Windows Filtering Platform sub-layer has been changed.

5456 PAStore Engine applied Active Directory storage IPsec policy on the computer.

5457 PAStore Engine failed to apply Active Directory storage IPsec policy on thecomputer.

5458 PAStore Engine applied locally cached copy of Active Directory storage IPsecpolicy on the computer.

5459 PAStore Engine failed to apply locally cached copy of Active Directory storageIPsec policy on the computer.

5460 PAStore Engine applied local registry storage IPsec policy on the computer.

5461 PAStore Engine failed to apply local registry storage IPsec policy on thecomputer.

5462 PAStore Engine failed to apply some rules of the active IPsec policy on thecomputer. Use the IP Security Monitor snap-in to diagnose the problem.

5463 PAStore Engine polled for changes to the active IPsec policy and detected nochanges.

5464 PAStore Engine polled for changes to the active IPsec policy, detectedchanges, and applied them to IPsec Services.

5465 PAStore Engine received a control for forced reloading of IPsec policy andprocessed the control successfully.

5466 PAStore Engine polled for changes to the Active Directory IPsec policy,determined that Active Directory cannot be reached, and will use the cachedcopy of the Active Directory IPsec policy instead. Any changes made to theActive Directory IPsec policy since the last poll could not be applied.




PolicyChange


5467 PAStore Engine polled for changes to the Active Directory IPsec policy,determined that Active Directory can be reached, and found no changes to thepolicy. The cached copy of the Active Directory IPsec policy is no longer beingused.

5468 PAStore Engine polled for changes to the Active Directory IPsec policy,determined that Active Directory can be reached, found changes to the policy,and applied those changes. The cached copy of the Active Directory IPsecpolicy is no longer being used.

5471 PAStore Engine loaded local storage IPsec policy on the computer.

5472 PAStore Engine failed to load local storage IPsec policy on the computer.

5473 PAStore Engine loaded directory storage IPsec policy on the computer.

5474 PAStore Engine failed to load directory storage IPsec policy on the computer.

5477 PAStore Engine failed to add quick mode filter.

PolicyChange

MPSSVC Rule-Level PolicyChange

4944 The following policy was active when the Windows Firewall started.

4945 A rule was listed when the Windows Firewall started.

4946 A change has been made to Windows Firewall exception list. A rule was added.

4947 A change has been made to Windows Firewall exception list. A rule wasmodified.

4948 A change has been made to Windows Firewall exception list. A rule wasdeleted.

4949 Windows Firewall settings were restored to the default values.

4950 A Windows Firewall setting has changed.

4951 A rule has been ignored because its major version number was not recognizedby Windows Firewall.

4952 Parts of a rule have been ignored because its minor version number was notrecognized by Windows Firewall. The other parts of the rule will be enforced.

4953 A rule has been ignored by Windows Firewall because it could not parse therule.

4954 Windows Firewall Group Policy settings have changed. The new settings havebeen applied.

4956 Windows Firewall has changed the active profile.

4957 Windows Firewall did not apply the following rule:

4958 Windows Firewall did not apply the following rule because the rule referred toitems not configured on this computer:




PolicyChange

Other PolicyChangeEvents

4819 Central Access Policies on the machine have been changed.

4909 The local policy settings for the TBS were changed.

4910 The group policy settings for the TBS were changed.

5063 A cryptographic provider operation was attempted.

5064 A cryptographic context operation was attempted.

5065 A cryptographic context modification was attempted.

5066 A cryptographic function operation was attempted.

5067 A cryptographic function modification was attempted.

5068 A cryptographic function provider operation was attempted.

5069 A cryptographic function property operation was attempted.

5070 A cryptographic function property modification was attempted.

5447 A Windows Filtering Platform filter has been changed.

6144 Security policy in the group policy objects has been applied successfully.

6145 One or more errors occurred while processing security policy in the grouppolicy objects.

PolicyChange

Subcategory(special)

4670 Permissions on an object were changed.

Privilege Use SensitivePrivilege Use /Non SensitivePrivilege Use

4672 Special privileges assigned to new logon.

4673 A privileged service was called.

4674 An operation was attempted on a privileged object.

System IPsec Driver 4960 IPsec dropped an inbound packet that failed an integrity check. If thisproblem persists, it could indicate a network issue or that packets are beingmodified in transit to this computer. Verify that the packets sent from theremote computer are the same as those received by this computer. This errormight also indicate interoperability problems with other IPsecimplementations.

4961 IPsec dropped an inbound packet that failed a replay check. If this problempersists, it could indicate a replay attack against this computer.

4962 IPsec dropped an inbound packet that failed a replay check. The inboundpacket had too low a sequence number to ensure it was not a replay.




System IPsec Driver 4963 IPsec dropped an inbound clear text packet that should have been secured.This is usually due to the remote computer changing its IPsec policy withoutinforming this computer. This could also be a spoofing attack attempt.

4965 IPsec received a packet from a remote computer with an incorrect SecurityParameter Index (SPI). This is usually caused by malfunctioning hardware thatis corrupting packets. If these errors persist, verify that the packets sent fromthe remote computer are the same as those received by this computer. Thiserror may also indicate interoperability problems with other IPsecimplementations. In that case, if connectivity is not impeded, then theseevents can be ignored.

5478 IPsec Services has started successfully.

5479 IPsec Services has been shut down successfully. The shutdown of IPsecServices can put the computer at greater risk of network attack or expose thecomputer to potential security risks.

5480 IPsec Services failed to get the complete list of network interfaces on thecomputer. This poses a potential security risk because some of the networkinterfaces may not get the protection provided by the applied IPsec filters. Usethe IP Security Monitor snap-in to diagnose the problem.

5483 IPsec Services failed to initialize RPC server. IPsec Services could not be started.

5484 IPsec Services has experienced a critical failure and has been shut down. Theshutdown of IPsec Services can put the computer at greater risk of networkattack or expose the computer to potential security risks.

5485 IPsec Services failed to process some IPsec filters on a plug-and-play event fornetwork interfaces. This poses a potential security risk because some of thenetwork interfaces may not get the protection provided by the applied IPsecfilters. Use the IP Security Monitor snap-in to diagnose the problem.

System Other SystemEvents

4820 A Kerberos Ticket-granting-ticket (TGT) was denied because the device doesnot meet the access control restrictions.

4821 A Kerberos service ticket was denied because the user, device, or both does notmeet the access control restrictions.

4822 NTLM authentication failed because the account was a member of theProtected User group.





4823 NTLM authentication failed because access control restrictions are required.

4824 Kerberos preauthenti9cation by using DES or RC4 failed bedause the accountwas a member of the Protected User group

4826 Boot Configuration Data Loaded.

5024 The Windows Firewall Service has started successfully.

5025 The Windows Firewall Service has been stopped.

5027 The Windows Firewall Service was unable to retrieve the security policy fromthe local storage. The service will continue enforcing the current policy.


5028 The Windows Firewall Service was unable to parse the new security policy. Theservice will continue with currently enforced policy.

5029 The Windows Firewall Service failed to initialize the driver. The service willcontinue to enforce the current policy.

5030 The Windows Firewall Service failed to start.

5032 Windows Firewall was unable to notify the user that it blocked an applicationfrom accepting incoming connections on the network.

5033 The Windows Firewall Driver has started successfully.

5034 The Windows Firewall Driver has been stopped.

5035 The Windows Firewall Driver failed to start.

5037 The Windows Firewall Driver detected critical runtime error. Terminating.

5058 Key file operation.

5059 Key migration operation.

6400 BranchCache: Received an incorrectly formatted response while discoveringavailability of content.

6401 BranchCache: Received invalid data from a peer. Data discarded.

6402 BranchCache: The message to the hosted cache offering it data is incorrectlyformatted.


6403 BranchCache: The hosted cache sent an incorrectly formatted response to theclient.

6404 BranchCache: Hosted cache could not be authenticated using the provisionedSSL certificate.

6405 BranchCache: %2 instance(s) of event id %1 occurred.

6406 %1 registered to Windows Firewall to control filtering for the following: %2

6407 1%

6408 Registered product %1 failed and Windows Firewall is now controlling thefiltering for %2




System Security StateChange

4608 Windows is starting up.

4609 Windows is shutting down.

4616 The system time was changed.

4621 Administrator recovered system from CrashOnAuditFail. Users who are notadministrators will now be allowed to log on. Some auditable activity might nothave been recorded.

System SecuritySystemExtension

4610 An authentication package has been loaded by the Local Security Authority.

Native Connector:

An authentication package has been loaded by the Local Security Authority.This authentication package will be used to authenticate logon attempts.

4611 This logon process will be trusted to submit logon requests.

4614 A notification package has been loaded by the Security Account Manager.

4622 A security package has been loaded by the Local Security Authority.

4697 A service was installed in the system.

System SystemIntegrity

4612 Internal resources allocated for the queuing of audit messages have beenexhausted, leading to the loss of some audits.

4615 Invalid use of LPC port.

4618 A monitored security event pattern has occurred.

4816 RPC detected an integrity violation while decrypting an incoming message.

5038 Code integrity determined that the image hash of a file is not valid. The filecould be corrupt due to unauthorized modification or the invalid hash couldindicate a potential disk device error.

5056 A cryptographic self test was performed.

5057 A cryptographic primitive operation failed.

5060 Verification operation failed.

5061 Cryptographic operation.

5062 A kernel-mode cryptographic self test was performed.

6281 Code Integrity determined that the page hashes of an image file are not valid.The file could be improperly signed without page hashes or corrupt due tounauthorized modification. The invalid hashes could indicate a potential diskdevice error



Send Documentation FeedbackIf you have comments about this document, you can contact the documentation team by email. If anemail client is configured on this system, click the link above and an email window opens with thefollowing information in the subject line:

Feedback on Windows Security Event Mappings (Connectors )

Just add your feedback to the email and click send.

If no email client is available, copy the information above to a new message in a web mail client, and sendyour feedback to [email protected].

We appreciate your feedback!


mailto:[email protected]?subject=Feedback on Windows Security Event Mappings (Connectors )

Documents

HPESecurity ArcSight Connectors...4725 53 4726 53 4727 53 WindowsSecurityEventMappings HPEConnectors Page6of173 4728 54 4729 54 4730 55 4731 55 4732 56 4733 56 4734 57 4735 57 4737