# ATT&CK DS Event Mappings
|Data Source|Component|Source|Relationship|Target|EventID|Event Name|Event Platform|Log Provider|Log Channel|Audit Category|Audit Sub-Category|Enable Commands|GPO Audit Policy|
| :---| :---| :---| :---| :---| :---| :---| :---| :---| :---| :---| :---| :---| :---|
|User Account|user account authentication|application|attempted to authenticate|user|ConsoleLogin|ConsoleLogin|AWS|CloudTrail|None|AwsConsoleSignIn|None|None|None|
|Driver|driver load|driver|loaded|None|6|Driver loaded.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|DriverLoad|None|None|None|
|Driver|driver load|driver|loaded|None|DriverLoaded|DriverLoaded|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Firewall|firewall disable|firewall|disabled|None|5025|The Windows Firewall Service has been stopped.|Windows|Microsoft-Windows-Security-Auditing|Security|System|Other System Events| `auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Other System Events |
|Firewall|firewall enable|firewall|enabled|None|5024|The Windows Firewall Service has started successfully.|Windows|Microsoft-Windows-Security-Auditing|Security|System|Other System Events| `auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Other System Events |
|Firewall|firewall rule modification|firewall rule|added|None|4946|A change has been made to Windows Firewall exception list. A rule was added.|Windows|Microsoft-Windows-Security-Auditing|Security|Policy Change|MPSSVC Rule-Level Policy Change| `auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit MPSSVC Rule-Level Policy Change |
|Firewall|firewall rule modification|firewall rule|modified|None|4947|A change has been made to Windows Firewall exception list. A rule was modified.|Windows|Microsoft-Windows-Security-Auditing|Security|Policy Change|MPSSVC Rule-Level Policy Change| `auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit MPSSVC Rule-Level Policy Change |
|Firewall|firewall rule modification|firewall rule|removed|None|4948|A change has been made to Windows Firewall exception list. A rule was deleted.|Windows|Microsoft-Windows-Security-Auditing|Security|Policy Change|MPSSVC Rule-Level Policy Change| `auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit MPSSVC Rule-Level Policy Change |
|Network Traffic|network connection creation|host|blocked connection from|ip|5157|The Windows Filtering Platform has blocked a connection.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|host|blocked connection from|ip|FirewallInboundConnectionBlocked|FirewallInboundConnectionBlocked|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Network Traffic|network connection creation|host|blocked connection from|port|5157|The Windows Filtering Platform has blocked a connection.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|host|blocked connection from|port|FirewallInboundConnectionBlocked|FirewallInboundConnectionBlocked|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Network Traffic|network connection creation|host|blocked connection from|process|5157|The Windows Filtering Platform has blocked a connection.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|host|blocked connection to|ip|5157|The Windows Filtering Platform has blocked a connection.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|host|blocked connection to|ip|FirewallOutboundConnectionBlocked|FirewallOutboundConnectionBlocked|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Network Traffic|network connection creation|host|blocked connection to|port|5157|The Windows Filtering Platform has blocked a connection.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|host|blocked connection to|port|FirewallOutboundConnectionBlocked|FirewallOutboundConnectionBlocked|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Network Traffic|network connection creation|host|blocked connection to|process|5157|The Windows Filtering Platform has blocked a connection.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|host|blocked connection to|process|5031|The Windows Firewall Service blocked an application from accepting incoming connections on the network.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|host|blocked connection to|process|FirewallInboundConnectionToAppBlocked|FirewallInboundConnectionToAppBlocked|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Network Traffic|network connection creation|host|blocked listener on|ip|5155|The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|host|blocked listener on|port|5155|The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|host|blocked listener on|process|5155|The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|host|blocked port bind on|ip|5159|The Windows Filtering Platform has blocked a bind to a local port.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|host|blocked port bind on|port|5159|The Windows Filtering Platform has blocked a bind to a local port.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|host|blocked port bind on|process|5159|The Windows Filtering Platform has blocked a bind to a local port.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|host|permitted listener on|ip|5154|The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|host|permitted listener on|port|5154|The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|host|permitted listener on|process|5154|The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Logon Session|logon session modification|logon session|modified|None|4672|Special privileges assigned to new logon.|Windows|Microsoft-Windows-Security-Auditing|Security|Logon/Logoff|Special Logon| `auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Special Logon |
|File|file access|process|accessed|file|4663|An attempt was made to access an object.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|File System| `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
|Process|process access|process|accessed|process|10|ProcessAccess.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|ProcessAccess|None|None|None|
|Process|process access|process|accessed|process|4663|An attempt was made to access an object.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Kernel Object| `auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Kernel Object |
|Process|process access|process|accessed|process|OpenProcessApiCall|OpenProcessApiCall|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Windows Registry|windows registry key access|process|accessed|windows registry key|4663|An attempt was made to access an object.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Registry| `auditpol /set /subcategory:"Registry" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
|Network Traffic|network connection creation|process|attempted connection from|ip|5157|The Windows Filtering Platform has blocked a connection.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|process|attempted connection from|ip|ConnectionRequest|ConnectionRequest|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|Network Traffic|network connection creation|process|attempted connection from|port|5157|The Windows Filtering Platform has blocked a connection.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|process|attempted connection from|port|ConnectionRequest|ConnectionRequest|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|Network Traffic|network connection creation|process|attempted connection to|ip|5157|The Windows Filtering Platform has blocked a connection.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|process|attempted connection to|ip|ConnectionAttempt|ConnectionAttempt|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|Network Traffic|network connection creation|process|attempted connection to|port|5157|The Windows Filtering Platform has blocked a connection.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|process|attempted connection to|port|ConnectionAttempt|ConnectionAttempt|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|Network Traffic|network connection creation|process|attempted to bind on|port|5159|The Windows Filtering Platform has blocked a bind to a local port.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|process|attempted to listen on|port|5155|The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|process|bound to|port|5158|The Windows Filtering Platform has permitted a bind to a local port.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|process|bound to|port|ListeningConnectionCreated|ListeningConnectionCreated|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|Network Traffic|network connection creation|process|connected from|host|3|Network connection.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|NetworkConnect|None|None|None|
|Network Traffic|network connection creation|process|connected from|host|InboundConnectionAccepted|InboundConnectionAccepted|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|Network Traffic|network connection creation|process|connected from|ip|5156|The Windows Filtering Platform has permitted a connection.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|process|connected from|ip|3|Network connection.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|NetworkConnect|None|None|None|
|Network Traffic|network connection creation|process|connected from|ip|InboundConnectionAccepted|InboundConnectionAccepted|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|Network Traffic|network connection creation|process|connected from|port|5156|The Windows Filtering Platform has permitted a connection.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|process|connected from|port|3|Network connection.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|NetworkConnect|None|None|None|
|Network Traffic|network connection creation|process|connected from|port|InboundConnectionAccepted|InboundConnectionAccepted|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|Network Traffic|network connection creation|process|connected to|host|3|Network connection.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|NetworkConnect|None|None|None|
|Network Traffic|network connection creation|process|connected to|host|ConnectionSuccess|ConnectionSuccess|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|Network Traffic|network connection creation|process|connected to|ip|5156|The Windows Filtering Platform has permitted a connection.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|process|connected to|ip|3|Network connection.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|NetworkConnect|None|None|None|
|Network Traffic|network connection creation|process|connected to|ip|ConnectionSuccess|ConnectionSuccess|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|Network Traffic|network connection creation|process|connected to|port|5156|The Windows Filtering Platform has permitted a connection.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|process|connected to|port|3|Network connection.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|NetworkConnect|None|None|None|
|Network Traffic|network connection creation|process|connected to|port|ConnectionSuccess|ConnectionSuccess|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|File|file creation|process|created|file|11|FileCreate.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|FileCreate|None|None|None|
|File|file creation|process|created|file|FileCreated|FileCreated|Windows|Microsoft Defender for Endpoint|DeviceFileEvents|None|None|None|None|
|Process|process creation|process|created|process|4688|A new process has been created.|Windows|Microsoft-Windows-Security-Auditing|Security|Detailed Tracking|Process Creation| `auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation |
|Process|process creation|process|created|process|1|Process Creation.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|ProcessCreate|None|None|None|
|Process|process creation|process|created|process|ProcessCreated|ProcessCreated|Windows|Microsoft Defender for Endpoint|DeviceProcessEvents|None|None|None|None|
|Process|process creation|process|created|thread|8|CreateRemoteThread.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|CreateRemoteThread|None|None|None|
|Process|process creation|process|created|thread|CreateRemoteThreadApiCall|CreateRemoteThreadApiCall|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Windows Registry|windows registry key creation|process|created|windows registry key|12|RegistryEvent (Object create and delete).|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|RegistryEvent|None|None|None|
|Windows Registry|windows registry key creation|process|created|windows registry key|RegistryKeyCreated|RegistryKeyCreated|Windows|Microsoft Defender for Endpoint|DeviceRegistryEvents|None|None|None|None|
|Windows Registry|windows registry key creation|process|created|windows registry key value|12|RegistryEvent (Object create and delete).|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|RegistryEvent|None|None|None|
|Windows Registry|windows registry key creation|process|created|windows registry key value|RegistryValueSet|RegistryValueSet|Windows|Microsoft Defender for Endpoint|DeviceRegistryEvents|None|None|None|None|
|File|file deletion|process|deleted|file|23|File Delete archived.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|FileDelete|None|None|None|
|File|file deletion|process|deleted|file|26|File Delete logged.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|FileDeleteDetected|None|None|None|
|File|file deletion|process|deleted|file|4660|An object was deleted.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|File System| `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
|File|file deletion|process|deleted|file|FileDeleted|FileDeleted|Windows|Microsoft Defender for Endpoint|DeviceFileEvents|None|None|None|None|
|Windows Registry|windows registry key deletion|process|deleted|windows registry key|12|RegistryEvent (Object create and delete).|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|RegistryEvent|None|None|None|
|Windows Registry|windows registry key deletion|process|deleted|windows registry key|4660|An object was deleted.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Registry| `auditpol /set /subcategory:"Registry" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
|Windows Registry|windows registry key deletion|process|deleted|windows registry key|RegistryKeyDeleted|RegistryKeyDeleted|Windows|Microsoft Defender for Endpoint|DeviceRegistryEvents|None|None|None|None|
|Windows Registry|windows registry key deletion|process|deleted|windows registry key value|12|RegistryEvent (Object create and delete).|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|RegistryEvent|None|None|None|
|Windows Registry|windows registry key deletion|process|deleted|windows registry key value|RegistryValueDeleted|RegistryValueDeleted|Windows|Microsoft Defender for Endpoint|DeviceRegistryEvents|None|None|None|None|
|Process|OS api execution|process|executed|api call|8|CreateRemoteThread.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|CreateRemoteThread|None|None|None|
|Process|OS api execution|process|executed|api call|CreateRemoteThreadApiCall|CreateRemoteThreadApiCall|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Command|command execution|process|executed|command|4688|A new process has been created.|Windows|Microsoft-Windows-Security-Auditing|Security|Detailed Tracking|Process Creation| `auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable && reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation; the command line is only recorded when Computer Configuration -> Administrative Templates -> System -> Audit Process Creation -> Include command line in process creation events is also enabled |
|Command|command execution|process|executed|command|1|Process Creation.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|ProcessCreate|None|None|None|
|Command|command execution|process|executed|command|4103|Module logging.|Windows|Microsoft-Windows-PowerShell|Microsoft-Windows-PowerShell/Operational|Executing Pipeline|None| `reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /t REG_DWORD /d 1 /f && reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames /v * /t REG_SZ /d * /f` | Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell -> Turn on Module Logging |
|Command|command execution|process|executed|command|ProcessCreated|ProcessCreated|Windows|Microsoft Defender for Endpoint|DeviceProcessEvents|None|None|None|None|
|Script|script execution|process|executed|Script|4103|Module logging.|Windows|Microsoft-Windows-PowerShell|Microsoft-Windows-PowerShell/Operational|Executing Pipeline|None| `reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /t REG_DWORD /d 1 /f && reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames /v * /t REG_SZ /d * /f` | Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell -> Turn on Module Logging |
|Script|script execution|process|executed|Script|4104|Script Block Logging.|Windows|Microsoft-Windows-PowerShell|Microsoft-Windows-PowerShell/Operational|Execute a Remote Command|None| `reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f` | Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell -> Turn on PowerShell Script Block Logging |
|Script|script execution|process|executed|Script|ScriptContent|ScriptContent|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Script|script execution|process|executed|Script|PowerShellCommand|PowerShellCommand|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Script|script execution|process|executed|Script|AmsiScriptDetection|AmsiScriptDetection|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Network Traffic|network connection creation|process|listened on|port|5154|The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Filtering Platform Connection| `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
|Network Traffic|network connection creation|process|listened on|port|ListeningConnectionCreated|ListeningConnectionCreated|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|Module|module load|process|loaded|module|7|Image loaded.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|ImageLoad|None|None|None|
|Module|module load|process|loaded|module|ImageLoaded|ImageLoaded|Windows|Microsoft Defender for Endpoint|DeviceImageLoadEvents|None|None|None|None|
|File|file modification|process|modified|file|2|A process changed a file creation time.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|FileCreateTime|None|None|None|
|File|file modification|process|modified|file|11|FileCreate.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|FileCreate|None|None|None|
|File|file modification|process|modified|file|4670|Permissions on an object were changed.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|File System| `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
|File|file modification|process|modified|file|FileModified|FileModified|Windows|Microsoft Defender for Endpoint|DeviceFileEvents|None|None|None|None|
|File|file modification|process|modified|file|FileRenamed|FileRenamed|Windows|Microsoft Defender for Endpoint|DeviceFileEvents|None|None|None|None|
|Process|process modification|process|modified|process|8|CreateRemoteThread.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|CreateRemoteThread|None| `` |None|
|Process|process modification|process|modified|process|CreateRemoteThreadApiCall|CreateRemoteThreadApiCall|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Windows Registry|windows registry key modification|process|modified|windows registry key|13|RegistryEvent (Value Set).|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|RegistryEvent|None| `` |None|
|Windows Registry|windows registry key modification|process|modified|windows registry key|14|RegistryEvent (Key and Value Rename).|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|RegistryEvent|None| `` |None|
|Windows Registry|windows registry key modification|process|modified|windows registry key|4670|Permissions on an object were changed.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Registry| `auditpol /set /subcategory:"Registry" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
|Windows Registry|windows registry key modification|process|modified|windows registry key|RegistryKeyCreated|RegistryKeyCreated|Windows|Microsoft Defender for Endpoint|DeviceRegistryEvents|None|None|None|None|
|Windows Registry|windows registry key modification|process|modified|windows registry key value|13|RegistryEvent (Value Set).|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|RegistryEvent|None| `` |None|
|Windows Registry|windows registry key modification|process|modified|windows registry key value|14|RegistryEvent (Key and Value Rename).|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|RegistryEvent|None| `` |None|
|Windows Registry|windows registry key modification|process|modified|windows registry key value|4657|A registry value was modified.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Registry| `auditpol /set /subcategory:"Registry" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
|Windows Registry|windows registry key modification|process|modified|windows registry key value|RegistryValueSet|RegistryValueSet|Windows|Microsoft Defender for Endpoint|DeviceRegistryEvents|None|None|None|None|
|File|file access|process|requested access to|file|4656|A handle to an object was requested.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|File System| `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
|Process|process access|process|requested access to|process|4656|A handle to an object was requested.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Kernel Object| `auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Kernel Object |
|Process|process access|process|requested access to|process|10|Process Access.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|ProcessAccess|None| `` |None|
|Process|process access|process|requested access to|process|OpenProcessApiCall|OpenProcessApiCall|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Windows Registry|windows registry key access|process|requested access to|windows registry key|4656|A handle to an object was requested.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Registry| `auditpol /set /subcategory:"Registry" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
|Service|service metadata|service|started|None|4|Sysmon service state changed.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|ServiceStateChange|None| `` |None|
|Service|service metadata|service|stopped|None|4|Sysmon service state changed.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|ServiceStateChange|None| `` |None|
|Active Directory|active directory object access|user|accessed|ad object|4662|An operation was performed on an object.|Windows|Microsoft-Windows-Security-Auditing|Security|DS Access|Directory Service Access| `auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Access |
|File|file access|user|accessed|file|4663|An attempt was made to access an object.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|File System| `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
|Process|process access|user|accessed|process|4663|An attempt was made to access an object.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Kernel Object| `auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Kernel Object |
|Process|process access|user|accessed|process|OpenProcessApiCall|OpenProcessApiCall|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Windows Registry|windows registry key access|user|accessed|windows registry key|4663|An attempt was made to access an object.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Registry| `auditpol /set /subcategory:"Registry" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
|Firewall|firewall rule modification|user|added|firewall rule|2004|A rule has been added to the Windows Defender Firewall exception list.|Windows|Microsoft-Windows-Windows Firewall With Advanced Security|Microsoft-Windows-Windows Firewall With Advanced Security/Firewall|None|None|None|None|
|Firewall|firewall rule modification|user|added|firewall rule|CreateRuleGroup|CreateRuleGroup|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Network Share|network share access|user|attempted to access|network share|5140|A network share object was accessed.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|File Share| `auditpol /set /subcategory:"File Share" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share |
|Network Share|network share access|user|attempted to access|network share|5145|A network share object was checked to see whether client can be granted desired access.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Detailed File Share| `auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Detailed File Share |
|Network Share|network share access|user|attempted to access|network share|LogonSuccess|LogonSuccess|Windows|Microsoft Defender for Endpoint|DeviceLogonEvents|None|None|None|None|
|User Account|user account authentication|user|attempted to authenticate from|ip|4624|An account was successfully logged on.|Windows|Microsoft-Windows-Security-Auditing|Security|Logon/Logoff|Logon| `auditpol /set /subcategory:"Logon" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon |
|User Account|user account authentication|user|attempted to authenticate from|ip|4625|An account failed to log on.|Windows|Microsoft-Windows-Security-Auditing|Security|Logon/Logoff|Account Lockout| `auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Account Lockout |
|User Account|user account authentication|user|attempted to authenticate from|ip|4648|A logon was attempted using explicit credentials.|Windows|Microsoft-Windows-Security-Auditing|Security|Logon/Logoff|Logon| `auditpol /set /subcategory:"Logon" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon |
|User Account|user account authentication|user|attempted to authenticate from|ip|LogonSuccess|LogonSuccess|Windows|Microsoft Defender for Endpoint|DeviceLogonEvents|None|None|None|None|
|User Account|user account authentication|user|attempted to authenticate from|ip|ConsoleLogin|ConsoleLogin|AWS|CloudTrail|None|AwsConsoleSignin|None|None|None|
|User Account|user account authentication|user|attempted to authenticate from|port|4624|An account was successfully logged on.|Windows|Microsoft-Windows-Security-Auditing|Security|Logon/Logoff|Logon| `auditpol /set /subcategory:"Logon" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon |
|User Account|user account authentication|user|attempted to authenticate from|port|4625|An account failed to log on.|Windows|Microsoft-Windows-Security-Auditing|Security|Logon/Logoff|Account Lockout| `auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Account Lockout |
|User Account|user account authentication|user|attempted to authenticate from|port|4648|A logon was attempted using explicit credentials.|Windows|Microsoft-Windows-Security-Auditing|Security|Logon/Logoff|Logon| `auditpol /set /subcategory:"Logon" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon |
|User Account|user account authentication|user|attempted to authenticate from|port|LogonSuccess|LogonSuccess|Windows|Microsoft Defender for Endpoint|DeviceLogonEvents|None|None|None|None|
|User Account|user account authentication|user|attempted to authenticate to|application|ConsoleLogin|ConsoleLogin|AWS|CloudTrail|None|AwsConsoleSignin|None|None|None|
|Network Traffic|network connection creation|user|connected from|host|3|Network connection.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|NetworkConnect|None| `` |None|
|Network Traffic|network connection creation|user|connected from|host|InboundConnectionAccepted|InboundConnectionAccepted|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|Network Traffic|network connection creation|user|connected from|ip|3|Network connection.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|NetworkConnect|None| `` |None|
|Network Traffic|network connection creation|user|connected from|ip|InboundConnectionAccepted|InboundConnectionAccepted|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|Network Traffic|network connection creation|user|connected from|port|3|Network connection.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|NetworkConnect|None| `` |None|
|Network Traffic|network connection creation|user|connected from|port|InboundConnectionAccepted|InboundConnectionAccepted|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|Network Traffic|network connection creation|user|connected to|host|3|Network connection.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|NetworkConnect|None| `` |None|
|Network Traffic|network connection creation|user|connected to|host|ConnectionSuccess|ConnectionSuccess|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|Network Traffic|network connection creation|user|connected to|ip|3|Network connection.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|NetworkConnect|None| `` |None|
|Network Traffic|network connection creation|user|connected to|ip|ConnectionSuccess|ConnectionSuccess|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|Network Traffic|network connection creation|user|connected to|port|3|Network connection.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|NetworkConnect|None| `` |None|
|Network Traffic|network connection creation|user|connected to|port|ConnectionSuccess|ConnectionSuccess|Windows|Microsoft Defender for Endpoint|DeviceNetworkEvents|None|None|None|None|
|Active Directory|active directory object creation|user|created|ad object|5137|A directory service object was created.|Windows|Microsoft-Windows-Security-Auditing|Security|DS Access|Directory Service Changes| `auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes |
|File|file creation|user|created|file|DeviceFileEvents|DeviceFileEvents|Windows|Windows Defender Advanced Threat Protection|None|None|None|None|None|
|Instance|instance creation|user|created|instance|RunInstances|RunInstances|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Instance|instance creation|user|created instance from|ip|RunInstances|RunInstances|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Logon Session|logon session creation|user|created|logon session|4624|An account was successfully logged on.|Windows|Microsoft-Windows-Security-Auditing|Security|Logon/Logoff|Logon| `auditpol /set /subcategory:"Logon" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon |
|Logon Session|logon session creation|user|created|logon session|4778|A session was reconnected to a Window Station.|Windows|Microsoft-Windows-Security-Auditing|Security|Logon/Logoff|Other Logon/Logoff Events| `auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Other Logon/Logoff Events |
|Logon Session|logon session creation|user|created|logon session|4964|Special groups have been assigned to a new logon.|Windows|Microsoft-Windows-Security-Auditing|Security|Logon/Logoff|Special Logon| `auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Special Logon |
|Logon Session|logon session creation|user|created|logon session|LogonSuccess|LogonSuccess|Windows|Microsoft Defender for Endpoint|DeviceLogonEvents|None|None|None|None|
|Logon Session|logon session creation|user|created logon session from|ip|4624|An account was successfully logged on.|Windows|Microsoft-Windows-Security-Auditing|Security|Logon/Logoff|Logon| `auditpol /set /subcategory:"Logon" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon |
|Logon Session|logon session creation|user|created logon session from|ip|4778|A session was reconnected to a Window Station.|Windows|Microsoft-Windows-Security-Auditing|Security|Logon/Logoff|Other Logon/Logoff Events| `auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Other Logon/Logoff Events |
|Logon Session|logon session creation|user|created logon session from|ip|LogonSuccess|LogonSuccess|Windows|Microsoft Defender for Endpoint|DeviceLogonEvents|None|None|None|None|
|Logon Session|logon session creation|user|created logon session from|port|4624|An account was successfully logged on.|Windows|Microsoft-Windows-Security-Auditing|Security|Logon/Logoff|Logon| `auditpol /set /subcategory:"Logon" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon |
|Logon Session|logon session creation|user|created logon session from|port|LogonSuccess|LogonSuccess|Windows|Microsoft Defender for Endpoint|DeviceLogonEvents|None|None|None|None|
|Network Share|network share creation|user|created|network share|5142|A network share object was added.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|File Share| `auditpol /set /subcategory:"File Share" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share |
|Process|process creation|user|created|process|4688|A new process has been created.|Windows|Microsoft-Windows-Security-Auditing|Security|Detailed Tracking|Process Creation| `auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation |
|Process|process creation|user|created|process|1|Process Creation.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|ProcessCreate|None| `` |None|
|Process|process creation|user|created|process|ProcessCreated|ProcessCreated|Windows|Microsoft Defender for Endpoint|DeviceProcessEvents|None|None|None|None|
|Scheduled Job|scheduled job creation|user|created|scheduled job|4698|A scheduled task was created.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Other Object Access Events| `auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events |
|Scheduled Job|scheduled job creation|user|created|scheduled job|ScheduledTaskCreated|ScheduledTaskCreated|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Service|service creation|user|created|service|4697|A service was installed in the system.|Windows|Microsoft-Windows-Security-Auditing|Security|System|Security System Extension| `auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Security System Extension |
|Service|service creation|user|created|service|7045|A new service was installed in the system.|Windows|Service Control Manager|System|None|None|None|None|
|Service|service creation|user|created|service|ServiceInstalled|ServiceInstalled|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|User Account|user account creation|user|created|user|4720|A user account was created.|Windows|Microsoft-Windows-Security-Auditing|Security|Account Management|User Account Management| `auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
|User Account|user account creation|user|created|user|UserAccountCreated|UserAccountCreated|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|WMI|wmi creation|user|created|wmi object|19|WmiEvent (WmiEventFilter activity detected).|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|WmiEvent|None| `` |None|
|WMI|wmi creation|user|created|wmi object|20|WmiEvent (WmiEventConsumer activity detected).|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|WmiEvent|None| `` |None|
|WMI|wmi creation|user|created|wmi object|21|WmiEvent (WmiEventConsumerToFilter activity detected).|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|WmiEvent|None| `` |None|
|WMI|wmi creation|user|created|wmi object|WmiBindEventFilterToConsumer|WmiBindEventFilterToConsumer|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Active Directory|active directory object deletion|user|deleted|ad object|5141|A directory service object was deleted.|Windows|Microsoft-Windows-Security-Auditing|Security|DS Access|Directory Service Changes| `auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes |
|File|file deletion|user|deleted|file|23|File Delete archived.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|FileDelete|None| `` |None|
|File|file deletion|user|deleted|file|26|File Delete logged.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|FileDeleteDetected|None| `` |None|
|File|file deletion|user|deleted|file|4660|An object was deleted.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|File System| `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
|File|file deletion|user|deleted|file|FileDeleted|FileDeleted|Windows|Microsoft Defender for Endpoint|DeviceFileEvents|None|None|None|None|
|Network Share|network share deletion|user|deleted|network share|5144|A network share object was deleted.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|File Share| `auditpol /set /subcategory:"File Share" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share |
|Scheduled Job|scheduled job deletion|user|deleted|scheduled job|4699|A scheduled task was deleted.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Other Object Access Events| `auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events |
|Scheduled Job|scheduled job deletion|user|deleted|scheduled job|ScheduledTaskDeleted|ScheduledTaskDeleted|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|User Account|user account deletion|user|deleted|user|4726|A user account was deleted.|Windows|Microsoft-Windows-Security-Auditing|Security|Account Management|User Account Management| `auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
|User Account|user account deletion|user|deleted|user|UserAccountDeleted|UserAccountDeleted|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Windows Registry|windows registry key deletion|user|deleted|windows registry key|4660|An object was deleted.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Registry| `auditpol /set /subcategory:"Registry" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
|Windows Registry|windows registry key deletion|user|deleted|windows registry key|RegistryKeyDeleted|RegistryKeyDeleted|Windows|Microsoft Defender for Endpoint|DeviceRegistryEvents|None|None|None|None|
|WMI|wmi deletion|user|deleted|wmi object|19|WmiEvent (WmiEventFilter activity detected).|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|WmiEvent|None| `` |None|
|WMI|wmi deletion|user|deleted|wmi object|20|WmiEvent (WmiEventConsumer activity detected).|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|WmiEvent|None| `` |None|
|WMI|wmi deletion|user|deleted|wmi object|21|WmiEvent (WmiEventConsumerToFilter activity detected).|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|WmiEvent|None| `` |None|
|Scheduled Job|scheduled job modification|user|disabled|scheduled job|4701|A scheduled task was disabled.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Other Object Access Events| `auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events |
|Scheduled Job|scheduled job modification|user|disabled|scheduled job|ScheduledTaskModified|ScheduledTaskModified|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|User Account|user account modification|user|disabled|user|4725|A user account was disabled.|Windows|Microsoft-Windows-Security-Auditing|Security|Account Management|User Account Management| `auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
|User Account|user account modification|user|disabled|user|UserAccountModified|UserAccountModified|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Scheduled Job|scheduled job modification|user|enabled|scheduled job|4700|A scheduled task was enabled.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Other Object Access Events| `auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events |
|Scheduled Job|scheduled job modification|user|enabled|scheduled job|ScheduledTaskModified|ScheduledTaskModified|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|User Account|user account modification|user|enabled|user|4722|A user account was enabled.|Windows|Microsoft-Windows-Security-Auditing|Security|Account Management|User Account Management| `auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
|User Account|user account modification|user|enabled|user|UserAccountModified|UserAccountModified|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Command|command execution|user|executed|command|4688|A new process has been created.|Windows|Microsoft-Windows-Security-Auditing|Security|Detailed Tracking|Process Creation| `auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation |
|Command|command execution|user|executed|command|1|Process Creation.|Windows|Microsoft-Windows-Sysmon|Microsoft-Windows-Sysmon/Operational|ProcessCreate|None| `` |None|
|Command|command execution|user|executed|command|4103|Module logging.|Windows|Microsoft-Windows-PowerShell|Microsoft-Windows-PowerShell/Operational|Executing Pipeline|None|None|None|
|Command|command execution|user|executed|command|ProcessCreated|ProcessCreated|Windows|Microsoft Defender for Endpoint|DeviceProcessEvents|None|None|None|None|
|User Account|user account modification|user|granted access to|user|4717|System security access was granted to an account.|Windows|Microsoft-Windows-Security-Auditing|Security|Policy Change|Authentication Policy Change| `auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit Authentication Policy Change |
|Firewall|firewall enumeration|user|listed|firewall rule|ListRuleGroups|ListRuleGroups|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|User Account|user account modification|user|locked|user|4740|A user account was locked out.|Windows|Microsoft-Windows-Security-Auditing|Security|Account Management|User Account Management| `auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
|Active Directory|active directory object modification|user|modified|ad object|5136|A directory service object was modified.|Windows|Microsoft-Windows-Security-Auditing|Security|DS Access|Directory Service Changes| `auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes |
|Active Directory|active directory object modification|user|modified|ad object|5139|A directory service object was moved.|Windows|Microsoft-Windows-Security-Auditing|Security|DS Access|Directory Service Changes| `auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes |
|Cloud Service|cloud service modification|user|modified|cloud service|UpdateTrail|UpdateTrail|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|File|file modification|user|modified|file|4670|Permissions on an object were changed.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|File System| `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
|File|file modification|user|modified|file|DeviceFileEvents|DeviceFileEvents|Windows|Windows Defender Advanced Threat Protection|None|None|None|None|None|
|Firewall|firewall rule modification|user|modified|firewall rule|2005|A rule has been modified in the Windows Defender Firewall exception list.|Windows|Microsoft-Windows-Windows Firewall With Advanced Security|Microsoft-Windows-Windows Firewall With Advanced Security/Firewall|None|None|None|None|
|Firewall|firewall rule modification|user|modified|firewall rule|UpdateRuleGroup|UpdateRuleGroup|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Instance|instance modification|user|modified|instance|ModifyInstanceAttribute|ModifyInstanceAttribute|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Network Share|network share modification|user|modified|network share|5143|A network share object was modified.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|File Share| `auditpol /set /subcategory:"File Share" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share |
|Scheduled Job|scheduled job modification|user|modified|schedule job|4702|A scheduled task was updated.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Other Object Access Events| `auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events |
|Scheduled Job|scheduled job modification|user|modified|schedule job|ScheduledTaskUpdated|ScheduledTaskUpdated|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|User Account|user account modification|user|modified|user|4738|A user account was changed.|Windows|Microsoft-Windows-Security-Auditing|Security|Account Management|User Account Management| `auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
|User Account|user account modification|user|modified|user|4781|The name of an account was changed.|Windows|Microsoft-Windows-Security-Auditing|Security|Account Management|User Account Management| `auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
|User Account|user account modification|user|modified|user|UserAccountModified|UserAccountModified|Windows|Microsoft Defender for Endpoint|DeviceEvents|None|None|None|None|
|Windows Registry|windows registry key modification|user|modified|windows registry key|4670|Permissions on an object were changed.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Registry| `auditpol /set /subcategory:"Registry" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
|Windows Registry|windows registry key modification|user|modified|windows registry key|RegistryKeySet|RegistryKeySet|Windows|Microsoft Defender for Endpoint|DeviceRegistryEvents|None|None|None|None|
|Windows Registry|windows registry key modification|user|modified|windows registry key value|4657|A registry value was modified.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Registry| `auditpol /set /subcategory:"Registry" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
|Windows Registry|windows registry key modification|user|modified|windows registry key value|RegistryValueSet|RegistryValueSet|Windows|Microsoft Defender for Endpoint|DeviceRegistryEvents|None|None|None|None|
|User Account|user account modification|user|removed access from|user|4718|System security access was removed from an account.|Windows|Microsoft-Windows-Security-Auditing|Security|Policy Change|Authentication Policy Change| `auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit Authentication Policy Change |
|Firewall|firewall rule modification|user|removed|firewall rule|2006|A rule has been deleted in the Windows Defender Firewall exception list.|Windows|Microsoft-Windows-Windows Firewall With Advanced Security|Microsoft-Windows-Windows Firewall With Advanced Security/Firewall|None|None|None|None|
|Firewall|firewall rule modification|user|removed|firewall rule|DeleteRuleGroup|DeleteRuleGroup|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Active Directory|active directory object access|user|requested access to|ad object|4661|A handle to an object was requested.|Windows|Microsoft-Windows-Security-Auditing|Security|DS Access|Directory Service Access| `auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Access |
|File|file access|user|requested access to|file|4656|A handle to an object was requested.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|File System| `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
|File|file access|user|requested access to|file|4661|A handle to an object was requested.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|SAM| `auditpol /set /subcategory:"SAM" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit SAM |
|Service|service access|user|requested access to|service|4656|A handle to an object was requested.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Other Object Access Events| `auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events |
|Windows Registry|windows registry key access|user|requested access to|windows registry key|4656|A handle to an object was requested.|Windows|Microsoft-Windows-Security-Auditing|Security|Object Access|Registry| `auditpol /set /subcategory:"Registry" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
|Active Directory|active directory credential request|user|requested|ad credential|4768|A Kerberos authentication ticket (TGT) was requested.|Windows|Microsoft-Windows-Security-Auditing|Security|Account Logon|Kerberos Authentication Service| `auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> Audit Kerberos Authentication Service |
|Active Directory|active directory credential request|user|requested|ad credential|4769|A Kerberos service ticket was requested.|Windows|Microsoft-Windows-Security-Auditing|Security|Account Logon|Kerberos Service Ticket Operations| `auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> Audit Kerberos Service Ticket Operations |
|Cloud Service|cloud service metadata|user|retrieved information about|cloud service|GetTrail|GetTrail|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Cloud Service|cloud service metadata|user|retrieved information about|cloud service|GetTrailStatus|GetTrailStatus|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Cloud Service|cloud service metadata|user|retrieved information about|cloud service|DescribeTrails|DescribeTrails|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Cloud Service|cloud service metadata|user|retrieved information about|cloud service|GetEventSelectors|GetEventSelectors|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Cloud Service|cloud service metadata|user|retrieved information about|cloud service|GetInsightSelectors|GetInsightSelectors|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Cloud Service|cloud service metadata|user|retrieved information about cloud service from|ip|GetTrail|GetTrail|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Cloud Service|cloud service metadata|user|retrieved information about cloud service from|ip|GetTrailStatus|GetTrailStatus|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Cloud Service|cloud service metadata|user|retrieved information about cloud service from|ip|DescribeTrails|DescribeTrails|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Cloud Service|cloud service metadata|user|retrieved information about cloud service from|ip|GetEventSelectors|GetEventSelectors|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Cloud Service|cloud service metadata|user|retrieved information about cloud service from|ip|GetInsightSelectors|GetInsightSelectors|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Firewall|firewall metadata|user|retrieved information about|firewall|DescribeFirewall|DescribeFirewall|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Firewall|firewall metadata|user|retrieved information about|firewall|DescribeFirewallPolicy|DescribeFirewallPolicy|AWS|CloudTrail|None|AwsApiCall|None|None|None|
|Logon Session|logon session termination|user|terminated|logon session|4634|An account was logged off.|Windows|Microsoft-Windows-Security-Auditing|Security|Logon/Logoff|Logoff| `auditpol /set /subcategory:"Logoff" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logoff |
|Process|process termination|user|terminated|process|4689|A process has exited.|Windows|Microsoft-Windows-Security-Auditing|Security|Detailed Tracking|Process Termination| `auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Termination |
|User Account|user account modification|user|unlocked|user|4767|A user account was unlocked.|Windows|Microsoft-Windows-Security-Auditing|Security|Account Management|User Account Management| `auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |