ATT&CK DS Event Mappings

Data Source

Component

Source

Relationship

Target

EventID

Event Name

Event Platform

Log Provider

Log Channel

Audit Category

Audit Sub-Category

Enable Commands

GPO Audit Policy

User Account

user account authentication

application

attempted to authenticate

user

ConsoleLogin

ConsoleLogin

AWS

CloudTrail

None

AwsConsoleSignin

None

None

None

Driver

driver load

driver

loaded

None

6

Driver loaded.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

DriverLoad

None

<DriverLoad onmatch="exclude" />

None

Driver

driver load

driver

loaded

None

DriverLoaded

DriverLoaded

Windows

Microsoft Defender for Endpoint

DeviceEvents

None

None

None

None

Firewall

firewall disable

firewall

disabled

None

5025

The Windows Firewall Service has been stopped.

Windows

Microsoft-Windows-Security-Auditing

Security

System

Other System Events

auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Other System Events

Firewall

firewall enable

firewall

enabled

None

5024

The Windows Firewall Service has started successfully.

Windows

Microsoft-Windows-Security-Auditing

Security

System

Other System Events

auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Other System Events

Firewall

firewall rule modification

firewall rule

added

None

4946

A change has been made to Windows Firewall exception list. A rule was added.

Windows

Microsoft-Windows-Security-Auditing

Security

Policy Change

MPSSVC Rule-Level Policy Change

auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit MPSSVC Rule-Level Policy Change

Firewall

firewall rule modification

firewall rule

modified

None

4947

A change has been made to Windows Firewall exception list. A rule was modified.

Windows

Microsoft-Windows-Security-Auditing

Security

Policy Change

MPSSVC Rule-Level Policy Change

auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit MPSSVC Rule-Level Policy Change

Firewall

firewall rule modification

firewall rule

removed

None

4948

A change has been made to Windows Firewall exception list. A rule was deleted.

Windows

Microsoft-Windows-Security-Auditing

Security

Policy Change

MPSSVC Rule-Level Policy Change

auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit MPSSVC Rule-Level Policy Change

Network Traffic

network connection creation

host

blocked connection from

ip

5157

The Windows Filtering Platform has blocked a connection.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

host

blocked connection from

ip

FirewallInboundConnectionBlocked

FirewallInboundConnectionBlocked

Windows

Microsoft Defender for Endpoint

DeviceEvents

None

None

None

None

Network Traffic

network connection creation

host

blocked connection from

port

5157

The Windows Filtering Platform has blocked a connection.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

host

blocked connection from

port

FirewallInboundConnectionBlocked

FirewallInboundConnectionBlocked

Windows

Microsoft Defender for Endpoint

DeviceEvents

None

None

None

None

Network Traffic

network connection creation

host

blocked connection from

process

5157

The Windows Filtering Platform has blocked a connection.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

host

blocked connection to

ip

5157

The Windows Filtering Platform has blocked a connection.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

host

blocked connection to

ip

FirewallOutboundConnectionBlocked

FirewallOutboundConnectionBlocked

Windows

Microsoft Defender for Endpoint

DeviceEvents

None

None

None

None

Network Traffic

network connection creation

host

blocked connection to

port

5157

The Windows Filtering Platform has blocked a connection.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

host

blocked connection to

port

FirewallOutboundConnectionBlocked

FirewallOutboundConnectionBlocked

Windows

Microsoft Defender for Endpoint

DeviceEvents

None

None

None

None

Network Traffic

network connection creation

host

blocked connection to

process

5157

The Windows Filtering Platform has blocked a connection.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

host

blocked connection to

process

5031

The Windows Firewall Service blocked an application from accepting incoming connections on the network.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

host

blocked connection to

process

FirewallInboundConnectionToAppBlocked

FirewallInboundConnectionToAppBlocked

Windows

Microsoft Defender for Endpoint

DeviceEvents

None

None

None

None

Network Traffic

network connection creation

host

blocked listener on

ip

5155

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

host

blocked listener on

port

5155

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

host

blocked listener on

process

5155

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

host

blocked port bind on

ip

5159

The Windows Filtering Platform has blocked a bind to a local port.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

host

blocked port bind on

port

5159

The Windows Filtering Platform has blocked a bind to a local port.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

host

blocked port bind on

process

5159

The Windows Filtering Platform has blocked a bind to a local port.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

host

permitted listener on

ip

5154

The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

host

permitted listener on

port

5154

The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

host

permitted listener on

process

5154

The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Logon Session

logon session modification

logon session

modified

None

4672

Special privileges assigned to new logon.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Special Logon

auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Special Logon

File

file access

process

accessed

file

4663

An attempt was made to access an object.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

File System

auditpol /set /subcategory:"File System" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System

Process

process access

process

accessed

process

10

ProcessAccess.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

ProcessAccess

None

<ProcessAccess onmatch="exclude" />

None

Process

process access

process

accessed

process

4663

An attempt was made to access an object.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Kernel Object

auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Kernel Object

Process

process access

process

accessed

process

OpenProcessApiCall

OpenProcessApiCall

Windows

Microsoft Defender for Endpoint

DeviceEvents

None

None

None

None

Windows Registry

windows registry key access

process

accessed

windows registry key

4663

An attempt was made to access an object.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Registry

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry

Network Traffic

network connection creation

process

attempted connection from

ip

5157

The Windows Filtering Platform has blocked a connection.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

process

attempted connection from

ip

ConnectionRequest

ConnectionRequest

Windows

Microsoft Defender for Endpoint

DeviceNetworkEvents

None

None

None

None

Network Traffic

network connection creation

process

attempted connection from

port

5157

The Windows Filtering Platform has blocked a connection.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

process

attempted connection from

port

ConnectionRequest

ConnectionRequest

Windows

Microsoft Defender for Endpoint

DeviceNetworkEvents

None

None

None

None

Network Traffic

network connection creation

process

attempted connection to

ip

5157

The Windows Filtering Platform has blocked a connection.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

process

attempted connection to

ip

ConnectionAttempt

ConnectionAttempt

Windows

Microsoft Defender for Endpoint

DeviceNetworkEvents

None

None

None

None

Network Traffic

network connection creation

process

attempted connection to

port

5157

The Windows Filtering Platform has blocked a connection.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

process

attempted connection to

port

ConnectionAttempt

ConnectionAttempt

Windows

Microsoft Defender for Endpoint

DeviceNetworkEvents

None

None

None

None

Network Traffic

network connection creation

process

attempted to bind on

port

5159

The Windows Filtering Platform has blocked a bind to a local port.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

process

attempted to listen on

port

5155

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

process

bound to

port

5158

The Windows Filtering Platform has permitted a bind to a local port.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

process

bound to

port

ListeningConnectionCreated

ListeningConnectionCreated

Windows

Microsoft Defender for Endpoint

DeviceNetworkEvents

None

None

None

None

Network Traffic

network connection creation

process

connected from

host

3

Network connection.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

NetworkConnect

None

<NetworkConnect onmatch="exclude" />

None

Network Traffic

network connection creation

process

connected from

host

InboundConnectionAccepted

InboundConnectionAccepted

Windows

Microsoft Defender for Endpoint

DeviceNetworkEvents

None

None

None

None

Network Traffic

network connection creation

process

connected from

ip

5156

The Windows Filtering Platform has permitted a connection.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

process

connected from

ip

3

Network connection.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

NetworkConnect

None

<NetworkConnect onmatch="exclude" />

None

Network Traffic

network connection creation

process

connected from

ip

InboundConnectionAccepted

InboundConnectionAccepted

Windows

Microsoft Defender for Endpoint

DeviceNetworkEvents

None

None

None

None

Network Traffic

network connection creation

process

connected from

port

5156

The Windows Filtering Platform has permitted a connection.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

process

connected from

port

3

Network connection.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

NetworkConnect

None

<NetworkConnect onmatch="exclude" />

None

Network Traffic

network connection creation

process

connected from

port

InboundConnectionAccepted

InboundConnectionAccepted

Windows

Microsoft Defender for Endpoint

DeviceNetworkEvents

None

None

None

None

Network Traffic

network connection creation

process

connected to

host

3

Network connection.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

NetworkConnect

None

<NetworkConnect onmatch="exclude" />

None

Network Traffic

network connection creation

process

connected to

host

ConnectionSuccess

ConnectionSuccess

Windows

Microsoft Defender for Endpoint

DeviceNetworkEvents

None

None

None

None

Network Traffic

network connection creation

process

connected to

ip

5156

The Windows Filtering Platform has permitted a connection.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

process

connected to

ip

3

Network connection.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

NetworkConnect

None

<NetworkConnect onmatch="exclude" />

None

Network Traffic

network connection creation

process

connected to

ip

ConnectionSuccess

ConnectionSuccess

Windows

Microsoft Defender for Endpoint

DeviceNetworkEvents

None

None

None

None

Network Traffic

network connection creation

process

connected to

port

5156

The Windows Filtering Platform has permitted a connection.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Network Traffic

network connection creation

process

connected to

port

3

Network connection.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

NetworkConnect

None

<NetworkConnect onmatch="exclude" />

None

Network Traffic

network connection creation

process

connected to

port

ConnectionSuccess

ConnectionSuccess

Windows

Microsoft Defender for Endpoint

DeviceNetworkEvents

None

None

None

None

File

file creation

process

created

file

11

FileCreate.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

FileCreate

None

<FileCreate onmatch="exclude" />

None

File

file creation

process

created

file

FileCreated

FileCreated

Windows

Microsoft Defender for Endpoint

DeviceFileEvents

None

None

None

None

Process

process creation

process

created

process

4688

A new process has been created.

Windows

Microsoft-Windows-Security-Auditing

Security

Detailed Tracking

Process Creation

auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation

Process

process creation

process

created

process

1

Process Creation.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

ProcessCreate

None

<ProcessCreate onmatch="exclude" />

None

Process

process creation

process

created

process

ProcessCreated

ProcessCreated

Windows

Microsoft Defender for Endpoint

DeviceProcessEvents

None

None

None

None

Process

process creation

process

created

thread

8

CreateRemoteThread.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

CreateRemoteThread

None

<CreateRemoteThread onmatch="exclude" />

None

Process

process creation

process

created

thread

CreateRemoteThreadApiCall

CreateRemoteThreadApiCall

Windows

Microsoft Defender for Endpoint

DeviceEvents

None

None

None

None

Windows Registry

windows registry key creation

process

created

windows registry key

12

RegistryEvent (Object create and delete).

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

RegistryEvent

None

<RegistryEvent onmatch="exclude" />

None

Windows Registry

windows registry key creation

process

created

windows registry key

RegistryKeyCreated

RegistryKeyCreated

Windows

Microsoft Defender for Endpoint

DeviceRegistryEvents

None

None

None

None

Windows Registry

windows registry key creation

process

created

windows registry key value

12

RegistryEvent (Object create and delete).

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

RegistryEvent

None

<RegistryEvent onmatch="exclude" />

None

Windows Registry

windows registry key creation

process

created

windows registry key value

RegistryValueSet

RegistryValueSet

Windows

Microsoft Defender for Endpoint

DeviceRegistryEvents

None

None

None

None

File

file deletion

process

deleted

file

23

File Delete archived.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

FileDelete

None

<FileDelete onmatch="exclude" />

None

File

file deletion

process

deleted

file

26

File Delete logged.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

FileDeleteDetected

None

<FileDeleteDetected onmatch="exclude" />

None

File

file deletion

process

deleted

file

4660

An object was deleted.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

File System

auditpol /set /subcategory:"File System" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System

File

file deletion

process

deleted

file

FileDeleted

FileDeleted

Windows

Microsoft Defender for Endpoint

DeviceFileEvents

None

None

None

None

Windows Registry

windows registry key deletion

process

deleted

windows registry key

12

RegistryEvent (Object create and delete).

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

RegistryEvent

None

<RegistryEvent onmatch="exclude" />

None

Windows Registry

windows registry key deletion

process

deleted

windows registry key

4660

An object was deleted.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Registry

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry

Windows Registry

windows registry key deletion

process

deleted

windows registry key

RegistryKeyDeleted

RegistryKeyDeleted

Windows

Microsoft Defender for Endpoint

DeviceRegistryEvents

None

None

None

None

Windows Registry

windows registry key deletion

process

deleted

windows registry key value

12

RegistryEvent (Object create and delete).

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

RegistryEvent

None

<RegistryEvent onmatch="exclude" />

None

Windows Registry

windows registry key deletion

process

deleted

windows registry key value

RegistryValueDeleted

RegistryValueDeleted

Windows

Microsoft Defender for Endpoint

DeviceRegistryEvents

None

None

None

None

Process

OS api execution

process

| Data Source | Component | Source | Relationship | Target | EventID | Event Name | Event Platform | Log Provider | Log Channel | Audit Category | Audit Sub-Category | Enable Commands | GPO Audit Policy (Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> ...) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Process | OS api execution | process | executed | api call | 8 | CreateRemoteThread. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | CreateRemoteThread | None | <CreateRemoteThread onmatch="exclude" /> | None |
| Process | OS api execution | process | executed | api call | CreateRemoteThreadApiCall | CreateRemoteThreadApiCall | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| Command | command execution | process | executed | command | 4688 | A new process has been created. | Windows | Microsoft-Windows-Security-Auditing | Security | Detailed Tracking | Process Creation | auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Detailed Tracking -> Audit Process Creation |
| Command | command execution | process | executed | command | 1 | Process Creation. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ProcessCreate | None | <ProcessCreate onmatch="exclude" /> | None |
| Command | command execution | process | executed | command | 4103 | Module logging. | Windows | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | Executing Pipeline | None | None | None |
| Command | command execution | process | executed | command | ProcessCreated | ProcessCreated | Windows | Microsoft Defender for Endpoint | DeviceProcessEvents | None | None | None | None |
| Script | script execution | process | executed | script | 4103 | Module logging. | Windows | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | Executing Pipeline | None | None | None |
| Script | script execution | process | executed | script | 4104 | Script Block Logging. | Windows | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | Execute a Remote Command | None | None | None |
| Script | script execution | process | executed | script | ScriptContent | ScriptContent | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| Script | script execution | process | executed | script | PowerShellCommand | PowerShellCommand | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| Script | script execution | process | executed | script | AmsiScriptDetection | AmsiScriptDetection | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
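
The 4688, 4103 and 4104 rows above list no Enable Commands beyond the Process Creation subcategory, yet each needs a policy setting before the event carries anything useful: 4688 has no command line unless ProcessCreationIncludeCmdLine_Enabled is set, and 4103/4104 are not written at all until module logging and script block logging are turned on. The PowerShell below is an added example, not part of the mapping table or of any project's code. The function names are this example's own, the registry paths are the documented policy locations for these settings, and it assumes an elevated session on the host being configured. The second function reads 4104 back and reassembles script blocks that were split across several events before matching them, which a per-event search would miss.

```powershell
# Added example: enable the telemetry behind the 4688 / 4103 / 4104 rows and read 4104 back.
# Run elevated. Function names are this example's own; registry paths are the policy keys
# documented for these settings.

function Enable-ExecutionTelemetry {
    # 4688 only includes the process command line when this policy value is 1.
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $audit -Force | Out-Null
    New-ItemProperty -LiteralPath $audit -Name 'ProcessCreationIncludeCmdLine_Enabled' `
        -Value 1 -PropertyType DWord -Force | Out-Null

    # 4103 (module logging): log pipeline execution for every module ("*" = "*").
    $mod = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
    New-Item -Path "$mod\ModuleNames" -Force | Out-Null
    New-ItemProperty -LiteralPath $mod -Name 'EnableModuleLogging' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -LiteralPath "$mod\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # 4104 (script block logging): the de-obfuscated text of every script block as it is compiled.
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    New-ItemProperty -LiteralPath $sbl -Name 'EnableScriptBlockLogging' -Value 1 -PropertyType DWord -Force | Out-Null

    # The Security-log half of 4688 is the auditpol command from the table.
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
}

function Get-SuspiciousScriptBlocks {
    param(
        [int]$MaxEvents = 2000,
        # Constructed example pattern; replace with whatever your hunting rules need.
        [string]$Pattern = 'Invoke-Expression|IEX|FromBase64String|DownloadString|-enc'
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $parts = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time          = $e.TimeCreated
            ScriptBlockId = $d['ScriptBlockId']
            Number        = [int]$d['MessageNumber']
            Total         = [int]$d['MessageTotal']
            Path          = $d['Path']
            Text          = $d['ScriptBlockText']
        }
    }
    # A long script block is written as MessageTotal events sharing one ScriptBlockId.
    # Reassemble in order before matching, or a pattern that straddles a split is missed.
    $parts | Group-Object ScriptBlockId | ForEach-Object {
        $ordered = @($_.Group | Sort-Object Number)
        $text = -join $ordered.Text
        if ($text -match $Pattern) {
            [pscustomobject]@{
                FirstSeen     = $ordered[0].Time
                ScriptBlockId = $_.Name
                Parts         = "$($ordered.Count)/$($ordered[0].Total)"
                Path          = $ordered[0].Path
                Snippet       = $text.Substring(0, [Math]::Min(160, $text.Length))
            }
        }
    }
}

# Usage (elevated):
# Enable-ExecutionTelemetry
# Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

The registry writes take effect for new PowerShell hosts; sessions already running keep their old logging settings. Note that 4104 is written whether the script block was typed at a prompt, run from a file, or decoded from an encoded command, so the Path field is empty for anything that was not a script file.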

| Data Source | Component | Source | Relationship | Target | EventID | Event Name | Event Platform | Log Provider | Log Channel | Audit Category | Audit Sub-Category | Enable Commands | GPO Audit Policy (Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> ...) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Network Traffic | network connection creation | process | listened on | port | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable | Object Access -> Audit Filtering Platform Connection |
| Network Traffic | network connection creation | process | listened on | port | ListeningConnectionCreated | ListeningConnectionCreated | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| Module | module load | process | loaded | module | 7 | Image loaded. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ImageLoad | None | <ImageLoad onmatch="exclude" /> | None |
| Module | module load | process | loaded | module | ImageLoaded | ImageLoaded | Windows | Microsoft Defender for Endpoint | DeviceImageLoadEvents | None | None | None | None |
| File | file modification | process | modified | file | 2 | A process changed a file creation time. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileCreateTime | None | <FileCreateTime onmatch="exclude" /> | None |
| File | file modification | process | modified | file | 11 | FileCreate. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileCreate | None | <FileCreate onmatch="exclude" /> | None |
| File | file modification | process | modified | file | 4670 | Permissions on an object were changed. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | auditpol /set /subcategory:"File System" /success:enable /failure:enable | Object Access -> Audit File System |
| File | file modification | process | modified | file | FileModified | FileModified | Windows | Microsoft Defender for Endpoint | DeviceFileEvents | None | None | None | None |
| File | file modification | process | modified | file | FileRenamed | FileRenamed | Windows | Microsoft Defender for Endpoint | DeviceFileEvents | None | None | None | None |
| Process | process modification | process | modified | process | 8 | CreateRemoteThread. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | CreateRemoteThread | None | <CreateRemoteThread onmatch="exclude" /> | None |
| Process | process modification | process | modified | process | CreateRemoteThreadApiCall | CreateRemoteThreadApiCall | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| Windows Registry | windows registry key modification | process | modified | windows registry key | 13 | RegistryEvent (Value Set). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | <RegistryEvent onmatch="exclude" /> | None |
| Windows Registry | windows registry key modification | process | modified | windows registry key | 14 | RegistryEvent (Key and Value Rename). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | <RegistryEvent onmatch="exclude" /> | None |
| Windows Registry | windows registry key modification | process | modified | windows registry key | 4670 | Permissions on an object were changed. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Object Access -> Audit Registry |
| Windows Registry | windows registry key modification | process | modified | windows registry key | RegistryKeyCreated | RegistryKeyCreated | Windows | Microsoft Defender for Endpoint | DeviceRegistryEvents | None | None | None | None |
| Windows Registry | windows registry key modification | process | modified | windows registry key value | 13 | RegistryEvent (Value Set). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | <RegistryEvent onmatch="exclude" /> | None |
| Windows Registry | windows registry key modification | process | modified | windows registry key value | 14 | RegistryEvent (Key and Value Rename). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | <RegistryEvent onmatch="exclude" /> | None |
| Windows Registry | windows registry key modification | process | modified | windows registry key value | 4657 | A registry value was modified. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Object Access -> Audit Registry |
| Windows Registry | windows registry key modification | process | modified | windows registry key value | RegistryValueSet | RegistryValueSet | Windows | Microsoft Defender for Endpoint | DeviceRegistryEvents | None | None | None | None |
| File | file access | process | requested access to | file | 4656 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | auditpol /set /subcategory:"File System" /success:enable /failure:enable | Object Access -> Audit File System |
| Process | process access | process | requested access to | process | 4656 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Kernel Object | auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable | Object Access -> Audit Kernel Object |
| Process | process access | process | requested access to | process | 10 | Process Access. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ProcessAccess | None | <ProcessAccess onmatch="exclude" /> | None |
| Process | process access | process | requested access to | process | OpenProcessApiCall | OpenProcessApiCall | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| Windows Registry | windows registry key access | process | requested access to | windows registry key | 4656 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Object Access -> Audit Registry |
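
The Security-log rows in this block (5154, 4670, 4657, 4656) depend on two things the Enable Commands column only half covers. The subcategory must be enabled, which auditpol does; but for the Object Access rows the object itself must also carry a SACL, or nothing is logged no matter what auditpol says. For kernel objects such as processes the default SACL comes from the security option "Audit: Audit the access of global system objects". The PowerShell below is an added example, not from the mapping table or any project: it reads the current policy with auditpol /get /r, reports which of the listed subcategories are short of Success and Failure, and adds a file-system audit rule to a directory so that 4656/4663/4660/4670 can actually fire for it. The function names, the default subcategory list and the rights chosen for the rule are this example's own.

```powershell
# Added example: verify the audit subcategories behind these rows and add the SACL that the
# Object Access events need. Run elevated. Names and defaults are this example's choices.

function Get-AuditCoverage {
    param(
        [string[]]$Required = @('Process Creation', 'Filtering Platform Connection',
                                'File System', 'Registry', 'Kernel Object')
    )
    # /r switches auditpol to CSV: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting.
    $state = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    foreach ($name in $Required) {
        $row = $state | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting
            Complete    = ($setting -eq 'Success and Failure')
            # The fix is the exact command the table lists for this subcategory.
            Fix         = if ($setting -eq 'Success and Failure') { '' } else {
                              "auditpol /set /subcategory:`"$name`" /success:enable /failure:enable" }
        }
    }
}

function Add-FileAuditRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Identity = 'Everyone',
        # Writes, deletes and DACL changes: the accesses behind 4663, 4660 and 4670.
        [System.Security.AccessControl.FileSystemRights]$Rights =
            'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    )
    # -Audit is required to read (and later write back) the SACL rather than only the DACL.
    $acl  = Get-Acl -LiteralPath $Path -Audit
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Return the resulting SACL entries so the caller can confirm the rule landed.
    (Get-Acl -LiteralPath $Path -Audit).Audit
}

# Usage (elevated):
# Get-AuditCoverage | Format-Table -AutoSize
# Add-FileAuditRule -Path 'C:\Sensitive'   # 4656/4663/4660/4670 now fire for that tree
```

The same pattern applies to the Registry rows with System.Security.AccessControl.RegistryAuditRule on an HKLM: path. Audit every right on a busy directory and the Security log fills in minutes; pick the rights that matter for the object (here writes, deletes and permission changes) rather than FullControl.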

| Data Source | Component | Source | Relationship | Target | EventID | Event Name | Event Platform | Log Provider | Log Channel | Audit Category | Audit Sub-Category | Enable Commands | GPO Audit Policy (Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> ...) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Service | service metadata | service | started | None | 4 | Sysmon service state changed. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ServiceStateChange | None | <ServiceStateChange onmatch="exclude" /> | None |
| Service | service metadata | service | stopped | None | 4 | Sysmon service state changed. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ServiceStateChange | None | <ServiceStateChange onmatch="exclude" /> | None |
| Active Directory | active directory object access | user | accessed | ad object | 4662 | An operation was performed on an object. | Windows | Microsoft-Windows-Security-Auditing | Security | DS Access | Directory Service Access | auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable | DS Access -> Audit Directory Service Access |
| File | file access | user | accessed | file | 4663 | An attempt was made to access an object. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | auditpol /set /subcategory:"File System" /success:enable /failure:enable | Object Access -> Audit File System |
| Process | process access | user | accessed | process | 4663 | An attempt was made to access an object. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Kernel Object | auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable | Object Access -> Audit Kernel Object |
| Process | process access | user | accessed | process | OpenProcessApiCall | OpenProcessApiCall | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| Windows Registry | windows registry key access | user | accessed | windows registry key | 4663 | An attempt was made to access an object. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Object Access -> Audit Registry |
| Firewall | firewall rule modification | user | added | firewall rule | 2004 | A rule has been added to the Windows Defender Firewall exception list. | Windows | Microsoft-Windows-Windows Firewall With Advanced Security | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | None | None | None | None |
| Firewall | firewall rule modification | user | added | firewall rule | CreateRuleGroup | CreateRuleGroup | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| Network Share | network share access | user | attempted to access | network share | 5140 | A network share object was accessed. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File Share | auditpol /set /subcategory:"File Share" /success:enable /failure:enable | Object Access -> Audit File Share |
| Network Share | network share access | user | attempted to access | network share | 5145 | A network share object was checked to see whether client can be granted desired access. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Detailed File Share | auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable | Object Access -> Audit Detailed File Share |
| Network Share | network share access | user | attempted to access | network share | LogonSuccess | LogonSuccess | Windows | Microsoft Defender for Endpoint | DeviceLogonEvents | None | None | None | None |
| User Account | user account authentication | user | attempted to authenticate from | ip | 4624 | An account was successfully logged on. | Windows | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logon | auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Logon/Logoff -> Audit Logon |
| User Account | user account authentication | user | attempted to authenticate from | ip | 4625 | An account failed to log on. | Windows | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Account Lockout | auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable | Logon/Logoff -> Audit Account Lockout |
| User Account | user account authentication | user | attempted to authenticate from | ip | 4648 | A logon was attempted using explicit credentials. | Windows | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logon | auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Logon/Logoff -> Audit Logon |
| User Account | user account authentication | user | attempted to authenticate from | ip | LogonSuccess | LogonSuccess | Windows | Microsoft Defender for Endpoint | DeviceLogonEvents | None | None | None | None |
| User Account | user account authentication | user | attempted to authenticate from | ip | ConsoleLogin | ConsoleLogin | AWS | CloudTrail | None | AwsConsoleSignin | None | None | None |
| User Account | user account authentication | user | attempted to authenticate from | port | 4624 | An account was successfully logged on. | Windows | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logon | auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Logon/Logoff -> Audit Logon |
| User Account | user account authentication | user | attempted to authenticate from | port | 4625 | An account failed to log on. | Windows | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Account Lockout | auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable | Logon/Logoff -> Audit Account Lockout |
| User Account | user account authentication | user | attempted to authenticate from | port | 4648 | A logon was attempted using explicit credentials. | Windows | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logon | auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Logon/Logoff -> Audit Logon |
| User Account | user account authentication | user | attempted to authenticate from | port | LogonSuccess | LogonSuccess | Windows | Microsoft Defender for Endpoint | DeviceLogonEvents | None | None | None | None |
| User Account | user account authentication | user | attempted to authenticate to | application | ConsoleLogin | ConsoleLogin | AWS | CloudTrail | None | AwsConsoleSignin | None | None | None |
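
The rows mapping "user attempted to authenticate from ip/port" to 4624, 4625 and 4648 become useful once the per-event XML fields are pulled out: TargetUserName, LogonType, IpAddress, IpPort, and for 4625 the Status/SubStatus pair that says why the logon failed. One point the subcategory column does not make explicit: ordinary failed logons are produced by Audit Logon with failure auditing on; the Account Lockout subcategory listed against 4625 covers only the failures caused by an already locked account, so the Logon subcategory that the 4624/4648 rows enable with /failure:enable is what delivers most 4625 events. The PowerShell below is an added example, not from the mapping table or any project: it reads these three events for the last N hours and summarises failures per source address, flagging the address-to-many-users shape of password spraying and any success from the same address after the failures. The function name, the threshold and the field selection are this example's choices; the field names are the events' own EventData names.

```powershell
# Added example: turn the 4624/4625/4648 rows into a per-source summary.
# Function name and threshold are this example's own; the field names are the
# EventData names of the events themselves.

function Get-LogonSummary {
    param(
        [int]$Hours = 24,
        [int]$FailureThreshold = 10
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4625, 4648; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            User      = $d['TargetUserName']
            Domain    = $d['TargetDomainName']
            LogonType = $d['LogonType']
            Ip        = $d['IpAddress']
            Port      = $d['IpPort']
            Status    = $d['Status']      # 4625 only
            SubStatus = $d['SubStatus']   # 4625 only: 0xc000006a bad password, 0xc0000064 no such user
        }
    }

    # Group by source address. Many users from one address is spraying; many failures
    # for one user is guessing; a 4624 from the same address after the failures is the
    # session to investigate.
    $rows | Where-Object { $_.Ip -and $_.Ip -ne '-' } | Group-Object Ip | ForEach-Object {
        $fail = @($_.Group | Where-Object Id -eq 4625 | Sort-Object Time)
        if ($fail.Count -lt $FailureThreshold) { return }
        $firstFail = $fail[0].Time
        $ok = @($_.Group | Where-Object { $_.Id -eq 4624 -and $_.Time -gt $firstFail })
        [pscustomobject]@{
            Ip            = $_.Name
            Failures      = $fail.Count
            DistinctUsers = @($fail.User | Sort-Object -Unique).Count
            BadPassword   = @($fail | Where-Object SubStatus -eq '0xc000006a').Count
            UnknownUser   = @($fail | Where-Object SubStatus -eq '0xc0000064').Count
            LockedOut     = @($fail | Where-Object Status -eq '0xc0000234').Count
            LogonTypes    = ($fail.LogonType | Sort-Object -Unique) -join ','
            SuccessAfter  = $ok.Count
            SuccessUsers  = ($ok.User | Sort-Object -Unique) -join ','
        }
    }
}

# Usage (elevated; needs Audit Logon with /failure:enable for the 4625 rows):
# Get-LogonSummary -Hours 48 -FailureThreshold 20 | Sort-Object Failures -Descending | Format-Table -AutoSize
```

Logon type 3 (network) with a high UnknownUser count is the usual signature of a spray run against SMB or LDAP; type 10 (RemoteInteractive) points at RDP. The 4648 rows are deliberately kept in the raw set: a 4648 on the source host names the account whose credentials were supplied explicitly, which pairs with the 4624 it produced on the target.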

| Data Source | Component | Source | Relationship | Target | EventID | Event Name | Event Platform | Log Provider | Log Channel | Audit Category | Audit Sub-Category | Enable Commands | GPO Audit Policy (Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> ...) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Network Traffic | network connection creation | user | connected from | host | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | <NetworkConnect onmatch="exclude" /> | None |
| Network Traffic | network connection creation | user | connected from | host | InboundConnectionAccepted | InboundConnectionAccepted | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| Network Traffic | network connection creation | user | connected from | ip | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | <NetworkConnect onmatch="exclude" /> | None |
| Network Traffic | network connection creation | user | connected from | ip | InboundConnectionAccepted | InboundConnectionAccepted | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| Network Traffic | network connection creation | user | connected from | port | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | <NetworkConnect onmatch="exclude" /> | None |
| Network Traffic | network connection creation | user | connected from | port | InboundConnectionAccepted | InboundConnectionAccepted | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| Network Traffic | network connection creation | user | connected to | host | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | <NetworkConnect onmatch="exclude" /> | None |
| Network Traffic | network connection creation | user | connected to | host | ConnectionSuccess | ConnectionSuccess | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| Network Traffic | network connection creation | user | connected to | ip | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | <NetworkConnect onmatch="exclude" /> | None |
| Network Traffic | network connection creation | user | connected to | ip | ConnectionSuccess | ConnectionSuccess | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| Network Traffic | network connection creation | user | connected to | port | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | <NetworkConnect onmatch="exclude" /> | None |
| Network Traffic | network connection creation | user | connected to | port | ConnectionSuccess | ConnectionSuccess | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| Active Directory | active directory object creation | user | created | ad object | 5137 | A directory service object was created. | Windows | Microsoft-Windows-Security-Auditing | Security | DS Access | Directory Service Changes | auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | DS Access -> Audit Directory Service Changes |
| File | file creation | user | created | file | FileCreated | FileCreated | Windows | Microsoft Defender for Endpoint | DeviceFileEvents | None | None | None | None |
| Instance | instance creation | user | created | instance | RunInstances | RunInstances | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| Instance | instance creation | user | created instance from | ip | RunInstances | RunInstances | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| Logon Session | logon session creation | user | created | logon session | 4624 | An account was successfully logged on. | Windows | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logon | auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Logon/Logoff -> Audit Logon |
| Logon Session | logon session creation | user | created | logon session | 4778 | A session was reconnected to a Window Station. | Windows | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Other Logon/Logoff Events | auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable | Logon/Logoff -> Audit Other Logon/Logoff Events |
| Logon Session | logon session creation | user | created | logon session | 4964 | Special groups have been assigned to a new logon. | Windows | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Special Logon | auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable | Logon/Logoff -> Audit Special Logon |
| Logon Session | logon session creation | user | created | logon session | LogonSuccess | LogonSuccess | Windows | Microsoft Defender for Endpoint | DeviceLogonEvents | None | None | None | None |
| Logon Session | logon session creation | user | created logon session from | ip | 4624 | An account was successfully logged on. | Windows | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logon | auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Logon/Logoff -> Audit Logon |
| Logon Session | logon session creation | user | created logon session from | ip | 4778 | A session was reconnected to a Window Station. | Windows | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Other Logon/Logoff Events | auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable | Logon/Logoff -> Audit Other Logon/Logoff Events |
| Logon Session | logon session creation | user | created logon session from | ip | LogonSuccess | LogonSuccess | Windows | Microsoft Defender for Endpoint | DeviceLogonEvents | None | None | None | None |
| Logon Session | logon session creation | user | created logon session from | port | 4624 | An account was successfully logged on. | Windows | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logon | auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Logon/Logoff -> Audit Logon |
| Logon Session | logon session creation | user | created logon session from | port | LogonSuccess | LogonSuccess | Windows | Microsoft Defender for Endpoint | DeviceLogonEvents | None | None | None | None |
| Network Share | network share creation | user | created | network share | 5142 | A network share object was added. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File Share | auditpol /set /subcategory:"File Share" /success:enable /failure:enable | Object Access -> Audit File Share |
| Process | process creation | user | created | process | 4688 | A new process has been created. | Windows | Microsoft-Windows-Security-Auditing | Security | Detailed Tracking | Process Creation | auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Detailed Tracking -> Audit Process Creation |
| Process | process creation | user | created | process | 1 | Process Creation. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ProcessCreate | None | <ProcessCreate onmatch="exclude" /> | None |
| Process | process creation | user | created | process | ProcessCreated | ProcessCreated | Windows | Microsoft Defender for Endpoint | DeviceProcessEvents | None | None | None | None |
| Scheduled Job | scheduled job creation | user | created | scheduled job | 4698 | A scheduled task was created. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Other Object Access Events | auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable | Object Access -> Audit Other Object Access Events |
| Scheduled Job | scheduled job creation | user | created | scheduled job | ScheduledTaskCreated | ScheduledTaskCreated | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| Service | service creation | user | created | service | 4697 | A service was installed in the system. | Windows | Microsoft-Windows-Security-Auditing | Security | System | Security System Extension | auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable | System -> Audit Security System Extension |
| Service | service creation | user | created | service | 7045 | A new service was installed in the system. | Windows | Service Control Manager | System | None | None | None | None |
| Service | service creation | user | created | service | ServiceInstalled | ServiceInstalled | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| User Account | user account creation | user | created | user | 4720 | A user account was created. | Windows | Microsoft-Windows-Security-Auditing | Security | Account Management | User Account Management | auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable | Account Management -> Audit User Account Management |
| User Account | user account creation | user | created | user | UserAccountCreated | UserAccountCreated | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| WMI | wmi creation | user | created | wmi object | 19 | WmiEvent (WmiEventFilter activity detected). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | WmiEvent | None | <WmiEvent onmatch="exclude" /> | None |
| WMI | wmi creation | user | created | wmi object | 20 | WmiEvent (WmiEventConsumer activity detected). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | WmiEvent | None | <WmiEvent onmatch="exclude" /> | None |
| WMI | wmi creation | user | created | wmi object | 21 | WmiEvent (WmiEventConsumerToFilter activity detected). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | WmiEvent | None | <WmiEvent onmatch="exclude" /> | None |
| WMI | wmi creation | user | created | wmi object | WmiBindEventFilterToConsumer | WmiBindEventFilterToConsumer | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| Active Directory | active directory object deletion | user | deleted | ad object | 5141 | A directory service object was deleted. | Windows | Microsoft-Windows-Security-Auditing | Security | DS Access | Directory Service Changes | auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | DS Access -> Audit Directory Service Changes |
| File | file deletion | user | deleted | file | 23 | File Delete archived. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileDelete | None | <FileDelete onmatch="exclude" /> | None |
| File | file deletion | user | deleted | file | 26 | File Delete logged. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileDeleteDetected | None | <FileDeleteDetected onmatch="exclude" /> | None |
| File | file deletion | user | deleted | file | 4660 | An object was deleted. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | auditpol /set /subcategory:"File System" /success:enable /failure:enable | Object Access -> Audit File System |
| File | file deletion | user | deleted | file | FileDeleted | FileDeleted | Windows | Microsoft Defender for Endpoint | DeviceFileEvents | None | None | None | None |
| Network Share | network share deletion | user | deleted | network share | 5144 | A network share object was deleted. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File Share | auditpol /set /subcategory:"File Share" /success:enable /failure:enable | Object Access -> Audit File Share |
| Scheduled Job | scheduled job deletion | user | deleted | scheduled job | 4699 | A scheduled task was deleted. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Other Object Access Events | auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable | Object Access -> Audit Other Object Access Events |
| Scheduled Job | scheduled job deletion | user | deleted | scheduled job | ScheduledTaskDeleted | ScheduledTaskDeleted | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| User Account | user account deletion | user | deleted | user | 4726 | A user account was deleted. | Windows | Microsoft-Windows-Security-Auditing | Security | Account Management | User Account Management | auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable | Account Management -> Audit User Account Management |
| User Account | user account deletion | user | deleted | user | UserAccountDeleted | UserAccountDeleted | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| Windows Registry | windows registry key deletion | user | deleted | windows registry key | 4660 | An object was deleted. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Object Access -> Audit Registry |
| Windows Registry | windows registry key deletion | user | deleted | windows registry key | RegistryKeyDeleted | RegistryKeyDeleted | Windows | Microsoft Defender for Endpoint | DeviceRegistryEvents | None | None | None | None |
| WMI | wmi deletion | user | deleted | wmi object | 19 | WmiEvent (WmiEventFilter activity detected). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | WmiEvent | None | <WmiEvent onmatch="exclude" /> | None |
| WMI | wmi deletion | user | deleted | wmi object | 20 | WmiEvent (WmiEventConsumer activity detected). | Windows | Microsoft-Windows-Sysmon | Micro-Windows-Sysmon/Operational | WmiEvent | None | <WmiEvent onmatch="exclude" /> | None |
| WMI | wmi deletion | user | deleted | wmi object | 21 | WmiEvent (WmiEventConsumerToFilter activity detected). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | WmiEvent | None | <WmiEvent onmatch="exclude" /> | None |
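
Every Sysmon row in this table gives a bare rule element such as `<WmiEvent onmatch="exclude" />` as its Enable Command. That is a complete rule: with no child filters, onmatch="exclude" means "exclude nothing", so every event of that type is logged. That is the right default for ProcessCreate, WmiEvent and the FileDelete pair, and far too much for ImageLoad or RegistryEvent, which need onmatch="include" with a filter to stay usable. The PowerShell below is an added example, not from the mapping table or the Sysmon project: it assembles a configuration from the rule names used on this page, writes it, and applies it with sysmon64. The output path, the split between log-everything and include-only rules, the three include filters and the schemaversion are this example's choices; the schemaversion must not exceed what `sysmon64 -s` reports on the host.

```powershell
# Added example: build and apply a Sysmon configuration from the rule names on this page.
# The file path, the list split and the three include filters are this example's choices;
# schemaversion must not exceed what `sysmon64 -s` on the host reports.

function New-SysmonConfig {
    param(
        [string]$Path = "$env:ProgramData\sysmon-ds-mappings.xml",
        # onmatch="exclude" with no child filters logs every event of that type.
        [string[]]$LogAll = @('ProcessCreate', 'FileCreateTime', 'NetworkConnect', 'CreateRemoteThread',
                              'FileCreate', 'WmiEvent', 'FileDelete', 'FileDeleteDetected'),
        # onmatch="include" logs only matches; unfiltered, these would flood the channel.
        [hashtable]$IncludeOnly = @{
            ProcessAccess = '<TargetImage condition="end with">\lsass.exe</TargetImage>'
            ImageLoad     = '<Signed condition="is">false</Signed>'
            RegistryEvent = '<TargetObject condition="contains">\CurrentVersion\Run</TargetObject>'
        }
    )
    $rules = @(foreach ($r in $LogAll) { "    <$r onmatch=`"exclude`" />" })
    $rules += foreach ($k in ($IncludeOnly.Keys | Sort-Object)) {
        "    <$k onmatch=`"include`">`n      $($IncludeOnly[$k])`n    </$k>"
    }
    # 4.90 is the Sysmon 15 schema; lower it to match `sysmon64 -s` on older installs.
    $xml = @"
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
$($rules -join "`n")
  </EventFiltering>
</Sysmon>
"@
    Set-Content -LiteralPath $Path -Value $xml -Encoding UTF8
    $Path
}

function Install-SysmonConfig {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        # After -i Sysmon copies itself into %WINDIR%, which is on PATH; point this at the
        # downloaded binary for the first install.
        [string]$Sysmon = 'sysmon64.exe'
    )
    if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
        & $Sysmon -c $ConfigPath               # update the running service's configuration
    } else {
        & $Sysmon -accepteula -i $ConfigPath   # install the driver and service with it
    }
    & $Sysmon -c                               # no file: print the active configuration
}

# Usage (elevated):
# Install-SysmonConfig -ConfigPath (New-SysmonConfig)
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } -MaxEvents 5
```

The ProcessAccess include on lsass.exe is the classic credential-dumping filter and will still match legitimate readers (antivirus, some monitoring agents); tune by adding `<SourceImage condition="is">` entries rather than widening the exclude list. Rules for an event type that is absent from EventFiltering altogether default to the schema's own include/exclude default, so list every event type you care about explicitly.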

| Data Source | Component | Source | Relationship | Target | EventID | Event Name | Event Platform | Log Provider | Log Channel | Audit Category | Audit Sub-Category | Enable Commands | GPO Audit Policy (Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> ...) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Scheduled Job | scheduled job modification | user | disabled | scheduled job | 4701 | A scheduled task was disabled. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Other Object Access Events | auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable | Object Access -> Audit Other Object Access Events |
| Scheduled Job | scheduled job modification | user | disabled | scheduled job | ScheduledTaskModified | ScheduledTaskModified | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| User Account | user account modification | user | disabled | user | 4725 | A user account was disabled. | Windows | Microsoft-Windows-Security-Auditing | Security | Account Management | User Account Management | auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable | Account Management -> Audit User Account Management |
| User Account | user account modification | user | disabled | user | UserAccountModified | UserAccountModified | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| Scheduled Job | scheduled job modification | user | enabled | scheduled job | 4700 | A scheduled task was enabled. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Other Object Access Events | auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable | Object Access -> Audit Other Object Access Events |
| Scheduled Job | scheduled job modification | user | enabled | scheduled job | ScheduledTaskModified | ScheduledTaskModified | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| User Account | user account modification | user | enabled | user | 4722 | A user account was enabled. | Windows | Microsoft-Windows-Security-Auditing | Security | Account Management | User Account Management | auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable | Account Management -> Audit User Account Management |
| User Account | user account modification | user | enabled | user | UserAccountModified | UserAccountModified | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| Command | command execution | user | executed | command | 4688 | A new process has been created. | Windows | Microsoft-Windows-Security-Auditing | Security | Detailed Tracking | Process Creation | auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Detailed Tracking -> Audit Process Creation |
| Command | command execution | user | executed | command | 1 | Process Creation. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ProcessCreate | None | <ProcessCreate onmatch="exclude" /> | None |
| Command | command execution | user | executed | command | 4103 | Module logging. | Windows | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | Executing Pipeline | None | None | None |
| Command | command execution | user | executed | command | ProcessCreated | ProcessCreated | Windows | Microsoft Defender for Endpoint | DeviceProcessEvents | None | None | None | None |
| User Account | user account modification | user | granted access to | user | 4717 | System security access was granted to an account. |

Windows

Microsoft-Windows-Security-Auditing

Security

Policy Change

Authentication Policy Change

auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit Authentication Policy Change

Firewall

firewall enumeration

user

listed

firewall rule

ListRuleGroups

ListRuleGroups

AWS

CloudTrail

None

AwsApiCall

None

None

None

User Account

user account modification

user

locked

user

4740

A user account was locked out.

Windows

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

Active Directory

active directory object modification

user

modified

ad object

5136

A directory service object was modified.

Windows

Microsoft-Windows-Security-Auditing

Security

DS Access

Directory Service Changes

auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes

Active Directory

active directory object modification

user

modified

ad object

5139

A directory service object was moved.

Windows

Microsoft-Windows-Security-Auditing

Security

DS Access

Directory Service Changes

auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes

Cloud Service

cloud service modification

user

modified

cloud service

UpdateTrail

UpdateTrail

AWS

CloudTrail

None

AwsApiCall

None

None

None

File

file modification

user

modified

file

4670

Permissions on an object were changed.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

File System

auditpol /set /subcategory:"File System" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System

File

file modification

user

modified

file

DeviceFileEvents

DeviceFileEvents

Windows

Windows Defender Advanced Threat Protection

None

None

None

None

None

Firewall

firewall rule modification

user

modified

firewall rule

2005

A rule has been modified in the Windows Defender Firewall exception list.

Windows

Microsoft-Windows-Windows Firewall With Advanced Security

Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

None

None

None

None

Firewall

firewall rule modification

user

modified

firewall rule

UpdateRuleGroup

UpdateRuleGroup

AWS

CloudTrail

None

AwsApiCall

None

None

None

Instance

instance modification

user

modified

instance

ModifyInstanceAttribute

ModifyInstanceAttribute

AWS

CloudTrail

None

AwsApiCall

None

None

None

Network Share

network share modification

user

modified

network share

5143

A network share object was modified.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

File Share

auditpol /set /subcategory:"File Share" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share

Scheduled Job

scheduled job modification

user

modified

schedule job

4702

A scheduled task was updated.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Other Object Access Events

auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events

Scheduled Job

scheduled job modification

user

modified

schedule job

ScheduledTaskUpdated

ScheduledTaskUpdated

Windows

Microsoft Defender for Endpoint

DeviceEvents

None

None

None

None

User Account

user account modification

user

modified

user

4738

A user account was changed.

Windows

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

User Account

user account modification

user

modified

user

4781

The name of an account was changed.

Windows

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

User Account

user account modification

user

modified

user

UserAccountModified

UserAccountModified

Windows

Microsoft Defender for Endpoint

DeviceEvents

None

None

None

None

Windows Registry

windows registry key modification

user

modified

windows registry key

4670

Permissions on an object were changed.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Registry

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry

Windows Registry

windows registry key modification

user

modified

windows registry key

RegistryKeySet

RegistryKeySet

Windows

Microsoft Defender for Endpoint

DeviceRegistryEvents

None

None

None

None

Windows Registry

windows registry key modification

user

modified

windows registry key value

4657

A registry value was modified.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Registry

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry

Windows Registry

windows registry key modification

user

modified

windows registry key value

RegistryValueSet

RegistryValueSet

Windows

Microsoft Defender for Endpoint

DeviceRegistryEvents

None

None

None

None

User Account

user account modification

user

removed access from

user

4718

System security access was removed from an account.

Windows

Microsoft-Windows-Security-Auditing

Security

Policy Change

Authentication Policy Change

auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit Authentication Policy Change

Firewall

firewall rule modification

user

removed

firewall rule

2006

A rule has been deleted in the Windows Defender Firewall exception list

Windows

Microsoft-Windows-Windows Firewall With Advanced Security

Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

None

None

None

None

Firewall

firewall rule modification

user

removed

firewall rule

DeleteRuleGroup

DeleteRuleGroup

AWS

CloudTrail

None

AwsApiCall

None

None

None

Active Directory

active directory object access

user

requested access to

ad object

4661

A handle to an object was requested.

Windows

Microsoft-Windows-Security-Auditing

Security

DS Access

Directory Service Access

auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Access

File

file access

user

requested access to

file

4656

A handle to an object was requested.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

File System

auditpol /set /subcategory:"File System" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System

File

file access

user

requested access to

file

4661

A handle to an object was requested.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

SAM

auditpol /set /subcategory:"SAM" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit SAM

Service

service access

user

requested access to

service

4656

A handle to an object was requested.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Other Object Access Events

auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events

Windows Registry

windows registry key access

user

requested access to

windows registry key

4656

A handle to an object was requested.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Registry

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry

Active Directory

active directory credential request

user

requested

ad credential

4768

A Kerberos authentication ticket (TGT) was requested.

Windows

Microsoft-Windows-Security-Auditing

Security

Account Logon

Kerberos Authentication Service

auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> Audit Kerberos Authentication Service

Active Directory

active directory credential request

user

requested

ad credential

4769

A Kerberos service ticket was requested.

Windows

Microsoft-Windows-Security-Auditing

Security

Account Logon

Kerberos Service Ticket Operations

auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> Audit Kerberos Service Ticket Operations

Cloud Service

cloud service metadata

user

retrieved information about

cloud service

GetTrail

GetTrail

AWS

CloudTrail

None

AwsApiCall

None

None

None

Cloud Service

cloud service metadata

user

retrieved information about

cloud service

GetTrailStatus

GetTrailStatus

AWS

CloudTrail

None

AwsApiCall

None

None

None

Cloud Service

cloud service metadata

user

retrieved information about

cloud service

DescribeTrails

DescribeTrails

AWS

CloudTrail

None

AwsApiCall

None

None

None

Cloud Service

cloud service metadata

user

retrieved information about

cloud service

GetEventSelectors

GetEventSelectors

AWS

CloudTrail

None

AwsApiCall

None

None

None

Cloud Service

cloud service metadata

user

retrieved information about

cloud service

GetInsightSelectors

GetInsightSelectors

AWS

CloudTrail

None

AwsApiCall

None

None

None

Cloud Service

cloud service metadata

user

retrieved information about cloud service from

ip

GetTrail

GetTrail

AWS

CloudTrail

None

AwsApiCall

None

None

None

Cloud Service

cloud service metadata

user

retrieved information about cloud service from

ip

GetTrailStatus

GetTrailStatus

AWS

CloudTrail

None

AwsApiCall

None

None

None

Cloud Service

cloud service metadata

user

retrieved information about cloud service from

ip

DescribeTrails

DescribeTrails

AWS

CloudTrail

None

AwsApiCall

None

None

None

Cloud Service

cloud service metadata

user

retrieved information about cloud service from

ip

GetEventSelectors

GetEventSelectors

AWS

CloudTrail

None

AwsApiCall

None

None

None

Cloud Service

cloud service metadata

user

retrieved information about cloud service from

ip

GetInsightSelectors

GetInsightSelectors

AWS

CloudTrail

None

AwsApiCall

None

None

None

Firewall

firewall metadata

user

retrieved information about

firewall

DescribeFirewall

DescribeFirewall

AWS

CloudTrail

None

AwsApiCall

None

None

None

Firewall

firewall metadata

user

retrieved information about

firewall

DescribeFirewallPolicy

DescribeFirewallPolicy

AWS

CloudTrail

None

AwsApiCall

None

None

None

Logon Session

logon session termination

user

terminated

logon session

4634

An account was logged off.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Logoff

auditpol /set /subcategory:"Logoff" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logoff

Process

process termination

user

terminated

process

4689

A process has exited.

Windows

Microsoft-Windows-Security-Auditing

Security

Detailed Tracking

Process Termination

auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Termination

User Account

user account modification

user

unlocked

user

4767

A user account was unlocked.

Windows

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management
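The Enable Commands column only tells you which subcategory each Security-channel event depends on; it does not tell you whether a given host actually has it on. The following script, added here as an example and not part of OSSEM, checks that. `SECURITY_ROWS` is a subset of the mapping rows above (EventID to component, relationship and Audit Sub-Category), `AUDITPOL_OUTPUT` is a constructed sample in the shape `auditpol /get /category:*` prints on an English-language system, and `live_policy` is the hypothetical helper that would run the real command instead.

```python
"""Audit-policy coverage check for the Security-channel rows above.

Added example, not OSSEM tooling.  SECURITY_ROWS is a subset of the mapping
(EventID -> component, relationship, Audit Sub-Category); AUDITPOL_OUTPUT is a
constructed sample in the shape of `auditpol /get /category:*` on an English system.
"""
import subprocess

SECURITY_ROWS = {
    4634: ("logon session termination", "user terminated logon session", "Logoff"),
    4657: ("windows registry key modification", "user modified windows registry key value", "Registry"),
    4688: ("command execution", "user executed command", "Process Creation"),
    4689: ("process termination", "user terminated process", "Process Termination"),
    4700: ("scheduled job modification", "user enabled scheduled job", "Other Object Access Events"),
    4701: ("scheduled job modification", "user disabled scheduled job", "Other Object Access Events"),
    4702: ("scheduled job modification", "user modified scheduled job", "Other Object Access Events"),
    4717: ("user account modification", "user granted access to user", "Authentication Policy Change"),
    4718: ("user account modification", "user removed access from user", "Authentication Policy Change"),
    4722: ("user account modification", "user enabled user", "User Account Management"),
    4725: ("user account modification", "user disabled user", "User Account Management"),
    4738: ("user account modification", "user modified user", "User Account Management"),
    4740: ("user account modification", "user locked user", "User Account Management"),
    4768: ("active directory credential request", "user requested ad credential", "Kerberos Authentication Service"),
    4769: ("active directory credential request", "user requested ad credential", "Kerberos Service Ticket Operations"),
    5136: ("active directory object modification", "user modified ad object", "Directory Service Changes"),
    5143: ("network share modification", "user modified network share", "File Share"),
}

# Constructed sample of `auditpol /get /category:*` output (not from a real host).
AUDITPOL_OUTPUT = """\
System audit policy
Category/Subcategory                      Setting
Account Management
  User Account Management                 Success and Failure
Detailed Tracking
  Process Creation                        Success
  Process Termination                     No Auditing
Object Access
  File Share                              Success
  Registry                                No Auditing
  Other Object Access Events              No Auditing
Policy Change
  Authentication Policy Change            Success and Failure
Logon/Logoff
  Logoff                                  Success
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Kerberos Authentication Service         Failure
DS Access
  Directory Service Changes               No Auditing
"""

# Longest first, so "Success and Failure" is not mis-read as "Failure".
SETTINGS = ("Success and Failure", "No Auditing", "Success", "Failure")


def parse_auditpol(text):
    """Return {subcategory: setting}.  Subcategory lines are indented; the
    two-line banner and the category headers are not."""
    policy = {}
    for line in text.splitlines():
        if not line.startswith("  "):
            continue
        line = line.rstrip()
        for setting in SETTINGS:
            if line.endswith(setting):
                policy[line[: -len(setting)].strip()] = setting
                break
    return policy


def coverage_gaps(policy, rows=SECURITY_ROWS):
    """Rows whose subcategory does not audit Success.  Every event in
    SECURITY_ROWS is written on success; 4768/4769 also have failure variants,
    which is why auditpol_fix enables both."""
    gaps = []
    for event_id, (_component, relationship, subcategory) in sorted(rows.items()):
        setting = policy.get(subcategory, "No Auditing")
        if "Success" not in setting:
            gaps.append((event_id, relationship, subcategory, setting))
    return gaps


def auditpol_fix(gaps):
    """One enable command per missing subcategory, in the table's Enable Commands form."""
    return [f'auditpol /set /subcategory:"{sub}" /success:enable /failure:enable'
            for sub in sorted({g[2] for g in gaps})]


def live_policy():
    """Hypothetical helper: run on a Windows host (elevated) instead of the sample.
    auditpol output is localized on non-English systems; adjust SETTINGS there."""
    out = subprocess.run(["auditpol", "/get", "/category:*"],
                         capture_output=True, text=True, check=True).stdout
    return parse_auditpol(out)


if __name__ == "__main__":
    gaps = coverage_gaps(parse_auditpol(AUDITPOL_OUTPUT))
    for event_id, relationship, subcategory, setting in gaps:
        print(f"{event_id}  {relationship:45} needs '{subcategory}' (currently: {setting})")
    print("\n".join(auditpol_fix(gaps)))
```

Two caveats the subcategory check cannot catch: the Object Access rows (4656, 4657, 4670 under File System, Registry and File Share) only fire for objects that carry a SACL, so "Success" on the subcategory is necessary but not sufficient; and 4688 carries an empty CommandLine field unless the separate "Include command line in process creation events" policy is also enabled.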
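The "user executed command" relationship is served by three different Windows providers above (Security 4688, Sysmon 1 and PowerShell 4103), each with its own field names. The script below, added here as an example and not OSSEM code, keys on the (Log Channel, EventID) pairs from the mapping to normalize all three into one record shape, so detection logic can match on the relationship rather than on the provider. The XML samples are constructed in the shape `Get-WinEvent` emits via `.ToXml()`; the host, user and the `schtasks`/`Disable-ScheduledTask` activity in them are invented.

```python
"""Normalize 'user executed command' across the three Windows providers the
mapping lists for it: Security 4688, Sysmon 1 and PowerShell 4103.

Added example, not OSSEM code.  The XML samples are constructed; host and user
names are invented.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# (Log Channel, EventID) -> relationship, from the mapping rows above
COMMAND_EXECUTION = {
    ("Security", 4688): "user executed command",
    ("Microsoft-Windows-Sysmon/Operational", 1): "user executed command",
    ("Microsoft-Windows-PowerShell/Operational", 4103): "user executed command",
}

SEC_4688 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID>
<Channel>Security</Channel><Computer>ws01.corp.example</Computer></System>
<EventData><Data Name="SubjectUserName">alice</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="NewProcessName">C:\Windows\System32\schtasks.exe</Data>
<Data Name="CommandLine">schtasks /Change /TN "Backup" /DISABLE</Data></EventData></Event>"""

SYSMON_1 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ws01.corp.example</Computer></System>
<EventData><Data Name="User">CORP\alice</Data>
<Data Name="Image">C:\Windows\System32\schtasks.exe</Data>
<Data Name="CommandLine">schtasks /Change /TN "Backup" /DISABLE</Data></EventData></Event>"""

PS_4103 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4103</EventID>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>ws01.corp.example</Computer></System>
<EventData><Data Name="ContextInfo">        Severity = Informational
        Host Name = ConsoleHost
        User = CORP\alice
        Command Name = Disable-ScheduledTask
        Command Type = Function</Data>
<Data Name="Payload">ParameterBinding(Disable-ScheduledTask): name="TaskName"; value="Backup"</Data>
</EventData></Event>"""

SEC_4634 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4634</EventID>
<Channel>Security</Channel><Computer>ws01.corp.example</Computer></System>
<EventData><Data Name="TargetUserName">alice</Data></EventData></Event>"""

SAMPLE_EVENTS = [SEC_4688, SYSMON_1, PS_4103, SEC_4634]  # constructed


def _event_data(root):
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}


def _ctx(blob, key):
    """Pull 'key = value' out of a 4103 ContextInfo block."""
    for line in blob.splitlines():
        k, _, v = line.partition("=")
        if k.strip() == key:
            return v.strip()
    return ""


def normalize(xml_text):
    """One event -> {channel, event_id, relationship, host, user, command}, or
    None when the (channel, EventID) pair is not a command-execution row."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    channel = system.findtext("e:Channel", namespaces=NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    relationship = COMMAND_EXECUTION.get((channel, event_id))
    if relationship is None:
        return None
    data = _event_data(root)
    if channel == "Security":
        user = f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}"
        # CommandLine is empty unless "Include command line in process creation
        # events" is enabled; fall back to the image path so the record stays useful.
        command = data.get("CommandLine") or data.get("NewProcessName", "")
    elif event_id == 1:
        user, command = data.get("User", ""), data.get("CommandLine", "")
    else:  # 4103: user and command live inside the ContextInfo text block
        ctx = data.get("ContextInfo", "")
        user, command = _ctx(ctx, "User"), _ctx(ctx, "Command Name")
    return {"channel": channel, "event_id": event_id, "relationship": relationship,
            "host": system.findtext("e:Computer", namespaces=NS),
            "user": user, "command": command}


def find_commands(xml_events, needle):
    """Normalized records, whatever the provider, whose command mentions `needle`."""
    hits = []
    for xml_text in xml_events:
        rec = normalize(xml_text)
        if rec and needle.lower() in rec["command"].lower():
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_commands(SAMPLE_EVENTS, "disable"):
        print(f"{rec['channel']:40} {rec['event_id']:5} {rec['user']:12} {rec['command']}")
```

Feed it real events with `Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4688]]' | ForEach-Object { $_.ToXml() }` (and the same for the Sysmon and PowerShell channels); the Sysmon and 4103 records carry the command line by default, which is the practical reason the mapping lists them alongside 4688.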
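For the AWS rows the useful fields are eventName and eventType (the table puts eventType, `AwsApiCall`, in its Audit Category column), and the "retrieved information about cloud service from ip" rows make sourceIPAddress part of the relationship. The script below, added here as an example and not OSSEM code, classifies CloudTrail records with those rows and then applies a sequence rule of my own that is not in the table: a principal whose cloud service metadata reads (GetTrail, DescribeTrails and the rest) are followed shortly by an UpdateTrail. The log is constructed with the fields a real record carries; the account ID, ARNs, IPs and eventSource values are invented for the sample.

```python
"""Classify CloudTrail records with the AWS rows above (eventName -> Data Source,
Component, Relationship, Target) and flag a principal that read CloudTrail
configuration and then changed it.

Added example, not OSSEM code.  SAMPLE_LOG is constructed; the account ID, ARNs,
IPs and eventSource strings are invented.  The recon-then-tamper sequence rule
is my own illustration of using the mapping, not part of the table.
"""
import json
from datetime import datetime, timedelta

AWS_ROWS = {  # eventName -> (Data Source, Component, Relationship, Target)
    "UpdateTrail": ("Cloud Service", "cloud service modification", "modified", "cloud service"),
    "GetTrail": ("Cloud Service", "cloud service metadata", "retrieved information about", "cloud service"),
    "GetTrailStatus": ("Cloud Service", "cloud service metadata", "retrieved information about", "cloud service"),
    "DescribeTrails": ("Cloud Service", "cloud service metadata", "retrieved information about", "cloud service"),
    "GetEventSelectors": ("Cloud Service", "cloud service metadata", "retrieved information about", "cloud service"),
    "GetInsightSelectors": ("Cloud Service", "cloud service metadata", "retrieved information about", "cloud service"),
    "ListRuleGroups": ("Firewall", "firewall enumeration", "listed", "firewall rule"),
    "UpdateRuleGroup": ("Firewall", "firewall rule modification", "modified", "firewall rule"),
    "DeleteRuleGroup": ("Firewall", "firewall rule modification", "removed", "firewall rule"),
    "DescribeFirewall": ("Firewall", "firewall metadata", "retrieved information about", "firewall"),
    "DescribeFirewallPolicy": ("Firewall", "firewall metadata", "retrieved information about", "firewall"),
    "ModifyInstanceAttribute": ("Instance", "instance modification", "modified", "instance"),
}


def _rec(time, source, name, arn, ip, etype="AwsApiCall"):
    """Build one constructed CloudTrail record with the fields classify() reads."""
    return {"eventVersion": "1.08", "eventTime": time, "eventSource": source,
            "eventName": name, "eventType": etype, "sourceIPAddress": ip,
            "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "arn": arn}}


ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
SAMPLE_LOG = json.dumps({"Records": [  # constructed; one S3-delivered file looks like this
    _rec("2024-05-01T09:58:00Z", "signin.amazonaws.com", "ConsoleLogin", ALICE, "203.0.113.10", "AwsConsoleSignIn"),
    _rec("2024-05-01T10:00:00Z", "cloudtrail.amazonaws.com", "GetTrailStatus", ALICE, "203.0.113.10"),
    _rec("2024-05-01T10:00:05Z", "cloudtrail.amazonaws.com", "DescribeTrails", ALICE, "203.0.113.10"),
    _rec("2024-05-01T10:04:30Z", "cloudtrail.amazonaws.com", "UpdateTrail", ALICE, "203.0.113.10"),
    _rec("2024-05-01T10:10:00Z", "network-firewall.amazonaws.com", "DescribeFirewallPolicy", BOB, "198.51.100.7"),
    _rec("2024-05-01T10:12:00Z", "ec2.amazonaws.com", "ModifyInstanceAttribute", BOB, "198.51.100.7"),
]})


def load_records(text):
    """CloudTrail delivers gzipped JSON files shaped {"Records": [...]}; parse one."""
    return json.loads(text)["Records"]


def classify(record):
    """Annotate one API-call record with the table's columns, or return None for
    eventTypes (e.g. the console sign-in) and eventNames the rows do not map."""
    if record.get("eventType") != "AwsApiCall":
        return None
    row = AWS_ROWS.get(record.get("eventName"))
    if row is None:
        return None
    data_source, component, relationship, target = row
    identity = record.get("userIdentity", {})
    return {"time": datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "principal": identity.get("arn") or identity.get("type"),
            "ip": record.get("sourceIPAddress"), "event_name": record["eventName"],
            "data_source": data_source, "component": component,
            "relationship": relationship, "target": target}


def recon_then_tamper(records, window=timedelta(minutes=30)):
    """Per principal: 'cloud service metadata' reads followed within `window` by a
    'cloud service modification'.  Source IPs are kept because the table tracks
    'retrieved information about cloud service from ip' as its own relationship."""
    by_principal = {}
    for rec in sorted(filter(None, map(classify, records)), key=lambda r: r["time"]):
        by_principal.setdefault(rec["principal"], []).append(rec)
    alerts = []
    for principal, recs in by_principal.items():
        for i, change in enumerate(recs):
            if change["component"] != "cloud service modification":
                continue
            recon = [r for r in recs[:i] if r["component"] == "cloud service metadata"
                     and change["time"] - r["time"] <= window]
            if recon:
                alerts.append({"principal": principal, "change": change["event_name"],
                               "recon": [r["event_name"] for r in recon],
                               "ips": sorted({r["ip"] for r in recon + [change]})})
    return alerts


if __name__ == "__main__":
    records = load_records(SAMPLE_LOG)
    for c in filter(None, map(classify, records)):
        print(f"{c['principal']:40} {c['relationship']:30} {c['target']:15} {c['event_name']}")
    print(recon_then_tamper(records))
```

Against a real delivery prefix you would gunzip each object under `AWSLogs/<account>/CloudTrail/` and pass its text to `load_records`; the mapping rows are the only thing that changes when you extend `AWS_ROWS` to other services.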