Relationships to Events

| Source | Relationship | Target | EventID | Event Name | Event Platform | Log Provider | Log Channel | Audit Category | Audit Sub-Category | Enable Commands | GPO Audit Policy |
|---|---|---|---|---|---|---|---|---|---|---|---|
| application | authenticated | user | ConsoleLogin | ConsoleLogin | AWS | CloudTrail | None | AwsConsoleSignin | None | None | None |
| application domain | started | None | 53504 | Windows PowerShell has started an IPC listening thread on a process in AppDomain. | Windows | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | PowerShell Named Pipe IPC | None | None | None |
| application host | started | None | 400 | Engine state is changed from None to Available. | Windows | PowerShell | Windows PowerShell | Engine Lifecycle | None | None | None |
| driver | loaded | None | 6 | Driver loaded. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | DriverLoad | None | `<DriverLoad onmatch="exclude" />` | None |
| firewall | started | None | 5024 | The Windows Firewall Service has started successfully. | Windows | Microsoft-Windows-Security-Auditing | Security | System | Other System Events | `auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Other System Events |
| firewall | stopped | None | 5025 | The Windows Firewall Service has been stopped. | Windows | Microsoft-Windows-Security-Auditing | Security | System | Other System Events | `auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Other System Events |
| host | blocked connection from | ip | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked connection from | port | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked connection from | process | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked connection to | ip | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked connection to | port | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked connection to | process | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked connection to | process | 5031 | The Windows Firewall Service blocked an application from accepting incoming connections on the network. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked listener on | ip | 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked listener on | port | 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked listener on | process | 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked port bind on | ip | 5159 | The Windows Filtering Platform has blocked a bind to a local port. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked port bind on | port | 5159 | The Windows Filtering Platform has blocked a bind to a local port. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked port bind on | process | 5159 | The Windows Filtering Platform has blocked a bind to a local port. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | permitted listener on | ip | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | permitted listener on | port | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | permitted listener on | process | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | permitted port bind on | process | 5158 | The Windows Filtering Platform has permitted a bind to a local port. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | permitted port bind on | ip | 5158 | The Windows Filtering Platform has permitted a bind to a local port. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | permitted port bind on | port | 5158 | The Windows Filtering Platform has permitted a bind to a local port. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| logon session | modified | None | 4672 | Special privileges assigned to new logon. | Windows | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Special Logon | `auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Special Logon |
| process | attempted to access | file | 4663 | An attempt was made to access an object. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
| process | accessed | process | 10 | ProcessAccess. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ProcessAccess | None | `<ProcessAccess onmatch="exclude" />` | None |
| process | added | firewall rule | 2004 | A rule has been added to the Windows Defender Firewall exception list | Windows | Microsoft-Windows-Windows Firewall With Advanced Security | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | None | None | None | None |
| process | attempted connection from | ip | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | attempted connection from | port | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | attempted connection to | ip | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | attempted connection to | port | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | attempted to access | process | 4663 | An attempt was made to access an object. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Kernel Object | `auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Kernel Object |
| process | attempted to access | windows registry key | 4663 | An attempt was made to access an object. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | `auditpol /set /subcategory:"Registry" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
| process | attempted to bind on | port | 5159 | The Windows Filtering Platform has blocked a bind to a local port. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | attempted to listen on | port | 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | bound to | port | 5158 | The Windows Filtering Platform has permitted a bind to a local port. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | connected from | host | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | `<NetworkConnect onmatch="exclude" />` | None |
| process | connected from | ip | 5156 | The Windows Filtering Platform has permitted a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | connected from | ip | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | `<NetworkConnect onmatch="exclude" />` | None |
| process | connected from | port | 5156 | The Windows Filtering Platform has permitted a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | connected from | port | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | `<NetworkConnect onmatch="exclude" />` | None |
| process | connected to | host | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | `<NetworkConnect onmatch="exclude" />` | None |
| process | connected to | ip | 5156 | The Windows Filtering Platform has permitted a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | connected to | ip | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | `<NetworkConnect onmatch="exclude" />` | None |
| process | connected to | pipe | 18 | PipeEvent (Pipe Connected). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | PipeEvent | None | `<PipeEvent onmatch="exclude" />` | None |
| process | connected to | port | 5156 | The Windows Filtering Platform has permitted a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | connected to | port | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | `<NetworkConnect onmatch="exclude" />` | None |
| process | created | file | 11 | FileCreate. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileCreate | None | `<FileCreate onmatch="exclude" />` | None |
| process | created | file | DeviceFileEvents | DeviceFileEvents | Windows | Windows Defender Advanced Threat Protection | None | None | None | None | None |
| process | created | pipe | 17 | PipeEvent (Pipe Created). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | PipeEvent | None | `<PipeEvent onmatch="exclude" />` | None |
| process | created | process | 4688 | A new process has been created. | Windows | Microsoft-Windows-Security-Auditing | Security | Detailed Tracking | Process Creation | `auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation |
| process | created | process | 1 | Process Creation. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ProcessCreate | None | `<ProcessCreate onmatch="exclude" />` | None |
| process | created | process | DeviceProcessEvents | DeviceProcessEvents | Windows | Windows Defender Advanced Threat Protection | None | None | None | None | None |
| process | created | thread | 8 | CreateRemoteThread. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | CreateRemoteThread | None | `<CreateRemoteThread onmatch="exclude" />` | None |
| process | created | windows registry key | 12 | RegistryEvent (Object create and delete). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | `<RegistryEvent onmatch="exclude" />` | None |
| process | created | windows registry key | DeviceRegistryEvents | DeviceRegistryEvents | Windows | Windows Defender Advanced Threat Protection | None | None | None | None | None |
| process | created | windows registry key value | 12 | RegistryEvent (Object create and delete). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | `<RegistryEvent onmatch="exclude" />` | None |
| process | created | windows registry key value | DeviceRegistryEvents | DeviceRegistryEvents | Windows | Windows Defender Advanced Threat Protection | None | None | None | None | None |
| process | deleted | file | 23 | File Delete archived. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileDelete | None | `<FileDelete onmatch="exclude" />` | None |
| process | deleted | file | 26 | File Delete logged. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileDeleteDetected | None | `<FileDeleteDetected onmatch="exclude" />` | None |
| process | deleted | file | 4660 | An object was deleted. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
| process | deleted | windows registry key | 12 | RegistryEvent (Object create and delete). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | `<RegistryEvent onmatch="exclude" />` | None |
| process | deleted | windows registry key | 4660 | An object was deleted. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | `auditpol /set /subcategory:"Registry" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
| process | deleted | windows registry key value | 12 | RegistryEvent (Object create and delete). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | `<RegistryEvent onmatch="exclude" />` | None |
| process | executed | command | 4688 | A new process has been created. | Windows | Microsoft-Windows-Security-Auditing | Security | Detailed Tracking | Process Creation | `auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation |
| process | executed | command | 1 | Process Creation. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ProcessCreate | None | `<ProcessCreate onmatch="exclude" />` | None |
| process | executed | command | 4103 | Module logging. | Windows | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | Executing Pipeline | None | None | None |
| process | executed | command | DeviceProcessEvents | DeviceProcessEvents | Windows | Windows Defender Advanced Threat Protection | None | None | None | None | None |
| process | executed | dns query | 22 | DNSEvent (DNS query). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | DNSQuery | None | `<DNSQuery onmatch="exclude" />` | None |
| process | executed | Script | 4103 | Module logging. | Windows | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | Executing Pipeline | None | None | None |
| process | executed | Script | 4104 | Script Block Logging. | Windows | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | Execute a Remote Command | None | None | None |
| process | listened on | port | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | loaded | module | 7 | Image loaded. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ImageLoad | None | `<ImageLoad onmatch="exclude" />` | None |
| process | loaded | module | DeviceImageLoadEvents | DeviceImageLoadEvents | Windows | Windows Defender Advanced Threat Protection | None | None | None | None | None |
| process | modified | file | 2 | A process changed a file creation time. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileCreateTime | None | `<FileCreateTime onmatch="exclude" />` | None |
| process | modified | file | 11 | FileCreate. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileCreate | None | `<FileCreate onmatch="exclude" />` | None |
| process | modified | file | 4670 | Permissions on an object were changed. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
| process | modified | file | DeviceFileEvents | DeviceFileEvents | Windows | Windows Defender Advanced Threat Protection | None | None | None | None | None |
| process | modified | firewall | 2002 | A Windows Defender Firewall setting has changed. | Windows | Microsoft-Windows-Windows Firewall With Advanced Security | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | None | None | None | None |
| process | modified | firewall | 2003 | A Windows Defender Firewall setting in the Private profile has changed. | Windows | Microsoft-Windows-Windows Firewall With Advanced Security | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | None | None | None | None |
| process | modified | firewall rule | 2005 | A rule has been modified in the Windows Defender Firewall exception list. | Windows | Microsoft-Windows-Windows Firewall With Advanced Security | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | None | None | None | None |
| process | modified | windows registry key | 13 | RegistryEvent (Value Set). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | `<RegistryEvent onmatch="exclude" />` | None |
| process | modified | windows registry key | 14 | RegistryEvent (Key and Value Rename). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | `<RegistryEvent onmatch="exclude" />` | None |
| process | modified | windows registry key | 4670 | Permissions on an object were changed. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | `auditpol /set /subcategory:"Registry" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
| process | modified | windows registry key | DeviceRegistryEvents | DeviceRegistryEvents | Windows | Windows Defender Advanced Threat Protection | None | None | None | None | None |
| process | modified | windows registry key value | 13 | RegistryEvent (Value Set). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | `<RegistryEvent onmatch="exclude" />` | None |
| process | modified | windows registry key value | 14 | RegistryEvent (Key and Value Rename). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | `<RegistryEvent onmatch="exclude" />` | None |
| process | modified | windows registry key value | 4657 | A registry value was modified. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | `auditpol /set /subcategory:"Registry" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
| process | modified | windows registry key value | DeviceRegistryEvents | DeviceRegistryEvents | Windows | Windows Defender Advanced Threat Protection | None | None | None | None | None |
| process | removed | firewall rule | 2006 | A rule has been deleted in the Windows Defender Firewall exception list | Windows | Microsoft-Windows-Windows Firewall With Advanced Security | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | None | None | None | None |
| process | requested access to | ad object | 4661 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | DS Access | Directory Service Access | `auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Access |
| process | requested access to | file | 4656 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
| process | requested access to | file | 4661 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | SAM | `auditpol /set /subcategory:"SAM" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit SAM |
| process | requested access to | process | 4656 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Kernel Object | `auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Kernel Object |
| process | requested access to | windows registry key | 4656 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | `auditpol /set /subcategory:"Registry" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
| process | terminated | None | 5 | Process terminated. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ProcessTerminate | None | `<ProcessTerminate onmatch="exclude" />` | None |
| service | started | None | 4 | Sysmon service state changed. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ServiceStateChange | None | `<ServiceStateChange onmatch="exclude" />` | None |
| service | stopped | None | 4 | Sysmon service state changed. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ServiceStateChange | None | `<ServiceStateChange onmatch="exclude" />` | None |
| user | added | firewall rule | 2004 | A rule has been added to the Windows Defender Firewall exception list | Windows | Microsoft-Windows-Windows Firewall With Advanced Security | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | None | None | None | None |
| user | added | firewall rule | CreateRuleGroup | CreateRuleGroup | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | added firewall rule from | ip | CreateRuleGroup | CreateRuleGroup | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | attempted to access | ad object | 4662 | An operation was performed on an object. | Windows | Microsoft-Windows-Security-Auditing | Security | DS Access | Directory Service Access | `auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable` | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Access |
| user | attempted to access | file | 4663 | An attempt was made to access an object. | Windows | Microsoft-Windows-Security-Auditing | Security | | | | |

Object Access

File System

auditpol /set /subcategory:"File System" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System

user

attempted to access

file

4692

Backup of data protection master key was attempted.

Windows

Microsoft-Windows-Security-Auditing

Security

Detailed Tracking

DPAPI Activity

auditpol /set /subcategory:"DPAPI Activity" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit DPAPI Activity

user

attempted to access

network share

5140

A network share object was accessed.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

File Share

auditpol /set /subcategory:"File Share" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share

user

attempted to access

network share

5145

A network share object was checked to see whether client can be granted desired access.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Detailed File Share

auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Detailed File Share

user

attempted to access

process

4663

An attempt was made to access an object.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Kernel Object

auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Kernel Object

user

attempted to access

windows registry key

4663

An attempt was made to access an object.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Registry

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry

user

attempted to authenticate from

ip

4625

An account failed to log on.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Logon

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon

user

attempted to authenticate from

ip

4625

An account failed to log on.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Account Lockout

auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Account Lockout

user

attempted to authenticate from

ip

4648

A logon was attempted using explicit credentials.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Logon

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon

user

attempted to authenticate from

ip

ConsoleLogin

ConsoleLogin

AWS

CloudTrail

None

AwsConsoleSignin

None

None

None

user

attempted to authenticate from

port

4625

An account failed to log on.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Logon

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon

user

attempted to authenticate from

port

4625

An account failed to log on.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Account Lockout

auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Account Lockout

user

attempted to authenticate from

port

4648

A logon was attempted using explicit credentials.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Logon

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon

user

attempted to authenticate to

application

ConsoleLogin

ConsoleLogin

AWS

CloudTrail

None

AwsConsoleSignin

None

None

None

user

attempted to authenticate to

host

4625

An account failed to log on.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Logon

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon

user

attempted to authenticate to

host

4625

An account failed to log on.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Account Lockout

auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Account Lockout

user

attempted to authenticate to

host

4648

A logon was attempted using explicit credentials.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Logon

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon

user

attempted to log off from

host

4647

User initiated logoff.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Logoff

auditpol /set /subcategory:"Logoff" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logoff

user

attempted to modify

user

4723

An attempt was made to change an account’s password.

Windows

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

user

attempted to modify

user

4724

An attempt was made to reset an account’s password.

Windows

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

user

authenticated from

ip

ConsoleLogin

ConsoleLogin

AWS

CloudTrail

None

AwsConsoleSignin

None

None

None

user

connected from

host

3

Network connection.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

NetworkConnect

None

<NetworkConnect onmatch="exclude" />

None

user

connected from

ip

3

Network connection.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

NetworkConnect

None

<NetworkConnect onmatch="exclude" />

None

user

connected from

port

3

Network connection.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

NetworkConnect

None

<NetworkConnect onmatch="exclude" />

None

user

connected to

host

3

Network connection.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

NetworkConnect

None

<NetworkConnect onmatch="exclude" />

None

user

connected to

ip

3

Network connection.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

NetworkConnect

None

<NetworkConnect onmatch="exclude" />

None

user

connected to

port

3

Network connection.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

NetworkConnect

None

<NetworkConnect onmatch="exclude" />

None

user

created

ad object

5137

A directory service object was created.

Windows

Microsoft-Windows-Security-Auditing

Security

DS Access

Directory Service Changes

auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes

user

created

file

DeviceFileEvents

DeviceFileEvents

Windows

Windows Defender Advanced Threat Protection

None

None

None

None

None

user

created

instance

RunInstances

RunInstances

AWS

CloudTrail

None

AwsApiCall

None

None

None

user

created instance from

ip

RunInstances

RunInstances

AWS

CloudTrail

None

AwsApiCall

None

None

None

user

created

logon session

4624

An account was successfully logged on.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Logon

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon

user

created

logon session

4778

A session was reconnected to a Window Station.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Other Logon/Logoff Events

auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Other Logon/Logoff Events

user

created

logon session

4964

Special groups have been assigned to a new logon.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Special Logon

auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Special Logon

user

created

logon session

DeviceLogonEvents

DeviceLogonEvents

Windows

Windows Defender Advanced Threat Protection

None

None

None

None

None

user

created logon session from

ip

4624

An account was successfully logged on.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Logon

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon

user

created logon session from

ip

4778

A session was reconnected to a Window Station.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Other Logon/Logoff Events

auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Other Logon/Logoff Events

user

created logon session from

ip

DeviceLogonEvents

DeviceLogonEvents

Windows

Windows Defender Advanced Threat Protection

None

None

None

None

None

user

created logon session from

port

4624

An account was successfully logged on.

Windows

Microsoft-Windows-Security-Auditing

Security

Logon/Logoff

Logon

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon

user

created logon session from

port

DeviceLogonEvents

DeviceLogonEvents

Windows

Windows Defender Advanced Threat Protection

None

None

None

None

None

user

created

network share

5142

A network share object was added.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

File Share

auditpol /set /subcategory:"File Share" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share

user

created

process

4688

A new process has been created.

Windows

Microsoft-Windows-Security-Auditing

Security

Detailed Tracking

Process Creation

auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation

user

created

process

1

Process Creation.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

ProcessCreate

None

<ProcessCreate onmatch="exclude" />

None

user

created

process

DeviceProcessEvents

DeviceProcessEvents

Windows

Windows Defender Advanced Threat Protection

None

None

None

None

None

user

created

schedule job

4698

A scheduled task was created.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Other Object Access Events

auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events

user

created

service

4697

A service was installed in the system.

Windows

Microsoft-Windows-Security-Auditing

Security

System

Security System Extension

auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Security System Extension

user

created

service

7045

A new service was installed in the system.

Windows

Service Control Manager

System

None

None

None

None

user

created

user

4720

A user account was created.

Windows

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

user

created

windows registry key

DeviceRegistryEvents

DeviceRegistryEvents

Windows

Windows Defender Advanced Threat Protection

None

None

None

None

None

user

created

windows registry key value

DeviceRegistryEvents

DeviceRegistryEvents

Windows

Windows Defender Advanced Threat Protection

None

None

None

None

None

user

created

wmi object

19

WmiEvent (WmiEventFilter activity detected).

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

WmiEvent

None

<WmiEvent onmatch="exclude" />

None

user

created

wmi object

20

WmiEvent (WmiEventConsumer activity detected).

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

WmiEvent

None

<WmiEvent onmatch="exclude" />

None

user

created

wmi object

21

WmiEvent (WmiEventConsumerToFilter activity detected).

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

WmiEvent

None

<WmiEvent onmatch="exclude" />

None

user

deleted

ad object

5141

A directory service object was deleted.

Windows

Microsoft-Windows-Security-Auditing

Security

DS Access

Directory Service Changes

auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes

user

deleted

file

23

File Delete archived.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

FileDelete

None

<FileDelete onmatch="exclude" />

None

user

deleted

file

26

File Delete logged.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

FileDeleteDetected

None

<FileDeleteDetected onmatch="exclude" />

None

user

deleted

file

4660

An object was deleted.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

File System

auditpol /set /subcategory:"File System" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System

user

deleted

network share

5144

A network share object was deleted.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

File Share

auditpol /set /subcategory:"File Share" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share

user

deleted

schedule job

4699

A scheduled task was deleted.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Other Object Access Events

auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events

user

deleted

user

4726

A user account was deleted.

Windows

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

user

deleted

windows registry key

4660

An object was deleted.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Registry

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry

user

deleted

wmi object

19

WmiEvent (WmiEventFilter activity detected).

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

WmiEvent

None

<WmiEvent onmatch="exclude" />

None

user

deleted

wmi object

20

WmiEvent (WmiEventConsumer activity detected).

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

WmiEvent

None

<WmiEvent onmatch="exclude" />

None

user

deleted

wmi object

21

WmiEvent (WmiEventConsumerToFilter activity detected).

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

WmiEvent

None

<WmiEvent onmatch="exclude" />

None

user

disabled

schedule job

4701

A scheduled task was disabled.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Other Object Access Events

auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events

user

disabled

user

4725

A user account was disabled.

Windows

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

user

enabled

schedule job

4700

A scheduled task was enabled.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Other Object Access Events

auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events

user

enabled

user

4722

A user account was enabled.

Windows

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

user

executed

command

4688

A new process has been created.

Windows

Microsoft-Windows-Security-Auditing

Security

Detailed Tracking

Process Creation

auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation

user

executed

command

1

Process Creation.

Windows

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

ProcessCreate

None

<ProcessCreate onmatch="exclude" />

None

user

executed

command

4103

Module logging.

Windows

Microsoft-Windows-PowerShell

Microsoft-Windows-PowerShell/Operational

Executing Pipeline

None

None

None

user

executed

command

DeviceProcessEvents

DeviceProcessEvents

Windows

Windows Defender Advanced Threat Protection

None

None

None

None

None

user

granted access to

user

4717

System security access was granted to an account.

Windows

Microsoft-Windows-Security-Auditing

Security

Policy Change

Authentication Policy Change

auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit Authentication Policy Change

user

listed

firewall rule

ListRuleGroups

ListRuleGroups

AWS

CloudTrail

None

AwsApiCall

None

None

None

user

listed firewall rule from

ip

ListRuleGroups

ListRuleGroups

AWS

CloudTrail

None

AwsApiCall

None

None

None

user

loaded

module

DeviceImageLoadEvents

DeviceImageLoadEvents

Windows

Windows Defender Advanced Threat Protection

None

None

None

None

None

user

locked

user

4740

A user account was locked out.

Windows

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

user

modified

None

PasswordUpdated

PasswordUpdated

AWS

CloudTrail

None

AwsConsoleSignin

None

None

None

user

modified

ad object

5136

A directory service object was modified.

Windows

Microsoft-Windows-Security-Auditing

Security

DS Access

Directory Service Changes

auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes

user

modified

ad object

5139

A directory service object was moved.

Windows

Microsoft-Windows-Security-Auditing

Security

DS Access

Directory Service Changes

auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes

user

modified

cloud service

UpdateTrail

UpdateTrail

AWS

CloudTrail

None

AwsApiCall

None

None

None

user

modified cloud service from

ip

UpdateTrail

UpdateTrail

AWS

CloudTrail

None

AwsApiCall

None

None

None

user

modified

file

4670

Permissions on an object were changed.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

File System

auditpol /set /subcategory:"File System" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System

user

modified

file

DeviceFileEvents

DeviceFileEvents

Windows

Windows Defender Advanced Threat Protection

None

None

None

None

None

user

modified

firewall

2002

A Windows Defender Firewall setting has changed.

Windows

Microsoft-Windows-Windows Firewall With Advanced Security

Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

None

None

None

None

user

modified

firewall

2003

A Windows Defender Firewall setting in the Private profile has changed.

Windows

Microsoft-Windows-Windows Firewall With Advanced Security

Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

None

None

None

None

user

modified

firewall rule

2005

A rule has been modified in the Windows Defender Firewall exception list.

Windows

Microsoft-Windows-Windows Firewall With Advanced Security

Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

None

None

None

None

user

modified

firewall rule

UpdateRuleGroup

UpdateRuleGroup

AWS

CloudTrail

None

AwsApiCall

None

None

None

user

modified firewall rule from

ip

UpdateRuleGroup

UpdateRuleGroup

AWS

CloudTrail

None

AwsApiCall

None

None

None

user

modified

instance

ModifyInstanceAttribute

ModifyInstanceAttribute

AWS

CloudTrail

None

AwsApiCall

None

None

None

user

modified instance from

ip

ModifyInstanceAttribute

ModifyInstanceAttribute

AWS

CloudTrail

None

AwsApiCall

None

None

None

user

modified

network share

5143

A network share object was modified.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

File Share

auditpol /set /subcategory:"File Share" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share

user

modified

schedule job

4702

A scheduled task was updated.

Windows

Microsoft-Windows-Security-Auditing

Security

Object Access

Other Object Access Events

auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events

user

modified

user

4738

A user account was changed.

Windows

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

user

modified

user

4781

The name of an account was changed.

Windows

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

| Source | Relationship | Target | EventID | Event Name | Event Platform | Log Provider | Log Channel | Audit Category | Audit Sub-Category | Enable Commands | GPO Audit Policy |
|---|---|---|---|---|---|---|---|---|---|---|---|
| user | modified | windows registry key | 4670 | Permissions on an object were changed. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
| user | modified | windows registry key | DeviceRegistryEvents | DeviceRegistryEvents | Windows | Windows Defender Advanced Threat Protection | None | None | None | None | None |
| user | modified | windows registry key value | 4657 | A registry value was modified. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
| user | modified | windows registry key value | DeviceRegistryEvents | DeviceRegistryEvents | Windows | Windows Defender Advanced Threat Protection | None | None | None | None | None |
| user | removed access from | user | 4718 | System security access was removed from an account. | Windows | Microsoft-Windows-Security-Auditing | Security | Policy Change | Authentication Policy Change | auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit Authentication Policy Change |
| user | removed | firewall rule | 2006 | A rule has been deleted in the Windows Defender Firewall exception list | Windows | Microsoft-Windows-Windows Firewall With Advanced Security | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | None | None | None | None |
| user | removed | firewall rule | DeleteRuleGroup | DeleteRuleGroup | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | removed firewall rule from | ip | DeleteRuleGroup | DeleteRuleGroup | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | requested access to | ad object | 4661 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | DS Access | Directory Service Access | auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Access |
| user | requested access to | file | 4656 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | auditpol /set /subcategory:"File System" /success:enable /failure:enable | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
| user | requested access to | file | 4661 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | SAM | auditpol /set /subcategory:"SAM" /success:enable /failure:enable | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit SAM |
| user | requested access to | service | 4656 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Other Object Access Events | auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events |
| user | requested access to | windows registry key | 4656 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
| user | restored | ad object | 5138 | A directory service object was undeleted. | Windows | Microsoft-Windows-Security-Auditing | Security | DS Access | Directory Service Changes | auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes |
| user | retrieved information about | cloud service | GetTrail | GetTrail | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | retrieved information about | cloud service | GetTrailStatus | GetTrailStatus | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | retrieved information about | cloud service | DescribeTrails | DescribeTrails | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | retrieved information about | cloud service | GetEventSelectors | GetEventSelectors | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | retrieved information about | cloud service | GetInsightSelectors | GetInsightSelectors | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | retrieved information about cloud service from | ip | GetTrail | GetTrail | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | retrieved information about cloud service from | ip | GetTrailStatus | GetTrailStatus | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | retrieved information about cloud service from | ip | DescribeTrails | DescribeTrails | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | retrieved information about cloud service from | ip | GetEventSelectors | GetEventSelectors | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | retrieved information about cloud service from | ip | GetInsightSelectors | GetInsightSelectors | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | retrieved information about | firewall | DescribeFirewall | DescribeFirewall | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | retrieved information about | firewall | DescribeFirewallPolicy | DescribeFirewallPolicy | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | retrieved information about firewall from | ip | DescribeFirewall | DescribeFirewall | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | retrieved information about firewall from | ip | DescribeFirewallPolicy | DescribeFirewallPolicy | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | retrieved information about | firewall rule | DescribeRuleGroup | DescribeRuleGroup | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | retrieved information about firewall rule from | ip | DescribeRuleGroup | DescribeRuleGroup | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | started | application host | 4103 | Module logging. | Windows | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | Executing Pipeline | None | None | None |
| user | started | cloud service | StartLogging | StartLogging | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | started cloud service from | ip | StartLogging | StartLogging | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | stopped | cloud service | StopLogging | StopLogging | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | stopped cloud service from | ip | StopLogging | StopLogging | AWS | CloudTrail | None | AwsApiCall | None | None | None |
| user | terminated | logon session | 4634 | An account was logged off. | Windows | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logoff | auditpol /set /subcategory:"Logoff" /success:enable /failure:enable | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logoff |
| user | terminated | process | 4689 | A process has exited. | Windows | Microsoft-Windows-Security-Auditing | Security | Detailed Tracking | Process Termination | auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Termination |
| user | unlocked | user | 4767 | A user account was unlocked. | Windows | Microsoft-Windows-Security-Auditing | Security | Account Management | User Account Management | auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
| wmi object | created | None | 5861 | WMI permanent event created. | Windows | Microsoft-Windows-WMI-Activity | Microsoft-Windows-WMI-Activity/Operational | None | None | None | None |