Relationships to Events

Each row maps a relationship between two entities (source, relationship, target) to the event that evidences it: the platform, log provider and channel, the EventID (or, for Microsoft Defender for Endpoint and CloudTrail, the ActionType / eventName), and, for events from the Windows Security channel, the audit category, sub-category and GPO audit policy setting that must be enabled before the event is logged at all. One EventID frequently backs several relationships (for example 5157 covers blocked connections to and from an ip, port and process), and one relationship is frequently observable from several providers.

| Source | Relationship | Target | EventID | Event Name | Event Platform | Log Provider | Log Channel | Audit Category | Audit Sub-Category | Enable Commands | GPO Audit Policy |
|---|---|---|---|---|---|---|---|---|---|---|---|
| application | attempted to authenticate | user | ConsoleLogin | ConsoleLogin | AWS | CloudTrail | None | AwsConsoleSignin | None | None | None |
| application domain | started | None | 53504 | Windows PowerShell has started an IPC listening thread on a process in AppDomain. | Windows | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | PowerShell Named Pipe IPC | None | None | None |
| application host | started | None | 400 | Engine state is changed from None to Available. | Windows | PowerShell | Windows PowerShell | Engine Lifecycle | None | None | None |
| driver | loaded | None | 6 | Driver loaded. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | DriverLoad | None | | None |
| driver | loaded | None | DriverLoaded | DriverLoaded | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| firewall | disabled | None | 5025 | The Windows Firewall Service has been stopped. | Windows | Microsoft-Windows-Security-Auditing | Security | System | Other System Events | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Other System Events |
| firewall | enabled | None | 5024 | The Windows Firewall Service has started successfully. | Windows | Microsoft-Windows-Security-Auditing | Security | System | Other System Events | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Other System Events |
| firewall rule | added | None | 4946 | A change has been made to Windows Firewall exception list. A rule was added. | Windows | Microsoft-Windows-Security-Auditing | Security | Policy Change | MPSSVC Rule-Level Policy Change | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit MPSSVC Rule-Level Policy Change |
| firewall rule | modified | None | 4947 | A change has been made to Windows Firewall exception list. A rule was modified. | Windows | Microsoft-Windows-Security-Auditing | Security | Policy Change | MPSSVC Rule-Level Policy Change | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit MPSSVC Rule-Level Policy Change |
| firewall rule | removed | None | 4948 | A change has been made to Windows Firewall exception list. A rule was deleted. | Windows | Microsoft-Windows-Security-Auditing | Security | Policy Change | MPSSVC Rule-Level Policy Change | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit MPSSVC Rule-Level Policy Change |
| host | blocked connection from | ip | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked connection from | ip | FirewallInboundConnectionBlocked | FirewallInboundConnectionBlocked | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| host | blocked connection from | port | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked connection from | port | FirewallInboundConnectionBlocked | FirewallInboundConnectionBlocked | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| host | blocked connection from | process | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked connection to | ip | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked connection to | ip | FirewallOutboundConnectionBlocked | FirewallOutboundConnectionBlocked | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| host | blocked connection to | port | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked connection to | port | FirewallOutboundConnectionBlocked | FirewallOutboundConnectionBlocked | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| host | blocked connection to | process | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked connection to | process | 5031 | The Windows Firewall Service blocked an application from accepting incoming connections on the network. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked connection to | process | FirewallInboundConnectionToAppBlocked | FirewallInboundConnectionToAppBlocked | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| host | blocked listener on | ip | 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked listener on | port | 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked listener on | process | 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked port bind on | ip | 5159 | The Windows Filtering Platform has blocked a bind to a local port. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked port bind on | port | 5159 | The Windows Filtering Platform has blocked a bind to a local port. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | blocked port bind on | process | 5159 | The Windows Filtering Platform has blocked a bind to a local port. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | permitted listener on | ip | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | permitted listener on | port | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | permitted listener on | process | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | permitted port bind on | process | 5158 | The Windows Filtering Platform has permitted a bind to a local port. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | permitted port bind on | ip | 5158 | The Windows Filtering Platform has permitted a bind to a local port. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| host | permitted port bind on | port | 5158 | The Windows Filtering Platform has permitted a bind to a local port. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| logon session | modified | None | 4672 | Special privileges assigned to new logon. | Windows | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Special Logon | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Special Logon |
| process | accessed | file | 4663 | An attempt was made to access an object. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
| process | accessed | process | 10 | ProcessAccess. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ProcessAccess | None | | None |
| process | accessed | process | 4663 | An attempt was made to access an object. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Kernel Object | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Kernel Object |
| process | accessed | process | OpenProcessApiCall | OpenProcessApiCall | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| process | accessed | windows registry key | 4663 | An attempt was made to access an object. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
| process | added | firewall rule | 2004 | A rule has been added to the Windows Defender Firewall exception list. | Windows | Microsoft-Windows-Windows Firewall With Advanced Security | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | None | None | None | None |
| process | attempted connection from | ip | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | attempted connection from | ip | ConnectionRequest | ConnectionRequest | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| process | attempted connection from | port | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | attempted connection from | port | ConnectionRequest | ConnectionRequest | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| process | attempted connection to | ip | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | attempted connection to | ip | ConnectionAttempt | ConnectionAttempt | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| process | attempted connection to | port | 5157 | The Windows Filtering Platform has blocked a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | attempted connection to | port | ConnectionAttempt | ConnectionAttempt | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| process | attempted to bind on | port | 5159 | The Windows Filtering Platform has blocked a bind to a local port. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | attempted to listen on | port | 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | bound to | port | 5158 | The Windows Filtering Platform has permitted a bind to a local port. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | bound to | port | ListeningConnectionCreated | ListeningConnectionCreated | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| process | connected from | host | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | | None |
| process | connected from | host | InboundConnectionAccepted | InboundConnectionAccepted | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| process | connected from | ip | 5156 | The Windows Filtering Platform has permitted a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | connected from | ip | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | | None |
| process | connected from | ip | InboundConnectionAccepted | InboundConnectionAccepted | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| process | connected from | port | 5156 | The Windows Filtering Platform has permitted a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | connected from | port | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | | None |
| process | connected from | port | InboundConnectionAccepted | InboundConnectionAccepted | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| process | connected to | host | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | | None |
| process | connected to | host | ConnectionSuccess | ConnectionSuccess | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| process | connected to | ip | 5156 | The Windows Filtering Platform has permitted a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | connected to | ip | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | | None |
| process | connected to | ip | ConnectionSuccess | ConnectionSuccess | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| process | connected to | pipe | 18 | PipeEvent (Pipe Connected). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | PipeEvent | None | | None |
| process | connected to | port | 5156 | The Windows Filtering Platform has permitted a connection. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | connected to | port | 3 | Network connection. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | None | | None |
| process | connected to | port | ConnectionSuccess | ConnectionSuccess | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| process | created | file | 11 | FileCreate. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileCreate | None | | None |
| process | created | file | FileCreated | FileCreated | Windows | Microsoft Defender for Endpoint | DeviceFileEvents | None | None | None | None |
| process | created | pipe | 17 | PipeEvent (Pipe Created). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | PipeEvent | None | | None |
| process | created | process | 4688 | A new process has been created. | Windows | Microsoft-Windows-Security-Auditing | Security | Detailed Tracking | Process Creation | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation |
| process | created | process | 1 | Process Creation. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ProcessCreate | None | | None |
| process | created | process | ProcessCreated | ProcessCreated | Windows | Microsoft Defender for Endpoint | DeviceProcessEvents | None | None | None | None |
| process | created | thread | 8 | CreateRemoteThread. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | CreateRemoteThread | None | | None |
| process | created | thread | CreateRemoteThreadApiCall | CreateRemoteThreadApiCall | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| process | created | windows registry key | 12 | RegistryEvent (Object create and delete). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | | None |
| process | created | windows registry key | RegistryKeyCreated | RegistryKeyCreated | Windows | Microsoft Defender for Endpoint | DeviceRegistryEvents | None | None | None | None |
| process | created | windows registry key value | 12 | RegistryEvent (Object create and delete). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | | None |
| process | created | windows registry key value | RegistryValueSet | RegistryValueSet | Windows | Microsoft Defender for Endpoint | DeviceRegistryEvents | None | None | None | None |
| process | deleted | file | 23 | File Delete archived. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileDelete | None | | None |
| process | deleted | file | 26 | File Delete logged. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileDeleteDetected | None | | None |
| process | deleted | file | 4660 | An object was deleted. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
| process | deleted | file | FileDeleted | FileDeleted | Windows | Microsoft Defender for Endpoint | DeviceFileEvents | None | None | None | None |
| process | deleted | windows registry key | 12 | RegistryEvent (Object create and delete). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | | None |
| process | deleted | windows registry key | 4660 | An object was deleted. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
| process | deleted | windows registry key | RegistryKeyDeleted | RegistryKeyDeleted | Windows | Microsoft Defender for Endpoint | DeviceRegistryEvents | None | None | None | None |
| process | deleted | windows registry key value | 12 | RegistryEvent (Object create and delete). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | | None |
| process | deleted | windows registry key value | RegistryValueDeleted | RegistryValueDeleted | Windows | Microsoft Defender for Endpoint | DeviceRegistryEvents | None | None | None | None |
| process | executed | api call | 8 | CreateRemoteThread. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | CreateRemoteThread | None | | None |
| process | executed | api call | CreateRemoteThreadApiCall | CreateRemoteThreadApiCall | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| process | executed | command | 4688 | A new process has been created. | Windows | Microsoft-Windows-Security-Auditing | Security | Detailed Tracking | Process Creation | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation |
| process | executed | command | 1 | Process Creation. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ProcessCreate | None | | None |
| process | executed | command | 4103 | Module logging. | Windows | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | Executing Pipeline | None | None | None |
| process | executed | command | ProcessCreated | ProcessCreated | Windows | Microsoft Defender for Endpoint | DeviceProcessEvents | None | None | None | None |
| process | executed | dns query | 22 | DNSEvent (DNS query). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | DNSQuery | None | | None |
| process | executed | dns query | DnsQueryResponse | DnsQueryResponse | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| process | executed | script | 4103 | Module logging. | Windows | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | Executing Pipeline | None | None | None |
| process | executed | script | 4104 | Script Block Logging. | Windows | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | Execute a Remote Command | None | None | None |
| process | executed | script | ScriptContent | ScriptContent | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| process | executed | script | PowerShellCommand | PowerShellCommand | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| process | executed | script | AmsiScriptDetection | AmsiScriptDetection | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| process | listened on | port | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection |
| process | listened on | port | ListeningConnectionCreated | ListeningConnectionCreated | Windows | Microsoft Defender for Endpoint | DeviceNetworkEvents | None | None | None | None |
| process | loaded | module | 7 | Image loaded. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ImageLoad | None | | None |
| process | loaded | module | ImageLoaded | ImageLoaded | Windows | Microsoft Defender for Endpoint | DeviceImageLoadEvents | None | None | None | None |
| process | modified | file | 2 | A process changed a file creation time. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileCreateTime | None | | None |
| process | modified | file | 11 | FileCreate. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileCreate | None | | None |
| process | modified | file | 4670 | Permissions on an object were changed. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
| process | modified | file | FileModified | FileModified | Windows | Microsoft Defender for Endpoint | DeviceFileEvents | None | None | None | None |
| process | modified | file | FileRenamed | FileRenamed | Windows | Microsoft Defender for Endpoint | DeviceFileEvents | None | None | None | None |
| process | modified | firewall | 2002 | A Windows Defender Firewall setting has changed. | Windows | Microsoft-Windows-Windows Firewall With Advanced Security | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | None | None | None | None |
| process | modified | firewall | 2003 | A Windows Defender Firewall setting in the Private profile has changed. | Windows | Microsoft-Windows-Windows Firewall With Advanced Security | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | None | None | None | None |
| process | modified | firewall rule | 2005 | A rule has been modified in the Windows Defender Firewall exception list. | Windows | Microsoft-Windows-Windows Firewall With Advanced Security | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | None | None | None | None |
| process | modified | process | 8 | CreateRemoteThread. | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | CreateRemoteThread | None | | None |
| process | modified | process | CreateRemoteThreadApiCall | CreateRemoteThreadApiCall | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
| process | modified | windows registry key | 13 | RegistryEvent (Value Set). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | | None |
| process | modified | windows registry key | 14 | RegistryEvent (Key and Value Rename). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | | None |
| process | modified | windows registry key | 4670 | Permissions on an object were changed. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
| process | modified | windows registry key | RegistryKeyCreated | RegistryKeyCreated | Windows | Microsoft Defender for Endpoint | DeviceRegistryEvents | None | None | None | None |
| process | modified | windows registry key value | 13 | RegistryEvent (Value Set). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | | None |
| process | modified | windows registry key value | 14 | RegistryEvent (Key and Value Rename). | Windows | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | RegistryEvent | None | | None |
| process | modified | windows registry key value | 4657 | A registry value was modified. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
| process | modified | windows registry key value | RegistryValueSet | RegistryValueSet | Windows | Microsoft Defender for Endpoint | DeviceRegistryEvents | None | None | None | None |
| process | removed | firewall rule | 2006 | A rule has been deleted in the Windows Defender Firewall exception list. | Windows | Microsoft-Windows-Windows Firewall With Advanced Security | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | None | None | None | None |
| process | requested access to | ad object | 4661 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | DS Access | Directory Service Access | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Access |
| process | requested access to | file | 4656 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
process |
requested access to |
process |
4656 |
A handle to an object was requested. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Object Access |
Kernel Object |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Kernel Object |
process |
requested access to |
process |
10 |
Process Access. |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
ProcessAccess |
None |
|
None |
process |
requested access to |
process |
OpenProcessApiCall |
OpenProcessApiCall |
Windows |
Microsoft Defender for Endpoint |
DeviceEvents |
None |
None |
None |
None |
process |
requested access to |
windows registry key |
4656 |
A handle to an object was requested. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Object Access |
Registry |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
process |
terminated |
None |
5 |
Process terminated. |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
ProcessTerminate |
None |
|
None |
service |
started |
None |
4 |
Sysmon service state changed. |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
ServiceStateChange |
None |
|
None |
service |
stopped |
None |
4 |
Sysmon service state changed. |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
ServiceStateChange |
None |
|
None |
user |
accessed |
ad object |
4662 |
An operation was performed on an object. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
DS Access |
Directory Service Access |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Access |
user |
accessed |
file |
4663 |
An attempt was made to access an object. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Object Access |
File System |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
user |
accessed |
process |
4663 |
An attempt was made to access an object. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Object Access |
Kernel Object |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Kernel Object |
user |
accessed |
process |
OpenProcessApiCall |
OpenProcessApiCall |
Windows |
Microsoft Defender for Endpoint |
DeviceEvents |
None |
None |
None |
None |
user |
accessed |
windows registry key |
4663 |
An attempt was made to access an object. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Object Access |
Registry |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
user |
added |
firewall rule |
2004 |
A rule has been added to the Windows Defender Firewall exception list |
Windows |
Microsoft-Windows-Windows Firewall With Advanced Security |
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall |
None |
None |
None |
None |
user |
added |
firewall rule |
CreateRuleGroup |
CreateRuleGroup |
AWS |
CloudTrail |
None |
AwsApiCall |
None |
None |
None |
user |
added firewall rule from |
ip |
CreateRuleGroup |
CreateRuleGroup |
AWS |
CloudTrail |
None |
AwsApiCall |
None |
None |
None |
user |
attempted to access |
file |
4692 |
Backup of data protection master key was attempted. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Detailed Tracking |
DPAPI Activity |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit DPAPI Activity |
user |
attempted to access |
network share |
5140 |
A network share object was accessed. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Object Access |
File Share |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share |
user |
attempted to access |
network share |
5145 |
A network share object was checked to see whether client can be granted desired access. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Object Access |
Detailed File Share |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Detailed File Share |
user |
attempted to access |
network share |
LogonSuccess |
LogonSuccess |
Windows |
Microsoft Defender for Endpoint |
DeviceLogonEvents |
None |
None |
None |
None |
user |
attempted to authenticate from |
ip |
4624 |
An account was successfully logged on. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Logon/Logoff |
Logon |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon |
user |
attempted to authenticate from |
ip |
4625 |
An account failed to log on. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Logon/Logoff |
Account Lockout |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Account Lockout |
user |
attempted to authenticate from |
ip |
4648 |
A logon was attempted using explicit credentials. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Logon/Logoff |
Logon |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon |
user |
attempted to authenticate from |
ip |
LogonSuccess |
LogonSuccess |
Windows |
Microsoft Defender for Endpoint |
DeviceLogonEvents |
None |
None |
None |
None |
user |
attempted to authenticate from |
ip |
ConsoleLogin |
ConsoleLogin |
AWS |
CloudTrail |
None |
AwsConsoleSignin |
None |
None |
None |
user |
attempted to authenticate from |
port |
4624 |
An account was successfully logged on. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Logon/Logoff |
Logon |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon |
user |
attempted to authenticate from |
port |
4625 |
An account failed to log on. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Logon/Logoff |
Account Lockout |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Account Lockout |
user |
attempted to authenticate from |
port |
4648 |
A logon was attempted using explicit credentials. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Logon/Logoff |
Logon |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon |
user |
attempted to authenticate from |
port |
LogonSuccess |
LogonSuccess |
Windows |
Microsoft Defender for Endpoint |
DeviceLogonEvents |
None |
None |
None |
None |
user |
attempted to authenticate to |
application |
ConsoleLogin |
ConsoleLogin |
AWS |
CloudTrail |
None |
AwsConsoleSignin |
None |
None |
None |
user |
attempted to authenticate to |
host |
4624 |
An account was successfully logged on. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Logon/Logoff |
Logon |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon |
user |
attempted to authenticate to |
host |
4625 |
An account failed to log on. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Logon/Logoff |
Account Lockout |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Account Lockout |
user |
attempted to authenticate to |
host |
4648 |
A logon was attempted using explicit credentials. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Logon/Logoff |
Logon |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon |
user |
attempted to log off from |
host |
4647 |
User initiated logoff. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Logon/Logoff |
Logoff |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logoff |
user |
attempted to modify |
user |
4723 |
An attempt was made to change an accountβs password. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Account Management |
User Account Management |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
user |
attempted to modify |
user |
4724 |
An attempt was made to reset an accountβs password. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Account Management |
User Account Management |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
user |
authenticated from |
ip |
ConsoleLogin |
ConsoleLogin |
AWS |
CloudTrail |
None |
AwsConsoleSignin |
None |
None |
None |
user |
connected from |
host |
3 |
Network connection. |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
NetworkConnect |
None |
|
None |
user |
connected from |
host |
InboundConnectionAccepted |
InboundConnectionAccepted |
Windows |
Microsoft Defender for Endpoint |
DeviceNetworkEvents |
None |
None |
None |
None |
user |
connected from |
ip |
3 |
Network connection. |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
NetworkConnect |
None |
|
None |
user |
connected from |
ip |
InboundConnectionAccepted |
InboundConnectionAccepted |
Windows |
Microsoft Defender for Endpoint |
DeviceNetworkEvents |
None |
None |
None |
None |
user |
connected from |
port |
3 |
Network connection. |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
NetworkConnect |
None |
|
None |
user |
connected from |
port |
InboundConnectionAccepted |
InboundConnectionAccepted |
Windows |
Microsoft Defender for Endpoint |
DeviceNetworkEvents |
None |
None |
None |
None |
user |
connected to |
host |
3 |
Network connection. |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
NetworkConnect |
None |
|
None |
user |
connected to |
host |
ConnectionSuccess |
ConnectionSuccess |
Windows |
Microsoft Defender for Endpoint |
DeviceNetworkEvents |
None |
None |
None |
None |
user |
connected to |
ip |
3 |
Network connection. |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
NetworkConnect |
None |
|
None |
user |
connected to |
ip |
ConnectionSuccess |
ConnectionSuccess |
Windows |
Microsoft Defender for Endpoint |
DeviceNetworkEvents |
None |
None |
None |
None |
user |
connected to |
port |
3 |
Network connection. |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
NetworkConnect |
None |
|
None |
user |
connected to |
port |
ConnectionSuccess |
ConnectionSuccess |
Windows |
Microsoft Defender for Endpoint |
DeviceNetworkEvents |
None |
None |
None |
None |
user |
created |
ad object |
5137 |
A directory service object was created. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
DS Access |
Directory Service Changes |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes |
user |
created |
file |
DeviceFileEvents |
DeviceFileEvents |
Windows |
Windows Defender Advanced Threat Protection |
None |
None |
None |
None |
None |
user |
created |
instance |
RunInstances |
RunInstances |
AWS |
CloudTrail |
None |
AwsApiCall |
None |
None |
None |
user |
created instance from |
ip |
RunInstances |
RunInstances |
AWS |
CloudTrail |
None |
AwsApiCall |
None |
None |
None |
user |
created |
logon session |
4624 |
An account was successfully logged on. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Logon/Logoff |
Logon |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon |
user |
created |
logon session |
4778 |
A session was reconnected to a Window Station. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Logon/Logoff |
Other Logon/Logoff Events |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Other Logon/Logoff Events |
user |
created |
logon session |
4964 |
Special groups have been assigned to a new logon. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Logon/Logoff |
Special Logon |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Special Logon |
user |
created |
logon session |
LogonSuccess |
LogonSuccess |
Windows |
Microsoft Defender for Endpoint |
DeviceLogonEvents |
None |
None |
None |
None |
user |
created logon session from |
ip |
4624 |
An account was successfully logged on. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Logon/Logoff |
Logon |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon |
user |
created logon session from |
ip |
4778 |
A session was reconnected to a Window Station. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Logon/Logoff |
Other Logon/Logoff Events |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Other Logon/Logoff Events |
user |
created logon session from |
ip |
LogonSuccess |
LogonSuccess |
Windows |
Microsoft Defender for Endpoint |
DeviceLogonEvents |
None |
None |
None |
None |
user |
created logon session from |
port |
4624 |
An account was successfully logged on. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Logon/Logoff |
Logon |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon |
user |
created logon session from |
port |
LogonSuccess |
LogonSuccess |
Windows |
Microsoft Defender for Endpoint |
DeviceLogonEvents |
None |
None |
None |
None |
user |
created |
network share |
5142 |
A network share object was added. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Object Access |
File Share |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share |
user |
created |
process |
4688 |
A new process has been created. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Detailed Tracking |
Process Creation |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation |
user |
created |
process |
1 |
Process Creation. |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
ProcessCreate |
None |
|
None |
user |
created |
process |
ProcessCreated |
ProcessCreated |
Windows |
Microsoft Defender for Endpoint |
DeviceProcessEvents |
None |
None |
None |
None |
user |
created |
scheduled job |
4698 |
A scheduled task was created. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Object Access |
Other Object Access Events |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events |
user |
created |
scheduled job |
ScheduledTaskCreated |
ScheduledTaskCreated |
Windows |
Microsoft Defender for Endpoint |
DeviceEvents |
None |
None |
None |
None |
user |
created |
service |
4697 |
A service was installed in the system. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
System |
Security System Extension |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Security System Extension |
user |
created |
service |
7045 |
A new service was installed in the system. |
Windows |
Service Control Manager |
System |
None |
None |
None |
None |
user |
created |
service |
ServiceInstalled |
ServiceInstalled |
Windows |
Microsoft Defender for Endpoint |
DeviceEvents |
None |
None |
None |
None |
user |
created |
user |
4720 |
A user account was created. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Account Management |
User Account Management |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
user |
created |
user |
UserAccountCreated |
UserAccountCreated |
Windows |
Microsoft Defender for Endpoint |
DeviceEvents |
None |
None |
None |
None |
user |
created |
windows registry key |
RegistryKeyCreated |
RegistryKeyCreated |
Windows |
Microsoft Defender for Endpoint |
DeviceRegistryEvents |
None |
None |
None |
None |
user |
created |
windows registry key value |
RegistryValueSet |
RegistryValueSet |
Windows |
Microsoft Defender for Endpoint |
DeviceRegistryEvents |
None |
None |
None |
None |
user |
created |
wmi object |
19 |
WmiEvent (WmiEventFilter activity detected). |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
WmiEvent |
None |
|
None |
user |
created |
wmi object |
20 |
WmiEvent (WmiEventConsumer activity detected). |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
WmiEvent |
None |
|
None |
user |
created |
wmi object |
21 |
WmiEvent (WmiEventConsumerToFilter activity detected). |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
WmiEvent |
None |
|
None |
user |
created |
wmi object |
WmiBindEventFilterToConsumer |
WmiBindEventFilterToConsumer |
Windows |
Microsoft Defender for Endpoint |
DeviceREvents |
None |
None |
None |
None |
user |
deleted |
ad object |
5141 |
A directory service object was deleted. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
DS Access |
Directory Service Changes |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes |
user |
deleted |
file |
23 |
File Delete archived. |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
FileDelete |
None |
|
None |
user |
deleted |
file |
26 |
File Delete logged. |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
FileDeleteDetected |
None |
|
None |
user |
deleted |
file |
4660 |
An object was deleted. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Object Access |
File System |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
user |
deleted |
file |
FileDeleted |
FileDeleted |
Windows |
Microsoft Defender for Endpoint |
DeviceFileEvents |
None |
None |
None |
None |
user |
deleted |
network share |
5144 |
A network share object was deleted. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Object Access |
File Share |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share |
user |
deleted |
scheduled job |
4699 |
A scheduled task was deleted. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Object Access |
Other Object Access Events |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events |
user |
deleted |
scheduled job |
ScheduledTaskDeleted |
ScheduledTaskDeleted |
Windows |
Microsoft Defender for Endpoint |
DeviceEvents |
None |
None |
None |
None |
user |
deleted |
user |
4726 |
A user account was deleted. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Account Management |
User Account Management |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
user |
deleted |
user |
UserAccountDeleted |
UserAccountDeleted |
Windows |
Microsoft Defender for Endpoint |
DeviceEvents |
None |
None |
None |
None |
user |
deleted |
windows registry key |
4660 |
An object was deleted. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Object Access |
Registry |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
user |
deleted |
windows registry key |
RegistryKeyDeleted |
RegistryKeyDeleted |
Windows |
Microsoft Defender for Endpoint |
DeviceRegistryEvents |
None |
None |
None |
None |
user |
deleted |
wmi object |
19 |
WmiEvent (WmiEventFilter activity detected). |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
WmiEvent |
None |
|
None |
user |
deleted |
wmi object |
20 |
WmiEvent (WmiEventConsumer activity detected). |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
WmiEvent |
None |
|
None |
user |
deleted |
wmi object |
21 |
WmiEvent (WmiEventConsumerToFilter activity detected). |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
WmiEvent |
None |
|
None |
user |
disabled |
scheduled job |
4701 |
A scheduled task was disabled. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Object Access |
Other Object Access Events |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events |
user |
disabled |
scheduled job |
ScheduledTaskModified |
ScheduledTaskModified |
Windows |
Microsoft Defender for Endpoint |
DeviceEvents |
None |
None |
None |
None |
user |
disabled |
user |
4725 |
A user account was disabled. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Account Management |
User Account Management |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
user |
disabled |
user |
UserAccountModified |
UserAccountModified |
Windows |
Microsoft Defender for Endpoint |
DeviceEvents |
None |
None |
None |
None |
user |
enabled |
scheduled job |
4700 |
A scheduled task was enabled. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Object Access |
Other Object Access Events |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events |
user |
enabled |
scheduled job |
ScheduledTaskModified |
ScheduledTaskModified |
Windows |
Microsoft Defender for Endpoint |
DeviceEvents |
None |
None |
None |
None |
user |
enabled |
user |
4722 |
A user account was enabled. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Account Management |
User Account Management |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
user |
enabled |
user |
UserAccountModified |
UserAccountModified |
Windows |
Microsoft Defender for Endpoint |
DeviceEvents |
None |
None |
None |
None |
user |
executed |
command |
4688 |
A new process has been created. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Detailed Tracking |
Process Creation |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation |
user |
executed |
command |
1 |
Process Creation. |
Windows |
Microsoft-Windows-Sysmon |
Microsoft-Windows-Sysmon/Operational |
ProcessCreate |
None |
|
None |
user |
executed |
command |
4103 |
Module logging. |
Windows |
Microsoft-Windows-PowerShell |
Microsoft-Windows-PowerShell/Operational |
Executing Pipeline |
None |
None |
None |
user |
executed |
command |
ProcessCreated |
ProcessCreated |
Windows |
Microsoft Defender for Endpoint |
DeviceProcessEvents |
None |
None |
None |
None |
user |
granted access to |
user |
4717 |
System security access was granted to an account. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Policy Change |
Authentication Policy Change |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit Authentication Policy Change |
user |
listed |
firewall rule |
ListRuleGroups |
ListRuleGroups |
AWS |
CloudTrail |
None |
AwsApiCall |
None |
None |
None |
user |
listed firewall rule from |
ip |
ListRuleGroups |
ListRuleGroups |
AWS |
CloudTrail |
None |
AwsApiCall |
None |
None |
None |
user |
loaded |
module |
ImageLoaded |
ImageLoaded |
Windows |
Microsoft Defender for Endpoint |
DeviceImageLoadEvents |
None |
None |
None |
None |
user |
locked |
user |
4740 |
A user account was locked out. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Account Management |
User Account Management |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
user |
modified |
None |
PasswordUpdated |
PasswordUpdated |
AWS |
CloudTrail |
None |
AwsConsoleSignin |
None |
None |
None |
user |
modified |
ad object |
5136 |
A directory service object was modified. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
DS Access |
Directory Service Changes |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes |
user |
modified |
ad object |
5139 |
A directory service object was moved. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
DS Access |
Directory Service Changes |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes |
user |
modified |
cloud service |
UpdateTrail |
UpdateTrail |
AWS |
CloudTrail |
None |
AwsApiCall |
None |
None |
None |
user |
modified cloud service from |
ip |
UpdateTrail |
UpdateTrail |
AWS |
CloudTrail |
None |
AwsApiCall |
None |
None |
None |
user |
modified |
file |
4670 |
Permissions on an object were changed. |
Windows |
Microsoft-Windows-Security-Auditing |
Security |
Object Access |
File System |
|
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
user | modified | file | DeviceFileEvents | DeviceFileEvents | Windows | Windows Defender Advanced Threat Protection | None | None | None | None | None |
user | modified | firewall | 2002 | A Windows Defender Firewall setting has changed. | Windows | Microsoft-Windows-Windows Firewall With Advanced Security | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | None | None | None | None |
user | modified | firewall | 2003 | A Windows Defender Firewall setting in the Private profile has changed. | Windows | Microsoft-Windows-Windows Firewall With Advanced Security | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | None | None | None | None |
user | modified | firewall rule | 2005 | A rule has been modified in the Windows Defender Firewall exception list. | Windows | Microsoft-Windows-Windows Firewall With Advanced Security | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | None | None | None | None |
user | modified | firewall rule | UpdateRuleGroup | UpdateRuleGroup | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | modified firewall rule from | ip | UpdateRuleGroup | UpdateRuleGroup | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | modified | instance | ModifyInstanceAttribute | ModifyInstanceAttribute | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | modified instance from | ip | ModifyInstanceAttribute | ModifyInstanceAttribute | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | modified | network share | 5143 | A network share object was modified. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File Share | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share |
user | modified | schedule job | 4702 | A scheduled task was updated. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Other Object Access Events | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events |
user | modified | schedule job | ScheduledTaskUpdated | ScheduledTaskUpdated | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
user | modified | user | 4738 | A user account was changed. | Windows | Microsoft-Windows-Security-Auditing | Security | Account Management | User Account Management | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
user | modified | user | 4781 | The name of an account was changed. | Windows | Microsoft-Windows-Security-Auditing | Security | Account Management | User Account Management | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
user | modified | user | UserAccountModified | UserAccountModified | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |
user | modified | windows registry key | 4670 | Permissions on an object were changed. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
user | modified | windows registry key | RegistryKeySet | RegistryKeySet | Windows | Microsoft Defender for Endpoint | DeviceRegistryEvents | None | None | None | None |
user | modified | windows registry key value | 4657 | A registry value was modified. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
user | modified | windows registry key value | RegistryValueSet | RegistryValueSet | Windows | Microsoft Defender for Endpoint | DeviceRegistryEvents | None | None | None | None |
user | removed access from | user | 4718 | System security access was removed from an account. | Windows | Microsoft-Windows-Security-Auditing | Security | Policy Change | Authentication Policy Change | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit Authentication Policy Change |
user | removed | firewall rule | 2006 | A rule has been deleted in the Windows Defender Firewall exception list. | Windows | Microsoft-Windows-Windows Firewall With Advanced Security | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | None | None | None | None |
user | removed | firewall rule | DeleteRuleGroup | DeleteRuleGroup | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | removed firewall rule from | ip | DeleteRuleGroup | DeleteRuleGroup | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | requested access to | ad object | 4661 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | DS Access | Directory Service Access | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Access |
user | requested access to | file | 4656 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System |
user | requested access to | file | 4661 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | SAM | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit SAM |
user | requested access to | service | 4656 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Other Object Access Events | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events |
user | requested access to | windows registry key | 4656 | A handle to an object was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Object Access | Registry | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry |
user | requested | ad credential | 4768 | A Kerberos authentication ticket (TGT) was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Account Logon | Kerberos Authentication Service | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> Audit Kerberos Authentication Service |
user | requested | ad credential | 4769 | A Kerberos service ticket was requested. | Windows | Microsoft-Windows-Security-Auditing | Security | Account Logon | Kerberos Service Ticket Operations | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> Audit Kerberos Service Ticket Operations |
user | restored | ad object | 5138 | A directory service object was undeleted. | Windows | Microsoft-Windows-Security-Auditing | Security | DS Access | Directory Service Changes | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes |
user | retrieved information about | cloud service | GetTrail | GetTrail | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | retrieved information about | cloud service | GetTrailStatus | GetTrailStatus | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | retrieved information about | cloud service | DescribeTrails | DescribeTrails | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | retrieved information about | cloud service | GetEventSelectors | GetEventSelectors | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | retrieved information about | cloud service | GetInsightSelectors | GetInsightSelectors | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | retrieved information about cloud service from | ip | GetTrail | GetTrail | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | retrieved information about cloud service from | ip | GetTrailStatus | GetTrailStatus | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | retrieved information about cloud service from | ip | DescribeTrails | DescribeTrails | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | retrieved information about cloud service from | ip | GetEventSelectors | GetEventSelectors | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | retrieved information about cloud service from | ip | GetInsightSelectors | GetInsightSelectors | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | retrieved information about | firewall | DescribeFirewall | DescribeFirewall | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | retrieved information about | firewall | DescribeFirewallPolicy | DescribeFirewallPolicy | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | retrieved information about firewall from | ip | DescribeFirewall | DescribeFirewall | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | retrieved information about firewall from | ip | DescribeFirewallPolicy | DescribeFirewallPolicy | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | retrieved information about | firewall rule | DescribeRuleGroup | DescribeRuleGroup | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | retrieved information about firewall rule from | ip | DescribeRuleGroup | DescribeRuleGroup | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | started | application host | 4103 | Module logging. | Windows | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | Executing Pipeline | None | None | None |
user | started | cloud service | StartLogging | StartLogging | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | started cloud service from | ip | StartLogging | StartLogging | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | stopped | cloud service | StopLogging | StopLogging | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | stopped cloud service from | ip | StopLogging | StopLogging | AWS | CloudTrail | None | AwsApiCall | None | None | None |
user | terminated | logon session | 4634 | An account was logged off. | Windows | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logoff | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logoff |
user | terminated | process | 4689 | A process has exited. | Windows | Microsoft-Windows-Security-Auditing | Security | Detailed Tracking | Process Termination | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Termination |
user | unlocked | user | 4767 | A user account was unlocked. | Windows | Microsoft-Windows-Security-Auditing | Security | Account Management | User Account Management | | Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management |
wmi object | created | None | 5861 | WMI permanent event created. | Windows | Microsoft-Windows-WMI-Activity | Microsoft-Windows-WMI-Activity/Operational | None | None | None | None |
wmi object | created | None | WmiBindEventFilterToConsumer | WmiBindEventFilterToConsumer | Windows | Microsoft Defender for Endpoint | DeviceEvents | None | None | None | None |