SIEM Microsoft Events To Monitor
Related Solution
AIS Managed SIEM
SIEM Events
A monitored security event pattern has occurred
A replay attack was detected May be a harmless false positive due to misconfiguration error
System audit policy was changed
SID History was added to an account
An attempt to add SID History to an account failed
An attempt was made to set the Directory Services Restore Mode
Role separation enabled:
Special groups have been assigned to a new logon
A security setting was updated on the OCSP Responder Service
Encryption of volume started
Encryption of volume stopped
Encryption of volume completed
Decryption of volume started
Decryption of volume stopped
Decryption of volume completed
Conversion worker thread for volume started
Conversion worker thread for volume temporarily stopped
The conversion operation on volume 2 encountered a bad sector error Please validate the data on this volume
Volume 2 contains bad clusters These clusters will be skipped during conversion
Initial state check: Rolling volume conversion transaction on 2
Windows is starting up
Windows is shutting down
An authentication package has been loaded by the Local Security Authority
A trusted logon process has been registered with the Local Security Authority
Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
A notification package has been loaded by the Security Account Manager
Invalid use of LPC port
The system time was changed
A security package has been loaded by the Local Security Authority
An account was successfully logged on
An account failed to log on
An account was logged off
IKE DoS prevention mode started
User initiated logoff
A logon was attempted using explicit credentials
An IPsec Main Mode security association was established Extended Mode was not enabled Certificate authentication was not used
An IPsec Main Mode security association was established Extended Mode was not enabled A certificate was used for authentication
An IPsec Main Mode negotiation failed
An IPsec Main Mode negotiation failed
An IPsec Quick Mode negotiation failed
An IPsec Main Mode security association ended
A handle to an object was requested
A registry value was modified
The handle to an object was closed
A handle to an object was requested with intent to delete
An object was deleted
A handle to an object was requested
An operation was performed on an object
An attempt was made to access an object
An attempt was made to create a hard link
An attempt was made to create an application client context
An application attempted an operation:
An application client context was deleted
An application was initialized
Permissions on an object were changed
An application attempted to access a blocked ordinal through the TBS
Special privileges assigned to new logon
A privileged service was called
An operation was attempted on a privileged object
A new process has been created
A process has exited
An attempt was made to duplicate a handle to an object
Indirect access to an object was requested
Protection of auditable protected data was attempted
Unprotection of auditable protected data was attempted
A primary token was assigned to process
Attempt to install a service
A scheduled task was created
A scheduled task was deleted
A scheduled task was enabled
A scheduled task was disabled
A scheduled task was updated
A user right was assigned
A user right was removed
A trust to a domain was removed
IPsec Services was started
IPsec Services was disabled
PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer
IPsec Services encountered a potentially serious failure
System security access was granted to an account
System security access was removed from an account
A user account was created
A user account was enabled
An attempt was made to change an account’s password
A user account was disabled
A user account was deleted
A member was added to a security enabled global group
A member was removed from a security enabled global group
A security enabled global group was deleted
A security enabled local group was created
A member was added to a security enabled local group
A member was removed from a security enabled local group
A security enabled local group was deleted
A user account was changed
A user account was locked out
A computer account was changed
A computer account was changed
A computer account was deleted
A security disabled local group was created
A security disabled local group was changed
A member was added to a security disabled local group
A member was removed from a security disabled local group
A security disabled local group was deleted
A security disabled global group was created
A security disabled global group was changed
A member was added to a security disabled global group
A member was removed from a security disabled global group
A security disabled global group was deleted
A member was added to a security enabled universal group
A member was removed from a security enabled universal group
A security enabled universal group was deleted
A security disabled universal group was created
A security disabled universal group was changed
A member was added to a security disabled universal group
A member was removed from a security disabled universal group
A user account was unlocked
A Kerberos service ticket was renewed
Kerberos pre authentication failed
A Kerberos authentication ticket request failed
An account was mapped for logon
An account could not be mapped for logon
The domain controller attempted to validate the credentials for an account
The domain controller failed to validate the credentials for an account
A session was reconnected to a Window Station
A session was disconnected from a Window Station
The name of an account was changed:
The password hash an account was accessed
A basic application group was created
A basic application group was changed
A member was added to a basic application group
A member was removed from a basic application group
A nonmember was added to a basic application group
A nonmember was removed from a basic application group
A basic application group was deleted
An LDAP query group was created
The Password Policy Checking API was called
The workstation was locked
The workstation was unlocked
The screen saver was invoked
The screen saver was dismissed
A namespace collision was detected
Certificate Services received a resubmitted certificate request
Certificate Services received a request to publish the certificate revocation list (CRL)
Certificate Services published the certificate revocation list (CRL)
A certificate request extension changed
One or more certificate request attributes changed
Certificate Services received a request to shut down
Certificate Services backup started
Certificate Services backup completed
Certificate Services restore started
Certificate Services restore completed
Certificate Services started
Certificate Services stopped
Certificate Services retrieved an archived key
Certificate Services imported a certificate into its database
Certificate Services received a certificate request
Certificate Services approved a certificate request and issued a certificate
Certificate Services denied a certificate request
Certificate Services set the status of a certificate request to pending
A configuration entry changed in Certificate Services
Certificate Services archived a key
Certificate Services imported and archived a key
Certificate Services published the CA certificate to Active Directory Domain Services
Certificate Services loaded default configuration
The Per user audit policy table was created
An attempt was made to register a security event source
An attempt was made to unregister a security event source
The local policy settings for the TBS were changed
The Group Policy settings for the TBS were changed
An Active Directory replica source naming context was established
An Active Directory replica source naming context was removed
An Active Directory replica source naming context was modified
An Active Directory replica destination naming context was modified
Synchronization of a replica of an Active Directory naming context has begun
Synchronization of a replica of an Active Directory naming context has ended
Attributes of an Active Directory object were replicated
Replication failure begins
Replication failure ends
A lingering object was removed from a replica
The following policy was active when the Windows Firewall started
A rule was listed when the Windows Firewall started
A change has been made to Windows Firewall exception list A rule was added
A change has been made to Windows Firewall exception list A rule was modified
A change has been made to Windows Firewall exception list A rule was deleted
Windows Firewall settings were restored to the default values
A Windows Firewall setting has changed
A rule has been ignored because its major version number was not recognized by Windows Firewall
Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall The other parts of the rule will be enforced
A rule has been ignored by Windows Firewall because it could not parse the rule
Windows Firewall Group Policy settings have changed The new settings have been applied
Windows Firewall has changed the active profile
Windows Firewall did not apply the following rule:
Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
IPsec Main Mode and Extended Mode security associations were established
IPsec Main Mode and Extended Mode security associations were established
IPsec Main Mode and Extended Mode security associations were established
IPsec Main Mode and Extended Mode security associations were established
The state of a transaction has changed
The Windows Firewall Service has started successfully
The Windows Firewall Service has been stopped
The Windows Firewall Service blocked an application from accepting incoming connections on the network
Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network
The Windows Firewall Driver has started successfully
The Windows Firewall Driver has been stopped
A registry key was virtualized
A change has been made to IPsec settings An Authentication Set was added
A change has been made to IPsec settings An Authentication Set was modified
A change has been made to IPsec settings An Authentication Set was deleted
A change has been made to IPsec settings A Connection Security Rule was added
A change has been made to IPsec settings A Connection Security Rule was modified
A change has been made to IPsec settings A Connection Security Rule was deleted
A change has been made to IPsec settings A Crypto Set was added
A change has been made to IPsec settings A Crypto Set was modified
A change has been made to IPsec settings A Crypto Set was deleted
An IPsec Security Association was deleted
An attempt to programmatically disable the Windows Firewall using a call to InetFwProfile FirewallEnabled(False)
A file was virtualized
A cryptographic self test was performed
A cryptographic primitive operation failed
Key file operation
Key migration operation
Verification operation failed
Cryptographic operation
A kernel mode cryptographic self test was performed
A cryptographic provider operation was attempted
A cryptographic context operation was attempted
A cryptographic context modification was attempted
A cryptographic function operation was attempted
A cryptographic function modification was attempted
A cryptographic function provider operation was attempted
A cryptographic function property operation was attempted
A cryptographic function property modification was attempted
A request was submitted to the OCSP Responder Service
Signing Certificate was automatically updated by the OCSP Responder Service
The OCSP Revocation Provider successfully updated the revocation information
A directory service object was modified
A directory service object was created
A directory service object was undeleted
A directory service object was moved
A network share object was accessed
A directory service object was deleted
The Windows Filtering Platform blocked a packet
A more restrictive Windows Filtering Platform filter has blocked a packet
The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections
The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections
The Windows Filtering Platform has allowed a connection
The Windows Filtering Platform has blocked a connection
The Windows Filtering Platform has permitted a bind to a local port
The Windows Filtering Platform has blocked a bind to a local port
The requested credentials delegation was disallowed by policy
The following callout was present when the Windows Filtering Platform Base Filtering Engine started
The following filter was present when the Windows Filtering Platform Base Filtering Engine started
The following provider was present when the Windows Filtering Platform Base Filtering Engine started
The following provider context was present when the Windows Filtering Platform Base Filtering Engine started
The following sublayer was present when the Windows Filtering Platform Base Filtering Engine started
A Windows Filtering Platform callout has been changed
A Windows Filtering Platform filter has been changed
A Windows Filtering Platform provider has been changed
A Windows Filtering Platform provider context has been changed
A Windows Filtering Platform sublayer has been changed
An IPsec Quick Mode security association was established
An IPsec Quick Mode security association ended
PAStore Engine applied Active Directory storage IPsec policy on the computer
PAStore Engine failed to apply Active Directory storage IPsec policy on the computer
PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer
PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer
PAStore Engine applied local registry storage IPsec policy on the computer
PAStore Engine failed to apply local registry storage IPsec policy on the computer
PAStore Engine failed to apply some rules of the active IPsec policy on the computer Use the IP Security Monitor snap in to diagnose the problem
PAStore Engine polled for changes to the active IPsec policy and detected no changes
PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services
PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully
PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead Any changes made to the Active Directory IPsec policy since the last poll could not be applied
PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy The cached copy of the Active Directory IPsec policy is no longer being used
PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes The cached copy of the Active Directory IPsec policy is no longer being used
PAStore Engine loaded local storage IPsec policy on the computer
PAStore Engine failed to load local storage IPsec policy on the computer
PAStore Engine loaded directory storage IPsec policy on the computer
PAStore Engine failed to load directory storage IPsec policy on the computer
PAStore Engine failed to add quick mode filter
IPsec Services has started successfully
IPsec Services has been shut down successfully The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks
A request was made to authenticate to a wireless network
A request was made to authenticate to a wired network
A Remote Procedure Call (RPC) was attempted
An object in the COM+ Catalog was modified
An object was deleted from the COM+ Catalog
An object was added to the COM+ Catalog
The previous system shutdown was unexpected
Security policy in the Group Policy objects has been applied successfully
Network Policy Server granted access to a user
A handle to an object was requested
Object open for delete
IPsec policy agent started
IPsec policy agent disabled
IPsec policy agent
IPsec policy agent encountered a potential serious failure
User Account Type Changed
Quality of Service Policy changed
General account database changed
An error was encountered converting volume
An attempt to automatically restart conversion on volume 2 failed
Metadata write: Volume 2 returning errors while trying to modify metadata If failures continue, decrypt volume
Metadata rebuild: An attempt to write a copy of metadata on volume 2 failed and may appear as disk corruption If failures continue, decrypt volume
Administrator recovered system from CrashOnAuditFail Users who are not administrators will now be allowed to log on Some auditable activity might not have been recorded
SIDs were filtered
Backup of data protection master key was attempted
Recovery of data protection master key was attempted
A new trust was created to a domain
Kerberos policy was changed
Encrypted data recovery policy was changed
The audit policy (SACL) on an object was changed
Trusted domain information was modified
An attempt was made to reset an account’s password
A security enabled global group was created
A security enabled local group was changed
A security enabled global group was changed
Domain Policy was changed
A security enabled universal group was created
A security enabled universal group was changed
A security disabled group was deleted
A group’s type was changed
The ACL was set on accounts which are members of administrators groups
RPC detected an integrity violation while decrypting an incoming message
A trusted forest information entry was added
A trusted forest information entry was removed
A trusted forest information entry was modified
The certificate manager denied a pending certificate request
Certificate Services revoked a certificate
The security permissions for Certificate Services changed
The audit filter for Certificate Services changed
The certificate manager settings for Certificate Services changed
A property of Certificate Services changed
One or more rows have been deleted from the certificate database
The CrashOnAuditFail value has changed
Auditing settings on object were changed
Special Groups Logon table modified
Per User Audit Policy was changed
IPsec dropped an inbound packet that failed an integrity check If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer Verify that the packets sent from the remote computer are the same as those received by this computer This error might also indicate interoperability problems with other IPsec implementations
IPsec dropped an inbound packet that failed a replay check If this problem persists, it could indicate a replay attack against this computer
IPsec dropped an inbound packet that failed a replay check The inbound packet had too low a sequence number to ensure it was not a replay
IPsec dropped an inbound clear text packet that should have been secured This is usually due to the remote computer changing its IPsec policy without informing this computer This could also be a spoofing attack attempt
IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI) This is usually caused by malfunctioning hardware that is corrupting packets If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer This error may also indicate interoperability problems with other IPsec implementations In that case, if connectivity is not impeded, then these events can be ignored
During Main Mode negotiation, IPsec received an invalid negotiation packet If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation
During Quick Mode negotiation, IPsec received an invalid negotiation packet If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation
During Extended Mode negotiation, IPsec received an invalid negotiation packet If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation
An IPsec Extended Mode negotiation failed The corresponding Main Mode security association has been deleted
An IPsec Extended Mode negotiation failed The corresponding Main Mode security association has been deleted
The Windows Firewall Service was unable to retrieve the security policy from the local storage The service will continue enforcing the current policy
The Windows Firewall Service was unable to parse the new security policy The service will continue with currently enforced policy
The Windows Firewall Service failed to initialize the driver The service will continue to enforce the current policy
The Windows Firewall Service failed to start
The Windows Firewall Driver failed to start
The Windows Firewall Driver detected critical runtime error Terminating
Code integrity determined that the image hash of a file is not valid The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error
OCSP Responder Service Started
OCSP Responder Service Stopped
A configuration entry changed in OCSP Responder Service
A configuration entry changed in OCSP Responder Service
Credential Manager credentials were backed up
Credential Manager credentials were restored from a backup
An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started
IPsec Services failed to get the complete list of network interfaces on the computer This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters Use the IP Security Monitor snap in to diagnose the problem
IPsec Services failed to initialize RPC server IPsec Services could not be started
IPsec Services has experienced a critical failure and has been shut down The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks
IPsec Services failed to process some IPsec filters on a plug and play event for network interfaces This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters Use the IP Security Monitor snap in to diagnose the problem
One or more errors occurred while processing security policy in the Group Policy objects
Network Policy Server denied access to a user
Network Policy Server discarded the request for a user
Network Policy Server discarded the accounting request for a user
Network Policy Server quarantined a user
Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy
Network Policy Server granted full access to a user because the host met the defined health policy
Network Policy Server locked the user account due to repeated failed authentication attempts
Network Policy Server unlocked the user account
Possible denial of service (DoS) attack
The audit log was cleared
Last modified
September 14, 2021