|
ACCOUNT_LOGON_SUCCESSFUL
|
LOGIN
|
ACCOUNT
|
|
ACL_SET_ON_ACCOUNT
|
SET
|
ACCOUNT
|
|
ACCOUNT_COULD_NOT_MAP_FOR_LOGON
|
LOGIN
|
ACCOUNT
|
|
ACCOUNT_FAILED_TO_LOGON
|
LOGIN
|
ACCOUNT
|
|
ACCOUNT_MAPPED_FOR_LOGON
|
LOGIN
|
ACCOUNT
|
|
ASSIGNED_PRIMARY_TOKEN_TO_PROCESS
|
ASSIGN
|
PROCESS
|
|
ATTEMPT_MADE_TO_REGISTER_SECURITY_EVENT_SOURCE
|
REGISTER
|
LOG
|
|
ATTEMPT_MADE_TO_UNREGISTER_SECURITY_EVENT_SOURCE
|
UNREGISTER
|
LOG
|
|
ATTEMPT_TO_ADD_SID_HISTORY_TO_ACCOUNT_FAILED
|
INSERT
|
ACCOUNT
|
|
ATTEMPT_TO_QUERY_EXISTANCE_OF_BLANK_PASSWORD_FOR_ACCOUNT
|
ANALYZE
|
ACCOUNT
|
|
ATTEMPTED_TO_MODIFY_ACCOUNT_PASSWORD
|
UPDATE
|
ACCOUNT
|
|
ATTEMPTED_TO_RESET_ACCOUNT_PASSWORD
|
RESET
|
ACCOUNT
|
|
ATTEMPTED_TO_VALIDATE_ACCOUNT_CREDENTIAL
|
VALIDATE
|
ACCOUNT
|
|
AUDIT_FILTER_FOR_CERTIFICATE_SERVICE_CHANGED
|
UPDATE
|
SERVICE
|
|
BACKED_UP_CREDENTIAL_MANAGER_CREDENTIALS
|
BACKUP
|
MANAGER
|
|
BASIC_APPLICATION_GROUP_CREATED
|
CREATE
|
GROUP
|
|
BASIC_APPLICATION_GROUP_DELETED
|
DELETE
|
GROUP
|
|
BASIC_APPLICATION_GROUP_MODIFIED
|
UPDATE
|
GROUP
|
|
CENTRAL_ACCESS_POLICIES_ON_THE_MACHINE_HAVE_BEEN_CHANGED
|
UPDATE
|
POLICY
|
|
CENTRAL_ACCESS_POLICY_ON_THE_OBJECT_CHANGED
|
UPDATE
|
OBJECT
|
|
CERTIFICATE_MANAGER_SETTINGS_FOR_CERTIFICATE_SERVICE_MODIFIED
|
UPDATE
|
SERVICE
|
|
CERTIFICATE_REQUEST_ATTRIBUTES_MODIFIED
|
UPDATE
|
CERTIFICATE
|
|
CERTIFICATE_REQUEST_EXTENSION_MODIFIED
|
UPDATE
|
CERTIFICATE
|
|
CERTIFICATE_SERVICES_PUBLISHED_CRL
|
PUBLISH
|
CRL
|
|
CERTIFICATE_SERVICE_APPROVED_CERTIFICATE_REQUEST_AND_ISSUED_CERTIFICATE
|
GRANT
|
SERVICE
|
|
CERTIFICATE_SERVICE_ARCHIVED_KEY
|
ARCHIVE
|
SERVICE
|
|
CERTIFICATE_SERVICE_BACKUP_COMPLETED
|
BACKUP
|
SERVICE
|
|
CERTIFICATE_SERVICE_BACKUP_STARTED
|
BACKUP
|
SERVICE
|
|
CERTIFICATE_SERVICE_CONFIGURATION_ENTRY_MODIFIED
|
UPDATE
|
SERVICE
|
|
CERTIFICATE_SERVICE_DENIED_CERTIFICATE_REQUEST
|
DENY
|
SERVICE
|
|
CERTIFICATE_SERVICE_IMPORTED_AND_ARCHIVED_KEY
|
ARCHIVE
|
SERVICE
|
|
CERTIFICATE_SERVICE_IMPORTED_CERTIFICATE_IN_ITS_DATABASE
|
IMPORT
|
SERVICE
|
|
CERTIFICATE_SERVICE_LOADED_TEMPLATE
|
LOAD
|
TEMPLATE
|
|
CERTIFICATE_SERVICE_PROPERTY_MODIFIED
|
UPDATE
|
SERVICE
|
|
CERTIFICATE_SERVICE_RETRIEVED_ARCHIVED_KEY
|
RETRIEVE
|
SERVICE
|
|
CERTIFICATE_SERVICE_RECEIVED_CERTIFICATE_REQUEST
|
RECEIVE
|
SERVICE
|
|
CERTIFICATE_SERVICE_RECEIVED_SHUT_DOWN_REQUEST
|
RECEIVE
|
SERVICE
|
|
CERTIFICATE_SERVICE_RESTORE_STARTED
|
RESTORE
|
SERVICE
|
|
CERTIFICATE_SERVICE_RESTORE_COMPLETED
|
RESTORE
|
SERVICE
|
|
CERTIFICATE_SERVICE_SECURITY_PERMISSIONS_MODIFIED
|
UPDATE
|
SERVICE
|
|
CERTIFICATE_SERVICE_SET_CERTIFICATE_REQUEST_STATUS_TO_PENDING
|
SET
|
SERVICE
|
|
CERTIFICATE_SERVICE_STARTED
|
START
|
SERVICE
|
|
CERTIFICATE_SERVICE_STOPPED
|
STOP
|
SERVICE
|
|
CERTIFICATE_SERVICE_PUBLISHED_CA_CERTIFICATE_TO_ACTIVE_DIRECTORY_DOMAIN_SERVICES
|
PUBLISH
|
SERVICE
|
|
CERTIFICATE_SERVICES_RECEIVED_RESUBMITTED_CERTIFICATE_REQUEST
|
RECEIVE
|
CERTIFICATE
|
|
CERTIFICATE_SERVICES_RECEIVED_CERTIFICATE_REVOKATION_LIST_PUBLISH_REQUEST
|
RECEIVE
|
CRL
|
|
CERTIFICATE_SERVICES_REVOKED_CERTIFICATE
|
REVOKE
|
CERTIFICATE
|
|
COMPUTER_ACCOUNT_CREATED
|
CREATE
|
ACCOUNT
|
|
COMPUTER_ACCOUNT_DELETED
|
DELETE
|
ACCOUNT
|
|
COMPUTER_ACCOUNT_MODIFIED
|
UPDATE
|
ACCOUNT
|
|
CHANGED_TYPE_OR_SCOPE_OF_GROUP
|
UPDATE
|
GROUP
|
|
CREATED_USER_ACCOUNT
|
CREATE
|
ACCOUNT
|
|
CREATED_NEW_PROCESS
|
START
|
PROCESS
|
|
DISABLED_USER_ACCOUNT
|
DISABLE
|
ACCOUNT
|
|
DELETED_USER_ACCOUNT
|
DELETE
|
ACCOUNT
|
|
ENABLED_USER_ACCOUNT
|
ENABLE
|
ACCOUNT
|
|
EXITED_PROCESS
|
STOP
|
PROCESS
|
|
FAILED_TO_VALIDATE_ACCOUNT_CREDENTIAL
|
VALIDATE
|
ACCOUNT
|
|
KERBEROS_AUTHENTICATE_TICKET_REQUEST
|
AUTHENTICATE
|
SYSTEM
|
|
KERBEROS_PRE_AUTHENTICATION_FAILED
|
AUTHENTICATE
|
SYSTEM
|
|
KERBEROS_AUTHENTICATION_TICKET_REQUEST_FAILED
|
AUTHENTICATE
|
SYSTEM
|
|
KERBEROS_SERVICE_TICKET_REQUESTED
|
REQUEST
|
SYSTEM
|
|
KERBEROS_SERVICE_TICKET_RENEWED
|
RENEW
|
SYSTEM
|
|
MEMBER_ADDED_TO_BASIC_APPLICATION_GROUP
|
UPDATE
|
GROUP
|
|
MEMBER_REMOVED_FROM_BASIC_APPLICATION_GROUP
|
UPDATE
|
GROUP
|
|
NON-MEMBER_ADDED_TO_BASIC_APPLICATION_GROUP
|
UPDATE
|
GROUP
|
|
NON-MEMBER_REMOVED_FROM_BASIC_APPLICATION_GROUP
|
UPDATE
|
GROUP
|
|
LDAP_QUERY_GROUP_CREATED
|
CREATE
|
GROUP
|
|
SECURITY-DISABLED_LOCAL_GROUP_CREATED
|
CREATE
|
GROUP
|
|
SECURITY-DISABLED_LOCAL_GROUP_MODIFIED
|
UPDATE
|
GROUP
|
|
MEMBER_ADDED_TO_SECURITY-DISABLED_LOCAL_GROUP
|
UPDATE
|
GROUP
|
|
MEMBER_REMOVED_FROM_SECURITY-DISABLED_LOCAL_GROUP
|
UPDATE
|
GROUP
|
|
SECURITY-DISABLED_LOCAL_GROUP_DELETED
|
DELETE
|
GROUP
|
|
SECURITY-DISABLED_GLOBAL_GROUP_CREATED
|
CREATE
|
GROUP
|
|
SECURITY-DISABLED_GLOBAL_GROUP_MODIFIED
|
UPDATE
|
GROUP
|
|
MEMBER_ADDED_TO_SECURITY-DISABLED_GLOBAL_GROUP
|
UPDATE
|
GROUP
|
|
MEMBER_REMOVED_FROM_SECURITY-DISABLED_GLOBAL_GROUP
|
UPDATE
|
GROUP
|
|
SECURITY-DISABLED_GLOBAL_GROUP_DELETED
|
DELETE
|
GROUP
|
|
SECURITY-DISABLED_UNIVERSAL_GROUP_CREATED
|
CREATE
|
GROUP
|
|
SECURITY-DISABLED_UNIVERSAL_GROUP_MODIFIED
|
UPDATE
|
GROUP
|
|
MEMBER_ADDED_TO_SECURITY-DISABLED_UNIVERSAL_GROUP
|
UPDATE
|
GROUP
|
|
MEMBER_REMOVED_FROM_SECURITY-DISABLED_UNIVERSAL_GROUP
|
UPDATE
|
GROUP
|
|
SECURITY-DISABLED_UNIVERSAL_GROUP_DELETED
|
DELETE
|
GROUP
|
|
PASSWORD_POLICY_CHECKING_API_CALLED
|
CALL
|
POLICY
|
|
SECURITY-ENABLED_GLOBAL_GROUP_CREATED
|
CREATE
|
GROUP
|
|
MEMBER_ADDED_TO_SECURITY-ENABLED_GLOBAL_GROUP
|
UPDATE
|
GROUP
|
|
MEMBER_REMOVED_FROM_SECURITY-ENABLED_GLOBAL_GROUP
|
UPDATE
|
GROUP
|
|
SECURITY-ENABLED_GLOBAL_GROUP_DELETED
|
DELETE
|
GROUP
|
|
SECURITY-ENABLED_LOCAL_GROUP_CREATED
|
CREATE
|
GROUP
|
|
MEMBER_ADDED_TO_SECURITY-ENABLED_LOCAL_GROUP
|
UPDATE
|
GROUP
|
|
MEMBER_REMOVED_FROM_SECURITY-ENABLED_LOCAL_GROUP
|
UPDATE
|
GROUP
|
|
SECURITY-ENABLED_LOCAL_GROUP_DELETED
|
DELETE
|
GROUP
|
|
SECURITY-ENABLED_LOCAL_GROUP_MODIFIED
|
UPDATE
|
GROUP
|
|
SECURITY-ENABLED_GLOBAL_GROUP_MODIFIED
|
UPDATE
|
GROUP
|
|
SECURITY-ENABLED_UNIVERSAL_GROUP_CREATED
|
CREATE
|
GROUP
|
|
SECURITY-ENABLED_UNIVERSAL_GROUP_MODIFIED
|
UPDATE
|
GROUP
|
|
MEMBER_ADDED_TO_SECURITY-ENABLED_UNIVERSAL_GROUP
|
UPDATE
|
GROUP
|
|
MEMBER_REMOVED_FROM_SECURITY-ENABLED_UNIVERSAL_GROUP
|
UPDATE
|
GROUP
|
|
SECURITY-ENABLED_UNIVERSAL_GROUP_DELETED
|
DELETE
|
GROUP
|
|
MODIFIED_USER_ACCOUNT
|
UPDATE
|
ACCOUNT
|
|
LOCKED_OUT_USER_ACCOUNT
|
LOCK
|
ACCOUNT
|
|
SID_HISTORY_ADDED_TO_ACCOUNT
|
UPDATE
|
ACCOUNT
|
|
UNLOCKED_USER_ACCOUNT
|
UNLOCK
|
ACCOUNT
|
|
MODIFIED_ACCOUNT_NAME
|
UPDATE
|
ACCOUNT
|
|
MODIFIED_DIRECTORY_SERVICE_RESTORE_MODE_ADMIN_PASSWORD
|
UPDATE
|
SERVICE
|
|
RESTORED_CREDENTIAL_MANAGER_CREDENTIALS
|
RESTORE
|
MANAGER
|
|
REMOTE_PROCEDURE_CALL_ATTEMPTED
|
REMOTE CALL
|
PROCEDURE
|
|
LOGGED_OFF_ACCOUNT
|
LOGOUT
|
ACCOUNT
|
|
USER_INITIATED_LOGOFF
|
LOGOUT
|
ACCOUNT
|
|
LOGON_ATTEMPTED_USING_EXPLICIT_CREDENTIAL
|
LOGIN
|
SYSTEM
|
|
NETWORK_POLICY_SERVER_GRANTED_USER_ACCESS
|
GRANT
|
USER
|
|
NETWORK_POLICY_SERVER_DENIED_USER_ACCESS
|
DENY
|
USER
|
|
NETWORK_POLICY_SERVER_DISCARDED_USER_REQUEST
|
DENY
|
USER
|
|
NETWORK_POLICY_SERVER_DISCARDED_USER_ACCOUNTING_REQUEST
|
DENY
|
USER
|
|
NETWORK_POLICY_SERVER_QUARANTINED_USER
|
QUARANTINE
|
USER
|
|
NETWORK_POLICY_SERVER_GRANTED_USER_ACCESS_WITH_PROBATION
|
GRANT
|
USER
|
|
NETWORK_POLICY_SERVER_GRANTED_FULL_ACCESS
|
GRANT
|
USER
|
|
NETWORK_POLICY_SERVER_LOCKED_USER_ACCOUNT
|
LOCK
|
ACCOUNT
|
|
NETWORK_POLICY_SERVER_UNLOCKED_USER_ACCOUNT
|
UNLOCK
|
ACCOUNT
|
|
REPLAY_ATTACK_DETECTED
|
GET
|
SYSTEM
|
|
SESSION_RECONNECTED_TO_WORKSTATION
|
CONNECT
|
WORKSTATION
|
|
SESSION_DISCONNECTED_FROM_WORKSTATION
|
DISCONNECT
|
WORKSTATION
|
|
LOCKED_WORKSTATION
|
LOCK
|
WORKSTATION
|
|
UNLOCKED_WORKSTATION
|
UNLOCK
|
WORKSTATION
|
|
INVOKED_SCREEN_SAVER
|
CALL
|
SCREEN SAVER
|
|
DISMISSED_SCREEN_SAVER
|
ABORT RELEASE
|
SCREEN SAVER
|
|
REQUESTED_CREDENTIAL_DELEGATION_DISALLOWED_BY_POLICY
|
DENY
|
ACCOUNT
|
|
REQUEST_MADE_TO_AUTHENTICATE_WIRELESS_NETWORK
|
AUTHENTICATE
|
NETWORK
|
|
REQUEST_MADE_TO_AUTHENTICATE_WIRED_NETWORK
|
AUTHENTICATE
|
NETWORK
|
|
SPECIAL_GROUP_ASSIGNED_TO_LOGON
|
ASSIGN
|
ACCOUNT
|
|
ROWS_DELETED_FROM_CERTIFICATE_DATABASE
|
DELETE
|
DATABASE
|
|
ENABLED_ROLE_SEPERATION_ON_CERTIFICATION_AUTHORITY
|
ENABLE
|
ROLE
|
|
NETWORK_SHARE_OBJECT_ACCESSED
|
ACCESS
|
OBJECT
|
|
ATTEMPT_MADE_TO_CREATE_HARD_LINK
|
CREATE
|
FILE
|
|
TRANSACTION_STATE_CHANGED
|
UPDATE
|
SYSTEM
|
|
FILE_WAS_VIRTUALIZED
|
ASSIGN
|
FILE
|
|
SE_AUDITID_ETW_FIREWALL_APP_BLOCKED_FROM_LISTENING
|
BLOCK
|
APPLICATION
|
|
WINDOWS_FILTERING_PLATFORM_PERMITTED_APPLICATION_TO_LISTEN_ON_PORT
|
GRANT
|
APPLICATION
|
|
WINDOWS_FILTERING_PLATFORM_BLOCKED_APPLICATION_FROM_LISTENING_ON_PORT
|
BLOCK
|
APPLICATION
|
|
WINDOWS_FILTERING_PLATFORM_BLOCKED_CONNECTION
|
BLOCK
|
CONNECTION
|
|
WINDOWS_FILTERING_PLATFORM_PERMITTED_BIND_TO_LOCAL_PORT
|
GRANT
|
PORT
|
|
WINDOWS_FILTERING_PLATFORM_BLOCKED_BIND_TO_LOCAL_PORT
|
BLOCK
|
PORT
|
|
WINDOWS_FILTERING_PLATFORM_BLOCKED_PACKET
|
BLOCK
|
PACKET
|
|
RESTRICTIVE_WINDOWS_FILTERING_PLATFORM_BLOCKED_PACKET
|
BLOCK
|
PACKET
|
|
HANDLE_TO_OBJECT_REQUESTED
|
REQUEST
|
OBJECT
|
|
HANDLE_TO_OBJECT_CLOSED
|
CLOSE
|
OBJECT
|
|
ATTEMPT_MADE_TO_DUPLICATE_HANDLE_TO_OBJECT
|
ACCESS
|
OBJECT
|
|
APPLICATION_ATTEMPTED_TO_ACCESS_BLOCKED_ORDINAL
|
ACCESS
|
ORDINAL
|
|
INDIRECT_ACCESS_TO_OBJECT_REQUESTED
|
ACCESS
|
OBJECT
|
|
CREATED_SCHEDULED_TASK
|
CREATE
|
TASK
|
|
DELETED_SCHEDULED_TASK
|
DELETE
|
TASK
|
|
ENABLED_SCHEDULED_TASK
|
ENABLE
|
TASK
|
|
DISABLED_SCHEDULED_TASK
|
DISABLE
|
TASK
|
|
UPDATED_SCHEDULED_TASK
|
UPDATE
|
TASK
|
|
OBJECT_IN_COM+_CATALOG_MODIFIED
|
UPDATE
|
OBJECT
|
|
OBJECT_DELETED_FROM_COM+_CATALOG
|
DELETE
|
OBJECT
|
|
OBJECT_ADDED_TO_COM+_CATALOG
|
INSERT
|
OBJECT
|
|
MODIFIED_REGISTRY_VALUE
|
UPDATE
|
REGISTRY
|
|
VIRTUALIZED_REGISTRY_KEY
|
ASSIGN
|
REGISTRY
|
|
HANDLE_TO_OBJECT_REQUESTED_WITH_DELETE_INTENT
|
REQUEST
|
OBJECT
|
|
OBJECT_DELETED
|
DELETE
|
OBJECT
|
|
HANDLE_TO_OBJECT_REQUESTED
|
REQUEST
|
OBJECT
|
|
OBJECT_ACCESS_ATTEMPTED
|
ACCESS
|
OBJECT
|
|
AUDIT_POLICY_ON_OBJECT_CHANGED
|
AUDIT
|
POLICY
|
|
SYSTEM_AUDIT_POLICY_CHANGED
|
AUDIT
|
POLICY
|
|
CRASHONAUDITFAIL_VALUE_MODIFIED
|
UPDATE
|
CRASHONAUDITFAIL
|
|
MODIFIED_AUDITING_SETTINGS_ON_OBJECT
|
AUDIT
|
OBJECT
|
|
MODIFIED_SPECIAL_GROUPS_LOGON_TABLE
|
UPDATE
|
GROUP
|
|
MODIFIED_PER_USER_AUDIT_POLICY
|
AUDIT
|
POLICY
|
|
KERBEROS_POLICY_MODIFIED
|
UPDATE
|
POLICY
|
|
TRUSTED_DOMAIN_INFORMATION_MODIFIED
|
UPDATE
|
DOMAIN
|
|
GRANTED_SYSTEM_SECURITY_ACCESS_TO_ACCOUNT
|
GRANT
|
ACCOUNT
|
|
REMOVED_SYSTEM_SECURITY_ACCESS_FROM_ACCOUNT
|
DROP
|
ACCOUNT
|
|
MODIFIED_DOMAIN_POLICY
|
UPDATE
|
DOMAIN
|
|
NAMESPACE_COLLISION_DETECTED
|
GET
|
NAMESPACE
|
|
TRUSTED_FOREST_INFORMATION_ENTRY_ADDED
|
INSERT
|
INFORMATION
|
|
TRUSTED_FOREST_INFORMATION_ENTRY_REMOVED
|
DROP
|
INFORMATION
|
|
TRUSTED_FOREST_INFORMATION_ENTRY_MODIFIED
|
UPDATE
|
INFORMATION
|
|
USER_RIGHT_ASSIGNED
|
ASSIGN
|
PRIVILEGE
|
|
USER_RIGHT_REMOVED
|
DROP
|
PRIVILEGE
|
|
NEW_TRUST_CREATED_TO_DOMAIN
|
CREATE
|
DOMAIN
|
|
TRUST_TO_DOMAIN_REMOVED
|
DROP
|
DOMAIN
|
|
ENCRYPTED_DATA_RECOVERY_POLICY_MODIFIED
|
UPDATE
|
POLICY
|
|
SE_AUDITID_ETW_IPSEC_POLICY_START
|
START
|
SERVICE
|
|
SE_AUDITID_ETW_IPSEC_POLICY_DISABLED
|
DISABLE
|
SERVICE
|
|
APPLIED_PASTORE_ENGINE
|
APPLY
|
ENGINE
|
|
SE_AUDITID_ETW_IPSEC_POLICY_FAILURE
|
EXECUTE
|
SERVICE
|
|
SE_AUDITID_ETW_IPSEC_AUTHENTICATION_SET_ADD
|
INSERT
|
SETTING
|
|
SE_AUDITID_ETW_IPSEC_AUTHENTICATION_SET_CHANGE
|
UPDATE
|
SETTING
|
|
SE_AUDITID_ETW_IPSEC_AUTHENTICATION_SET_DELETE
|
DELETE
|
SETTING
|
|
SE_AUDITID_ETW_IPSEC_CONNECTION_SECURITY_ADD
|
INSERT
|
SETTING
|
|
SE_AUDITID_ETW_IPSEC_CONNECTION_SECURITY_CHANGE
|
UPDATE
|
SETTING
|
|
SE_AUDITID_ETW_IPSEC_CONNECTION_SECURITY_DELETE
|
DELETE
|
SETTING
|
|
SE_AUDITID_ETW_IPSEC_CRYPTO_SET_ADD
|
ADD
|
SETTINGS
|
|
SE_AUDITID_ETW_IPSEC_CRYPTO_SET_CHANGE
|
MODIFY
|
SETTINGS
|
|
SE_AUDITID_ETW_IPSEC_CRYPTO_SET_DELETE
|
DELETE
|
SETTINGS
|
|
WINDOWS_FILTERING_PLATFORM_CALLOUTS_MODIFIED
|
UPDATE
|
CALLOUT
|
|
WINDOWS_FILTERING_PLATFORM_PROVIDER_MODIFIED
|
UPDATE
|
PROVIDER
|
|
WINDOWS_FILTERING_PLATFORM_PROVIDER_CONTEXT_MODIFIED
|
UPDATE
|
CONTEXT
|
|
WINDOWS_FILTERING_PLATFORM_SUBLAYER_MODIFIED
|
UPDATE
|
SUBLAYER
|
|
SE_AUDITID_ETW_FIREWALL_STARTUP_STATE
|
START
|
FIREWALL
|
|
SE_AUDITID_ETW_FIREWALL_STARTUP_STATE_RULE
|
READ
|
RULE
|
|
SE_AUDITID_ETW_FIREWALL_RULE_ADD
|
INSERT
|
RULE
|
|
SE_AUDITID_ETW_FIREWALL_RULE_CHANGE
|
UPDATE
|
RULE
|
|
SE_AUDITID_ETW_FIREWALL_RULE_DELETE
|
DELETE
|
RULE
|
|
SE_AUDITID_ETW_FIREWALL_RESTORE_DEFAULTS
|
RESTORE
|
FIREWALL
|
|
SE_AUDITID_ETW_FIREWALL_SETTING_CHANGE
|
UPDATE
|
FIREWALL
|
|
SE_AUDITID_ETW_FIREWALL_GROUP_POLICY_CHANGED
|
UPDATE
|
FIREWALL
|
|
SE_AUDITID_ETW_FIREWALL_PROFILE_CHANGE
|
UPDATE
|
PROFILE
|
|
WINDOWS_FILTERING_PLATFORM_CHANGED_FILTER
|
UPDATE
|
FILTER
|
|
ERROR_OCCURED_WHILE_PROCESSING_SECURITY_POLICY_IN_GROUP_POLICY_OBJECTS
|
GET
|
POLICY
|
|
OBJECT_PERMISSION_MODIFIED
|
UPDATE
|
OBJECT
|
|
SPECIAL_PRIVILEGES_ASSIGNED_TO_NEW_LOGON
|
ASSIGN
|
ACCOUNT
|
|
PRIVILEGED_SERVICE_CALLED
|
CALL
|
SERVICE
|
|
OPERATION_ATTEMPTED_ON_PRIVILEGED_OBJECT
|
EXECUTE
|
OBJECT
|
|
IPSEC_DROPPED_INBOUND_PACKET_THAT_FAILED_INTEGRITY_CHECK
|
DROP
|
PACKET
|
|
IPSEC_DROPPED_INBOUND_PACKET_THAT_FAILED_REPLAY_BACK
|
DROP
|
PACKET
|
|
IPSEC_DROPPED_INBOUND_PACKET_THAT_FAILED_REPLAY_BACK
|
DROP
|
PACKET
|
|
IPSEC_DROPPED_INSECURE_CLEAR_TEXT_PACKET
|
DROP
|
PACKET
|
|
IPSEC_RECEIVED_PACKET_FROM_REMOTE_COMPUTER_WITH_INCORRECT_SPI
|
RECEIVE
|
PACKET
|
|
SE_AUDITID_ETW_POLICYAGENT_IPSECSVC_SUCCESSFUL_START
|
START
|
SERVICE
|
|
SE_AUDITID_ETW_POLICYAGENT_IPSECSVC_SUCCESSFUL_SHUTDOWN
|
STOP
|
SERVICE
|
|
SE_AUDITID_ETW_POLICYAGENT_IPSECSVC_INTERFACE_LIST_INCOMPLETE
|
GET
|
INTERFACE
|
|
SE_AUDITID_ETW_POLICYAGENT_IPSECSVC_RPC_INIT_FAILURE
|
INITIALIZE
|
SERVICE
|
|
SE_AUDITID_ETW_POLICYAGENT_IPSECSVC_ERROR_SHUTDOWN
|
STOPE
|
SERVICE
|
|
SE_AUDITID_ETW_POLICYAGENT_IPSECSVC_FAILED_PNP_FILTER_PROCESSING
|
EXECUTE
|
FILTER
|
|
SE_AUDITID_ETW_MPSFIREWALL_SERVICE_STARTUP
|
START
|
FIREWALL
|
|
SE_AUDITID_ETW_MPSFIREWALL_STOPPED
|
STOP
|
FIREWALL
|
|
SE_AUDITID_ETW_MPSFIREWALL_GET_POLICY_FAILURE
|
RETRIEVE
|
FIREWALL
|
|
SE_AUDITID_ETW_MPSFIREWALL_PARSE_POLICY_FAILURE
|
READ
|
POLICY
|
|
SE_AUDITID_ETW_MPSFIREWALL_INIT_DRIVER_FAILURE
|
INITIALIZE
|
DRIVER
|
|
SE_AUDITID_ETW_MPSFIREWALL_SERVICE_STARTUP_FAILURE
|
START
|
SERVICE
|
|
SE_AUDITID_ETW_FIREWALL_UPCALL_NOTIFICATION_ERROR
|
NOTIFY
|
FIREWALL
|
|
SE_AUDITID_ETW_MPSFIREWALL_DRIVER_STARTED
|
START
|
DRIVER
|
|
SE_AUDITID_ETW_MPSFIREWALL_DRIVER_STOPPED
|
STOP
|
DRIVER
|
|
SE_AUDITID_ETW_MPSFIREWALL_DRIVER_STARTUP_FAILURE
|
START
|
DRIVER
|
|
SE_AUDITID_ETW_MPSFIREWALL_DRIVER_CRITICAL_ERROR
|
STOP
|
DRIVER
|
|
KEY_FILE_OPERATION
|
READ
|
KEY
|
|
KEY_MIGRATION_OPERATION
|
MIGRATE
|
KEY
|
|
WINDOWS_STARTING_UP
|
STARTUP
|
OS
|
|
WINDOWS_SHUTTING_DOWN
|
SHUTDOWN
|
OS
|
|
SYSTEM_TIME_CHANGED
|
UPDATE
|
SYSTEM TIME
|
|
ADMINISTRATOR_RECOVERED_SYSTEM_FROM_CRASHONAUDITFAIL
|
RECOVER
|
SYSTEM
|
|
LOCAL_SECURITY_AUTHORITY_LOADED_AUTHENTICATION_PACKAGE
|
LOAD
|
AUTHORITY
|
|
TRUSTED_LOGON_PROCESS_REGISTERED_WITH_LOCAL_SECURITY_AUTHORITY
|
REGISTER
|
PROCESS
|
|
SECURITY_ACCOUNT_MANAGER_LOADED_NOTIFICATION_PACKAGE
|
LOAD
|
MANAGER
|
|
LOCAL_SECURITY_AUTHORITY_LOADED_SECURITY_PACKAGE
|
LOAD
|
AUTHORITY
|
|
SERVICE_INSTALLED_IN_SYSTEM
|
INSTALL
|
SERVICE
|
|
EXHAUSTED_INTERNAL_RESOURCES_ALLOCATED_FOR_QUEUING_OF_AUDIT_MESSAGES
|
EXCEED
|
MESSAGES
|
|
INVALID_USE_LOCAL_PROCEDURE_CALL_PORT_BY_AN_APPLICATION
|
INVALID
|
PORT
|
|
MONITORED_SECURITY_EVENT_PATTERN_OCCURRED
|
RECEIVE
|
PATTERN
|
|
RPC_DETECTED_INTEGRITY_VIOLATION_WHILE_DECRYPTING_INCOMING_MESSAGE
|
GET
|
MESSAGE
|
|
DETERMINED_INVALID_IMAGE_HASH_OF_FILE
|
CALCULATE
|
FILE
|
|
CRYPTOGRAPHIC_PRIMITIVE_OPERATION_FAILED
|
EXECUTE
|
OPERATION
|
|
VERIFICATION_OPERATION_FAILED
|
VALIDATE
|
OPERATION
|
|
CRYPTROGRAPHIC_OPERATION
|
EXECUTE
|
OPERATION
|
|
LDAP_QUERY_GROUP_MODIFIED
|
UPDATE
|
GROUP
|
|
LDAP_QUERY_GROUP_DELETED
|
DELETE
|
GROUP
|
|
CERTIFICATE_SERVICE_TEMPLATE_MODIFIED
|
UPDATE
|
TEMPLATE
|
|
CERTIFICATE_SERVICE_TEMPLATE_SECURITY_MODIFIED
|
UPDATE
|
TEMPLATE
|
|
OCSP_RESPONDER_SERVICE_STARTED
|
START
|
SERVICE
|
|
OCSP_RESPONDER_SERVICE_STOPPED
|
STOP
|
SERVICE
|
|
CONFIGURATION_ENTRY_CHANGED_IN_OCSP_RESPONDER_SERVICE
|
UPDATE
|
SERVICE
|
|
CONFIGURATION_ENTRY_CHANGED_IN_OCSP_RESPONDER_SERVICE
|
UPDATE
|
SERVICE
|
|
SECURITY_SETTING_MODIFIED_ON_OCSP_RESPONDER_SERVICE
|
UPDATE
|
SERVICE
|
|
REQUEST_SUBMITTED_TO_OCSP_RESPONDER_SERVICE
|
SUBMIT
|
SERVICE
|
|
OCSP_RESPODER_SERVICE_AUTOMATICALLY_MODIFIED_SIGNING_CERTIFICATE
|
UPDATE
|
CERTIFICATE
|
|
OCSP_REVOCATION_PROVIDER_UPDATED_REVOCATION_INFORMATION
|
UPDATE
|
INFORMATION
|
|
AUDIT_LOG_CLEARED
|
DELETE
|
AUDIT LOG
|
|
EVENT_LOGGING_SERVICE_HAS_SHUTDOWN
|
STOP
|
SERVICE
|
|
SECURITY_LOG_IS_FULL
|
EXCEED
|
AUDIT LOG
|
|
NETWORK_SHARE_OBJECT_ADDED
|
INSERT
|
OBJECT
|
|
NETWORK_SHARE_OBJECT_MODIFIED
|
UPDATE
|
OBJECT
|
|
NETWORK_SHARE_OBJECT_DELETED
|
DELETE
|
OBJECT
|
|
MODIFIED_AUDITING_SETTINGS_ON_OBJECT
|
AUDIT
|
OBJECT
|
|
NETWORK_SHARE_OBJECT_CHECKED_TO_SEE_CLIENT_GRANTED_DESIRED_ACCESS
|
VALIDATE
|
OBJECT
|
|
USER_DEVICE_CLAIMS_INFORMATION
|
LOGIN
|
ACCOUNT
|
|
PROPOSED_CENTRAL_ACCESS_POLICY_DOES_NOT_GRANT_SAME_ACCESS_PERMISSIONS_AS_CURRENT
|
UPDATE
|
POLICY
|
|
RESOURCE_ATTRIBUTES_OF_THE_OBJECT_CHANGED
|
UPDATE
|
POLICY
|
|
KEY_ACCESS_DENIED_BY_MICROSOFT_KEY_DISTRIBUTION_SERVICE
|
DENY
|
SERVICE
|
|
WINDOWS_FILTERING_PLATFORM_BLOCKED_PACKET
|
BLOCK
|
PACKET
|
|
RESTRICTIVE_WINDOWS_FILTERING_PLATFORM_BLOCKED_PACKET
|
BLOCK
|
PACKET
|
|
SERVICE_CONNECTION_POINT_OBJECT_COULD_NOT_BE_PARSED
|
READ
|
OBJECT
|
|
KERBEROS_TICKET_GRANTING_TICKIT_DENIED
|
DENY
|
SYSTEM
|
|
KERBEROS_SERVICE_TICKET_DENIED
|
DENY
|
SYSTEM
|
|
NTLM_AUTHETICATION_FAILED
|
AUTHENTICATE
|
ACCOUNT
|
|
KERBEROS_PREAUTHETICATION_FAILED
|
AUTHENTICATE
|
ACCOUNT
|
|
GROUP_MEMBERSHIP_INFORMATION
|
LOGIN
|
GROUP
|
|
SECURITY_GROUP_ENUMERATED
|
CALCULATE
|
GROUP
|
|
USER_LOCAL_GROUP_ENUMERATED
|
CALCULATE
|
GROUP
|
|
BOOT_CONFIGURATION_DATA_LOADED
|
LOAD
|
CONFIGURATION
|
|
INTEGRITY_CHECK_TO_LOAD_INTO_PROCESS_FAILED_FOR_FILE
|
LOAD
|
FILE
|
|
EXTERNAL_DEVICE_RECOGNIZED
|
CONNECT
|
DEVICE
|
|
DEVICE_DISABLE_REQUESTED
|
REQUEST
|
DEVICE
|
|
DEVICE_DISABLED
|
DISABLE
|
DEVICE
|
|
DEVICE_ENABLE_REQUESTED
|
REQUEST
|
DEVICE
|
|
DEVICE_ENABLED
|
ENABLE
|
DEVICE
|
|
DEVICE_INSTALLATION_FORBIDDED
|
INSTALL
|
DEVICE
|
|
FORBIDDEN_DEVICE_INSTALLATION_ALLOWED
|
INSTALL
|
DEVICE
|
|
FIPS_MODE_SELFTESTS_SUCCEEDED
|
VALIDATE
|
PROCESS
|
|
FIPS_MODE_SELFTESTS_FAILED
|
VALIDATE
|
PROCESS
|
|
USER_RIGHT_ADJUSTED
|
UPDATE
|
PRIVILEGE
|