Medium

Medium Priority Events


Active Directory Account Locked Out
    Active Directory - Account Locked Out
Ceph Scrub Errors
    Configuration
    Query: scrub errors
    Config Key | Value
    --- | ---
    type | aggregation-v1
    query | scrub errors
    streams | [5f74fe0891d2ba1b645adb8d]
    conditions | {expression:null}
    search_within_ms | 86400000
    execute_every_ms | 86400000
Performance Applications Crashing
    Performance - Applications crashing
Read Only File System
    Configuration
    Query: Read-only file system
    Config Key | Value
    --- | ---
    type | aggregation-v1
    query | Read-only file system
    streams | [5f74fe0891d2ba1b645adb8d]
    conditions | {expression:null}
    search_within_ms | 3600000
    execute_every_ms | 3600000
Reliability License Manager Errors
    Reliability - License Manager errors
Reliability Service Errors
    Reliability - Service Errors
Security Authentication Errors
    Security - Authentication errors
Office 365 Admin Commands Run By User
    Certificate Services Loaded Default Configuration
      Certificate Services loaded default configuration
    Office 365 New User Created
      Office 365 - New User Created
    Reliability Network Drive Access Denied
      Reliability - Network Drive access denied
    Syslog Log Level 2 Alert
      Syslog Log level 2 alert
    Office 365 New Country Activity
      Scan Failed
        Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational
      SSH Server Login Event
        Update
      Sensitive Privilege Use
        Severity:ERROR AND Channel:Security AND Category:File System
          Active Directory Unexpected Shutdown
            Active Directory - Unexpected Shutdown
          Fortigate Firewall SSL VPN Disconnection
            Fortigate Firewall SSL VPN Disconnection
          General Account Database Changed
            General account database changed
          Performance Terminal Server Remote Desktop Login Errors
            Performance - Terminal Server remote desktop login errors2
          Quality Of Service Policy Changed
            Quality of Service Policy changed
          Aggregating Count() By Channel, Level, EventType Error
            Aggregating count() by Channel, level, EventType Error
          Level 2 Severity Errors
            Level 2 Severity Errors
          Performance Scheduled Task Errors
            Performance - Scheduled Task errors
          Performance SQL Server Errors
            Performance - SQL server errors
          Reliability License Manager Errors
            Reliability - License Manager errors
          Reliability Network Drive Disconnect Errors
            Reliability - Network drive disconnect errors
          Reliability Settings Sync Not Configured Properly
            Reliability - Settings Sync not configured properly
          Reliability Temporary Profile Errors
            Reliability - Temporary Profile Errors
          Security Authentication Errors
            Security - Authentication errors
          Security Permissions Errors
            Security - Permissions errors
          Security Ransomware Vulnerability
            Security - Ransomware vulnerability
          Security Windows Updates Missing
            Security - Windows Updates missing
          Office 365 Impossible Travel
            Office 365 Suspicious Email Detected
              Firewall Credit Card Numbers Detected
                Firewall Network Trojan Detected
                  Firewall Social Security Numbers Detected
                    Office 365 More Than 100 Messages Purged Per Day
                      Updated 10-7-20
                    Remote Interactive Logons
                      3
                    A Configuration Entry Changed In OCSP Responder Service
                      A configuration entry changed in OCSP Responder Service
                    A Configuration Entry Changed In OCSP Responder Service
                      A configuration entry changed in OCSP Responder Service
                    A Group's Type Was Changed
                      A group’s type was changed.
                    A New Trust Was Created To A Domain
                      A new trust was created to a domain.
                    A Property Of Certificate Services Changed
                      A property of Certificate Services changed.
                    A Security Disabled Group Was Deleted
                      A security-disabled group was deleted
                    A Security Enabled Global Group Was Changed
                      A security-enabled global group was changed.
                    A Security Enabled Global Group Was Created
                      A security-enabled global group was created.
                    A Security Enabled Local Group Was Changed
                      A security-enabled local group was changed.
                    A Security Enabled Universal Group Was Changed
                      A security-enabled universal group was changed.
                    A Security Enabled Universal Group Was Created
                      A security-enabled universal group was created.
                    A Trusted Forest Information Entry Was Added
                      A trusted forest information entry was added.
                    A Trusted Forest Information Entry Was Modified
                      A trusted forest information entry was modified.
                    A Trusted Forest Information Entry Was Removed
                      A trusted forest information entry was removed.
                    Action On Malware Failed
                      Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational
                    Administrator Recovered System From CrashOnAuditFail Users Who Are Not Administrators Will Now Be Allowed To Log On Some Auditable Activity Might Not Have Been Recorded
                      Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.
                    An Attempt To Automatically Restart Conversion On Volume 2 Failed
                      An attempt to automatically restart conversion on volume 2 failed.
                    An Attempt Was Made To Reset An Account's Password
                      An attempt was made to reset an account’s password.
                    An Error Was Encountered Converting Volume
                      An error was encountered converting volume
                    An IPsec Extended Mode Negotiation Failed The Corresponding Main Mode Security Association Has Been Deleted
                      An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
                    An IPsec Extended Mode Negotiation Failed The Corresponding Main Mode Security Association Has Been Deleted
                      An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
                    An IPsec Negotiation With A Remote Computer Failed Because The IKE And AuthIP IPsec Keying Modules (IKEEXT) Service Is Not Started
                      An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
                    App Crash
                      Application Crashed Event Source - Application Error - Event Log - Application
                    App Hang
                      Event Source - Application Hang - Event Log - Application
                    AppLocker Warning
                      Event Source - Microsoft-Windows-AppLocker - Event Log - Microsoft-Windows-AppLocker/MSI and Script
                    Auditing Settings On Object Were Changed
                      Auditing settings on object were changed.
                    Backup Of Data Protection Master Key Was Attempted
                      Backup of data protection master key was attempted.
                    BSOD
                      Event Source - Microsoft-Windows-WER-SystemErrorReporting - Event Log - System
                    CA Permissions Corrupted Or Missing
                      Security Permission corrupt or missing Event Source - Microsoft-Windows-CertificationAuthority - Event Log - Application
                    Certificate Services Revoked A Certificate
                      Certificate Services revoked a certificate.
                    Code Integrity Check
                      Event Source - Microsoft-Windows-CodeIntegrity - Event Log - Microsoft-Windows-CodeIntegrity/Operational
                    Code Integrity Determined That The Image Hash Of A File Is Not Valid The File Could Be Corrupt Due To Unauthorized Modification Or The Invalid Hash Could Indicate A Potential Disk Device Error
                      Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
                    Create Profile Failed
                      Cannot Create profile, using temporary profile Event Source - Microsoft-Windows-User Profiles Service - Event Log - Application
                    Credential Manager Credentials Were Backed Up
                      Credential Manager credentials were backed up.
                    Credential Manager Credentials Were Restored From A Backup
                      Credential Manager credentials were restored from a backup.
                    Detected Malware
                      Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational
                    Domain Policy Was Changed
                      Domain Policy was changed.
                    During Extended Mode Negotiation, IPsec Received An Invalid Negotiation Packet If This Problem Persists, It Could Indicate A Network Issue Or An Attempt To Modify Or Replay This Negotiation
                      During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
                    During Main Mode Negotiation, IPsec Received An Invalid Negotiation Packet If This Problem Persists, It Could Indicate A Network Issue Or An Attempt To Modify Or Replay This Negotiation
                      During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
                    During Quick Mode Negotiation, IPsec Received An Invalid Negotiation Packet If This Problem Persists, It Could Indicate A Network Issue Or An Attempt To Modify Or Replay This Negotiation
                      During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
                    Encrypted Data Recovery Policy Was Changed
                      Encrypted data recovery policy was changed.
                    Failed Kernel Driver Loading
                      Event Source - Microsoft-Windows-Kernel-PnP - Event Log - System
                    Failed To Remove Item From Quarantine
                      Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational
                    Failed To Update Engine
                      Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational
                    Failed To Update Signatures
                      Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational
                    Firewall Failed To Load Group Policy
                      Event Source - Microsoft-Windows-Windows Firewall With Advanced Security - Event Log - Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
                    Generic Internal Error
                      Event Source - Microsoft-Windows-GroupPolicy - Event Log - System
                    Group Policy Application Failed Due To Connectivity
                      Event Source - Microsoft-Windows-GroupPolicy - Event Log - System
                    Internal Error
                      Event Source - Microsoft-Windows-GroupPolicy - Event Log - System
                    IPsec Dropped An Inbound Clear Text Packet That Should Have Been Secured This Is Usually Due To The Remote Computer Changing Its IPsec Policy Without Informing This Computer This Could Also Be A Spoofing Attack Attempt
                      IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
                    IPsec Dropped An Inbound Packet That Failed A Replay Check If This Problem Persists, It Could Indicate A Replay Attack Against This Computer
                      IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
                    IPsec Dropped An Inbound Packet That Failed A Replay Check The Inbound Packet Had Too Low A Sequence Number To Ensure It Was Not A Replay
                      IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
                    IPsec Dropped An Inbound Packet That Failed An Integrity Check If This Problem Persists, It Could Indicate A Network Issue Or That Packets Are Being Modified In Transit To This Computer Verify That The Packets Sent From The Remote Computer Are The Same As Those Received By This Computer This Error Might Also Indicate Interoperability Problems With Other IPsec Implementations
                      IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
                    IPsec Received A Packet From A Remote Computer With An Incorrect Security Parameter Index (SPI) This Is Usually Caused By Malfunctioning Hardware That Is Corrupting Packets If These Errors Persist, Verify That The Packets Sent From The Remote Computer Are The Same As Those Received By This Computer This Error May Also Indicate Interoperability Problems With Other IPsec Implementations In That Case, If Connectivity Is Not Impeded, Then These Events Can Be Ignored
                      IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
                    IPsec Services Failed To Get The Complete List Of Network Interfaces On The Computer This Poses A Potential Security Risk Because Some Of The Network Interfaces May Not Get The Protection Provided By The Applied IPsec Filters Use The IP Security Monitor Snap In To Diagnose The Problem
                      IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
                    IPsec Services Failed To Initialize RPC Server IPsec Services Could Not Be Started
                      IPsec Services failed to initialize RPC server. IPsec Services could not be started.
                    IPsec Services Failed To Process Some IPsec Filters On A Plug And Play Event For Network Interfaces This Poses A Potential Security Risk Because Some Of The Network Interfaces May Not Get The Protection Provided By The Applied IPsec Filters Use The IP Security Monitor Snap In To Diagnose The Problem
                      IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
                    IPsec Services Has Experienced A Critical Failure And Has Been Shut Down The Shutdown Of IPsec Services Can Put The Computer At Greater Risk Of Network Attack Or Expose The Computer To Potential Security Risks
                      IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
                    Kerberos Policy Was Changed
                      Kerberos policy was changed.
                    Malware Removal Fatal Error
                      Malware removal action attempted with critical error Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational
                    Metadata Rebuild: An Attempt To Write A Copy Of Metadata On Volume 2 Failed And May Appear As Disk Corruption If Failures Continue, Decrypt Volume
                      Metadata rebuild: An attempt to write a copy of metadata on volume 2 failed and may appear as disk corruption. If failures continue, decrypt volume.
                    Metadata Write: Volume 2 Returning Errors While Trying To Modify Metadata If Failures Continue, Decrypt Volume
                      Metadata write: Volume 2 returning errors while trying to modify metadata. If failures continue, decrypt volume
                    Network Policy Server Denied Access To A User
                      Network Policy Server denied access to a user.
                    Network Policy Server Discarded The Accounting Request For A User
                      Network Policy Server discarded the accounting request for a user.
                    Network Policy Server Discarded The Request For A User
                      Network Policy Server discarded the request for a user.
                    Network Policy Server Granted Access To A User But Put It On Probation Because The Host Did Not Meet The Defined Health Policy
                      Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
                    Network Policy Server Granted Full Access To A User Because The Host Met The Defined Health Policy
                      Network Policy Server granted full access to a user because the host met the defined health policy.
                    Network Policy Server Locked The User Account Due To Repeated Failed Authentication Attempts
                      Network Policy Server locked the user account due to repeated failed authentication attempts.
                    Network Policy Server Quarantined A User
                      Network Policy Server quarantined a user.
                    Network Policy Server Unlocked The User Account
                      Network Policy Server unlocked the user account.
                    OCSP Responder Service Started
                      OCSP Responder Service Started
                    OCSP Responder Service Stopped
                      OCSP Responder Service Stopped
                    Office 365 Activity Outside USA
                      Office 365 - Activity Outside USA updated event definition
                    Office 365 Owner Added To Group
                      Office 365 - Owner Added to Group
                    One Or More Errors Occurred While Processing Security Policy In The Group Policy Objects
                      One or more errors occurred while processing security policy in the Group Policy objects.
                    One Or More Rows Have Been Deleted From The Certificate Database
                      One or more rows have been deleted from the certificate database.
                    Per User Audit Policy Was Changed
                      Per User Audit Policy was changed.
                    Possible Denial Of Service (DoS) Attack
                      Possible denial-of-service (DoS) attack
                    RADIUS User Assigned IP
                      RADIUS authentication User assigned IP address Event Source - Microsoft-Windows-MPRMSG - Event Log - RemoteAccess
                    RADIUS User Authenticated
                      RADIUS authentication User successfully authenticated Event Source - Microsoft-Windows-MPRMSG - Event Log - RemoteAccess
                    RADIUS User Disconnected
                      RADIUS authentication User Disconnected Event Source - Microsoft-Windows-MPRMSG - Event Log - RemoteAccess
                    Recovery Of Data Protection Master Key Was Attempted
                      Recovery of data protection master key was attempted.
                    RPC Detected An Integrity Violation While Decrypting An Incoming Message
                      RPC detected an integrity violation while decrypting an incoming message.
                    Service Start Failure
                      Service Start Failure Event Source - Service Control Manager - Event Log - System
                    Shutdown Initiate Failed
                      Shutdown initiate request failed Event Source - User32 - Event Log - User32
                    SIDs Were Filtered
                      SIDs were filtered.
                    Special Groups Logon Table Modified
                      Special Groups Logon table modified.
                    SRP Block
                      Event Source - Microsoft-Windows-SoftwareRestrictionPolicies - Event Log - Application
                    Temp Profile Logon
                      User Logging on with Temporary Profile Event Source - Microsoft-Windows-User Profiles Service - Event Log - Application
                    The ACL Was Set On Accounts Which Are Members Of Administrators Groups
                      The ACL was set on accounts which are members of administrators groups.
                    The Audit Filter For Certificate Services Changed
                      The audit filter for Certificate Services changed.
                    The Audit Log Was Cleared
                      The audit log was cleared
                    The Audit Policy (SACL) On An Object Was Changed
                      The audit policy (SACL) on an object was changed.
                    The Certificate Manager Denied A Pending Certificate Request
                      The certificate manager denied a pending certificate request.
                    The Certificate Manager Settings For Certificate Services Changed
                      The certificate manager settings for Certificate Services changed.
                    The CrashOnAuditFail Value Has Changed
                      The CrashOnAuditFail value has changed.
                    The Security Permissions For Certificate Services Changed
                      The security permissions for Certificate Services changed.
                    The Windows Firewall Driver Detected Critical Runtime Error Terminating
                      The Windows Firewall Driver detected critical runtime error. Terminating.
                    The Windows Firewall Driver Failed To Start
                      The Windows Firewall Driver failed to start.
                    The Windows Firewall Service Failed To Initialize The Driver The Service Will Continue To Enforce The Current Policy
                      The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
                    The Windows Firewall Service Failed To Start
                      The Windows Firewall Service failed to start.
                    The Windows Firewall Service Was Unable To Parse The New Security Policy The Service Will Continue With Currently Enforced Policy
                      The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
                    The Windows Firewall Service Was Unable To Retrieve The Security Policy From The Local Storage The Service Will Continue Enforcing The Current Policy
                      The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
                    Threat Intelligence Alert Source IP Threat Indicated
                      src_ip_threat_indicated:true AND threat_indicated:true NOT filter_action:block - updated
                    Trusted Domain Information Was Modified
                      Trusted domain information was modified.
                    Unexpected Error
                      Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational
                    Windows Service Fails Or Crashes
                      Event Source - Service Control Manager - Event Log - System
                    Windows Update Failed
                      Event Source - Microsoft-Windows-WindowsUpdateClient - Event Log - Microsoft-Windows-WindowsUpdateClient/Operational
                    Server Admin Logon
                      Office 365 Login From Risky Anonymous IP Detected
                        Office 365 Mailbox Forwarding Rules Created
                          Update Alternate query - event_class_id:EVENT_CATEGORY_SET_FORWARDING_MAILBOX
                        Office 365 Malware Detected In Email
                          Office 365 Users Added To Groups
                            Office 365 Users Granting 3rd Party Access
                              Proxmox Ceph Osd Shutdown Alert
                                Proxmox Backup To Azure Via Rclone
                                  Updated
                                Puppet Cert Request
                                  RDP Detected On Non Standard Port
                                    SIEM High Rest API Usage
                                      Threat Intelligence Alert Destination IP Threat Indicated
                                        dst_ip_threat_indicated:true updated
                                      Windows User High Failed Login Count
                                        Windows - User high failed login count updated2