Medium


Active Directory Account Locked Out

Active Directory - Account Locked Out

Azure Blob Rclone Sync Errors

Configuration Query: zc_storage_error.go

Config Key | Value
--- | ---
type | aggregation-v1
query | zc_storage_error.go
streams | [5f74fe0891d2ba1b645adb8d]
conditions | {expression:null}
search_within_ms | 86400000
execute_every_ms | 86400000

Ceph Scrub Errors

Configuration Query: scrub errors

Config Key | Value
--- | ---
type | aggregation-v1
query | scrub errors
streams | [5f74fe0891d2ba1b645adb8d]
conditions | {expression:null}
search_within_ms | 86400000
execute_every_ms | 86400000

Read Only File System

Configuration Query: Read-only file system

Config Key | Value
--- | ---
type | aggregation-v1
query | Read-only file system
streams | [5f74fe0891d2ba1b645adb8d]
conditions | {expression:null}
search_within_ms | 3600000
execute_every_ms | 3600000

Performance Applications Crashing

Performance - Applications crashing

Reliability License Manager Errors

Reliability - License Manager errors

Reliability Service Errors

Reliability - Service Errors

Security Authentication Errors

Security - Authentication errors

Windows User High Failed Login Count

Windows - User high failed login count

Certificate Services Loaded Default Configuration

Certificate Services loaded default configuration

Office 365 New User Created

Office 365 - New User Created

Reliability Network Drive Access Denied

Reliability - Network Drive access denied

Syslog Log Level 2 Alert

Syslog Log level 2 alert

Scan Failed

Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational

Active Directory Unexpected Shutdown

Active Directory - Unexpected Shutdown

Fortigate Firewall SSL VPN Disconnection

Fortigate Firewall SSL VPN Disconnection

General Account Database Changed

General account database changed

Performance Terminal Server Remote Desktop Login Errors

Performance - Terminal Server remote desktop login errors

Quality Of Service Policy Changed

Quality of Service Policy changed

Aggregating Count() By Channel, Level, EventType Error

Aggregating count() by Channel, level, EventType Error

Level 2 Severity Errors

Level 2 Severity Errors

Performance Scheduled Task Errors

Performance - Scheduled Task errors

Performance SQL Server Errors

Performance - SQL server errors

Reliability License Manager Errors

Reliability - License Manager errors

Reliability Network Drive Disconnect Errors

Reliability - Network drive disconnect errors

Reliability Settings Sync Not Configured Properly

Reliability - Settings Sync not configured properly

Reliability Temporary Profile Errors

Reliability - Temporary Profile Errors

Security Authentication Errors

Security - Authentication errors

Security Permissions Errors

Security - Permissions errors

Security Ransomware Vulnerability

Security - Ransomware vulnerability

Security Windows Updates Missing

Security - Windows Updates missing

A Configuration Entry Changed In OCSP Responder Service

A configuration entry changed in OCSP Responder Service

A Group's Type Was Changed

A group’s type was changed.

A New Trust Was Created To A Domain

A new trust was created to a domain.

A Property Of Certificate Services Changed

A property of Certificate Services changed.

A Security Disabled Group Was Deleted

A security-disabled group was deleted

A Security Enabled Global Group Was Changed

A security-enabled global group was changed.

A Security Enabled Global Group Was Created

A security-enabled global group was created.

A Security Enabled Local Group Was Changed

A security-enabled local group was changed.

A Security Enabled Universal Group Was Changed

A security-enabled universal group was changed.

A Security Enabled Universal Group Was Created

A security-enabled universal group was created.

A Trusted Forest Information Entry Was Added

A trusted forest information entry was added.

A Trusted Forest Information Entry Was Modified

A trusted forest information entry was modified.

A Trusted Forest Information Entry Was Removed

A trusted forest information entry was removed.

Action On Malware Failed

Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational

Administrator Recovered System From CrashOnAuditFail Users Who Are Not Administrators Will Now Be Allowed To Log On Some Auditable Activity Might Not Have Been Recorded

Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.

An Attempt To Automatically Restart Conversion On Volume 2 Failed

An attempt to automatically restart conversion on volume 2 failed.

An Attempt Was Made To Reset An Account's Password

An attempt was made to reset an account’s password.

An Error Was Encountered Converting Volume

An error was encountered converting volume

An IPsec Extended Mode Negotiation Failed The Corresponding Main Mode Security Association Has Been Deleted

An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.

An IPsec Negotiation With A Remote Computer Failed Because The IKE And AuthIP IPsec Keying Modules (IKEEXT) Service Is Not Started

An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.

App Crash

Application Crashed Event Source - Application Error - Event Log - Application

App Hang

Event Source - Application Hang - Event Log - Application

AppLocker Warning

Event Source - Microsoft-Windows-AppLocker - Event Log - Microsoft-Windows-AppLocker/MSI and Script

Auditing Settings On Object Were Changed

Auditing settings on object were changed.

Backup Of Data Protection Master Key Was Attempted

Backup of data protection master key was attempted.

BSOD

Event Source - Microsoft-Windows-WER-SystemErrorReporting - Event Log - System

CA Permissions Corrupted Or Missing

Security Permission corrupt or missing Event Source - Microsoft-Windows-CertificationAuthority - Event Log - Application

Certificate Services Revoked A Certificate

Certificate Services revoked a certificate.

Code Integrity Check

Event Source - Microsoft-Windows-CodeIntegrity - Event Log - Microsoft-Windows-CodeIntegrity/Operational

Code Integrity Determined That The Image Hash Of A File Is Not Valid The File Could Be Corrupt Due To Unauthorized Modification Or The Invalid Hash Could Indicate A Potential Disk Device Error

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

Create Profile Failed

Cannot Create profile, using temporary profile Event Source - Microsoft-Windows-User Profiles Service - Event Log - Application

Credential Manager Credentials Were Backed Up

Credential Manager credentials were backed up.

Credential Manager Credentials Were Restored From A Backup

Credential Manager credentials were restored from a backup.

Detected Malware

Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational

Domain Policy Was Changed

Domain Policy was changed.

During Extended Mode Negotiation, IPsec Received An Invalid Negotiation Packet If This Problem Persists, It Could Indicate A Network Issue Or An Attempt To Modify Or Replay This Negotiation

During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

During Main Mode Negotiation, IPsec Received An Invalid Negotiation Packet If This Problem Persists, It Could Indicate A Network Issue Or An Attempt To Modify Or Replay This Negotiation

During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

During Quick Mode Negotiation, IPsec Received An Invalid Negotiation Packet If This Problem Persists, It Could Indicate A Network Issue Or An Attempt To Modify Or Replay This Negotiation

During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

Encrypted Data Recovery Policy Was Changed

Encrypted data recovery policy was changed.

Failed Kernel Driver Loading

Event Source - Microsoft-Windows-Kernel-PnP - Event Log - System

Failed To Remove Item From Quarantine

Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational

Failed To Update Engine

Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational

Failed To Update Signatures

Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational

Firewall Failed To Load Group Policy

Event Source - Microsoft-Windows-Windows Firewall With Advanced Security - Event Log - Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

Generic Internal Error

Event Source - Microsoft-Windows-GroupPolicy - Event Log - System

Group Policy Application Failed Due To Connectivity

Event Source - Microsoft-Windows-GroupPolicy - Event Log - System

Internal Error

Event Source - Microsoft-Windows-GroupPolicy - Event Log - System

IPsec Dropped An Inbound Clear Text Packet That Should Have Been Secured This Is Usually Due To The Remote Computer Changing Its IPsec Policy Without Informing This Computer This Could Also Be A Spoofing Attack Attempt

IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.

IPsec Dropped An Inbound Packet That Failed A Replay Check If This Problem Persists, It Could Indicate A Replay Attack Against This Computer

IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.

IPsec Dropped An Inbound Packet That Failed A Replay Check The Inbound Packet Had Too Low A Sequence Number To Ensure It Was Not A Replay

IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.

IPsec Dropped An Inbound Packet That Failed An Integrity Check If This Problem Persists, It Could Indicate A Network Issue Or That Packets Are Being Modified In Transit To This Computer Verify That The Packets Sent From The Remote Computer Are The Same As Those Received By This Computer This Error Might Also Indicate Interoperability Problems With Other IPsec Implementations

IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.

IPsec Received A Packet From A Remote Computer With An Incorrect Security Parameter Index (SPI) This Is Usually Caused By Malfunctioning Hardware That Is Corrupting Packets If These Errors Persist, Verify That The Packets Sent From The Remote Computer Are The Same As Those Received By This Computer This Error May Also Indicate Interoperability Problems With Other IPsec Implementations In That Case, If Connectivity Is Not Impeded, Then These Events Can Be Ignored

IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.

IPsec Services Failed To Get The Complete List Of Network Interfaces On The Computer This Poses A Potential Security Risk Because Some Of The Network Interfaces May Not Get The Protection Provided By The Applied IPsec Filters Use The IP Security Monitor Snap-In To Diagnose The Problem

IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

IPsec Services Failed To Initialize RPC Server IPsec Services Could Not Be Started

IPsec Services failed to initialize RPC server. IPsec Services could not be started.

IPsec Services Failed To Process Some IPsec Filters On A Plug And Play Event For Network Interfaces This Poses A Potential Security Risk Because Some Of The Network Interfaces May Not Get The Protection Provided By The Applied IPsec Filters Use The IP Security Monitor Snap-In To Diagnose The Problem

IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

IPsec Services Has Experienced A Critical Failure And Has Been Shut Down The Shutdown Of IPsec Services Can Put The Computer At Greater Risk Of Network Attack Or Expose The Computer To Potential Security Risks

IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.

Kerberos Policy Was Changed

Kerberos policy was changed.

Malware Removal Fatal Error

Malware removal action attempted with critical error Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational

Metadata Rebuild: An Attempt To Write A Copy Of Metadata On Volume 2 Failed And May Appear As Disk Corruption If Failures Continue, Decrypt Volume

Metadata rebuild: An attempt to write a copy of metadata on volume 2 failed and may appear as disk corruption. If failures continue, decrypt volume.

Metadata Write: Volume 2 Returning Errors While Trying To Modify Metadata If Failures Continue, Decrypt Volume

Metadata write: Volume 2 returning errors while trying to modify metadata. If failures continue, decrypt volume.

Network Policy Server Denied Access To A User

Network Policy Server denied access to a user.

Network Policy Server Discarded The Accounting Request For A User

Network Policy Server discarded the accounting request for a user.

Network Policy Server Discarded The Request For A User

Network Policy Server discarded the request for a user.

Network Policy Server Granted Access To A User But Put It On Probation Because The Host Did Not Meet The Defined Health Policy

Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.

Network Policy Server Granted Full Access To A User Because The Host Met The Defined Health Policy

Network Policy Server granted full access to a user because the host met the defined health policy.

Network Policy Server Locked The User Account Due To Repeated Failed Authentication Attempts

Network Policy Server locked the user account due to repeated failed authentication attempts.

Network Policy Server Quarantined A User

Network Policy Server quarantined a user.

Network Policy Server Unlocked The User Account

Network Policy Server unlocked the user account.

OCSP Responder Service Started

OCSP Responder Service Started

OCSP Responder Service Stopped

OCSP Responder Service Stopped

Office 365 Activity Outside USA

Office 365 - Activity Outside USA updated event definition

Office 365 Owner Added To Group

Office 365 - Owner Added to Group

One Or More Errors Occurred While Processing Security Policy In The Group Policy Objects

One or more errors occurred while processing security policy in the Group Policy objects.

One Or More Rows Have Been Deleted From The Certificate Database

One or more rows have been deleted from the certificate database.

Per User Audit Policy Was Changed

Per User Audit Policy was changed.

Possible Denial Of Service (DoS) Attack

Possible denial-of-service (DoS) attack

RADIUS User Assigned IP

RADIUS authentication User assigned IP address Event Source - Microsoft-Windows-MPRMSG - Event Log - RemoteAccess

RADIUS User Authenticated

RADIUS authentication User successfully authenticated Event Source - Microsoft-Windows-MPRMSG - Event Log - RemoteAccess

RADIUS User Disconnected

RADIUS authentication User Disconnected Event Source - Microsoft-Windows-MPRMSG - Event Log - RemoteAccess

Recovery Of Data Protection Master Key Was Attempted

Recovery of data protection master key was attempted.

RPC Detected An Integrity Violation While Decrypting An Incoming Message

RPC detected an integrity violation while decrypting an incoming message.

Service Start Failure

Service Start Failure Event Source - Service Control Manager - Event Log - System

Shutdown Initiate Failed

Shutdown initiate request failed Event Source - User32 - Event Log - User32

SIDs Were Filtered

SIDs were filtered.

Special Groups Logon Table Modified

Special Groups Logon table modified.

SRP Block

Event Source - Microsoft-Windows-SoftwareRestrictionPolicies - Event Log - Application

Temp Profile Logon

User Logging on with Temporary Profile Event Source - Microsoft-Windows-User Profiles Service - Event Log - Application

The ACL Was Set On Accounts Which Are Members Of Administrators Groups

The ACL was set on accounts which are members of administrators groups.

The Audit Filter For Certificate Services Changed

The audit filter for Certificate Services changed.

The Audit Log Was Cleared

The audit log was cleared

The Audit Policy (SACL) On An Object Was Changed

The audit policy (SACL) on an object was changed.

The Certificate Manager Denied A Pending Certificate Request

The certificate manager denied a pending certificate request.

The Certificate Manager Settings For Certificate Services Changed

The certificate manager settings for Certificate Services changed.

The CrashOnAuditFail Value Has Changed

The CrashOnAuditFail value has changed.

The Security Permissions For Certificate Services Changed

The security permissions for Certificate Services changed.

The Windows Firewall Driver Detected Critical Runtime Error Terminating

The Windows Firewall Driver detected critical runtime error. Terminating.

The Windows Firewall Driver Failed To Start

The Windows Firewall Driver failed to start.

The Windows Firewall Service Failed To Initialize The Driver The Service Will Continue To Enforce The Current Policy

The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.

The Windows Firewall Service Failed To Start

The Windows Firewall Service failed to start.

The Windows Firewall Service Was Unable To Parse The New Security Policy The Service Will Continue With Currently Enforced Policy

The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.

The Windows Firewall Service Was Unable To Retrieve The Security Policy From The Local Storage The Service Will Continue Enforcing The Current Policy

The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.

Threat Intelligence Alert Source IP Threat Indicated

src_ip_threat_indicated:true AND threat_indicated:true NOT filter_action:block - updated

Trusted Domain Information Was Modified

Trusted domain information was modified.

Unexpected Error

Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational

Windows Service Fails Or Crashes

Event Source - Service Control Manager - Event Log - System

Windows Update Failed

Event Source - Microsoft-Windows-WindowsUpdateClient - Event Log - Microsoft-Windows-WindowsUpdateClient/Operational

Office 365 Mailbox Forwarding Rules Created

Update Alternate query - event_class_id:EVENT_CATEGORY_SET_FORWARDING_MAILBOX

Last modified October 18, 2021