Medium
Active Directory Account Locked Out
Active Directory - Account Locked Out
Azure Blob Rclone Sync Errors
Configuration

Query: zc_storage_error.go

| Config Key | Value |
| --- | --- |
| type | aggregation-v1 |
| query | zc_storage_error.go |
| streams | [5f74fe0891d2ba1b645adb8d] |
| conditions | {expression:null} |
| search_within_ms | 86400000 |
| execute_every_ms | 86400000 |
Ceph Scrub Errors
Configuration

Query: scrub errors

| Config Key | Value |
| --- | --- |
| type | aggregation-v1 |
| query | scrub errors |
| streams | [5f74fe0891d2ba1b645adb8d] |
| conditions | {expression:null} |
| search_within_ms | 86400000 |
| execute_every_ms | 86400000 |
Performance Applications Crashing
Performance - Applications crashing
Read Only File System
Configuration

Query: Read-only file system

| Config Key | Value |
| --- | --- |
| type | aggregation-v1 |
| query | Read-only file system |
| streams | [5f74fe0891d2ba1b645adb8d] |
| conditions | {expression:null} |
| search_within_ms | 3600000 |
| execute_every_ms | 3600000 |
Reliability License Manager Errors
Reliability - License Manager errors
Reliability Service Errors
Reliability - Service Errors
Security Authentication Errors
Security - Authentication errors
Windows User High Failed Login Count
Windows - User high failed login count
Certificate Services Loaded Default Configuration
Certificate Services loaded default configuration
Office 365 New User Created
Office 365 - New User Created
Reliability Network Drive Access Denied
Reliability - Network Drive access denied
Syslog Log Level 2 Alert
Syslog Log level 2 alert
Scan Failed
Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational
SSH Server Login Event
Update
Active Directory Unexpected Shutdown
Active Directory - Unexpected Shutdown
Fortigate Firewall SSL VPN Disconnection
Fortigate Firewall SSL VPN Disconnection
General Account Database Changed
General account database changed
Performance Terminal Server Remote Desktop Login Errors
Performance - Terminal Server remote desktop login errors2
Quality Of Service Policy Changed
Quality of Service Policy changed
Aggregating Count() By Channel, Level, EventType Error
Aggregating count() by Channel, level, EventType Error
Level 2 Severity Errors
Level 2 Severity Errors
Performance Scheduled Task Errors
Performance - Scheduled Task errors
Performance SQL Server Errors
Performance - SQL server errors
Reliability License Manager Errors
Reliability - License Manager errors
Reliability Network Drive Disconnect Errors
Reliability - Network drive disconnect errors
Reliability Settings Sync Not Configured Properly
Reliability - Settings Sync not configured properly
Reliability Temporary Profile Errors
Reliability - Temporary Profile Errors
Security Authentication Errors
Security - Authentication errors
Security Permissions Errors
Security - Permissions errors
Security Ransomware Vulnerability
Security - Ransomware vulnerability
Security Windows Updates Missing
Security - Windows Updates missing
Office 365 More Than 100 Messages Purged Per Day
Updated 10-7-20
A Configuration Entry Changed In OCSP Responder Service
A configuration entry changed in OCSP Responder Service
A Group's Type Was Changed
A group’s type was changed.
A New Trust Was Created To A Domain
A new trust was created to a domain.
A Property Of Certificate Services Changed
A property of Certificate Services changed.
A Security Disabled Group Was Deleted
A security-disabled group was deleted
A Security Enabled Global Group Was Changed
A security-enabled global group was changed.
A Security Enabled Global Group Was Created
A security-enabled global group was created.
A Security Enabled Local Group Was Changed
A security-enabled local group was changed.
A Security Enabled Universal Group Was Changed
A security-enabled universal group was changed.
A Security Enabled Universal Group Was Created
A security-enabled universal group was created.
A Trusted Forest Information Entry Was Added
A trusted forest information entry was added.
A Trusted Forest Information Entry Was Modified
A trusted forest information entry was modified.
A Trusted Forest Information Entry Was Removed
A trusted forest information entry was removed.
Action On Malware Failed
Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational
Administrator Recovered System From CrashOnAuditFail Users Who Are Not Administrators Will Now Be Allowed To Log On Some Auditable Activity Might Not Have Been Recorded
Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.
An Attempt To Automatically Restart Conversion On Volume 2 Failed
An attempt to automatically restart conversion on volume 2 failed.
An Attempt Was Made To Reset An Account's Password
An attempt was made to reset an account’s password.
An Error Was Encountered Converting Volume
An error was encountered converting volume
An IPsec Extended Mode Negotiation Failed The Corresponding Main Mode Security Association Has Been Deleted
An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
An IPsec Negotiation With A Remote Computer Failed Because The IKE And AuthIP IPsec Keying Modules (IKEEXT) Service Is Not Started
An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
App Crash
Application Crashed. Event Source - Application Error - Event Log - Application
App Hang
Event Source - Application Hang - Event Log - Application
AppLocker Warning
Event Source - Microsoft-Windows-AppLocker - Event Log - Microsoft-Windows-AppLocker/MSI and Script
Auditing Settings On Object Were Changed
Auditing settings on object were changed.
Backup Of Data Protection Master Key Was Attempted
Backup of data protection master key was attempted.
BSOD
Event Source - Microsoft-Windows-WER-SystemErrorReporting - Event Log - System
CA Permissions Corrupted Or Missing
Security permission corrupt or missing. Event Source - Microsoft-Windows-CertificationAuthority - Event Log - Application
Certificate Services Revoked A Certificate
Certificate Services revoked a certificate.
Code Integrity Check
Event Source - Microsoft-Windows-CodeIntegrity - Event Log - Microsoft-Windows-CodeIntegrity/Operational
Code Integrity Determined That The Image Hash Of A File Is Not Valid The File Could Be Corrupt Due To Unauthorized Modification Or The Invalid Hash Could Indicate A Potential Disk Device Error
Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
Create Profile Failed
Cannot create profile, using temporary profile. Event Source - Microsoft-Windows-User Profiles Service - Event Log - Application
Credential Manager Credentials Were Backed Up
Credential Manager credentials were backed up.
Credential Manager Credentials Were Restored From A Backup
Credential Manager credentials were restored from a backup.
Detected Malware
Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational
Domain Policy Was Changed
Domain Policy was changed.
During Extended Mode Negotiation, IPsec Received An Invalid Negotiation Packet. If This Problem Persists, It Could Indicate A Network Issue Or An Attempt To Modify Or Replay This Negotiation
During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
During Main Mode Negotiation, IPsec Received An Invalid Negotiation Packet. If This Problem Persists, It Could Indicate A Network Issue Or An Attempt To Modify Or Replay This Negotiation
During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
During Quick Mode Negotiation, IPsec Received An Invalid Negotiation Packet. If This Problem Persists, It Could Indicate A Network Issue Or An Attempt To Modify Or Replay This Negotiation
During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
Encrypted Data Recovery Policy Was Changed
Encrypted data recovery policy was changed.
Failed Kernel Driver Loading
Event Source - Microsoft-Windows-Kernel-PnP - Event Log - System
Failed To Remove Item From Quarantine
Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational
Failed To Update Engine
Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational
Failed To Update Signatures
Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational
Firewall Failed To Load Group Policy
Event Source - Microsoft-Windows-Windows Firewall With Advanced Security - Event Log - Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Generic Internal Error
Event Source - Microsoft-Windows-GroupPolicy - Event Log - System
Group Policy Application Failed Due To Connectivity
Event Source - Microsoft-Windows-GroupPolicy - Event Log - System
Internal Error
Event Source - Microsoft-Windows-GroupPolicy - Event Log - System
IPsec Dropped An Inbound Clear Text Packet That Should Have Been Secured This Is Usually Due To The Remote Computer Changing Its IPsec Policy Without Informing This Computer This Could Also Be A Spoofing Attack Attempt
IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
IPsec Dropped An Inbound Packet That Failed A Replay Check. If This Problem Persists, It Could Indicate A Replay Attack Against This Computer
IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
IPsec Dropped An Inbound Packet That Failed A Replay Check. The Inbound Packet Had Too Low A Sequence Number To Ensure It Was Not A Replay
IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
IPsec Dropped An Inbound Packet That Failed An Integrity Check. If This Problem Persists, It Could Indicate A Network Issue Or That Packets Are Being Modified In Transit To This Computer. Verify That The Packets Sent From The Remote Computer Are The Same As Those Received By This Computer. This Error Might Also Indicate Interoperability Problems With Other IPsec Implementations
IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
IPsec Received A Packet From A Remote Computer With An Incorrect Security Parameter Index (SPI) This Is Usually Caused By Malfunctioning Hardware That Is Corrupting Packets If These Errors Persist, Verify That The Packets Sent From The Remote Computer Are The Same As Those Received By This Computer This Error May Also Indicate Interoperability Problems With Other IPsec Implementations In That Case, If Connectivity Is Not Impeded, Then These Events Can Be Ignored
IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
IPsec Services Failed To Get The Complete List Of Network Interfaces On The Computer This Poses A Potential Security Risk Because Some Of The Network Interfaces May Not Get The Protection Provided By The Applied IPsec Filters Use The IP Security Monitor Snap In To Diagnose The Problem
IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
IPsec Services Failed To Initialize RPC Server IPsec Services Could Not Be Started
IPsec Services failed to initialize RPC server. IPsec Services could not be started.
IPsec Services Failed To Process Some IPsec Filters On A Plug And Play Event For Network Interfaces This Poses A Potential Security Risk Because Some Of The Network Interfaces May Not Get The Protection Provided By The Applied IPsec Filters Use The IP Security Monitor Snap In To Diagnose The Problem
IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
IPsec Services Has Experienced A Critical Failure And Has Been Shut Down The Shutdown Of IPsec Services Can Put The Computer At Greater Risk Of Network Attack Or Expose The Computer To Potential Security Risks
IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
Kerberos Policy Was Changed
Kerberos policy was changed.
Malware Removal Fatal Error
Malware removal action attempted with critical error. Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational
Metadata Rebuild: An Attempt To Write A Copy Of Metadata On Volume 2 Failed And May Appear As Disk Corruption If Failures Continue, Decrypt Volume
Metadata rebuild: An attempt to write a copy of metadata on volume 2 failed and may appear as disk corruption. If failures continue, decrypt volume.
Metadata Write: Volume 2 Returning Errors While Trying To Modify Metadata If Failures Continue, Decrypt Volume
Metadata write: Volume 2 returning errors while trying to modify metadata. If failures continue, decrypt volume.
Network Policy Server Denied Access To A User
Network Policy Server denied access to a user.
Network Policy Server Discarded The Accounting Request For A User
Network Policy Server discarded the accounting request for a user.
Network Policy Server Discarded The Request For A User
Network Policy Server discarded the request for a user.
Network Policy Server Granted Access To A User But Put It On Probation Because The Host Did Not Meet The Defined Health Policy
Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
Network Policy Server Granted Full Access To A User Because The Host Met The Defined Health Policy
Network Policy Server granted full access to a user because the host met the defined health policy.
Network Policy Server Locked The User Account Due To Repeated Failed Authentication Attempts
Network Policy Server locked the user account due to repeated failed authentication attempts.
Network Policy Server Quarantined A User
Network Policy Server quarantined a user.
Network Policy Server Unlocked The User Account
Network Policy Server unlocked the user account.
OCSP Responder Service Started
OCSP Responder Service Started
OCSP Responder Service Stopped
OCSP Responder Service Stopped
Office 365 Activity Outside USA
Office 365 - Activity Outside USA updated event definition
Office 365 Owner Added To Group
Office 365 - Owner Added to Group
One Or More Errors Occurred While Processing Security Policy In The Group Policy Objects
One or more errors occurred while processing security policy in the Group Policy objects.
One Or More Rows Have Been Deleted From The Certificate Database
One or more rows have been deleted from the certificate database.
Per User Audit Policy Was Changed
Per User Audit Policy was changed.
Possible Denial Of Service (DoS) Attack
Possible denial-of-service (DoS) attack
RADIUS User Assigned IP
RADIUS authentication: user assigned IP address. Event Source - Microsoft-Windows-MPRMSG - Event Log - RemoteAccess
RADIUS User Authenticated
RADIUS authentication: user successfully authenticated. Event Source - Microsoft-Windows-MPRMSG - Event Log - RemoteAccess
RADIUS User Disconnected
RADIUS authentication: user disconnected. Event Source - Microsoft-Windows-MPRMSG - Event Log - RemoteAccess
Recovery Of Data Protection Master Key Was Attempted
Recovery of data protection master key was attempted.
RPC Detected An Integrity Violation While Decrypting An Incoming Message
RPC detected an integrity violation while decrypting an incoming message.
Service Start Failure
Service start failure. Event Source - Service Control Manager - Event Log - System
Shutdown Initiate Failed
Shutdown initiate request failed. Event Source - User32 - Event Log - User32
SIDs Were Filtered
SIDs were filtered.
Special Groups Logon Table Modified
Special Groups Logon table modified.
SRP Block
Event Source - Microsoft-Windows-SoftwareRestrictionPolicies - Event Log - Application
Temp Profile Logon
User logging on with temporary profile. Event Source - Microsoft-Windows-User Profiles Service - Event Log - Application
The ACL Was Set On Accounts Which Are Members Of Administrators Groups
The ACL was set on accounts which are members of administrators groups.
The Audit Filter For Certificate Services Changed
The audit filter for Certificate Services changed.
The Audit Log Was Cleared
The audit log was cleared.
The Audit Policy (SACL) On An Object Was Changed
The audit policy (SACL) on an object was changed.
The Certificate Manager Denied A Pending Certificate Request
The certificate manager denied a pending certificate request.
The Certificate Manager Settings For Certificate Services Changed
The certificate manager settings for Certificate Services changed.
The CrashOnAuditFail Value Has Changed
The CrashOnAuditFail value has changed.
The Security Permissions For Certificate Services Changed
The security permissions for Certificate Services changed.
The Windows Firewall Driver Detected Critical Runtime Error Terminating
The Windows Firewall Driver detected critical runtime error. Terminating.
The Windows Firewall Driver Failed To Start
The Windows Firewall Driver failed to start.
The Windows Firewall Service Failed To Initialize The Driver The Service Will Continue To Enforce The Current Policy
The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
The Windows Firewall Service Failed To Start
The Windows Firewall Service failed to start.
The Windows Firewall Service Was Unable To Parse The New Security Policy The Service Will Continue With Currently Enforced Policy
The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
The Windows Firewall Service Was Unable To Retrieve The Security Policy From The Local Storage The Service Will Continue Enforcing The Current Policy
The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
Threat Intelligence Alert Source IP Threat Indicated
src_ip_threat_indicated:true AND threat_indicated:true NOT filter_action:block - updated
Trusted Domain Information Was Modified
Trusted domain information was modified.
Unexpected Error
Event Source - Microsoft-Windows-Windows Defender - Event Log - Microsoft-Windows-Windows Defender/Operational
Windows Service Fails Or Crashes
Event Source - Service Control Manager - Event Log - System
Windows Update Failed
Event Source - Microsoft-Windows-WindowsUpdateClient - Event Log - Microsoft-Windows-WindowsUpdateClient/Operational
Office 365 Mailbox Forwarding Rules Created
Update Alternate query - event_class_id:EVENT_CATEGORY_SET_FORWARDING_MAILBOX
Threat Intelligence Alert Destination IP Threat Indicated
dst_ip_threat_indicated:true updated