Windows Event Filtering - JCSC-JE/Graylog-IR GitHub Wiki
The tables below show which Windows Event IDs are filtered by the drop rules in the pipelines.
Log Source : Security
| Windows Event ID | Description |
|---|---|
| 1001 | The audit log was cleared |
| 1102 | The security log is now full |
| 1104 | Event log deleted |
| 1106 | Event log service error |
| 4624 | An account was successfully logged on |
| 4625 | An account failed to log on |
| 4634 | An account was logged off |
| 4648 | A logon was attempted using explicit credentials |
| 4657 | A registry value was modified |
| 4661 | Attempt to access an object |
| 4662 | Object permissions accessed |
| 4672 | Special privileges assigned to new logon |
| 4689 | A service was installed in the system |
| 4698 | A scheduled task was created |
| 4699 | A scheduled task was deleted |
| 4700 | A scheduled task was enabled |
| 4701 | A scheduled task was disabled |
| 4702 | A scheduled task was updated |
| 4720 | A user account was created |
| 4722 | A user account was enabled |
| 4728 | A member was added to a security-enabled global group |
| 4732 | A member was added to a security-enabled local group |
| 4738 | A user account was changed |
| 4740 | A user account was locked out |
| 4756 | A member was added to a security-enabled universal group |
| 4767 | A user account was unlocked |
| 4768 | A Kerberos authentication ticket was requested |
| 4769 | A Kerberos service ticket was requested |
| 4771 | Kerberos pre-authentication failed |
| 4772 | Kerberos authentication ticket request failed |
| 4773 | A Kerberos authentication ticket request failed |
| 4778 | User reconnected to RDP session |
| 4779 | User disconnected from RDP session |
| 4907 | Auditing settings on object were changed |
| 5140 | Network share accessed |
| 5141 | Directory service deleted |
| 5142 | Network share created |
| 5143 | Network share modified |
| 5144 | Network share deleted |
| 6416 | External device attached to the system |
| 9009 | User initiated RDP logoff |
Log Source : System
| Windows Event ID | Description |
|---|---|
| 6 | Driver loaded |
| 19 | WUA Update Installation |
| 104 | Event Log was Cleared |
| 219 | Failed Kernel Driver Loading |
| 1125 | Internal Error |
| 1126 | Generic Internal Error |
| 1129 | Group Policy Application Failed due to Connectivity |
| 7022 | Service Start failure or crash |
| 7023 | Service Start failure or crash |
| 7024 | Service Start failure or crash |
| 7026 | Service Start failure or crash |
| 7031 | Service Start failure or crash |
| 7032 | Service Start failure or crash |
| 7033 | The Service Control Manager did not initialize successfully |
| 7034 | Service Start failure or crash |
| 7045 | New Windows service |
Log Source : Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
| Windows Event ID | Description |
|---|---|
| 21 | RDP user successfully authenticated |
| 22 | Remote Desktop Services: Shell start notification received |
| 23 | RDP logoff |
| 24 | RDP user has disconnected |
| 24 | RDP user connection succeeded |
| 39 | Session A has been disconnected from session B |
| 40 | Session A, reason code B |
Log Source : Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
| Windows Event ID | Description |
|---|---|
| 1149 | Established connection to RDP server from client |
Log Source : Microsoft-Windows-Sysmon/Operational
| Windows Event ID | Description |
|---|---|
| All | Sysmon events are not filtered |
Log Source : Microsoft-Windows-Windows Defender/Operational
| Windows Event ID | Description |
|---|---|
| 1005 | MALWAREPROTECTION_SCAN_FAILED |
| 1006 | MALWAREPROTECTION_MALWARE_DETECTED |
| 1008 | MALWAREPROTECTION_MALWARE_ACTION_FAILED |
| 1010 | MALWAREPROTECTION_QUARANTINE_FAILED REMOVE |
| 2001 | MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED |
| 2003 | MALWAREPROTECTION_ENGINE_UPDATE_FAILED |
| 2003 | MALWAREPROTECTION_RTP_FAILED |
| 5001 | MALWAREPROTECTION_RTP_DISABLED |
| 5008 | MALWAREPROTECTION_ENGINE_FAILURE |
| 5012 | MALWAREPROTECTION_ANTIVIRUS_DISABLED |
Log Source : Microsoft-Windows-TaskScheduler/Operational
| Windows Event ID | Description |
|---|---|
| 100 | Task registration: Task registered in Task Scheduler. |
| 101 | Task started: Task execution started. |
| 102 | Task completed: Task execution completed. |
| 106 | Task triggered by user: Task triggered manually by a user. |
| 107 | Task triggered by time: Task triggered at a specific time according to the scheduled time configuration. |
| 110 | Task triggered on idle: Task triggered when the system goes idle, based on the idle conditions specified in the task configuration. |
| 111 | Task triggered on power: Task triggered when a specific power event occurs, such as the system being powered on or off. |
| 140 | Task registration updated: Task registration was modified or updated in Task Scheduler. |
| 200 | Task failed to start: Task failed to start execution. |
| 201 | Task stopped: Task execution was stopped or terminated. |
| 203 | Task terminated: Task execution was forcibly terminated. |
| 301 | Task missed its start time: Task did not start execution at its scheduled time. |
| 400 | Task registration deleted: Task registration was deleted from Task Scheduler. |
| 404 | Task registration disabled: Task registration was disabled and will not be triggered for execution. |
| 410 | Task registration enabled: Task registration was enabled and will be triggered for execution according to the configured schedule. |
| 413 | Task suspended: Task execution was suspended or paused. |
| 414 | Task resumed: Task execution was resumed after being suspended. |
Log Source : Microsoft-Windows-WinRM/Operational
| Windows Event ID | Description |
|---|---|
| 6 | Creating WSMan session on client |
| 81 | Processing client request for operation CreateShell |
| 82 | Entering the plugin for operation CreateShell with a ResourceURI |
| 134 | Sending response for operation CreateShell |
| 169 | Creating WSMan session on server |
Log Source : Microsoft-Windows-WMI-Activity/Operational
| Windows Event ID | Description |
|---|---|
| 5857 | Operation_StartedOperational |
| 5858 | Operation_ClientFailure |