From 5fbd3e07d79ac80f4a6e27a3acfdaa17d7929c04 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 17 Jun 2022 15:46:12 +0530 Subject: [PATCH] Acrolinx enhancement effort --- .../threat-protection/auditing/event-4953.md | 18 +++++++++--------- .../threat-protection/auditing/event-4957.md | 16 ++++++++-------- .../threat-protection/auditing/event-4958.md | 12 ++++++------ .../threat-protection/auditing/event-5030.md | 4 ++-- .../threat-protection/auditing/event-5031.md | 6 +++--- .../threat-protection/auditing/event-5038.md | 12 ++++++------ .../threat-protection/auditing/event-5039.md | 6 +++--- .../threat-protection/auditing/event-5051.md | 6 +++--- .../threat-protection/auditing/event-5056.md | 4 ++-- .../threat-protection/auditing/event-5057.md | 6 +++--- .../threat-protection/auditing/event-5058.md | 10 +++++----- .../threat-protection/auditing/event-5060.md | 4 ++-- .../threat-protection/auditing/event-5061.md | 10 +++++----- .../threat-protection/auditing/event-5063.md | 6 +++--- .../threat-protection/auditing/event-5064.md | 6 +++--- .../threat-protection/auditing/event-5065.md | 7 +++---- .../threat-protection/auditing/event-5066.md | 6 +++--- .../threat-protection/auditing/event-5067.md | 8 ++++---- .../threat-protection/auditing/event-5068.md | 8 ++++---- .../threat-protection/auditing/event-5069.md | 8 ++++---- 20 files changed, 81 insertions(+), 82 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md index 2d31faae0c..c327d3a349 100644 --- a/windows/security/threat-protection/auditing/event-4953.md +++ b/windows/security/threat-protection/auditing/event-4953.md @@ -1,6 +1,6 @@ --- -title: 4953(F) Windows Firewall ignored a rule because it could not be parsed. (Windows 10) -description: Describes security event 4953(F) Windows Firewall ignored a rule because it could not be parsed. +title: 4953(F) Windows Firewall ignored a rule because it couldn't be parsed. (Windows 10) +description: Describes security event 4953(F) Windows Firewall ignored a rule because it couldn't be parsed. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.author: dansimp ms.technology: windows-sec --- -# 4953(F): Windows Firewall ignored a rule because it could not be parsed. +# 4953(F): Windows Firewall ignored a rule because it couldn't be parsed. Event 4953 illustration @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event generates if Windows Firewall was not able to parse Windows Firewall rule for some reason. +This event generates if Windows Firewall wasn't able to parse Windows Firewall rule for some reason. It can happen if Windows Firewall rule registry entry was corrupted. @@ -72,11 +72,11 @@ It can happen if Windows Firewall rule registry entry was corrupted. - All -- Domain,Public +- Domain, Public -- Domain,Private +- Domain, Private -- Private,Public +- Private, Public - Public @@ -90,7 +90,7 @@ It can happen if Windows Firewall rule registry entry was corrupted. - **ID** \[Type = UnicodeString\]: the unique identifier for ignored firewall rule. - To see the unique ID of the rule, navigate to the “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, navigate to the “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration @@ -100,7 +100,7 @@ It can happen if Windows Firewall rule registry entry was corrupted. ## Security Monitoring Recommendations -For 4953(F): Windows Firewall ignored a rule because it could not be parsed. +For 4953(F): Windows Firewall ignored a rule because it couldn't be parsed. - This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues. diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md index b83701e32b..0f2cc44b6b 100644 --- a/windows/security/threat-protection/auditing/event-4957.md +++ b/windows/security/threat-protection/auditing/event-4957.md @@ -1,6 +1,6 @@ --- -title: 4957(F) Windows Firewall did not apply the following rule. (Windows 10) -description: Describes security event 4957(F) Windows Firewall did not apply the following rule. +title: 4957(F) Windows Firewall didn't apply the following rule. (Windows 10) +description: Describes security event 4957(F) Windows Firewall didn't apply the following rule. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.author: dansimp ms.technology: windows-sec --- -# 4957(F): Windows Firewall did not apply the following rule. +# 4957(F): Windows Firewall didn't apply the following rule. Event 4957 illustration @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event generates when Windows Firewall starts or apply new rule, and the rule cannot be applied for some reason. +This event generates when Windows Firewall starts or apply new rule, and the rule can't be applied for some reason. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -69,21 +69,21 @@ This event generates when Windows Firewall starts or apply new rule, and the rul - **ID** \[Type = UnicodeString\]: the unique identifier for not applied firewall rule. - To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration -- **Name** \[Type = UnicodeString\]: the name of the rule which was not applied. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: +- **Name** \[Type = UnicodeString\]: the name of the rule that wasn't applied. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: Windows Firewall with Advanced Security illustration **Error Information:** -- **Reason** \[Type = UnicodeString\]: the reason why the rule was not applied. +- **Reason** \[Type = UnicodeString\]: the reason why the rule wasn't applied. ## Security Monitoring Recommendations -For 4957(F): Windows Firewall did not apply the following rule. +For 4957(F): Windows Firewall didn't apply the following rule. - This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues. diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md index 3fc2c85a83..5e6f8b57f9 100644 --- a/windows/security/threat-protection/auditing/event-4958.md +++ b/windows/security/threat-protection/auditing/event-4958.md @@ -1,6 +1,6 @@ --- -title: 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. (Windows 10) -description: Describes security event 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. +title: 4958(F) Windows Firewall didn't apply the following rule because the rule referred to items not configured on this computer. (Windows 10) +description: Describes security event 4958(F) Windows Firewall didn't apply the following rule because the rule referred to items not configured on this computer. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -14,18 +14,18 @@ ms.author: dansimp ms.technology: windows-sec --- -# 4958(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. +# 4958(F): Windows Firewall didn't apply the following rule because the rule referred to items not configured on this computer. -Windows Firewall with Advanced Security processed a rule that contains parameters that cannot be resolved on the local computer. The rule is therefore not enforceable on the computer and so is excluded from the runtime state of the firewall. This is not necessarily an error. Examine the rule for applicability on the computers to which it was applied. +Windows Firewall with Advanced Security processed a rule that contains parameters that can't be resolved on the local computer. The rule is therefore not enforceable on the computer and so is excluded from the runtime state of the firewall. This exclusion isn't necessarily an error. Examine the rule for applicability on the computers to which it was applied. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) ***Event Schema:*** -*Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: +*Windows Firewall didn't apply the following rule because the rule referred to items not configured on this computer: Rule Information: %tID:%t%1 %tName:%t%2 diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md index 9216275f2d..86502afb98 100644 --- a/windows/security/threat-protection/auditing/event-5030.md +++ b/windows/security/threat-protection/auditing/event-5030.md @@ -19,9 +19,9 @@ ms.technology: windows-sec Windows logs this event if the Windows Firewall service fails to start, or if it unexpectedly terminates. The error message indicates the cause of the service failure by including an error code in the text of the message. -This event doesn't generate during Windows Firewall service failures if Windows Firewall policy is incorrect\\corrupted or one of the service dependencies was not started. +This event doesn't generate during Windows Firewall service failures if Windows Firewall policy is incorrect\\corrupted or one of the service dependencies wasn't started. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md index b54933cde7..0e6d81e9ac 100644 --- a/windows/security/threat-protection/auditing/event-5031.md +++ b/windows/security/threat-protection/auditing/event-5031.md @@ -25,7 +25,7 @@ ms.technology: windows-sec This event generates when an application was blocked from accepting incoming connections on the network by [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page). -If you don’t have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you will get this event from [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) layer, because by default this layer is denying any incoming connections. +If you don’t have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you'll get this event from [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) layer, because by default this layer is denying any incoming connections. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -82,8 +82,8 @@ For 5031(F): The Windows Firewall Service blocked an application from accepting - You can use this event to detect applications for which no Windows Firewall rules were created. -- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. +- If you have a pre-defined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. -- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). +- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.” \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md index dbb32f1459..44d9fafb84 100644 --- a/windows/security/threat-protection/auditing/event-5038.md +++ b/windows/security/threat-protection/auditing/event-5038.md @@ -1,6 +1,6 @@ --- -title: 5038(F) Code integrity determined that the image hash of a file is not valid. (Windows 10) -description: Describes security event 5038(F) Code integrity determined that the image hash of a file is not valid. +title: 5038(F) Code integrity determined that the image hash of a file isn't valid. (Windows 10) +description: Describes security event 5038(F) Code integrity determined that the image hash of a file isn't valid. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -14,16 +14,16 @@ ms.author: dansimp ms.technology: windows-sec --- -# 5038(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. +# 5038(F): Code integrity determined that the image hash of a file isn't valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. -This event generates by [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) feature, if signature of a file is not valid. +This event generates by [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) feature, if signature of a file isn't valid. -Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. +Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it's loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md index 7194197d62..aec25c2291 100644 --- a/windows/security/threat-protection/auditing/event-5039.md +++ b/windows/security/threat-protection/auditing/event-5039.md @@ -19,9 +19,9 @@ ms.technology: windows-sec This event should be generated when registry key was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx). -This event occurs very rarely during standard LUAFV registry key virtualization. +This event occurs rarely during standard LUAFV registry key virtualization. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Registry](audit-registry.md) @@ -59,7 +59,7 @@ There is no example of this event in this document. ## Security Monitoring Recommendations -- There is no recommendation for this event in this document. +- There's no recommendation for this event in this document. diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md index 67f25e7071..530cebdbe3 100644 --- a/windows/security/threat-protection/auditing/event-5051.md +++ b/windows/security/threat-protection/auditing/event-5051.md @@ -19,9 +19,9 @@ ms.technology: windows-sec This event should be generated when file was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx). -This event occurs very rarely during standard LUAFV file virtualization. +This event occurs rarely during standard LUAFV file virtualization. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit File System](audit-file-system.md) @@ -59,5 +59,5 @@ There is no example of this event in this document. ## Security Monitoring Recommendations -- There is no recommendation for this event in this document. +- There's no recommendation for this event in this document. diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md index a0be07f3bf..b8d749b9fe 100644 --- a/windows/security/threat-protection/auditing/event-5056.md +++ b/windows/security/threat-protection/auditing/event-5056.md @@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for CNG troubleshooting. +This event is used for CNG troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md index 8ef262994a..6f251535e5 100644 --- a/windows/security/threat-protection/auditing/event-5057.md +++ b/windows/security/threat-protection/auditing/event-5057.md @@ -17,7 +17,7 @@ ms.technology: windows-sec # 5057(F): A cryptographic primitive operation failed. -This event generates in case of CNG primitive operation failure. +This event generates if there's a CNG primitive operation failure. For more information about Cryptographic Next Generation (CNG) visit these pages: @@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md index eaa7c1b441..42a31d7a3a 100644 --- a/windows/security/threat-protection/auditing/event-5058.md +++ b/windows/security/threat-protection/auditing/event-5058.md @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event generates when an operation (read, write, delete, and so on) was performed on a file that contains a KSP key by using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs were used: +This event generates when an operation (read, write, delete, and so on) was performed on a file that contains a KSP key by using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs was used: - Microsoft Software Key Storage Provider @@ -81,13 +81,13 @@ You can see these events, for example, during certificate renewal or export oper **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested key file operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested key file operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested key file operation. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -109,7 +109,7 @@ You can see these events, for example, during certificate renewal or export oper - Microsoft Smart Card Key Storage Provider -- **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this typically has “**UNKNOWN**” value. Can also have one of the following values: +- **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this algorithm has “**UNKNOWN**” value. Can also have one of the following values: - RSA – algorithm created by Ron Rivest, Adi Shamir, and Leonard Adleman. @@ -129,7 +129,7 @@ You can see these events, for example, during certificate renewal or export oper - ECDSA\_P521 – Elliptic Curve Digital Signature Algorithm with 521-bit key length. -- **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here is an output example: +- **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here's an output example: Certutil command illustration diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md index e20a614013..b8f9fb0ef7 100644 --- a/windows/security/threat-protection/auditing/event-5060.md +++ b/windows/security/threat-protection/auditing/event-5060.md @@ -27,9 +27,9 @@ For more information about CNG, visit these pages: - -This event is mainly used for CNG troubleshooting. +This event is used for CNG troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md index af59c9ccb8..58bcd9848d 100644 --- a/windows/security/threat-protection/auditing/event-5061.md +++ b/windows/security/threat-protection/auditing/event-5061.md @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event generates when a cryptographic operation (open key, create key, create key, and so on) was performed using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs were used: +This event generates when a cryptographic operation (open key, create key, create key, and so on) was performed using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs was used: - Microsoft Software Key Storage Provider @@ -78,13 +78,13 @@ This event generates when a cryptographic operation (open key, create key, creat **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested specific cryptographic operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested specific cryptographic operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested specific cryptographic operation. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -106,7 +106,7 @@ This event generates when a cryptographic operation (open key, create key, creat - Microsoft Smart Card Key Storage Provider -- **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this typically has “**UNKNOWN**” value. Can also have one of the following values: +- **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this algorithm has “**UNKNOWN**” value. Can also have one of the following values: - RSA – algorithm created by Ron Rivest, Adi Shamir, and Leonard Adleman. @@ -126,7 +126,7 @@ This event generates when a cryptographic operation (open key, create key, creat - ECDSA\_P521 – Elliptic Curve Digital Signature Algorithm with 521-bit key length. -- **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here is an output example: +- **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here's an output example: Certutil command illustration diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md index 5038c7efce..ca597eccaf 100644 --- a/windows/security/threat-protection/auditing/event-5063.md +++ b/windows/security/threat-protection/auditing/event-5063.md @@ -17,7 +17,7 @@ ms.technology: windows-sec # 5063(S, F): A cryptographic provider operation was attempted. -This event generates in BCryptUnregisterProvider() and BCryptRegisterProvider() functions. These are Cryptographic Next Generation (CNG) functions. +This event generates in BCryptUnregisterProvider() and BCryptRegisterProvider() functions. These functions are Cryptographic Next Generation (CNG) functions. This event generates when cryptographic provider was registered or unregistered. @@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md index 58926d7958..ae83f4488b 100644 --- a/windows/security/threat-protection/auditing/event-5064.md +++ b/windows/security/threat-protection/auditing/event-5064.md @@ -17,7 +17,7 @@ ms.technology: windows-sec # 5064(S, F): A cryptographic context operation was attempted. -This event generates in [BCryptCreateContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptcreatecontext)() and [BCryptDeleteContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptdeletecontext)() functions. These are Cryptographic Next Generation (CNG) functions. +This event generates in [BCryptCreateContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptcreatecontext)() and [BCryptDeleteContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptdeletecontext)() functions. These functions are Cryptographic Next Generation (CNG) functions. This event generates when cryptographic context was created or deleted. @@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md index 7e24add6fe..e382f07e2f 100644 --- a/windows/security/threat-protection/auditing/event-5065.md +++ b/windows/security/threat-protection/auditing/event-5065.md @@ -16,8 +16,7 @@ ms.technology: windows-sec # 5065(S, F): A cryptographic context modification was attempted. - -This event generates in [BCryptConfigureContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontext)() function. This is a Cryptographic Next Generation (CNG) function. +This event generates in [BCryptConfigureContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontext)() function. This function is a Cryptographic Next Generation (CNG) function. This event generates when configuration information was changed for existing CNG context. @@ -27,9 +26,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md index 310525c71a..6a40bb0b06 100644 --- a/windows/security/threat-protection/auditing/event-5066.md +++ b/windows/security/threat-protection/auditing/event-5066.md @@ -17,7 +17,7 @@ ms.technology: windows-sec # 5066(S, F): A cryptographic function operation was attempted. -This event generates in [BCryptAddContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptaddcontextfunction)() and [BCryptRemoveContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptremovecontextfunction)() functions. These are Cryptographic Next Generation (CNG) functions. +This event generates in [BCryptAddContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptaddcontextfunction)() and [BCryptRemoveContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptremovecontextfunction)() functions. These functions are Cryptographic Next Generation (CNG) functions. This event generates when cryptographic function was added or removed from the list of functions that are supported by an existing CNG context. @@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md index 509b5d140a..02b76446df 100644 --- a/windows/security/threat-protection/auditing/event-5067.md +++ b/windows/security/threat-protection/auditing/event-5067.md @@ -17,19 +17,19 @@ ms.technology: windows-sec # 5067(S, F): A cryptographic function modification was attempted. -This event generates in [BCryptConfigureContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontextfunction)() function. This is a Cryptographic Next Generation (CNG) function. +This event generates in [BCryptConfigureContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontextfunction)() function. This function is a Cryptographic Next Generation (CNG) function. This event generates when configuration information for the cryptographic function of an existing CNG context was changed. -For more information about Cryptographic Next Generation (CNG) visit these pages: +For more information about Cryptographic Next Generation (CNG), visit these pages: - - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md index 1214a053db..ed2e8582db 100644 --- a/windows/security/threat-protection/auditing/event-5068.md +++ b/windows/security/threat-protection/auditing/event-5068.md @@ -17,17 +17,17 @@ ms.technology: windows-sec # 5068(S, F): A cryptographic function provider operation was attempted. -This event generates in BCryptAddContextFunctionProvider() and BCryptRemoveContextFunctionProvider() functions. These are Cryptographic Next Generation (CNG) functions. +This event generates in BCryptAddContextFunctionProvider() and BCryptRemoveContextFunctionProvider() functions. These functions are Cryptographic Next Generation (CNG) functions. -For more information about Cryptographic Next Generation (CNG) visit these pages: +For more information about Cryptographic Next Generation (CNG), visit these pages: - - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md index dadbcf3347..fc14219958 100644 --- a/windows/security/threat-protection/auditing/event-5069.md +++ b/windows/security/threat-protection/auditing/event-5069.md @@ -17,19 +17,19 @@ ms.technology: windows-sec # 5069(S, F): A cryptographic function property operation was attempted. -This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This is a Cryptographic Next Generation (CNG) function. +This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This function is a Cryptographic Next Generation (CNG) function. This event generates when named property for a cryptographic function in an existing CNG context was added or removed. -For more information about Cryptographic Next Generation (CNG) visit these pages: +For more information about Cryptographic Next Generation (CNG), visit these pages: - - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)