Threat protection
Overview
What is Microsoft Defender Advanced Threat Protection?
Overview of Microsoft Defender ATP capabilities
Threat & Vulnerability Management
Next-generation capabilities
What's in the dashboard and what it means for my organization
Exposure score
Configuration score
Security recommendation
Remediation and exception
Software inventory
Weaknesses
Scenarios
Attack surface reduction
Overview of attack surface reduction
Hardware-based isolation
Hardware-based isolation in Windows 10
Application isolation
Application guard overview
System requirements
System integrity
Application control
Exploit protection
Network protection
Web protection
Web protection overview
Monitor web security
Respond to web threats
Controlled folder access
Attack surface reduction
Network firewall
Next generation protection
Endpoint detection and response
Endpoint detection and response overview
Security operations dashboard
Incidents queue
View and organize the Incidents queue
Manage incidents
Investigate incidents
Alerts queue
View and organize the Alerts queue
Manage alerts
Investigate alerts
Investigate files
Investigate machines
Investigate an IP address
Investigate a domain
Investigate connection events that occur behind forward proxies
Investigate a user account
Machines list
View and organize the Machines list
Manage machine group and tags
Take response actions
Take response actions on a machine
Response actions on machines
Manage tags
Initiate Automated investigation
Initiate Live Response session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate machines from the network
Consult a threat expert
Check activity details in Action center
Take response actions on a file
Response actions on files
Stop and quarantine files in your network
Restore file from quarantine
Add indicators to block or allow a file
Consult a threat expert
Check activity details in Action center
Download or collect file
Deep analysis
Submit files for analysis
View deep analysis reports
Troubleshoot deep analysis
Investigate entities using Live response
Investigate entities on machines
Live response command examples
Automated investigation and remediation
Automated investigation and remediation overview
Learn about the automated investigation and remediation dashboard
Manage actions related to automated investigation and remediation
Secure score
Threat analytics
Advanced hunting
Advanced hunting overview
Learn the query language
Use shared queries
Advanced hunting schema reference
Understand the schema
AlertEvents
FileCreationEvents
ImageLoadEvents
LogonEvents
MachineInfo
MachineNetworkInfo
MiscEvents
NetworkCommunicationEvents
ProcessCreationEvents
RegistryEvents
DeviceTvmSoftwareInventoryVulnerabilities
DeviceTvmSoftwareVulnerabilitiesKB
DeviceTvmSecureConfigurationAssessment
DeviceTvmSecureConfigurationAssessmentKB
Apply query best practices
Stream Advanced hunting events to Azure Event Hubs
Custom detections
Understand custom detection rules
Create and manage custom detections rules
Management and APIs
Overview of management and APIs
Understand threat intelligence concepts
Managed security service provider support
Integrations
Microsoft Defender ATP integrations
Protect users, data, and devices with conditional access
Microsoft Cloud App Security integration overview
Information protection in Windows overview
Windows integration
Use sensitivity labels to prioritize incident response
Microsoft Threat Experts
Portal overview
Microsoft Defender ATP for US Government Community Cloud High customers
Get started
What's new in Microsoft Defender ATP
Minimum requirements
Validate licensing and complete setup
Evaluation lab
Preview features
Data storage and privacy
Assign user access to the portal
Evaluate Microsoft Defender ATP
Attack surface reduction and next-generation capability evaluation
Attack surface reduction and next-generation evaluation overview
Hardware-based isolation
Application control
Exploit protection
Network Protection
Controlled folder access
Attack surface reduction
Network firewall
Evaluate next generation protection
Access the Windows Defender Security Center Community Center
Configure and manage capabilities
Configure attack surface reduction
Attack surface reduction configuration settings
Hardware-based isolation
System isolation
Application isolation
Install Windows Defender Application Guard
Application control
Device control
Control USB devices
Device Guard
Code integrity
Memory integrity
Understand memory integrity
Hardware qualifications
Enable HVCI
Exploit protection
Enable exploit protection
Import/export configurations
Network protection
Controlled folder access
Attack surface reduction controls
Enable attack surface reduction rules
Customize attack surface reduction
Network firewall
Configure next generation protection
Configure Windows Defender Antivirus features
Utilize Microsoft cloud-delivered protection
Enable cloud-delivered protection
Specify the cloud-delivered protection level
Configure and validate network connections
Prevent security settings changes with tamper protection
Enable Block at first sight
Configure the cloud block timeout period
Configure behavioral, heuristic, and real-time protection
Configuration overview
Detect and block Potentially Unwanted Applications
Enable and configure always-on protection and monitoring
Antivirus on Windows Server 2016
Antivirus compatibility
Compatibility charts
Use limited periodic antivirus scanning
Deploy, manage updates, and report on antivirus
Preparing to deploy
Deploy and enable antivirus
Deployment guide for VDI environments
Report on antivirus protection
Review protection status and alerts
Troubleshoot antivirus reporting in Update Compliance
Manage updates and apply baselines
Learn about the different kinds of updates
Manage protection and security intelligence updates
Manage when protection updates should be downloaded and applied
Manage updates for endpoints that are out of date
Manage event-based forced updates
Manage updates for mobile devices and VMs
Customize, initiate, and review the results of scans and remediation
Configuration overview
Configure and validate exclusions in antivirus scans
Exclusions overview
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Configure antivirus exclusions Windows Server 2016
Configure scanning antivirus options
Configure remediation for scans
Configure scheduled scans
Configure and run scans
Review scan results
Run and review the results of an offline scan
Restore quarantined files
Manage antivirus in your business
Management overview
Use Group Policy settings to configure and manage antivirus
Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus
Use PowerShell cmdlets to configure and manage antivirus
Use Windows Management Instrumentation (WMI) to configure and manage antivirus
Use the mpcmdrun.exe commandline tool to configure and manage antivirus
Manage scans and remediation
Management overview
Configure and validate exclusions in antivirus scans
Exclusions overview
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Configure antivirus exclusions on Windows Server 2016
Configure scanning options
Configure remediation for scans
Configure scheduled scans
Configure and run scans
Review scan results
Run and review the results of an offline scan
Restore quarantined files
Manage next generation protection in your business
Management overview
Use Microsoft Intune and System Center Configuration Manager to manage next generation protection
Use Group Policy settings to manage next generation protection
Use PowerShell cmdlets to manage next generation protection
Use Windows Management Instrumentation (WMI) to manage next generation protection
Use the mpcmdrun.exe command line tool to manage next generation protection
Microsoft Defender Advanced Threat Protection for Mac
What's New
Deploy
Microsoft Intune-based deployment
JAMF-based deployment
Deployment with a different Mobile Device Management (MDM) system
Manual deployment
Update
Configure
Configure and validate exclusions
Set preferences
Detect and block Potentially Unwanted Applications
Troubleshoot
Troubleshoot performance issues
Troubleshoot kernel extension issues
Privacy
Resources
Configure Secure score dashboard security controls
Configure and manage Microsoft Threat Experts capabilities
Management and API support
Onboard devices to the service
Onboard machines to Microsoft Defender ATP
Onboard previous versions of Windows
Onboard Windows 10 machines
Onboarding tools and methods
Onboard machines using Group Policy
Onboard machines using System Center Configuration Manager
Onboard machines using Mobile Device Management tools
Onboard machines using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Onboard servers
Onboard non-Windows machines
Onboard machines without Internet access
Run a detection test on a newly onboarded machine
Run simulated attacks on machines
Configure proxy and Internet connectivity settings
Create an onboarding or offboarding notification rule
Troubleshoot onboarding issues
Troubleshoot issues during onboarding
Troubleshoot subscription and portal access issues
Microsoft Defender ATP API
Microsoft Defender ATP API license and terms
Get started with Microsoft Defender ATP APIs
Introduction
Hello World
Get access with application context
Get access with user context
APIs
Supported Microsoft Defender ATP query APIs
Advanced Hunting
Alert
Alert methods and properties
List alerts
Create alert
Update Alert
Get alert information by ID
Get alert related domains information
Get alert related file information
Get alert related IPs information
Get alert related machine information
Get alert related user information
Machine
Machine methods and properties
List machines
Get machine by ID
Get machine log on users
Get machine related alerts
Add or Remove machine tags
Find machines by IP
Machine Action
Machine Action methods and properties
List Machine Actions
Get Machine Action
Collect investigation package
Get investigation package SAS URI
Isolate machine
Release machine from isolation
Restrict app execution
Remove app restriction
Run antivirus scan
Offboard machine
Stop and quarantine file
Initiate investigation (preview)
Indicators
Indicators methods and properties
Submit Indicator
List Indicators
Delete Indicator
Domain
Get domain related alerts
Get domain related machines
Get domain statistics
File
File methods and properties
Get file information
Get file related alerts
Get file related machines
Get file statistics
IP
Get IP related alerts
Get IP statistics
User
User methods
Get user related alerts
Get user related machines
How to use APIs - Samples
Microsoft Flow
Power BI
Advanced Hunting using Python
Advanced Hunting using PowerShell
Using OData Queries
Windows updates (KB) info
Get KbInfo collection
Common Vulnerabilities and Exposures (CVE) to KB map
Get CVE-KB map
API for custom alerts (Deprecated)
Use the threat intelligence API to create custom alerts (Deprecated)
Create custom threat intelligence alerts (Deprecated)
PowerShell code examples (Deprecated)
Python code examples (Deprecated)
Experiment with custom threat intelligence alerts (Deprecated)
Troubleshoot custom threat intelligence issues (Deprecated)
Pull detections to your SIEM tools
Learn about different ways to pull detections
Enable SIEM integration
Configure Splunk to pull detections
Configure HP ArcSight to pull detections
Microsoft Defender ATP detection fields
Pull detections using SIEM REST API
Troubleshoot SIEM tool integration issues
Reporting
Create and build Power BI reports using Microsoft Defender ATP data
Threat protection reports
Machine health and compliance reports
Partners & APIs
Partner applications
Connected applications
API explorer
Manage machine configuration
Ensure your machines are configured properly
Monitor and increase machine onboarding
Increase compliance to the security baseline
Optimize ASR rule deployment and detections
Role-based access control
Manage portal access using RBAC
Create and manage roles
Create and manage machine groups
Using machine groups
Create and manage machine tags
Configure managed security service provider (MSSP) support
Configure Microsoft threat protection integration
Configure conditional access
Configure Microsoft Cloud App Security integration
Configure information protection in Windows
Configure portal settings
Set up preferences
General
Update data retention settings
Configure alert notifications
Enable and create Power BI reports using Windows Defender Security center data
Enable Secure score security controls
Configure advanced features
Permissions
Use basic permissions to access the portal
Manage portal access using RBAC
Create and manage roles
Create and manage machine groups
Create and manage machine tags
APIs
Enable Threat intel (Deprecated)
Enable SIEM integration
Rules
Manage suppression rules
Manage indicators
Manage automation file uploads
Manage automation folder exclusions
Machine management
Onboarding machines
Offboarding machines
Configure Microsoft Defender Security Center time zone settings
Troubleshoot Microsoft Defender ATP
Troubleshoot sensor state
Check sensor state
Fix unhealthy sensors
Inactive machines
Misconfigured machines
Review sensor events and errors on machines with Event Viewer
Troubleshoot Microsoft Defender ATP service issues
Troubleshoot service issues
Check service health
Troubleshoot live response issues
Troubleshoot issues related to live response
Troubleshoot attack surface reduction
Network protection
Attack surface reduction rules
Troubleshoot next generation protection
Security intelligence
Understand malware & other threats
Prevent malware infection
Malware names
Coin miners
Exploits and exploit kits
Fileless threats
Macro malware
Phishing
Ransomware
Rootkits
Supply chain attacks
Tech support scams
Trojans
Unwanted software
Worms
How Microsoft identifies malware and PUA
Submit files for analysis
Safety Scanner download
Industry antivirus tests
Industry collaboration programs
Virus information alliance
Microsoft virus initiative
Coordinated malware eradication
Information for developers
Software developer FAQ
Software developer resources
Windows Certifications
FIPS 140 Validations
Common Criteria Certifications
More Windows 10 security
The Windows Security app
Customize the Windows Security app for your organization
Hide Windows Security app notifications
Manage Windows Security app in Windows 10 in S mode
Virus and threat protection
Account protection
Firewall and network protection
App and browser control
Device security
Device performance and health
Family options
SmartScreen
SmartScreen Group Policy and mobile device management (MDM) settings
Set up and use SmartScreen on individual devices
Windows Defender Device Guard: virtualization-based security and WDAC
Control the health of Windows 10-based devices
Mitigate threats by using Windows 10 security features
Override Process Mitigation Options to help enforce app-related security policies
Use Windows Event Forwarding to help with intrusion detection
Block untrusted fonts in an enterprise
Security auditing
Basic security audit policies
Create a basic audit policy for an event category
Apply a basic audit policy on a file or folder
View the security event log
Basic security audit policy settings
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
Advanced security audit policies
Planning and deploying advanced security audit policies
Advanced security auditing FAQ
Which editions of Windows support advanced audit policy configuration
How to list XML elements in <EventData>
Using advanced security auditing options to monitor dynamic access control objects
Monitor the central access policies that apply on a file server
Monitor the use of removable storage devices
Monitor resource attribute definitions
Monitor central access policy and rule definitions
Monitor user and device claims during sign-in
Monitor the resource attributes on files and folders
Monitor the central access policies associated with files and folders
Monitor claim types
Advanced security audit policy settings
Audit Credential Validation
Event 4774 S, F: An account was mapped for logon.
Event 4775 F: An account could not be mapped for logon.
Event 4776 S, F: The computer attempted to validate the credentials for an account.
Event 4777 F: The domain controller failed to validate the credentials for an account.
Audit Kerberos Authentication Service
Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.
Event 4771 F: Kerberos pre-authentication failed.
Event 4772 F: A Kerberos authentication ticket request failed.
Audit Kerberos Service Ticket Operations
Event 4769 S, F: A Kerberos service ticket was requested.
Event 4770 S: A Kerberos service ticket was renewed.
Event 4773 F: A Kerberos service ticket request failed.
Audit Other Account Logon Events
Audit Application Group Management
Audit Computer Account Management
Event 4741 S: A computer account was created.
Event 4742 S: A computer account was changed.
Event 4743 S: A computer account was deleted.
Audit Distribution Group Management
Event 4749 S: A security-disabled global group was created.
Event 4750 S: A security-disabled global group was changed.
Event 4751 S: A member was added to a security-disabled global group.
Event 4752 S: A member was removed from a security-disabled global group.
Event 4753 S: A security-disabled global group was deleted.
Audit Other Account Management Events
Event 4782 S: The password hash of an account was accessed.
Event 4793 S: The Password Policy Checking API was called.
Audit Security Group Management
Event 4731 S: A security-enabled local group was created.
Event 4732 S: A member was added to a security-enabled local group.
Event 4733 S: A member was removed from a security-enabled local group.
Event 4734 S: A security-enabled local group was deleted.
Event 4735 S: A security-enabled local group was changed.
Event 4764 S: A group's type was changed.
Event 4799 S: A security-enabled local group membership was enumerated.
Audit User Account Management
Event 4720 S: A user account was created.
Event 4722 S: A user account was enabled.
Event 4723 S, F: An attempt was made to change an account's password.
Event 4724 S, F: An attempt was made to reset an account's password.
Event 4725 S: A user account was disabled.
Event 4726 S: A user account was deleted.
Event 4738 S: A user account was changed.
Event 4740 S: A user account was locked out.
Event 4765 S: SID History was added to an account.
Event 4766 F: An attempt to add SID History to an account failed.
Event 4767 S: A user account was unlocked.
Event 4780 S: The ACL was set on accounts which are members of administrators groups.
Event 4781 S: The name of an account was changed.
Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.
Event 4798 S: A user's local group membership was enumerated.
Event 5376 S: Credential Manager credentials were backed up.
Event 5377 S: Credential Manager credentials were restored from a backup.
Audit DPAPI Activity
Event 4692 S, F: Backup of data protection master key was attempted.
Event 4693 S, F: Recovery of data protection master key was attempted.
Event 4694 S, F: Protection of auditable protected data was attempted.
Event 4695 S, F: Unprotection of auditable protected data was attempted.
Audit PNP Activity
Event 6416 S: A new external device was recognized by the System.
Event 6419 S: A request was made to disable a device.
Event 6420 S: A device was disabled.
Event 6421 S: A request was made to enable a device.
Event 6422 S: A device was enabled.
Event 6423 S: The installation of this device is forbidden by system policy.
Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.
Audit Process Creation
Event 4688 S: A new process has been created.
Event 4696 S: A primary token was assigned to process.
Audit Process Termination
Event 4689 S: A process has exited.
Audit RPC Events
Event 5712 S: A Remote Procedure Call, RPC, was attempted.
Audit Detailed Directory Service Replication
Event 4928 S, F: An Active Directory replica source naming context was established.
Event 4929 S, F: An Active Directory replica source naming context was removed.
Event 4930 S, F: An Active Directory replica source naming context was modified.
Event 4931 S, F: An Active Directory replica destination naming context was modified.
Event 4934 S: Attributes of an Active Directory object were replicated.
Event 4935 F: Replication failure begins.
Event 4936 S: Replication failure ends.
Event 4937 S: A lingering object was removed from a replica.
Audit Directory Service Access
Event 4662 S, F: An operation was performed on an object.
Event 4661 S, F: A handle to an object was requested.
Audit Directory Service Changes
Event 5136 S: A directory service object was modified.
Event 5137 S: A directory service object was created.
Event 5138 S: A directory service object was undeleted.
Event 5139 S: A directory service object was moved.
Event 5141 S: A directory service object was deleted.
Audit Directory Service Replication
Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.
Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.
Audit Account Lockout
Event 4625 F: An account failed to log on.
Audit User/Device Claims
Event 4626 S: User/Device claims information.
Audit Group Membership
Event 4627 S: Group membership information.
Audit IPsec Extended Mode
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Logoff
Event 4634 S: An account was logged off.
Event 4647 S: User initiated logoff.
Audit Logon
Event 4624 S: An account was successfully logged on.
Event 4625 F: An account failed to log on.
Event 4648 S: A logon was attempted using explicit credentials.
Event 4675 S: SIDs were filtered.
Audit Network Policy Server
Audit Other Logon/Logoff Events
Event 4649 S: A replay attack was detected.
Event 4778 S: A session was reconnected to a Window Station.
Event 4779 S: A session was disconnected from a Window Station.
Event 4800 S: The workstation was locked.
Event 4801 S: The workstation was unlocked.
Event 4802 S: The screen saver was invoked.
Event 4803 S: The screen saver was dismissed.
Event 5378 F: The requested credentials delegation was disallowed by policy.
Event 5632 S, F: A request was made to authenticate to a wireless network.
Event 5633 S, F: A request was made to authenticate to a wired network.
Audit Special Logon
Event 4964 S: Special groups have been assigned to a new logon.
Event 4672 S: Special privileges assigned to new logon.
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
Event 5140 S, F: A network share object was accessed.
Event 5142 S: A network share object was added.
Event 5143 S: A network share object was modified.
Event 5144 S: A network share object was deleted.
Event 5168 F: SPN check for SMB/SMB2 failed.
Audit File System
Event 4656 S, F: A handle to an object was requested.
Event 4658 S: The handle to an object was closed.
Event 4660 S: An object was deleted.
Event 4663 S: An attempt was made to access an object.
Event 4664 S: An attempt was made to create a hard link.
Event 4985 S: The state of a transaction has changed.
Event 5051: A file was virtualized.
Event 4670 S: Permissions on an object were changed.
Audit Filtering Platform Connection
Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
Event 5150: The Windows Filtering Platform blocked a packet.
Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.
Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Event 5156 S: The Windows Filtering Platform has permitted a connection.
Event 5157 F: The Windows Filtering Platform has blocked a connection.
Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.
Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.
Audit Filtering Platform Packet Drop
Event 5152 F: The Windows Filtering Platform blocked a packet.
Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.
Audit Handle Manipulation
Event 4690 S: An attempt was made to duplicate a handle to an object.
Audit Kernel Object
Event 4656 S, F: A handle to an object was requested.
Event 4658 S: The handle to an object was closed.
Event 4660 S: An object was deleted.
Event 4663 S: An attempt was made to access an object.
Audit Other Object Access Events
Event 4671: An application attempted to access a blocked ordinal through the TBS.
Event 4691 S: Indirect access to an object was requested.
Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
Event 5149 F: The DoS attack has subsided and normal processing is being resumed.
Event 4698 S: A scheduled task was created.
Event 4699 S: A scheduled task was deleted.
Event 4700 S: A scheduled task was enabled.
Event 4701 S: A scheduled task was disabled.
Event 4702 S: A scheduled task was updated.
Event 5888 S: An object in the COM+ Catalog was modified.
Event 5889 S: An object was deleted from the COM+ Catalog.
Event 5890 S: An object was added to the COM+ Catalog.
Audit Registry
Event 4663 S: An attempt was made to access an object.
Event 4656 S, F: A handle to an object was requested.
Event 4658 S: The handle to an object was closed.
Event 4660 S: An object was deleted.
Event 4657 S: A registry value was modified.
Event 5039: A registry key was virtualized.
Event 4670 S: Permissions on an object were changed.
Audit Removable Storage
Audit SAM
Event 4661 S, F: A handle to an object was requested.
Audit Central Access Policy Staging
Audit Audit Policy Change
Event 4670 S: Permissions on an object were changed.
Event 4715 S: The audit policy, SACL, on an object was changed.
Event 4719 S: System audit policy was changed.
Event 4817 S: Auditing settings on object were changed.
Event 4902 S: The Per-user audit policy table was created.
Event 4906 S: The CrashOnAuditFail value has changed.
Event 4907 S: Auditing settings on object were changed.
Event 4908 S: Special Groups Logon table modified.
Event 4912 S: Per User Audit Policy was changed.
Event 4904 S: An attempt was made to register a security event source.
Event 4905 S: An attempt was made to unregister a security event source.
Audit Authentication Policy Change
Event 4706 S: A new trust was created to a domain.
Event 4707 S: A trust to a domain was removed.
Event 4716 S: Trusted domain information was modified.
Event 4713 S: Kerberos policy was changed.
Event 4717 S: System security access was granted to an account.
Event 4718 S: System security access was removed from an account.
Event 4739 S: Domain Policy was changed.
Event 4864 S: A namespace collision was detected.
Event 4865 S: A trusted forest information entry was added.
Event 4866 S: A trusted forest information entry was removed.
Event 4867 S: A trusted forest information entry was modified.
Audit Authorization Policy Change
Event 4703 S: A user right was adjusted.
Event 4704 S: A user right was assigned.
Event 4705 S: A user right was removed.
Event 4670 S: Permissions on an object were changed.
Event 4911 S: Resource attributes of the object were changed.
Event 4913 S: Central Access Policy on the object was changed.
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Event 4944 S: The following policy was active when the Windows Firewall started.
Event 4945 S: A rule was listed when the Windows Firewall started.
Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.
Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.
Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.
Event 4949 S: Windows Firewall settings were restored to the default values.
Event 4950 S: A Windows Firewall setting has changed.
Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.
Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.
Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.
Event 4956 S: Windows Firewall has changed the active profile.
Event 4957 F: Windows Firewall did not apply the following rule.
Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
Audit Other Policy Change Events
Event 4714 S: Encrypted data recovery policy was changed.
Event 4819 S: Central Access Policies on the machine have been changed.
Event 4826 S: Boot Configuration Data loaded.
Event 4909: The local policy settings for the TBS were changed.
Event 4910: The group policy settings for the TBS were changed.
Event 5063 S, F: A cryptographic provider operation was attempted.
Event 5064 S, F: A cryptographic context operation was attempted.
Event 5065 S, F: A cryptographic context modification was attempted.
Event 5066 S, F: A cryptographic function operation was attempted.
Event 5067 S, F: A cryptographic function modification was attempted.
Event 5068 S, F: A cryptographic function provider operation was attempted.
Event 5069 S, F: A cryptographic function property operation was attempted.
Event 5070 S, F: A cryptographic function property modification was attempted.
Event 5447 S: A Windows Filtering Platform filter has been changed.
Event 6144 S: Security policy in the group policy objects has been applied successfully.
Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.
Audit Sensitive Privilege Use
Event 4673 S, F: A privileged service was called.
Event 4674 S, F: An operation was attempted on a privileged object.
Event 4985 S: The state of a transaction has changed.
Audit Non Sensitive Privilege Use
Event 4673 S, F: A privileged service was called.
Event 4674 S, F: An operation was attempted on a privileged object.
Event 4985 S: The state of a transaction has changed.
Audit Other Privilege Use Events
Event 4985 S: The state of a transaction has changed.
Audit IPsec Driver
Audit Other System Events
Event 5024 S: The Windows Firewall Service has started successfully.
Event 5025 S: The Windows Firewall Service has been stopped.
Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
Event 5030 F: The Windows Firewall Service failed to start.
Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
Event 5033 S: The Windows Firewall Driver has started successfully.
Event 5034 S: The Windows Firewall Driver was stopped.
Event 5035 F: The Windows Firewall Driver failed to start.
Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.
Event 5058 S, F: Key file operation.
Event 5059 S, F: Key migration operation.
Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.
Event 6401: BranchCache: Received invalid data from a peer. Data discarded.
Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.
Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
Event 6405: BranchCache: %2 instances of event id %1 occurred.
Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.
Event 6407: 1%.
Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
Event 6409: BranchCache: A service connection point object could not be parsed.
Audit Security State Change
Event 4608 S: Windows is starting up.
Event 4616 S: The system time was changed.
Event 4621 S: Administrator recovered system from CrashOnAuditFail.
Audit Security System Extension
Event 4610 S: An authentication package has been loaded by the Local Security Authority.
Event 4611 S: A trusted logon process has been registered with the Local Security Authority.
Event 4614 S: A notification package has been loaded by the Security Account Manager.
Event 4622 S: A security package has been loaded by the Local Security Authority.
Event 4697 S: A service was installed in the system.
Audit System Integrity
Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
Event 4615 S: Invalid use of LPC port.
Event 4618 S: A monitored security event pattern has occurred.
Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.
Event 5038 F: Code integrity determined that the image hash of a file is not valid.
Event 5056 S: A cryptographic self-test was performed.
Event 5062 S: A kernel-mode cryptographic self-test was performed.
Event 5057 F: A cryptographic primitive operation failed.
Event 5060 F: Verification operation failed.
Event 5061 S, F: Cryptographic operation.
Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.
Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.
Other Events
Event 1100 S: The event logging service has shut down.
Event 1102 S: The audit log was cleared.
Event 1104 S: The security log is now full.
Event 1105 S: Event log automatic backup.
Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.
Appendix A: Security monitoring recommendations for many audit events
Registry (Global Object Access Auditing)
File System (Global Object Access Auditing)
Security policy settings
Administer security policy settings
Network List Manager policies
Configure security policy settings
Security policy settings reference
Account Policies
Password Policy
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store passwords using reversible encryption
Account Lockout Policy
Account lockout duration
Account lockout threshold
Reset account lockout counter after
Kerberos Policy
Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization