91 KiB
Threat protection
Windows Defender Advanced Threat Protection
Windows Defender Security Center
####Get started
Minimum requirements
Validate licensing and complete setup
Troubleshoot subscription and portal access issues
Preview features
Data storage and privacy
Assign user access to the portal
Onboard machines
Onboard Windows 10 machines
Onboard machines using Group Policy
Onboard machines using System Center Configuration Manager
Onboard machines using Mobile Device Management tools
####### Onboard machines using Microsoft Intune
Onboard machines using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Onboard servers
Onboard non-Windows machines
Run a detection test on a newly onboarded machine
Run simulated attacks on machines
Configure proxy and Internet connectivity settings
Troubleshoot onboarding issues
Understand the portal
Portal overview
View the Security operations dashboard
View the Secure Score dashboard and improve your secure score
View the Threat analytics dashboard and take recommended mitigation actions
####Investigate and remediate threats #####Alerts queue
View and organize the Alerts queue
Manage alerts
Investigate alerts
Investigate files
Investigate machines
Investigate an IP address
Investigate a domain
Investigate a user account
#####Machines list
View and organize the Machines list
Manage machine group and tags
Alerts related to this machine
Machine timeline
####### Search for specific events ####### Filter events from a specific date ####### Export machine timeline events ####### Navigate between pages
Take response actions
Take response actions on a machine
####### Collect investigation package ####### Run antivirus scan ####### Restrict app execution ####### Remove app restriction ####### Isolate machines from the network ####### Release machine from isolation ####### Check activity details in Action center
Take response actions on a file
####### Stop and quarantine files in your network ####### Remove file from quarantine ####### Block files in your network ####### Remove file from blocked list ####### Check activity details in Action center ####### Deep analysis ######## Submit files for analysis ######## View deep analysis reports ######## Troubleshoot deep analysis
Use Automated investigation to investigate and remediate threats
Query data using Advanced hunting
####### Advanced hunting reference ####### Advanced hunting query language best practices
Protect users, data, and devices with conditional access
####API and SIEM support
Pull alerts to your SIEM tools
Enable SIEM integration
Configure Splunk to pull alerts
Configure HP ArcSight to pull alerts
Windows Defender ATP alert API fields
Pull alerts using REST API
Troubleshoot SIEM tool integration issues
Use the threat intelligence API to create custom alerts
Understand threat intelligence concepts
Enable the custom threat intelligence application
Create custom threat intelligence alerts
PowerShell code examples
Python code examples
Experiment with custom threat intelligence alerts
Troubleshoot custom threat intelligence issues
Use the Windows Defender ATP exposed APIs
Supported Windows Defender ATP APIs
#######Actor ######## Get actor information ######## Get actor related alerts #######Alerts ######## Get alerts ######## Get alert information by ID ######## Get alert related actor information ######## Get alert related domain information ######## Get alert related file information ######## Get alert related IP information ######## Get alert related machine information ########Domain ######### Get domain related alerts ######### Get domain related machines ######### Get domain statistics ######### Is domain seen in organization
#######File ######## Block file API ######## Get file information ######## Get file related alerts ######## Get file related machines ######## Get file statistics ######## Get FileActions collection API ######## Unblock file API
#######IP ######## Get IP related alerts ######## Get IP related machines ######## Get IP statistics ######## Is IP seen in organization #######Machines ######## Collect investigation package API ######## Find machine information by IP ######## Get machines ######## Get FileMachineAction object API ######## Get FileMachineActions collection API ######## Get machine by ID ######## Get machine log on users ######## Get machine related alerts ######## Get MachineAction object API ######## Get MachineActions collection API ######## Get machines ######## Get package SAS URI API ######## Isolate machine API ######## Release machine from isolation API ######## Remove app restriction API ######## Request sample API ######## Restrict app execution API ######## Run antivirus scan API ######## Stop and quarantine file API
#######User ######## Get alert related user information ######## Get user information ######## Get user related alerts ######## Get user related machines
####Reporting
Create and build Power BI reports using Windows Defender ATP data
####Check service health and sensor state
Check sensor state
Fix unhealthy sensors
Inactive machines
Misconfigured machines
Check service health
####Configure Windows Defender Security Center settings #####General
Update data retention settings
Configure alert notifications
Enable and create Power BI reports using Windows Defender Security center data
Enable Secure score security controls
Configure advanced features
#####Permissions
Manage portal access using RBAC
Create and manage machine groups
#####APIs
Enable Threat intel
Enable SIEM integration
#####Rules
Manage suppression rules
Manage automation allowed/blocked
Manage automation file uploads
Manage automation folder exclusions
#####Machine management
Onboarding machines
Offboarding machines
Configure Windows Defender Security Center time zone settings
Access the Windows Defender Security Center Community Center
Troubleshoot Windows Defender ATP service issues
Review events and errors on machines with Event Viewer
Windows Defender Antivirus compatibility with Windows Defender ATP
Windows Defender Antivirus
Windows Defender AV in the Windows Defender Security app
Windows Defender AV on Windows Server 2016
Windows Defender Antivirus compatibility
Use limited periodic scanning in Windows Defender AV
Evaluate Windows Defender Antivirus protection
Deploy, manage updates, and report on Windows Defender Antivirus
Deploy and enable Windows Defender Antivirus
Deployment guide for VDI environments
Report on Windows Defender Antivirus protection
Troubleshoot Windows Defender Antivirus reporting in Update Compliance
Manage updates and apply baselines
Manage protection and definition updates
Manage when protection updates should be downloaded and applied
Manage updates for endpoints that are out of date
Manage event-based forced updates
Manage updates for mobile devices and VMs
Configure Windows Defender Antivirus features
Utilize Microsoft cloud-delivered protection
Enable cloud-delivered protection
Specify the cloud-delivered protection level
Configure and validate network connections
Enable the Block at First Sight feature
Configure the cloud block timeout period
Configure behavioral, heuristic, and real-time protection
Detect and block Potentially Unwanted Applications
Enable and configure always-on protection and monitoring
Configure end-user interaction with Windows Defender AV
Configure the notifications that appear on endpoints
Prevent users from seeing or interacting with the user interface
Prevent or allow users to locally modify policy settings
Customize, initiate, and review the results of scans and remediation
Configure and validate exclusions in Windows Defender AV scans
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Configure exclusions in Windows Defender AV on Windows Server 2016
Configure scanning options in Windows Defender AV
Configure remediation for scans
Configure scheduled scans
Configure and run scans
Review scan results
Run and review the results of a Windows Defender Offline scan
Restore quarantined files in Windows Defender AV
Review event logs and error codes to troubleshoot issues
Manage Windows Defender AV in your business
Use Group Policy settings to configure and manage Windows Defender AV
Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
Use PowerShell cmdlets to configure and manage Windows Defender AV
Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV
Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV
Windows Defender Exploit Guard
Evaluate Windows Defender Exploit Guard
Use auditing mode to evaluate Windows Defender Exploit Guard
View Exploit Guard events
Exploit protection
Comparison with Enhanced Mitigation Experience Toolkit
Evaluate Exploit protection
Enable Exploit protection
Customize Exploit protection
Import, export, and deploy Exploit protection configurations
Memory integrity
Requirements for virtualization-based protection of code integrity
Enable virtualization-based protection of code integrity
Attack surface reduction
Evaluate Attack surface reduction
Enable Attack surface reduction
Customize Attack surface reduction
Troubleshoot Attack surface reduction rules
Network Protection
Evaluate Network Protection
Enable Network Protection
Troubleshoot Network protection
Controlled folder access
Evaluate Controlled folder access
Enable Controlled folder access
Customize Controlled folder access
Windows Defender Application Control
Windows Defender Application Guard
System requirements for Windows Defender Application Guard
Prepare and install Windows Defender Application Guard
Configure the Group Policy settings for Windows Defender Application Guard
Testing scenarios using Windows Defender Application Guard in your business or organization
Frequently Asked Questions - Windows Defender Application Guard
Other security features
The Windows Security app
Customize the Windows Security app for your organization
Hide Windows Security app notifications
Manage Windows Security app in Windows 10 in S mode
Virus and threat protection
Account protection
Firewall and network protection
App and browser control
Device security
Device performance and health
Family options
Windows Defender SmartScreen
Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
Set up and use Windows Defender SmartScreen on individual devices
Windows Defender Device Guard: virtualization-based security and WDAC
Control the health of Windows 10-based devices
Mitigate threats by using Windows 10 security features
Override Process Mitigation Options to help enforce app-related security policies
Use Windows Event Forwarding to help with intrusion detection
Block untrusted fonts in an enterprise
Security auditing
Basic security audit policies
Create a basic audit policy for an event category
Apply a basic audit policy on a file or folder
View the security event log
Basic security audit policy settings
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
Advanced security audit policies
Planning and deploying advanced security audit policies
Advanced security auditing FAQ
####### Which editions of Windows support advanced audit policy configuration
Using advanced security auditing options to monitor dynamic access control objects
####### Monitor the central access policies that apply on a file server ####### Monitor the use of removable storage devices ####### Monitor resource attribute definitions ####### Monitor central access policy and rule definitions ####### Monitor user and device claims during sign-in ####### Monitor the resource attributes on files and folders ####### Monitor the central access policies associated with files and folders ####### Monitor claim types
Advanced security audit policy settings
####### Audit Credential Validation ####### Event 4774 S, F: An account was mapped for logon. ####### Event 4775 F: An account could not be mapped for logon. ####### Event 4776 S, F: The computer attempted to validate the credentials for an account. ####### Event 4777 F: The domain controller failed to validate the credentials for an account.
Audit Kerberos Authentication Service
####### Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested. ####### Event 4771 F: Kerberos pre-authentication failed. ####### Event 4772 F: A Kerberos authentication ticket request failed.
Audit Kerberos Service Ticket Operations
####### Event 4769 S, F: A Kerberos service ticket was requested. ####### Event 4770 S: A Kerberos service ticket was renewed. ####### Event 4773 F: A Kerberos service ticket request failed.
Audit Other Account Logon Events
Audit Application Group Management
Audit Computer Account Management
####### Event 4741 S: A computer account was created. ####### Event 4742 S: A computer account was changed. ####### Event 4743 S: A computer account was deleted.
Audit Distribution Group Management
####### Event 4749 S: A security-disabled global group was created. ####### Event 4750 S: A security-disabled global group was changed. ####### Event 4751 S: A member was added to a security-disabled global group. ####### Event 4752 S: A member was removed from a security-disabled global group. ####### Event 4753 S: A security-disabled global group was deleted.
Audit Other Account Management Events
####### Event 4782 S: The password hash an account was accessed. ####### Event 4793 S: The Password Policy Checking API was called.
Audit Security Group Management
####### Event 4731 S: A security-enabled local group was created. ####### Event 4732 S: A member was added to a security-enabled local group. ####### Event 4733 S: A member was removed from a security-enabled local group. ####### Event 4734 S: A security-enabled local group was deleted. ####### Event 4735 S: A security-enabled local group was changed. ####### Event 4764 S: A group’s type was changed. ####### Event 4799 S: A security-enabled local group membership was enumerated.
Audit User Account Management
####### Event 4720 S: A user account was created. ####### Event 4722 S: A user account was enabled. ####### Event 4723 S, F: An attempt was made to change an account's password. ####### Event 4724 S, F: An attempt was made to reset an account's password. ####### Event 4725 S: A user account was disabled. ####### Event 4726 S: A user account was deleted. ####### Event 4738 S: A user account was changed. ####### Event 4740 S: A user account was locked out. ####### Event 4765 S: SID History was added to an account. ####### Event 4766 F: An attempt to add SID History to an account failed. ####### Event 4767 S: A user account was unlocked. ####### Event 4780 S: The ACL was set on accounts which are members of administrators groups. ####### Event 4781 S: The name of an account was changed. ####### Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password. ####### Event 4798 S: A user's local group membership was enumerated. ####### Event 5376 S: Credential Manager credentials were backed up. ####### Event 5377 S: Credential Manager credentials were restored from a backup.
Audit DPAPI Activity
####### Event 4692 S, F: Backup of data protection master key was attempted. ####### Event 4693 S, F: Recovery of data protection master key was attempted. ####### Event 4694 S, F: Protection of auditable protected data was attempted. ####### Event 4695 S, F: Unprotection of auditable protected data was attempted.
Audit PNP Activity
####### Event 6416 S: A new external device was recognized by the System. ####### Event 6419 S: A request was made to disable a device. ####### Event 6420 S: A device was disabled. ####### Event 6421 S: A request was made to enable a device. ####### Event 6422 S: A device was enabled. ####### Event 6423 S: The installation of this device is forbidden by system policy. ####### Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.
Audit Process Creation
####### Event 4688 S: A new process has been created. ####### Event 4696 S: A primary token was assigned to process.
Audit Process Termination
####### Event 4689 S: A process has exited.
Audit RPC Events
####### Event 5712 S: A Remote Procedure Call, RPC, was attempted.
Audit Detailed Directory Service Replication
####### Event 4928 S, F: An Active Directory replica source naming context was established. ####### Event 4929 S, F: An Active Directory replica source naming context was removed. ####### Event 4930 S, F: An Active Directory replica source naming context was modified. ####### Event 4931 S, F: An Active Directory replica destination naming context was modified. ####### Event 4934 S: Attributes of an Active Directory object were replicated. ####### Event 4935 F: Replication failure begins. ####### Event 4936 S: Replication failure ends. ####### Event 4937 S: A lingering object was removed from a replica.
Audit Directory Service Access
####### Event 4662 S, F: An operation was performed on an object. ####### Event 4661 S, F: A handle to an object was requested.
Audit Directory Service Changes
####### Event 5136 S: A directory service object was modified. ####### Event 5137 S: A directory service object was created. ####### Event 5138 S: A directory service object was undeleted. ####### Event 5139 S: A directory service object was moved. ####### Event 5141 S: A directory service object was deleted.
Audit Directory Service Replication
####### Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun. ####### Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.
Audit Account Lockout
####### Event 4625 F: An account failed to log on.
Audit User/Device Claims
####### Event 4626 S: User/Device claims information.
Audit Group Membership
####### Event 4627 S: Group membership information.
Audit IPsec Extended Mode
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Logoff
####### Event 4634 S: An account was logged off. ####### Event 4647 S: User initiated logoff.
Audit Logon
####### Event 4624 S: An account was successfully logged on. ####### Event 4625 F: An account failed to log on. ####### Event 4648 S: A logon was attempted using explicit credentials. ####### Event 4675 S: SIDs were filtered.
Audit Network Policy Server
Audit Other Logon/Logoff Events
####### Event 4649 S: A replay attack was detected. ####### Event 4778 S: A session was reconnected to a Window Station. ####### Event 4779 S: A session was disconnected from a Window Station. ####### Event 4800 S: The workstation was locked. ####### Event 4801 S: The workstation was unlocked. ####### Event 4802 S: The screen saver was invoked. ####### Event 4803 S: The screen saver was dismissed. ####### Event 5378 F: The requested credentials delegation was disallowed by policy. ####### Event 5632 S, F: A request was made to authenticate to a wireless network. ####### Event 5633 S, F: A request was made to authenticate to a wired network.
Audit Special Logon
####### Event 4964 S: Special groups have been assigned to a new logon. ####### Event 4672 S: Special privileges assigned to new logon.
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
####### Event 5140 S, F: A network share object was accessed. ####### Event 5142 S: A network share object was added. ####### Event 5143 S: A network share object was modified. ####### Event 5144 S: A network share object was deleted. ####### Event 5168 F: SPN check for SMB/SMB2 failed.
Audit File System
####### Event 4656 S, F: A handle to an object was requested. ####### Event 4658 S: The handle to an object was closed. ####### Event 4660 S: An object was deleted. ####### Event 4663 S: An attempt was made to access an object. ####### Event 4664 S: An attempt was made to create a hard link. ####### Event 4985 S: The state of a transaction has changed. ####### Event 5051: A file was virtualized. ####### Event 4670 S: Permissions on an object were changed.
Audit Filtering Platform Connection
####### Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network. ####### Event 5150: The Windows Filtering Platform blocked a packet. ####### Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet. ####### Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. ####### Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. ####### Event 5156 S: The Windows Filtering Platform has permitted a connection. ####### Event 5157 F: The Windows Filtering Platform has blocked a connection. ####### Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port. ####### Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.
Audit Filtering Platform Packet Drop
####### Event 5152 F: The Windows Filtering Platform blocked a packet. ####### Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.
Audit Handle Manipulation
####### Event 4690 S: An attempt was made to duplicate a handle to an object.
Audit Kernel Object
####### Event 4656 S, F: A handle to an object was requested. ####### Event 4658 S: The handle to an object was closed. ####### Event 4660 S: An object was deleted. ####### Event 4663 S: An attempt was made to access an object.
Audit Other Object Access Events
####### Event 4671: An application attempted to access a blocked ordinal through the TBS. ####### Event 4691 S: Indirect access to an object was requested. ####### Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. ####### Event 5149 F: The DoS attack has subsided and normal processing is being resumed. ####### Event 4698 S: A scheduled task was created. ####### Event 4699 S: A scheduled task was deleted. ####### Event 4700 S: A scheduled task was enabled. ####### Event 4701 S: A scheduled task was disabled. ####### Event 4702 S: A scheduled task was updated. ####### Event 5888 S: An object in the COM+ Catalog was modified. ####### Event 5889 S: An object was deleted from the COM+ Catalog. ####### Event 5890 S: An object was added to the COM+ Catalog.
Audit Registry
####### Event 4663 S: An attempt was made to access an object. ####### Event 4656 S, F: A handle to an object was requested. ####### Event 4658 S: The handle to an object was closed. ####### Event 4660 S: An object was deleted. ####### Event 4657 S: A registry value was modified. ####### Event 5039: A registry key was virtualized. ####### Event 4670 S: Permissions on an object were changed.
Audit Removable Storage
Audit SAM
####### Event 4661 S, F: A handle to an object was requested.
Audit Central Access Policy Staging
Audit Audit Policy Change
####### Event 4670 S: Permissions on an object were changed. ####### Event 4715 S: The audit policy, SACL, on an object was changed. ####### Event 4719 S: System audit policy was changed. ####### Event 4817 S: Auditing settings on object were changed. ####### Event 4902 S: The Per-user audit policy table was created. ####### Event 4906 S: The CrashOnAuditFail value has changed. ####### Event 4907 S: Auditing settings on object were changed. ####### Event 4908 S: Special Groups Logon table modified. ####### Event 4912 S: Per User Audit Policy was changed. ####### Event 4904 S: An attempt was made to register a security event source. ####### Event 4905 S: An attempt was made to unregister a security event source.
Audit Authentication Policy Change
####### Event 4706 S: A new trust was created to a domain. ####### Event 4707 S: A trust to a domain was removed. ####### Event 4716 S: Trusted domain information was modified. ####### Event 4713 S: Kerberos policy was changed. ####### Event 4717 S: System security access was granted to an account. ####### Event 4718 S: System security access was removed from an account. ####### Event 4739 S: Domain Policy was changed. ####### Event 4864 S: A namespace collision was detected. ####### Event 4865 S: A trusted forest information entry was added. ####### Event 4866 S: A trusted forest information entry was removed. ####### Event 4867 S: A trusted forest information entry was modified.
Audit Authorization Policy Change
####### Event 4703 S: A user right was adjusted. ####### Event 4704 S: A user right was assigned. ####### Event 4705 S: A user right was removed. ####### Event 4670 S: Permissions on an object were changed. ####### Event 4911 S: Resource attributes of the object were changed. ####### Event 4913 S: Central Access Policy on the object was changed.
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
####### Event 4944 S: The following policy was active when the Windows Firewall started. ####### Event 4945 S: A rule was listed when the Windows Firewall started. ####### Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added. ####### Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified. ####### Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted. ####### Event 4949 S: Windows Firewall settings were restored to the default values. ####### Event 4950 S: A Windows Firewall setting has changed. ####### Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall. ####### Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. ####### Event 4953 F: Windows Firewall ignored a rule because it could not be parsed. ####### Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied. ####### Event 4956 S: Windows Firewall has changed the active profile. ####### Event 4957 F: Windows Firewall did not apply the following rule. ####### Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
Audit Other Policy Change Events
####### Event 4714 S: Encrypted data recovery policy was changed. ####### Event 4819 S: Central Access Policies on the machine have been changed. ####### Event 4826 S: Boot Configuration Data loaded. ####### Event 4909: The local policy settings for the TBS were changed. ####### Event 4910: The group policy settings for the TBS were changed. ####### Event 5063 S, F: A cryptographic provider operation was attempted. ####### Event 5064 S, F: A cryptographic context operation was attempted. ####### Event 5065 S, F: A cryptographic context modification was attempted. ####### Event 5066 S, F: A cryptographic function operation was attempted. ####### Event 5067 S, F: A cryptographic function modification was attempted. ####### Event 5068 S, F: A cryptographic function provider operation was attempted. ####### Event 5069 S, F: A cryptographic function property operation was attempted. ####### Event 5070 S, F: A cryptographic function property modification was attempted. ####### Event 5447 S: A Windows Filtering Platform filter has been changed. ####### Event 6144 S: Security policy in the group policy objects has been applied successfully. ####### Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.
Audit Sensitive Privilege Use
####### Event 4673 S, F: A privileged service was called. ####### Event 4674 S, F: An operation was attempted on a privileged object. ####### Event 4985 S: The state of a transaction has changed.
Audit Non Sensitive Privilege Use
####### Event 4673 S, F: A privileged service was called. ####### Event 4674 S, F: An operation was attempted on a privileged object. ####### Event 4985 S: The state of a transaction has changed.
Audit Other Privilege Use Events
####### Event 4985 S: The state of a transaction has changed.
Audit IPsec Driver
Audit Other System Events
####### Event 5024 S: The Windows Firewall Service has started successfully. ####### Event 5025 S: The Windows Firewall Service has been stopped. ####### Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. ####### Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. ####### Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. ####### Event 5030 F: The Windows Firewall Service failed to start. ####### Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. ####### Event 5033 S: The Windows Firewall Driver has started successfully. ####### Event 5034 S: The Windows Firewall Driver was stopped. ####### Event 5035 F: The Windows Firewall Driver failed to start. ####### Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating. ####### Event 5058 S, F: Key file operation. ####### Event 5059 S, F: Key migration operation. ####### Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content. ####### Event 6401: BranchCache: Received invalid data from a peer. Data discarded. ####### Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted. ####### Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client. ####### Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. ####### Event 6405: BranchCache: %2 instances of event id %1 occurred. ####### Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2. ####### Event 6407: 1%. ####### Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. ####### Event 6409: BranchCache: A service connection point object could not be parsed.
Audit Security State Change
####### Event 4608 S: Windows is starting up. ####### Event 4616 S: The system time was changed. ####### Event 4621 S: Administrator recovered system from CrashOnAuditFail.
Audit Security System Extension
####### Event 4610 S: An authentication package has been loaded by the Local Security Authority. ####### Event 4611 S: A trusted logon process has been registered with the Local Security Authority. ####### Event 4614 S: A notification package has been loaded by the Security Account Manager. ####### Event 4622 S: A security package has been loaded by the Local Security Authority. ####### Event 4697 S: A service was installed in the system.
Audit System Integrity
####### Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. ####### Event 4615 S: Invalid use of LPC port. ####### Event 4618 S: A monitored security event pattern has occurred. ####### Event 4816 S: RPC detected an integrity violation while decrypting an incoming message. ####### Event 5038 F: Code integrity determined that the image hash of a file is not valid. ####### Event 5056 S: A cryptographic self-test was performed. ####### Event 5062 S: A kernel-mode cryptographic self-test was performed. ####### Event 5057 F: A cryptographic primitive operation failed. ####### Event 5060 F: Verification operation failed. ####### Event 5061 S, F: Cryptographic operation. ####### Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid. ####### Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.
Other Events
####### Event 1100 S: The event logging service has shut down. ####### Event 1102 S: The audit log was cleared. ####### Event 1104 S: The security log is now full. ####### Event 1105 S: Event log automatic backup. ####### Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.
Appendix A: Security monitoring recommendations for many audit events
Registry (Global Object Access Auditing)
File System (Global Object Access Auditing)
Security policy settings
Administer security policy settings
Network List Manager policies
Configure security policy settings
Security policy settings reference
Account Policies
Password Policy
####### Enforce password history ####### Maximum password age ####### Minimum password age ####### Minimum password length ####### Password must meet complexity requirements ####### Store passwords using reversible encryption
Account Lockout Policy
####### Account lockout duration ####### Account lockout threshold ####### Reset account lockout counter after
Kerberos Policy
####### Enforce user logon restrictions ####### Maximum lifetime for service ticket ####### Maximum lifetime for user ticket ####### Maximum lifetime for user ticket renewal ####### Maximum tolerance for computer clock synchronization