windows-itpro-docs/windows/security/threat-protection/TOC.md

Threat protection

The Windows Defender Security Center app

Customize the Windows Defender Security Center app for your organization

Hide Windows Defender Security Center app notifications

Manage Windows Defender Security Center in Windows 10 in S mode

Virus and threat protection

Account protection

Firewall and network protection

App and browser control

Device security

Device performance and health

Family options

Windows Defender Advanced Threat Protection

###Get started

Minimum requirements

Validate licensing and complete setup

Troubleshoot subscription and portal access issues

Preview features

Data storage and privacy

Assign user access to the portal

Onboard machines

Onboard Windows 10 machines

Onboard machines using Group Policy

Onboard machines using System Center Configuration Manager

Onboard machines using Mobile Device Management tools

Onboard machines using Microsoft Intune

Onboard machines using a local script

Onboard non-persistent virtual desktop infrastructure (VDI) machines

Onboard servers

Onboard non-Windows machines

Run a detection test on a newly onboarded machine

Run simulated attacks on machines

Configure proxy and Internet connectivity settings

Troubleshoot onboarding issues

Understand the Windows Defender ATP portal

Portal overview

View the Security operations dashboard

View the Secure Score dashboard and improve your secure score

View the Threat analytics dashboard and take recommended mitigation actions

###Investigate and remediate threats ####Alerts queue

View and organize the Alerts queue

Manage alerts

Investigate alerts

Investigate files

Investigate machines

Investigate an IP address

Investigate a domain

Investigate a user account

####Machines list

View and organize the Machines list

Manage machine group and tags

Alerts related to this machine

Machine timeline

Search for specific events

Filter events from a specific date

Export machine timeline events

Navigate between pages

Take response actions

Take response actions on a machine

Collect investigation package

Run antivirus scan

Restrict app execution

Remove app restriction

Isolate machines from the network

Release machine from isolation

Check activity details in Action center

Take response actions on a file

Stop and quarantine files in your network

Remove file from quarantine

Block files in your network

Remove file from blocked list

Check activity details in Action center

Deep analysis

####### Submit files for analysis ####### View deep analysis reports ####### Troubleshoot deep analysis

Use Automated investigation to investigate and remediate threats

Query data using Advanced hunting

Advanced hunting reference

Advanced hunting query language best practices

Protect users, data, and devices with conditional access

###API and SIEM support

Pull alerts to your SIEM tools

Enable SIEM integration

Configure Splunk to pull alerts

Configure HP ArcSight to pull alerts

Windows Defender ATP alert API fields

Pull alerts using REST API

Troubleshoot SIEM tool integration issues

Use the threat intelligence API to create custom alerts

Understand threat intelligence concepts

Enable the custom threat intelligence application

Create custom threat intelligence alerts

PowerShell code examples

Python code examples

Experiment with custom threat intelligence alerts

Troubleshoot custom threat intelligence issues

Use the Windows Defender ATP exposed APIs

Supported Windows Defender ATP APIs

######Actor ####### Get actor information ####### Get actor related alerts ######Alerts ####### Get alerts ####### Get alert information by ID ####### Get alert related actor information ####### Get alert related domain information ####### Get alert related file information ####### Get alert related IP information ####### Get alert related machine information ######Domain ####### Get domain related alerts ####### Get domain related machines ####### Get domain statistics ####### Is domain seen in organization

######File ####### Block file API ####### Get file information ####### Get file related alerts ####### Get file related machines ####### Get file statistics ####### Get FileActions collection API ####### Unblock file API

######IP ####### Get IP related alerts ####### Get IP related machines ####### Get IP statistics ####### Is IP seen in organization ######Machines ####### Collect investigation package API ####### Find machine information by IP ####### Get machines ####### Get FileMachineAction object API ####### Get FileMachineActions collection API ####### Get machine by ID ####### Get machine log on users ####### Get machine related alerts ####### Get MachineAction object API ####### Get MachineActions collection API ####### Get machines ####### Get package SAS URI API ####### Isolate machine API ####### Release machine from isolation API ####### Remove app restriction API ####### Request sample API ####### Restrict app execution API ####### Run antivirus scan API ####### Stop and quarantine file API

######User ####### Get alert related user information ####### Get user information ####### Get user related alerts ####### Get user related machines

###Reporting

Create and build Power BI reports using Windows Defender ATP data

###Check service health and sensor state

Check sensor state

Fix unhealthy sensors

Inactive machines

Misconfigured machines

Check service health

Configure Windows Defender ATP Settings

####General

Update data retention settings

Configure alert notifications

Enable and create Power BI reports using Windows Defender ATP data

Enable Secure score security controls

Configure advanced features

####Permissions

Manage portal access using RBAC

Create and manage machine groups

####APIs

Enable Threat intel

Enable SIEM integration

####Rules

Manage suppression rules

Manage automation allowed/blocked

Manage automation file uploads

Manage automation folder exclusions

####Machine management

Onboarding machines

Offboarding machines

Configure Windows Defender ATP time zone settings

Access the Windows Defender ATP Community Center

Troubleshoot Windows Defender ATP

Review events and errors on machines with Event Viewer

Windows Defender Antivirus compatibility with Windows Defender ATP

Windows Defender Antivirus in Windows 10

Windows Defender AV in the Windows Defender Security Center app

Windows Defender AV on Windows Server 2016

Windows Defender Antivirus compatibility

Use limited periodic scanning in Windows Defender AV

Evaluate Windows Defender Antivirus protection

Deploy, manage updates, and report on Windows Defender Antivirus

Deploy and enable Windows Defender Antivirus

Deployment guide for VDI environments

Report on Windows Defender Antivirus protection

Troubleshoot Windows Defender Antivirus reporting in Update Compliance

Manage updates and apply baselines

Manage protection and definition updates

Manage when protection updates should be downloaded and applied

Manage updates for endpoints that are out of date

Manage event-based forced updates

Manage updates for mobile devices and VMs

Configure Windows Defender Antivirus features

Utilize Microsoft cloud-delivered protection

Enable cloud-delivered protection

Specify the cloud-delivered protection level

Configure and validate network connections

Enable the Block at First Sight feature

Configure the cloud block timeout period

Configure behavioral, heuristic, and real-time protection

Detect and block Potentially Unwanted Applications

Enable and configure always-on protection and monitoring

Configure end-user interaction with Windows Defender AV

Configure the notifications that appear on endpoints

Prevent users from seeing or interacting with the user interface

Prevent or allow users to locally modify policy settings

Customize, initiate, and review the results of scans and remediation

Configure and validate exclusions in Windows Defender AV scans

Configure and validate exclusions based on file name, extension, and folder location

Configure and validate exclusions for files opened by processes

Configure exclusions in Windows Defender AV on Windows Server 2016

Configure scanning options in Windows Defender AV

Configure remediation for scans

Configure scheduled scans

Configure and run scans

Review scan results

Run and review the results of a Windows Defender Offline scan

Restore quarantined files in Windows Defender AV

Review event logs and error codes to troubleshoot issues

Manage Windows Defender AV in your business

Use Group Policy settings to configure and manage Windows Defender AV

Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV

Use PowerShell cmdlets to configure and manage Windows Defender AV

Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV

Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV

Windows Defender Exploit Guard

Evaluate Windows Defender Exploit Guard

Use auditing mode to evaluate Windows Defender Exploit Guard

View Exploit Guard events

Exploit protection

Comparison with Enhanced Mitigation Experience Toolkit

Evaluate Exploit protection

Enable Exploit protection

Customize Exploit protection

Import, export, and deploy Exploit protection configurations

Attack surface reduction

Evaluate Attack surface reduction

Enable Attack surface reduction

Customize Attack surface reduction

Troubleshoot Attack surface reduction rules

Network Protection

Evaluate Network Protection

Enable Network Protection

Troubleshoot Network protection

Controlled folder access

Evaluate Controlled folder access

Enable Controlled folder access

Customize Controlled folder access

Memory integrity

Requirements for virtualization-based protection of code integrity

Enable virtualization-based protection of code integrity

Windows Defender Application Control

Control the health of Windows 10-based devices

Windows Defender Device Guard: virtualization-based security and WDAC

Windows Defender SmartScreen

Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings

Set up and use Windows Defender SmartScreen on individual devices

##Windows Defender Application Guard ###System requirements for Windows Defender Application Guard ###Prepare and install Windows Defender Application Guard ###Configure the Group Policy settings for Windows Defender Application Guard ###Testing scenarios using Windows Defender Application Guard in your business or organization ###Frequently Asked Questions - Windows Defender Application Guard

Mitigate threats by using Windows 10 security features

Override Process Mitigation Options to help enforce app-related security policies

Use Windows Event Forwarding to help with intrusion detection

Block untrusted fonts in an enterprise

Security auditing

Basic security audit policies

Create a basic audit policy for an event category

Apply a basic audit policy on a file or folder

View the security event log

Basic security audit policy settings

Audit account logon events

Audit account management

Audit directory service access

Audit logon events

Audit object access

Audit policy change

Audit privilege use

Audit process tracking

Audit system events

Advanced security audit policies

Planning and deploying advanced security audit policies

Advanced security auditing FAQ

Which editions of Windows support advanced audit policy configuration

Using advanced security auditing options to monitor dynamic access control objects

Monitor the central access policies that apply on a file server

Monitor the use of removable storage devices

Monitor resource attribute definitions

Monitor central access policy and rule definitions

Monitor user and device claims during sign-in

Monitor the resource attributes on files and folders

Monitor the central access policies associated with files and folders

Monitor claim types

Advanced security audit policy settings

Audit Credential Validation

Event 4774 S, F: An account was mapped for logon.

Event 4775 F: An account could not be mapped for logon.

Event 4776 S, F: The computer attempted to validate the credentials for an account.

Event 4777 F: The domain controller failed to validate the credentials for an account.

Audit Kerberos Authentication Service

Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.

Event 4771 F: Kerberos pre-authentication failed.

Event 4772 F: A Kerberos authentication ticket request failed.

Audit Kerberos Service Ticket Operations

Event 4769 S, F: A Kerberos service ticket was requested.

Event 4770 S: A Kerberos service ticket was renewed.

Event 4773 F: A Kerberos service ticket request failed.

Audit Other Account Logon Events

Audit Application Group Management

Audit Computer Account Management

Event 4741 S: A computer account was created.

Event 4742 S: A computer account was changed.

Event 4743 S: A computer account was deleted.

Audit Distribution Group Management

Event 4749 S: A security-disabled global group was created.

Event 4750 S: A security-disabled global group was changed.

Event 4751 S: A member was added to a security-disabled global group.

Event 4752 S: A member was removed from a security-disabled global group.

Event 4753 S: A security-disabled global group was deleted.

Audit Other Account Management Events

Event 4782 S: The password hash an account was accessed.

Event 4793 S: The Password Policy Checking API was called.

Audit Security Group Management

Event 4731 S: A security-enabled local group was created.

Event 4732 S: A member was added to a security-enabled local group.

Event 4733 S: A member was removed from a security-enabled local group.

Event 4734 S: A security-enabled local group was deleted.

Event 4735 S: A security-enabled local group was changed.

Event 4764 S: A group’s type was changed.

Event 4799 S: A security-enabled local group membership was enumerated.

Audit User Account Management

Event 4720 S: A user account was created.

Event 4722 S: A user account was enabled.

Event 4723 S, F: An attempt was made to change an account's password.

Event 4724 S, F: An attempt was made to reset an account's password.

Event 4725 S: A user account was disabled.

Event 4726 S: A user account was deleted.

Event 4738 S: A user account was changed.

Event 4740 S: A user account was locked out.

Event 4765 S: SID History was added to an account.

Event 4766 F: An attempt to add SID History to an account failed.

Event 4767 S: A user account was unlocked.

Event 4780 S: The ACL was set on accounts which are members of administrators groups.

Event 4781 S: The name of an account was changed.

Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.

Event 4798 S: A user's local group membership was enumerated.

Event 5376 S: Credential Manager credentials were backed up.

Event 5377 S: Credential Manager credentials were restored from a backup.

Audit DPAPI Activity

Event 4692 S, F: Backup of data protection master key was attempted.

Event 4693 S, F: Recovery of data protection master key was attempted.

Event 4694 S, F: Protection of auditable protected data was attempted.

Event 4695 S, F: Unprotection of auditable protected data was attempted.

Audit PNP Activity

Event 6416 S: A new external device was recognized by the System.

Event 6419 S: A request was made to disable a device.

Event 6420 S: A device was disabled.

Event 6421 S: A request was made to enable a device.

Event 6422 S: A device was enabled.

Event 6423 S: The installation of this device is forbidden by system policy.

Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.

Audit Process Creation

Event 4688 S: A new process has been created.

Event 4696 S: A primary token was assigned to process.

Audit Process Termination

Event 4689 S: A process has exited.

Audit RPC Events

Event 5712 S: A Remote Procedure Call, RPC, was attempted.

Audit Detailed Directory Service Replication

Event 4928 S, F: An Active Directory replica source naming context was established.

Event 4929 S, F: An Active Directory replica source naming context was removed.

Event 4930 S, F: An Active Directory replica source naming context was modified.

Event 4931 S, F: An Active Directory replica destination naming context was modified.

Event 4934 S: Attributes of an Active Directory object were replicated.

Event 4935 F: Replication failure begins.

Event 4936 S: Replication failure ends.

Event 4937 S: A lingering object was removed from a replica.

Audit Directory Service Access

Event 4662 S, F: An operation was performed on an object.

Event 4661 S, F: A handle to an object was requested.

Audit Directory Service Changes

Event 5136 S: A directory service object was modified.

Event 5137 S: A directory service object was created.

Event 5138 S: A directory service object was undeleted.

Event 5139 S: A directory service object was moved.

Event 5141 S: A directory service object was deleted.

Audit Directory Service Replication

Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.

Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.

Audit Account Lockout

Event 4625 F: An account failed to log on.

Audit User/Device Claims

Event 4626 S: User/Device claims information.

Audit Group Membership

Event 4627 S: Group membership information.

Audit IPsec Extended Mode

Audit IPsec Main Mode

Audit IPsec Quick Mode

Audit Logoff

Event 4634 S: An account was logged off.

Event 4647 S: User initiated logoff.

Audit Logon

Event 4624 S: An account was successfully logged on.

Event 4625 F: An account failed to log on.

Event 4648 S: A logon was attempted using explicit credentials.

Event 4675 S: SIDs were filtered.

Audit Network Policy Server

Audit Other Logon/Logoff Events

Event 4649 S: A replay attack was detected.

Event 4778 S: A session was reconnected to a Window Station.

Event 4779 S: A session was disconnected from a Window Station.

Event 4800 S: The workstation was locked.

Event 4801 S: The workstation was unlocked.

Event 4802 S: The screen saver was invoked.

Event 4803 S: The screen saver was dismissed.

Event 5378 F: The requested credentials delegation was disallowed by policy.

Event 5632 S, F: A request was made to authenticate to a wireless network.

Event 5633 S, F: A request was made to authenticate to a wired network.

Audit Special Logon

Event 4964 S: Special groups have been assigned to a new logon.

Event 4672 S: Special privileges assigned to new logon.

Audit Application Generated

Audit Certification Services

Audit Detailed File Share

Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.

Audit File Share

Event 5140 S, F: A network share object was accessed.

Event 5142 S: A network share object was added.

Event 5143 S: A network share object was modified.

Event 5144 S: A network share object was deleted.

Event 5168 F: SPN check for SMB/SMB2 failed.

Audit File System

Event 4656 S, F: A handle to an object was requested.

Event 4658 S: The handle to an object was closed.

Event 4660 S: An object was deleted.

Event 4663 S: An attempt was made to access an object.

Event 4664 S: An attempt was made to create a hard link.

Event 4985 S: The state of a transaction has changed.

Event 5051: A file was virtualized.

Event 4670 S: Permissions on an object were changed.

Audit Filtering Platform Connection

Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.

Event 5150: The Windows Filtering Platform blocked a packet.

Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.

Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

Event 5156 S: The Windows Filtering Platform has permitted a connection.

Event 5157 F: The Windows Filtering Platform has blocked a connection.

Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.

Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.

Audit Filtering Platform Packet Drop

Event 5152 F: The Windows Filtering Platform blocked a packet.

Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.

Audit Handle Manipulation

Event 4690 S: An attempt was made to duplicate a handle to an object.

Audit Kernel Object

Event 4656 S, F: A handle to an object was requested.

Event 4658 S: The handle to an object was closed.

Event 4660 S: An object was deleted.

Event 4663 S: An attempt was made to access an object.

Audit Other Object Access Events

Event 4671: An application attempted to access a blocked ordinal through the TBS.

Event 4691 S: Indirect access to an object was requested.

Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.

Event 5149 F: The DoS attack has subsided and normal processing is being resumed.

Event 4698 S: A scheduled task was created.

Event 4699 S: A scheduled task was deleted.

Event 4700 S: A scheduled task was enabled.

Event 4701 S: A scheduled task was disabled.

Event 4702 S: A scheduled task was updated.

Event 5888 S: An object in the COM+ Catalog was modified.

Event 5889 S: An object was deleted from the COM+ Catalog.

Event 5890 S: An object was added to the COM+ Catalog.

Audit Registry

Event 4663 S: An attempt was made to access an object.

Event 4656 S, F: A handle to an object was requested.

Event 4658 S: The handle to an object was closed.

Event 4660 S: An object was deleted.

Event 4657 S: A registry value was modified.

Event 5039: A registry key was virtualized.

Event 4670 S: Permissions on an object were changed.

Audit Removable Storage

Audit SAM

Event 4661 S, F: A handle to an object was requested.

Audit Central Access Policy Staging

Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.

Audit Audit Policy Change

Event 4670 S: Permissions on an object were changed.

Event 4715 S: The audit policy, SACL, on an object was changed.

Event 4719 S: System audit policy was changed.

Event 4817 S: Auditing settings on object were changed.

Event 4902 S: The Per-user audit policy table was created.

Event 4906 S: The CrashOnAuditFail value has changed.

Event 4907 S: Auditing settings on object were changed.

Event 4908 S: Special Groups Logon table modified.

Event 4912 S: Per User Audit Policy was changed.

Event 4904 S: An attempt was made to register a security event source.

Event 4905 S: An attempt was made to unregister a security event source.

Audit Authentication Policy Change

Event 4706 S: A new trust was created to a domain.

Event 4707 S: A trust to a domain was removed.

Event 4716 S: Trusted domain information was modified.

Event 4713 S: Kerberos policy was changed.

Event 4717 S: System security access was granted to an account.

Event 4718 S: System security access was removed from an account.

Event 4739 S: Domain Policy was changed.

Event 4864 S: A namespace collision was detected.

Event 4865 S: A trusted forest information entry was added.

Event 4866 S: A trusted forest information entry was removed.

Event 4867 S: A trusted forest information entry was modified.

Audit Authorization Policy Change

Event 4703 S: A user right was adjusted.

Event 4704 S: A user right was assigned.

Event 4705 S: A user right was removed.

Event 4670 S: Permissions on an object were changed.

Event 4911 S: Resource attributes of the object were changed.

Event 4913 S: Central Access Policy on the object was changed.

Audit Filtering Platform Policy Change

Audit MPSSVC Rule-Level Policy Change

Event 4944 S: The following policy was active when the Windows Firewall started.

Event 4945 S: A rule was listed when the Windows Firewall started.

Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.

Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.

Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.

Event 4949 S: Windows Firewall settings were restored to the default values.

Event 4950 S: A Windows Firewall setting has changed.

Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.

Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.

Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.

Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.

Event 4956 S: Windows Firewall has changed the active profile.

Event 4957 F: Windows Firewall did not apply the following rule.

Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.

Audit Other Policy Change Events

Event 4714 S: Encrypted data recovery policy was changed.

Event 4819 S: Central Access Policies on the machine have been changed.

Event 4826 S: Boot Configuration Data loaded.

Event 4909: The local policy settings for the TBS were changed.

Event 4910: The group policy settings for the TBS were changed.

Event 5063 S, F: A cryptographic provider operation was attempted.

Event 5064 S, F: A cryptographic context operation was attempted.

Event 5065 S, F: A cryptographic context modification was attempted.

Event 5066 S, F: A cryptographic function operation was attempted.

Event 5067 S, F: A cryptographic function modification was attempted.

Event 5068 S, F: A cryptographic function provider operation was attempted.

Event 5069 S, F: A cryptographic function property operation was attempted.

Event 5070 S, F: A cryptographic function property modification was attempted.

Event 5447 S: A Windows Filtering Platform filter has been changed.

Event 6144 S: Security policy in the group policy objects has been applied successfully.

Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.

Audit Sensitive Privilege Use

Event 4673 S, F: A privileged service was called.

Event 4674 S, F: An operation was attempted on a privileged object.

Event 4985 S: The state of a transaction has changed.

Audit Non Sensitive Privilege Use

Event 4673 S, F: A privileged service was called.

Event 4674 S, F: An operation was attempted on a privileged object.

Event 4985 S: The state of a transaction has changed.

Audit Other Privilege Use Events

Event 4985 S: The state of a transaction has changed.

Audit IPsec Driver

Audit Other System Events

Event 5024 S: The Windows Firewall Service has started successfully.

Event 5025 S: The Windows Firewall Service has been stopped.

Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.

Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.

Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.

Event 5030 F: The Windows Firewall Service failed to start.

Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Event 5033 S: The Windows Firewall Driver has started successfully.

Event 5034 S: The Windows Firewall Driver was stopped.

Event 5035 F: The Windows Firewall Driver failed to start.

Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.

Event 5058 S, F: Key file operation.

Event 5059 S, F: Key migration operation.

Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.

Event 6401: BranchCache: Received invalid data from a peer. Data discarded.

Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.

Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.

Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.

Event 6405: BranchCache: %2 instances of event id %1 occurred.

Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.

Event 6407: 1%.

Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.

Event 6409: BranchCache: A service connection point object could not be parsed.

Audit Security State Change

Event 4608 S: Windows is starting up.

Event 4616 S: The system time was changed.

Event 4621 S: Administrator recovered system from CrashOnAuditFail.

Audit Security System Extension

Event 4610 S: An authentication package has been loaded by the Local Security Authority.

Event 4611 S: A trusted logon process has been registered with the Local Security Authority.

Event 4614 S: A notification package has been loaded by the Security Account Manager.

Event 4622 S: A security package has been loaded by the Local Security Authority.

Event 4697 S: A service was installed in the system.

Audit System Integrity

Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.

Event 4615 S: Invalid use of LPC port.

Event 4618 S: A monitored security event pattern has occurred.

Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.

Event 5038 F: Code integrity determined that the image hash of a file is not valid.

Event 5056 S: A cryptographic self-test was performed.

Event 5062 S: A kernel-mode cryptographic self-test was performed.

Event 5057 F: A cryptographic primitive operation failed.

Event 5060 F: Verification operation failed.

Event 5061 S, F: Cryptographic operation.

Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.

Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.

Other Events

Event 1100 S: The event logging service has shut down.

Event 1102 S: The audit log was cleared.

Event 1104 S: The security log is now full.

Event 1105 S: Event log automatic backup.

Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.

Appendix A: Security monitoring recommendations for many audit events

Registry (Global Object Access Auditing)

File System (Global Object Access Auditing)

Security policy settings

Administer security policy settings

Network List Manager policies

Configure security policy settings

Security policy settings reference

Account Policies

Password Policy

Enforce password history

Maximum password age

Minimum password age

Minimum password length

Password must meet complexity requirements

Store passwords using reversible encryption

Account Lockout Policy

Account lockout duration

Account lockout threshold

Reset account lockout counter after

Kerberos Policy

Enforce user logon restrictions

Maximum lifetime for service ticket

Maximum lifetime for user ticket

Maximum lifetime for user ticket renewal

Maximum tolerance for computer clock synchronization

Audit Policy

Security Options

Accounts: Administrator account status

Accounts: Block Microsoft accounts

Accounts: Guest account status

Accounts: Limit local account use of blank passwords to console logon only

Accounts: Rename administrator account

Accounts: Rename guest account

Audit: Audit the access of global system objects

Audit: Audit the use of Backup and Restore privilege

Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

Audit: Shut down system immediately if unable to log security audits

DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax

DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax

Devices: Allow undock without having to log on

Devices: Allowed to format and eject removable media

Devices: Prevent users from installing printer drivers

Devices: Restrict CD-ROM access to locally logged-on user only

Devices: Restrict floppy access to locally logged-on user only

Domain controller: Allow server operators to schedule tasks

Domain controller: LDAP server signing requirements

Domain controller: Refuse machine account password changes

Domain member: Digitally encrypt or sign secure channel data (always)

Domain member: Digitally encrypt secure channel data (when possible)

Domain member: Digitally sign secure channel data (when possible)

Domain member: Disable machine account password changes

Domain member: Maximum machine account password age

Domain member: Require strong (Windows 2000 or later) session key

Interactive logon: Display user information when the session is locked

Interactive logon: Don't display last signed-in

Interactive logon: Don't display username at sign-in

Interactive logon: Do not require CTRL+ALT+DEL

Interactive logon: Machine account lockout threshold

Interactive logon: Machine inactivity limit

Interactive logon: Message text for users attempting to log on

Interactive logon: Message title for users attempting to log on

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

Interactive logon: Prompt user to change password before expiration

Interactive logon: Require Domain Controller authentication to unlock workstation

Interactive logon: Require smart card

Interactive logon: Smart card removal behavior

Microsoft network client: Digitally sign communications (always)

Microsoft network client: Digitally sign communications (if server agrees)

Microsoft network client: Send unencrypted password to third-party SMB servers

Microsoft network server: Amount of idle time required before suspending session

Microsoft network server: Attempt S4U2Self to obtain claim information

Microsoft network server: Digitally sign communications (always)

Microsoft network server: Digitally sign communications (if client agrees)

Microsoft network server: Disconnect clients when logon hours expire

Microsoft network server: Server SPN target name validation level

Network access: Allow anonymous SID/Name translation

Network access: Do not allow anonymous enumeration of SAM accounts

Network access: Do not allow anonymous enumeration of SAM accounts and shares

Network access: Do not allow storage of passwords and credentials for network authentication

Network access: Let Everyone permissions apply to anonymous users

Network access: Named Pipes that can be accessed anonymously

Network access: Remotely accessible registry paths

Network access: Remotely accessible registry paths and subpaths

Network access: Restrict anonymous access to Named Pipes and Shares

Network access: Restrict clients allowed to make remote calls to SAM

Network access: Shares that can be accessed anonymously

Network access: Sharing and security model for local accounts

Network security: Allow Local System to use computer identity for NTLM

Network security: Allow LocalSystem NULL session fallback

Network security: Allow PKU2U authentication requests to this computer to use online identities

Network security: Configure encryption types allowed for Kerberos Win7 only

Network security: Do not store LAN Manager hash value on next password change

Network security: Force logoff when logon hours expire

Network security: LAN Manager authentication level

Network security: LDAP client signing requirements

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication

Network security: Restrict NTLM: Add server exceptions in this domain

Network security: Restrict NTLM: Audit incoming NTLM traffic

Network security: Restrict NTLM: Audit NTLM authentication in this domain

Network security: Restrict NTLM: Incoming NTLM traffic

Network security: Restrict NTLM: NTLM authentication in this domain

Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers

Recovery console: Allow automatic administrative logon

Recovery console: Allow floppy copy and access to all drives and folders

Shutdown: Allow system to be shut down without having to log on

Shutdown: Clear virtual memory pagefile

System cryptography: Force strong key protection for user keys stored on the computer

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

System objects: Require case insensitivity for non-Windows subsystems

System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)

System settings: Optional subsystems

System settings: Use certificate rules on Windows executables for Software Restriction Policies

User Account Control: Admin Approval Mode for the Built-in Administrator account

User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

User Account Control: Behavior of the elevation prompt for standard users

User Account Control: Detect application installations and prompt for elevation

User Account Control: Only elevate executables that are signed and validated

User Account Control: Only elevate UIAccess applications that are installed in secure locations

User Account Control: Run all administrators in Admin Approval Mode

User Account Control: Switch to the secure desktop when prompting for elevation

User Account Control: Virtualize file and registry write failures to per-user locations

Advanced security audit policy settings

User Rights Assignment

Access Credential Manager as a trusted caller

Access this computer from the network

Act as part of the operating system

Add workstations to domain

Adjust memory quotas for a process

Allow log on locally

Allow log on through Remote Desktop Services

Back up files and directories

Bypass traverse checking

Change the system time

Change the time zone

Create a pagefile

Create a token object

Create global objects

Create permanent shared objects

Create symbolic links

Debug programs

Deny access to this computer from the network

Deny log on as a batch job

Deny log on as a service

Deny log on locally

Deny log on through Remote Desktop Services

Enable computer and user accounts to be trusted for delegation

Force shutdown from a remote system

Generate security audits

Impersonate a client after authentication

Increase a process working set

Increase scheduling priority

Load and unload device drivers

Lock pages in memory

Log on as a batch job

Log on as a service

Manage auditing and security log

Modify an object label

Modify firmware environment values

Perform volume maintenance tasks

Profile single process

Profile system performance

Remove computer from docking station

Replace a process level token

Restore files and directories

Shut down the system

Synchronize directory service data

Take ownership of files or other objects

Windows security baselines

Security Compliance Toolkit

Get support

Windows 10 Mobile security guide

Change history for Threat protection