1ff7546c-cb36-4a24-87f7-89d2cecc5761.md

File metadata and controls

571 lines (564 loc) · 52.4 KB

Products: Microsoft - Windows

Rules

| Rule ID | Rule Name |
|---|---|
| MATCH-S00574 | .NET Framework Remote Code Execution Vulnerability |
| MATCH-S00458 | ADPassHunt Tool |
| MATCH-S00814 | Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190 |
| MATCH-S00139 | Abnormal Parent-Child Process Combination |
| MATCH-S00511 | Accessibility Executables Replaced |
| THRESHOLD-S00062 | Active Directory Domain Enumeration |
| MATCH-S00516 | Antivirus Ransomware Detection |
| MATCH-S00510 | Attempt to Add Certificate to Store |
| MATCH-S00415 | Attempt to Clear Windows Event Logs Using Wevtutil |
| MATCH-S00390 | Attempted Credential Dump From Registry Via Reg.Exe |
| MATCH-S00417 | Attrib.exe use to Hide Files and Folders |
| CHAIN-S00018 | Autorun file created after USB disk mount on host |
| MATCH-S00564 | Azorult Malware Registry Key |
| LEGACY-S00003 | Base32 in DNS Query |
| MATCH-S00686 | Base64 Decode in Command Line |
| MATCH-S00541 | Batch File Write To System32 |
| MATCH-S00373 | BlueMashroom DLL Load |
| THRESHOLD-S00096 | Brute Force Attempt |
| MATCH-S00388 | COMPlus_ETWEnabled Command Line Arguments |
| MATCH-S00727 | CPL File Executed from Temp Directory |
| MATCH-S00821 | Chromium Browser History Access by Non-Browser Process |
| MATCH-S00819 | Chromium Process Started With Debugging Port |
| MATCH-S00269 | Clipboard Copied |
| MATCH-S00820 | Cloud Credential File Accessed |
| MATCH-S00412 | Command Line Execution with Suspicious URL and AppData Strings |
| MATCH-S00410 | Copy from Admin Share |
| MATCH-S00758 | CrashControl Registry Modification |
| MATCH-S00443 | Create Windows Share |
| MATCH-S00591 | Cred Dump-Tools Named Pipes |
| MATCH-S00525 | Credential Dumping Via Copy Command From Shadow Copy |
| MATCH-S00526 | Credential Dumping Via Symlink To Shadow Copy |
| MATCH-S00586 | Credential Dumping by LaZagne |
| MATCH-S00348 | Curl Start Combination |
| THRESHOLD-S00044 | DNS DGA Lookup Behavior - NXDOMAIN Responses |
| LEGACY-S00026 | DNS Lookup of High Entropy Domain |
| MATCH-S00375 | DNS RCE Exploit CVE-2020-1350 |
| MATCH-S00211 | DNS.EXE Observed as Parent Process |
| MATCH-S00695 | DPAPI Key Manipulation - Backup of Backup Key |
| MATCH-S00696 | DPAPI Key Manipulation - Extracting Backup Key |
| MATCH-S00385 | DTRACK Process Creation |
| MATCH-S00441 | Delete Windows Share |
| MATCH-S00543 | Detect Psexec With Accepteula Flag |
| LEGACY-S00029 | Disabled Account Logon Attempt |
| MATCH-S00544 | Disabling Remote User Account Control |
| MATCH-S00568 | Dnscat Execution |
| AGGREGATION-S00006 | Docker Enumeration Detected on Host |
| THRESHOLD-S00103 | Domain Brute Force Attempt |
| THRESHOLD-S00102 | Domain Password Attack |
| MATCH-S00319 | Dridex Process Pattern |
| MATCH-S00590 | Elise Backdoor |
| MATCH-S00527 | Email Files Written Outside Of The Outlook Directory |
| MATCH-S00572 | Emotet Process Creation |
| MATCH-S00587 | Empire PowerShell Launch Parameters |
| MATCH-S00576 | Equation Group DLL_U Load |
| MATCH-S00479 | Excavator Utility |
| MATCH-S00682 | Excessive Use of Escape Characters in Command Line |
| MATCH-S00360 | Exfiltration and Tunneling Tools Execution |
| MATCH-S00304 | External Device Installation Denied |
| MATCH-S00392 | File or Folder Permissions Modifications |
| MATCH-S00394 | Findstr Launching .lnk File |
| FIRST-S00001 | First Seen Administrative Privileges Granted for User |
| FIRST-S00026 | First Seen Anonymous Logon Change Activity to Domain Controller |
| FIRST-S00028 | First Seen Common Windows Recon Commands From User |
| FIRST-S00013 | First Seen Driver Load - Global |
| FIRST-S00014 | First Seen Driver Load - Host |
| FIRST-S00073 | First Seen Get-ADDefaultDomainPasswordPolicy |
| FIRST-S00072 | First Seen Group Policy Discovery Operation |
| FIRST-S00062 | First Seen IP Address Connecting to Active Directory Certificate Services Process |
| FIRST-S00027 | First Seen InstallUtil Allow List Bypass From User |
| FIRST-S00017 | First Seen Kerberoasting Attempt from User - Global |
| FIRST-S00018 | First Seen Kerberoasting Attempt from User - Host |
| FIRST-S00032 | First Seen Kubectl Command From User |
| FIRST-S00004 | First Seen Local Group Addition by User |
| FIRST-S00015 | First Seen Macro Execution from User |
| FIRST-S00088 | First Seen NTLM Authentication to Host (User) |
| FIRST-S00076 | First Seen Net Command Use on Host |
| FIRST-S00016 | First Seen Non-Network/Non-System Logon from User |
| FIRST-S00030 | First Seen Outbound Connection to External IP Address on Port 445 from IP Address |
| FIRST-S00010 | First Seen PowerShell Execution from Computer |
| FIRST-S00009 | First Seen RDP Logon From User |
| FIRST-S00029 | First Seen Successful Authentication From Unexpected Country |
| FIRST-S00061 | First Seen USB device in use on Windows host |
| FIRST-S00005 | First Seen User Creation From User |
| FIRST-S00006 | First Seen Weak Kerberos Encryption from User |
| FIRST-S00038 | First Seen Wget Usage from User |
| FIRST-S00040 | First Seen cURL execution from User |
| FIRST-S00074 | First Seen driverquery execution on host |
| FIRST-S00059 | First Seen esentutl command From User |
| FIRST-S00079 | First Seen gpresult execution on host |
| FIRST-S00058 | First Seen vssadmin command From User |
| FIRST-S00060 | First Seen wbadmin command From User |
| FIRST-S00008 | First Seen whoami command From User |
| MATCH-S00535 | Golden SAML Indicator : Certificate Export |
| MATCH-S00414 | Grabbing Sensitive Hives via Reg Utility |
| MATCH-S00325 | Greenbug Campaign Indicators |
| MATCH-S00894 | HAR file creation observed on host |
| LEGACY-S00027 | Hexadecimal in DNS Query Domain |
| MATCH-S00367 | Impacket Lateralization Detection |
| MATCH-S00482 | Impacket-Obfuscation SMBEXEC Utility |
| MATCH-S00483 | Impacket-Obfuscation WMIEXEC Utility |
| THRESHOLD-S00097 | Impossible Travel - Successful |
| THRESHOLD-S00098 | Impossible Travel - Unsuccessful |
| MATCH-S00816 | Interactive Logon to Domain Controller |
| MATCH-S00138 | Interactive Logon with Service Account |
| THRESHOLD-S00080 | Internal Port Scan |
| THRESHOLD-S00081 | Internal Port Sweep |
| MATCH-S00322 | Judgement Panda Credential Access Activity |
| MATCH-S00334 | Judgement Panda Exfil Activity |
| MATCH-S00703 | KeeThief Detection |
| MATCH-S00364 | Kerberos Manipulation |
| MATCH-S00445 | Known Ransomware File Extensions |
| MATCH-S00648 | Kubernetes ListSecrets |
| MATCH-S00647 | Kubernetes Pod Deletion |
| MATCH-S00837 | Kubernetes Secrets Enumeration via Kubectl |
| MATCH-S00461 | LNKSmasher Utility Commands |
| MATCH-S00340 | LSASS Memory Dump |
| MATCH-S00429 | LSASS Memory Dumping |
| CHAIN-S00004 | Lateral Movement Using the Windows Hidden Admin Share |
| MATCH-S00687 | Linux Security Tool Usage |
| MATCH-S00745 | Loadable Kernel Module Enumeration |
| MATCH-S00723 | Loadable Kernel Module Modifications |
| MATCH-S00505 | Local User Created |
| MATCH-S00509 | Logon with Local Credentials |
| MATCH-S00578 | Lsass Registry Key Modified |
| MATCH-S00573 | MS Office Memory Corruption Vulnerability Exploit |
| MATCH-S00811 | MS Office Product Spawning Msdt.exe - CVE-2022-30190 |
| MATCH-S00352 | MSHTA Suspicious Execution |
| MATCH-S00579 | Malicious Named Pipes |
| MATCH-S00161 | Malicious PowerShell Get Commands |
| MATCH-S00190 | Malicious PowerShell Invoke Commands |
| MATCH-S00198 | Malicious PowerShell Keywords |
| MATCH-S00582 | Malicious Service Installs |
| MATCH-S00519 | Malware Cleaned |
| MATCH-S00518 | Malware Not Cleaned |
| MATCH-S00331 | MavInject Process Injection |
| MATCH-S00355 | Meterpreter or Cobalt Strike Getsystem Service Start |
| MATCH-S00725 | Microsoft CHM File Observed |
| MATCH-S00763 | Microsoft Office Add-In Persistence |
| MATCH-S00813 | Microsoft Support Diagnostic Tool Invoking PowerShell - CVE-2022-30190 |
| MATCH-S00812 | Microsoft Support Diagnostic Tool with BrowseForFile - CVE-2022-30190 |
| MATCH-S00397 | Mimikatz Loaded Images Detected |
| MATCH-S00404 | Mimikatz via Powershell and EventID 4703 |
| MATCH-S00750 | Modification of Windows Network Logon Scripts |
| MATCH-S00466 | MsiExec Web Install |
| MATCH-S00419 | Multiple File Extensions |
| THRESHOLD-S00077 | Multiple Windows Account Lockouts On Endpoint |
| MATCH-S00743 | Network Connection from Control Panel - Sysmon |
| MATCH-S00736 | Network Connection from InstallUtil - Sysmon |
| MATCH-S00737 | Network Connection from MSHTA - Sysmon |
| MATCH-S00738 | Network Connection from Msiexec - Sysmon |
| MATCH-S00744 | Network Connection from Odbcconf - Sysmon |
| MATCH-S00740 | Network Connection from Regsvcs/Regasm - Sysmon |
| MATCH-S00742 | Network Connection from Regsvr32 - Sysmon |
| MATCH-S00741 | Network Connection from Rundll32 - Sysmon |
| MATCH-S00739 | Network Connection from Verclsid - Sysmon |
| THRESHOLD-S00059 | Network Share Scan |
| THRESHOLD-S00060 | Network Share Sweep |
| MATCH-S00156 | New Suspicious cmd.exe / regedit.exe / powershell.exe Service Launch |
| MATCH-S00152 | New or Renamed Windows User Account Mimicking a Machine Account |
| MATCH-S00895 | NinjaCopy Usage Detected |
| MATCH-S00288 | NotPetya Ransomware Activity |
| MATCH-S00137 | Office Application or Browser Launching Shell |
| MATCH-S00554 | Outbound IRC Traffic |
| THRESHOLD-S00048 | Outbound Traffic to Countries Outside the United States |
| MATCH-S00755 | Outlook Form Creation |
| MATCH-S00756 | Outlook Homepage Modification |
| MATCH-S00683 | Overly Permissive Chmod Command |
| MATCH-S00900 | Overly-Permissive Active Directory Certificate Template Loaded |
| MATCH-S00698 | PATH Set to Current Directory |
| MATCH-S00610 | PSExec Named Pipe Created by Non-PsExec Process |
| MATCH-S00465 | PXELoot Utility |
| THRESHOLD-S00095 | Password Attack |
| MATCH-S00704 | Persistence Registry Key Modification |
| THRESHOLD-S00520 | Persistent Malware Infection |
| MATCH-S00887 | Port Forwarding Enabled via Visual Studio Code |
| LEGACY-S00061 | Possible DNS Data Exfiltration |
| LEGACY-S00008 | Possible Dynamic DNS Domain |
| MATCH-S00451 | Possible Malicious Nirsoft Tool Usage |
| CHAIN-S00019 | Potential Active Directory Certificate Services Enrollment Agent Misconfiguration |
| MATCH-S00459 | Potential Cobalt Strike Profile |
| MATCH-S00822 | Potential Microsoft Office In-Memory Token Theft |
| MATCH-S00753 | Potential Microsoft Office Template Abuse |
| MATCH-S00200 | Potential Pass the Hash Activity |
| MATCH-S00546 | Potential Reconnaissance Obfuscation |
| MATCH-S00898 | Potentially Misconfigured Active Directory Certificate Template Loaded |
| MATCH-S00901 | Potentially Vulnerable Active Directory Certificate Services Template Loaded |
| MATCH-S00136 | PowerShell Encoded Command |
| MATCH-S00149 | PowerShell File Download |
| MATCH-S00425 | PowerShell Rundll32 Remote Thread Creation |
| MATCH-S00449 | Powershell Execution Policy Bypass |
| MATCH-S00580 | Powerview Add-DomainObjectAcl DCSync AD Extend Right |
| MATCH-S00427 | Process Dump via Rundll32 and Comsvcs.dll |
| MATCH-S00187 | Process Execution Inside Webserver Root Folder |
| MATCH-S00691 | Productivity App Spawning Rundll32 or Regsvr32 |
| MATCH-S00439 | Psr.exe Capture Screenshots |
| MATCH-S00575 | QBot Process Creation |
| MATCH-S00265 | QuarksPwDump Dump File Observed |
| MATCH-S00176 | RDP Login from Localhost |
| MATCH-S00167 | Recon Using Common Windows Commands |
| MATCH-S00545 | Registry Keys For Creating Shim Databases |
| MATCH-S00747 | Registry Modification - Active Setup |
| MATCH-S00705 | Registry Modification - Authentication Package |
| MATCH-S00730 | Registry Modification - Code Signing |
| MATCH-S00754 | Registry Modification - Microsoft Office Test Function Registry Entry |
| MATCH-S00733 | Registry Modification - Print Processors |
| MATCH-S00735 | Registry Modification - SIP or Trust Provider |
| MATCH-S00722 | Registry Modification - Security Support Provider |
| MATCH-S00706 | Registry Modification - Time Providers |
| MATCH-S00749 | Registry Modification - Windows Logon Script |
| MATCH-S00707 | Registry Modification - Winlogon Helper DLL |
| MATCH-S00569 | Registry Persistence Mechanisms |
| MATCH-S00689 | Regsvr32.exe Silent Mode from TEMP Directory |
| MATCH-S00475 | Renamed MSBUILD.EXE by Arguments |
| MATCH-S00328 | Rubeus Hack Tool |
| MATCH-S00498 | Rubeus Hack Tool Logon Process Name |
| MATCH-S00690 | Rundll32.exe Load from TEMP Directory with By Ordinal Load |
| MATCH-S00346 | Ryuk Ransomware Endpoint Indicator |
| MATCH-S00506 | SC Exe Manipulating Windows Services |
| MATCH-S00560 | SMTP Traffic from Non-SMTP Servers |
| THRESHOLD-S00061 | SYSVOL Share Sweep |
| MATCH-S00468 | SafetyKatz Credential Stealer |
| MATCH-S00528 | Samsam Test File Write |
| MATCH-S00153 | Scheduled Task Created via PowerShell |
| MATCH-S00214 | Scheduled Task Creation with Suspicious Task Executable |
| MATCH-S00529 | Schtasks Scheduling Job On Remote System |
| MATCH-S00530 | Schtasks Used For Forcing A Reboot |
| MATCH-S00547 | Script Execution Via WMI |
| MATCH-S00447 | Script Interpreter Launched by Cmd |
| MATCH-S00478 | Seatbelt Utility |
| MATCH-S00437 | Secure Deletion with SDelete |
| MATCH-S00299 | SecurityXploded Tool |
| MATCH-S00834 | Sensitive Registry Key (WDigest) Edit |
| CHAIN-S00010 | Service Installation Followed By Elevated CMD Prompt |
| MATCH-S00296 | Shadow Copies Deletion Using OS Utilities |
| MATCH-S00406 | Shadow Copy Creation |
| MATCH-S00471 | SharPersist A Utility |
| MATCH-S00469 | SharPersist Utility |
| MATCH-S00473 | SharpStomp Utility |
| MATCH-S00692 | Silent Regsvr32 Scheduled Task Creation on Command Line |
| MATCH-S00370 | Snatch Ransomware |
| MATCH-S00571 | Sofacy Trojan Loader |
| MATCH-S00480 | Solarwinds Suspicious Child Processes |
| MATCH-S00422 | Spaces Before File Extension |
| OUTLIER-S00003 | Spike in Failed Share Access by User |
| OUTLIER-S00001 | Spike in Login Failures from a User |
| OUTLIER-S00009 | Spike in PowerShell Command Line Length From Host |
| OUTLIER-S00002 | Spike in Successful Distinct Share Access |
| OUTLIER-S00007 | Spike in Windows Administrative Privileges Granted for User |
| MATCH-S00507 | Spoolsv Child Process Created |
| CHAIN-S00008 | Successful Brute Force |
| MATCH-S00196 | Successful Overpass the Hash Attempt |
| MATCH-S00470 | Sunburst Suspicious File Writes |
| MATCH-S00337 | Suspect Svchost Activity |
| MATCH-S00899 | Suspicious Active Directory Certificate Modification |
| MATCH-S00902 | Suspicious Active Directory Certificate Modification - Enrollment Agent |
| MATCH-S00359 | Suspicious Certutil Command |
| MATCH-S00356 | Suspicious Compression Tool Parameters |
| MATCH-S00362 | Suspicious Curl File Upload |
| LEGACY-S00105 | Suspicious DC Logon |
| MATCH-S00476 | Suspicious Execution of Search Indexer |
| MATCH-S00293 | Suspicious External Device Installation |
| AGGREGATION-S00004 | Suspicious K8s Enumeration |
| MATCH-S00464 | Suspicious Non-Standard InstallUtil Execution |
| MATCH-S00917 | Suspicious PowerShell Application Window Discovery COM method |
| MATCH-S00191 | Suspicious PowerShell Keywords |
| MATCH-S00920 | Suspicious PowerShell Window Discovery Cmdlet execution |
| MATCH-S00135 | Suspicious Registry Key Modification |
| MATCH-S00164 | Suspicious Shells Spawned by Web Servers |
| MATCH-S00500 | Suspicious Shortcut File Launching Process |
| AGGREGATION-S00005 | Suspicious System Enumeration Occurring in Quick Succession |
| MATCH-S00350 | Suspicious Typical Malware Back Connect Ports |
| MATCH-S00431 | Suspicious Use of Procdump |
| MATCH-S00477 | Suspicious Use of Workflow Compiler for Payload Execution |
| MATCH-S00158 | Suspicious Windows ANONYMOUS LOGON Account Created |
| MATCH-S00551 | Suspicious Writes To System Volume Information |
| MATCH-S00550 | Suspicious Writes To Windows Recycle Bin |
| MATCH-S00342 | Suspicious use of Dev-Tools-Launcher |
| MATCH-S00699 | Sysmon - RawAccessRead Event |
| MATCH-S00279 | TAIDOOR RAT DLL Load |
| MATCH-S00595 | Telegram API Access |
| LEGACY-S00170 | The Audit Log was Cleared - 1102 |
| LEGACY-S00109 | Threat Intel - Matched Domain Name |
| LEGACY-S00108 | Threat Intel - Matched File Hash |
| MATCH-S00815 | Threat Intel - Successful Authentication from Threat IP |
| LEGACY-S00107 | Threat Intel Match - IP Address |
| THRESHOLD-S00075 | Too Many Kerberos Encryption Downgrade SPNs (Kerberoasting) |
| THRESHOLD-S00036 | Too many empty/refused DNS queries |
| MATCH-S00588 | Trickbot Malware Recon Activity |
| MATCH-S00577 | Turla Group Commands |
| MATCH-S00542 | Unauthorized Access Attempt Detected |
| MATCH-S00313 | Unauthorized External Device Installation |
| MATCH-S00531 | Unload Sysmon Filter Driver |
| MATCH-S00757 | Unsafe Outlook Rule Creation Enabled |
| MATCH-S00344 | Unsigned Image Loaded by LSASS |
| MATCH-S00762 | Unusual Staging Directory - PolicyDefinitions |
| MATCH-S00567 | Ursnif Malware Registry Key |
| THRESHOLD-S00064 | User Account Created and Deleted in 24 Hours |
| MATCH-S00504 | User Added to Local Administrators |
| MATCH-S00463 | UserInit Process Launched by MSBuild.exe |
| MATCH-S00761 | Volume Shadow Copy Service Stopped |
| MATCH-S00583 | WCE wceaux.dll Access |
| MATCH-S00150 | WMI Launching Shell |
| MATCH-S00147 | WMI Managed Object Format (MOF) Process Execution |
| MATCH-S00523 | WMI Permanent Event Subscription |
| MATCH-S00524 | WMI Permanent Event Subscription - Sysmon |
| MATCH-S00760 | WMI Ping Sweep |
| MATCH-S00146 | WMI Process Call Create |
| MATCH-S00151 | WMI Process Get Brief |
| MATCH-S00522 | WMI Temporary Event Subscription |
| MATCH-S00379 | WMIExec VBS Script |
| MATCH-S00570 | WMIPRVSE Spawning Process |
| MATCH-S00316 | WannaCry Ransomware |
| MATCH-S00400 | Web Download via Office Binaries |
| MATCH-S00539 | Web Servers Executing Suspicious Processes |
| MATCH-S00174 | Web Services Executing Common Web Shell Commands |
| MATCH-S00684 | Wget Passed to Script Execution Command |
| MATCH-S00521 | Windows - Critical Service Disabled via Command Line |
| MATCH-S00284 | Windows - Delete Windows Backup Catalog |
| MATCH-S00693 | Windows - Denied RDP |
| MATCH-S00181 | Windows - Domain Trust Discovery |
| THRESHOLD-S00065 | Windows - Excessive User Interactive Logons Across Multiple Hosts |
| MATCH-S00202 | Windows - Incoming LSASS Network Connection - Zerologon Behavior (CVE-2020-1472) |
| MATCH-S00168 | Windows - Local System executing whoami.exe |
| MATCH-S00169 | Windows - Microsoft Office Add-In File Created |
| MATCH-S00310 | Windows - Network Connection from CMSTP |
| MATCH-S00162 | Windows - Network trace capture using netsh.exe |
| MATCH-S00159 | Windows - Permissions Group Discovery |
| MATCH-S00268 | Windows - Possible Impersonation Token Creation Using Runas |
| MATCH-S00276 | Windows - Possible Squiblydoo Technique Observed |
| MATCH-S00281 | Windows - PowerShell Process Discovery |
| MATCH-S00171 | Windows - Powershell Scheduled Task Creation from PowerSploit or Empire |
| MATCH-S00185 | Windows - Remote System Discovery |
| MATCH-S00272 | Windows - Rogue Domain Controller - dcshadow |
| MATCH-S00170 | Windows - Scheduled Task Creation |
| CHAIN-S00002 | Windows - Suspicious Anonymous Logon Activity - Zerologon Behavior (CVE-2020-1472) |
| MATCH-S00285 | Windows - Suspicious CMSTP Process Spawn |
| MATCH-S00192 | Windows - System Network Configuration Discovery |
| MATCH-S00194 | Windows - System Time Discovery |
| MATCH-S00107 | Windows - User Adds Self to Security Group |
| MATCH-S00172 | Windows - WiFi Credential Harvesting with netsh |
| LEGACY-S00169 | Windows Account Added To Privileged Security Group |
| LEGACY-S00168 | Windows Account Locked Out - 4740 |
| MATCH-S00532 | Windows Adfind Exe |
| MATCH-S00189 | Windows Admin User Remote Logon |
| MATCH-S00552 | Windows Connhost Started Forcefully |
| MATCH-S00274 | Windows Credential Editor (WCE) Tool Use Detected |
| MATCH-S00291 | Windows Credential Editor (WCE) in use |
| MATCH-S00398 | Windows Defender Download Activity |
| MATCH-S00549 | Windows Disable Antispyware Registry |
| MATCH-S00538 | Windows Firewall Rule Added |
| MATCH-S00537 | Windows Firewall Rule Deleted |
| MATCH-S00536 | Windows Firewall Rule Modified |
| MATCH-S00179 | Windows Network Sniffing |
| MATCH-S00732 | Windows Port Monitor Modification |
| MATCH-S00157 | Windows Process Name Impersonation |
| MATCH-S00178 | Windows Query Registry |
| MATCH-S00533 | Windows Security Account Manager Stopped |
| LEGACY-S00171 | Windows Service Executed from Nonstandard Execution Path |
| MATCH-S00724 | Windows Update Agent DLL Changed |
| MATCH-S00134 | Windows User Account Created with Abnormal Naming Convention |
| MATCH-S00382 | Winnti Pipemon Characteristics |
| MATCH-S00435 | XSL Script Processing |
| MATCH-S00508 | Zoom Child Process |
| MATCH-S00919 | chage command use on host |
| MATCH-S00581 | smbexec.py Service Installation |

Log Mappers

| Log Mapper ID | Log Mapper Name |
|---|---|
| d0d9467f-fc72-47ff-a9cb-edebc7c6b1ae | Symantec Agent Behavior Logs |
| 54b3f101-a8da-4eb4-b1eb-a48efb095365 | Symantec Catch All |
| fa941c09-d584-427a-992c-b543cf611346 | Windows - Microsoft-Windows-CodeIntegrity/Operational - 3065 |
| a2b8171c-c72c-11ea-87d0-0242ac130003 | Windows - Microsoft-Windows-CodeIntegrity/Operational - 3066 |
| 1575f9bd-0d2f-4b82-b0d3-e157b27d1629 | Windows - Microsoft-Windows-PowerShell/Operational - 4103 |
| 674d9351-450f-4f61-83b5-e2b8957781ed | Windows - Microsoft-Windows-PowerShell/Operational - 4104 |
| 72a5e349-3537-4078-8c68-66b8a52984df | Windows - Microsoft-Windows-PowerShell/Operational - 4105 |
| 41089b30-77e2-45eb-8a60-b90ec34d1200 | Windows - Microsoft-Windows-PowerShell/Operational - 4106 |
| f1ea6ca2-ca75-492e-a18f-51aa3a94c783 | Windows - Microsoft-Windows-Sysmon/Operational - 1 |
| 11b22c7c-ab5f-4be4-8d92-fa3ca3fcce26 | Windows - Microsoft-Windows-Sysmon/Operational - 10 |
| 4149aadf-b757-44fd-8a28-9ecc1dc39a78 | Windows - Microsoft-Windows-Sysmon/Operational - 11 |
| 75cb24d1-5364-43b5-8aed-baca1586225c | Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14 |
| 2978cae1-75f9-4117-b8d8-30e757ca7867 | Windows - Microsoft-Windows-Sysmon/Operational - 15 |
| 0be697c1-8ec8-44d0-aaf3-cfdf5bcc530f | Windows - Microsoft-Windows-Sysmon/Operational - 17 |
| 9adaac5a-5ac6-46f6-a5be-3e98167ba5f0 | Windows - Microsoft-Windows-Sysmon/Operational - 18 |
| f9b6f13e-8499-4c1e-a9fa-3a48bf172e30 | Windows - Microsoft-Windows-Sysmon/Operational - 2 |
| a50cb8d9-b50c-4ee0-a61f-47488560ab98 | Windows - Microsoft-Windows-Sysmon/Operational - 21 |
| aa8f5337-c7e1-4b88-8f28-9c937552daa7 | Windows - Microsoft-Windows-Sysmon/Operational - 22 |
| 8d3f540b-66d6-4af3-8f5f-7fa4c533efad | Windows - Microsoft-Windows-Sysmon/Operational - 23 |
| 02081dfa-0f4c-4047-97b2-0ece2974edb3 | Windows - Microsoft-Windows-Sysmon/Operational - 24 |
| 30db4a1f-857e-48e2-a91f-97c0fbf3edd4 | Windows - Microsoft-Windows-Sysmon/Operational - 25 |
| 395cd159-b7f7-490e-a3e6-5cec43c26739 | Windows - Microsoft-Windows-Sysmon/Operational - 26 |
| 589ba074-03f8-49e1-91f2-812e8037f02c | Windows - Microsoft-Windows-Sysmon/Operational - 27 |
| fa7ae50a-2cfe-411d-ba6d-8dd12468dd45 | Windows - Microsoft-Windows-Sysmon/Operational - 28 |
| 14bbc391-9cb4-40df-aa8e-a37b73b2a15a | Windows - Microsoft-Windows-Sysmon/Operational - 3 |
| 3260e43c-8339-4240-a840-ed34fc253071 | Windows - Microsoft-Windows-Sysmon/Operational - 4 |
| 1ee83b22-2ec5-4bc8-8a1f-dd6d951cd6b1 | Windows - Microsoft-Windows-Sysmon/Operational - 5 |
| 58804909-751c-4398-8d10-7c0a1de5714c | Windows - Microsoft-Windows-Sysmon/Operational - 6 |
| e4159ea5-4e24-4fae-ae41-a3f35f8b97f9 | Windows - Microsoft-Windows-Sysmon/Operational - 7 |
| 1747f54c-cbbc-492b-a7b6-1396c343f5ef | Windows - Microsoft-Windows-Sysmon/Operational - 8 |
| 42656056-8445-4313-ba3e-56913a21cd3f | Windows - Microsoft-Windows-Sysmon/Operational - 9 |
| a1eeb6c8-feec-4593-9cae-7858b56e12b7 | Windows - Security - 1100 |
| 86c42ab4-ecb1-421b-8f04-6d10e40b78df | Windows - Security - 1102 |
| 8d98a4d6-6cbb-473f-bf16-a0dee8cb4b84 | Windows - Security - 1102 - AD FS Auditing |
| 940bd300-b545-11ea-b3de-0242ac130004 | Windows - Security - 4610 |
| 940bd54e-b545-11ea-b3de-0242ac130004 | Windows - Security - 4611 |
| 940bd648-b545-11ea-b3de-0242ac130004 | Windows - Security - 4614 |
| 940bd71a-b545-11ea-b3de-0242ac130004 | Windows - Security - 4616 |
| 530701a5-359e-482f-af68-1ae8405e4f69 | Windows - Security - 4618 |
| 940bd800-b545-11ea-b3de-0242ac130004 | Windows - Security - 4622 |
| 1feef4d7-96d6-49c8-a4c0-e3abf46eeb76 | Windows - Security - 4624 |
| 0e3b7ced-f6b4-49a0-8fbc-8128ccdb4670 | Windows - Security - 4625 |
| 9348e69b-b769-48a6-9f31-c43748cb5125 | Windows - Security - 4627 |
| 82a49cb6-4d8a-4985-b5ca-6aad8815d53d | Windows - Security - 4634 |
| e7e8595a-f267-11e8-8eb2-f2801f1b9fd1 | Windows - Security - 4648 |
| 2f571b80-eaf0-4ecd-a5a6-196e53c72631 | Windows - Security - 4649 |
| 8ed0317d-b4d2-4c7d-8088-ed237b9a0658 | Windows - Security - 4656 |
| 1b87fa6e-730e-4e75-be65-77299f4ff48f | Windows - Security - 4657 |
| 57b9743d-249a-41d8-a216-32657adcc248 | Windows - Security - 4658 |
| 849f7254-1a95-4af3-a2ed-1cf71d6fb64a | Windows - Security - 4661 |
| 6ed532ed-67c9-446b-94c6-9f4ac491d337 | Windows - Security - 4662 |
| 5d21e0be-a121-4c29-92e9-d18a52e97299 | Windows - Security - 4663 |
| d0d9d7e7-79b2-4653-9faa-dffeeeb40bc5 | Windows - Security - 4670 |
| a7b7f2c8-2b27-4958-b164-2be8a5ec12cf | Windows - Security - 4672 |
| b637f775-98d8-45ad-aaed-4e694d1e9ca3 | Windows - Security - 4673 |
| 34955bba-b970-47d2-a336-f08b3c6b91bc | Windows - Security - 4674 |
| 5cbf805e-800b-48c6-86b5-129f62ff7ac9 | Windows - Security - 4688 |
| f3794cb2-600e-43f7-8105-3524def4dd25 | Windows - Security - 4689 |
| a339271e-126f-43cc-90be-323a32c344cb | Windows - Security - 4692 |
| 4c22c7d4-b844-43f7-9dfc-791cded3c794 | Windows - Security - 4694 |
| 74986522-e6e3-4f9c-8aa4-7d4ab0f6211a | Windows - Security - 4697 |
| 4515f59f-774a-43fc-a7d8-0c6304b02597 | Windows - Security - 4698 |
| d290f61e-3572-495d-bca4-8e4cd06ef412 | Windows - Security - 4699 |
| 18dd949b-7496-42b3-aaa1-fde40bf7529c | Windows - Security - 4702 |
| b47d5d74-4b8e-47e1-b8ea-304b8995f6e3 | Windows - Security - 4703 |
| 2e23c5c3-db43-4655-b85e-fb3c2f35654a | Windows - Security - 4704 |
| ac47bfa1-effd-451b-9f67-05175c73b364 | Windows - Security - 4706 |
| b15b5c52-5fb2-4d1e-b7be-d56901ad65b6 | Windows - Security - 4707 |
| 093f1178-2597-4a3b-8c6b-6b19f587781f | Windows - Security - 4713 |
| d79b70d7-99ab-4dbd-b0a8-0cca901b1daf | Windows - Security - 4714 |
| 940bdaa8-b545-11ea-b3de-0242ac130004 | Windows - Security - 4716 |
| a0388783-0a9b-4473-ba83-d9c8b2013170 | Windows - Security - 4719 |
| 52e8cc4d-62af-46c9-b216-7c5178fad0a4 | Windows - Security - 4720 |
| 940bdb7a-b545-11ea-b3de-0242ac130004 | Windows - Security - 4722 |
| 940bdd1e-b545-11ea-b3de-0242ac130004 | Windows - Security - 4723 |
| 940bdde6-b545-11ea-b3de-0242ac130004 | Windows - Security - 4724 |
| 940bdeae-b545-11ea-b3de-0242ac130004 | Windows - Security - 4725 |
| 350a22fe-dd0e-4cbc-985e-a62e6ddea383 | Windows - Security - 4726 |
| 940be11a-b545-11ea-b3de-0242ac130004 | Windows - Security - 4727 |
| 5a71f245-2ee8-417e-b2df-f2a818b10d90 | Windows - Security - 4728 |
| af8a05ad-4c2e-4a54-87dc-4b3c62acc128 | Windows - Security - 4729 |
| 9bcb89c4-a5c5-489f-8798-40961306f49c | Windows - Security - 4730 |
| 940be21e-b545-11ea-b3de-0242ac130004 | Windows - Security - 4731 |
| 029fb12c-2848-4cda-9037-53261281ffed | Windows - Security - 4732 |
| 940be2e6-b545-11ea-b3de-0242ac130004 | Windows - Security - 4733 |
| 940be912-b545-11ea-b3de-0242ac130004 | Windows - Security - 4735 |
| 940be854-b545-11ea-b3de-0242ac130004 | Windows - Security - 4737 |
| 940be52a-b545-11ea-b3de-0242ac130004 | Windows - Security - 4738 |
| 7a48bcc9-2bcd-4d28-9a76-6243516f261b | Windows - Security - 4739 |
| ab08f1b4-499e-4231-a1e0-db2df762a80b | Windows - Security - 4740 |
| 778d4ea8-5df1-4f96-9cae-31780e9d1bb7 | Windows - Security - 4741 |
| 792dbe56-0381-4d86-9eb2-b9659687fb2a | Windows - Security - 4742 |
| c5b68c1d-1d67-417a-89c3-1a33266778f7 | Windows - Security - 4754 |
| 9b279c85e-6a83-11ea-bc55-0242ac130003 | Windows - Security - 4755 |
| 91f357b3-f651-41c8-9480-986640212e74 | Windows - Security - 4756 |
| 02f67142-6f39-48f1-b402-a030a61adf3d | Windows - Security - 4764 |
| 52e5cb31-12a0-4f31-9a4f-13ed738bafa2 | Windows - Security - 4765 |
| 2325f6db-aa0e-4435-8543-d8dbf4ab45a3 | Windows - Security - 4766 |
| 940be46c-b545-11ea-b3de-0242ac130004 | Windows - Security - 4767 |
| 29f75eb6-71a1-4501-a69e-71141e7aed39 | Windows - Security - 4768 |
| 42b9be76-5dbc-4d18-97aa-6a51b188bfa5 | Windows - Security - 4769 |
| 38eab1f4-619f-40c4-b64d-0f43a311d6ff | Windows - Security - 4770 |
| feb39f91-e81e-4b67-bc24-da943112cab6 | Windows - Security - 4771 |
| 8fda2f9a-dc3c-4e40-872a-8fa03a8d997b | Windows - Security - 4776 |
| f3c88519-7172-480d-9311-8a82b1c47a93 | Windows - Security - 4778 |
| 0f0cbcae-8e99-409d-b059-47dc26fbe9c2 | Windows - Security - 4779 |
| e3f5b429-af48-4135-abf1-c3a32db01a14 | Windows - Security - 4780 |
| 3d258ba5-0e2d-4b15-a419-25ccf870c9cc | Windows - Security - 4781 |
| eaf8cb08-5152-4197-b9ac-519cf1a0977f | Windows - Security - 4782 |
| 2b44b85e-ad7c-4efb-becf-f99730d989b5 | Windows - Security - 4793 |
| 16357b49-9ca9-4d93-b19b-fbb6c643e4fc | Windows - Security - 4794 |
| fba04925-2d26-4824-aa75-c00cc0d21da0 | Windows - Security - 4798 |
| 2c092636-c84a-4a8b-a804-574f3a1bc2ef | Windows - Security - 4799 |
| 1723b93f-a7e9-43fd-b4c1-6cfdf9b46d12 | Windows - Security - 4820 |
| a89f8984-26af-46f3-9599-6d2df93daa60 | Windows - Security - 4825 |
| bcbb5d54-1655-45f4-9d19-76001921799f | Windows - Security - 4870 |
| 1ed9b8a4-dd53-401f-8707-348622bd8921 | Windows - Security - 4873 |
| e540cecc-4d91-4a9b-8eab-cf3757d16399 | Windows - Security - 4874 |
| aeb12793-ecbb-495b-be6d-4e2fd633e126 | Windows - Security - 4880 |
| a555bb99-f419-4c52-980a-17c32e411c05 | Windows - Security - 4881 |
| f63ba614-ddb4-4922-89c4-c0c7e6604bca | Windows - Security - 4882 |
| 42e1a971-709d-4f4d-b0a4-259eb3ea71d9 | Windows - Security - 4885 |
| 06d9ad9a-575c-4bdb-8f51-312abf0ffe4b | Windows - Security - 4886 |
| b36d4f61-53bf-4bc7-908c-ac3db33fdb1f | Windows - Security - 4887 |
| d93355b5-c344-4a30-93e8-ada0b12090c1 | Windows - Security - 4888 |
| 45ebbf46-bad1-4d22-b311-bb84a4493c8b | Windows - Security - 4890 |
| 47e77961-aaaf-4e85-94b6-8e3a4e17e442 | Windows - Security - 4891 |
| b774a4f1-b58f-44b2-b962-8bec88f30976 | Windows - Security - 4896 |
| fba9c8ab-ae2d-4ba8-9078-42b632f9eb73 | Windows - Security - 4897 |
| 6311b6ae-d490-4ca5-86df-f4bd1b6f57aa | Windows - Security - 4898 |
| 1d1d8a94-fd27-42fd-9927-1397623aea32 | Windows - Security - 4899 |
| fcf61539-91d2-4302-9c3a-442fb3353334 | Windows - Security - 4900 |
| 98c096f5-3408-49c3-9a22-d6b9255b31cb | Windows - Security - 4946 |
| deb1083f-6ea2-4ae8-b92a-d961035ed38b | Windows - Security - 4947 |
| fd5cf2c5-3f74-458e-9052-3d53f182eef8 | Windows - Security - 4948 |
| 3ba1df00-4c7d-42d7-b455-02eaf31fc22f | Windows - Security - 4964 |
| d65a4b67-4089-4e69-8bc6-8d5a3f1f4685 | Windows - Security - 4977 |
| 04d3b845-66d7-4662-a500-f0a315521122 | Windows - Security - 4978 |
| 53a82bf7-0d71-4b85-8c80-fba3a382bffe | Windows - Security - 4983 |
| 8e39e06f-95cc-4eb5-9528-199a27c5b345 | Windows - Security - 4984 |
| a9352f93-c8b9-4652-812b-3673133307d1 | Windows - Security - 5025 |
| 8d86c4a1-f509-407e-a053-c3ea390c89f9 | Windows - Security - 5030 |
| 1194488e-6fcd-42bc-b48d-1d75dc97e380 | Windows - Security - 5034 |
| 44c5a8d4-5c48-4c42-9a11-e13d2c150d31 | Windows - Security - 5037 |
| c2b18423-7561-459c-8872-b0ab7378ec14 | Windows - Security - 5038 |
| f50113e5-8a13-49a8-873e-6af7030f9b6d | Windows - Security - 5058 |
| 3e74ac72-2bf9-49d6-ba1e-f59f06437869 | Windows - Security - 5059 |
| f95d4f87-7e41-42ae-be1f-6d8890d93508 | Windows - Security - 5061 |
| 45e494d6-b546-11ea-b3de-0242ac130004 | Windows - Security - 5136 |
| 45e49742-b546-11ea-b3de-0242ac130004 | Windows - Security - 5137 |
| 4b059a14-1664-4237-a243-6960b5451f0d | Windows - Security - 5138 |
| 45e49896-b546-11ea-b3de-0242ac130004 | Windows - Security - 5139 |
| 3132e5c1-7516-4f1a-9764-3befa028c15e | Windows - Security - 5140 |
| 45e49eae-b546-11ea-b3de-0242ac130004 | Windows - Security - 5141 |
| cfca5441-a462-4f81-a40f-6b4d993a6608 | Windows - Security - 5142 |
| 1e8323bf-4332-493c-89b8-894c210406e1 | Windows - Security - 5144 |
| 01f2e102-e6d5-477c-abcb-71cc5c936442 | Windows - Security - 5145 |
| 556dc316-280b-45cc-a457-d9a4e24f8741 | Windows - Security - 5152 |
| cd7583cc-cbcf-4a47-a444-72d87eafba46 | Windows - Security - 5156 |
| 874c8ee4-1afa-4106-9bd9-d0c0e852a77d | Windows - Security - 5376 |
| fcf205eb-4d8a-4dc3-aa89-2a175aff661a | Windows - Security - 5377 |
| c4ee7da4-ad6e-43e1-b375-d485ec30ba51 | Windows - Security - 5379 |
| 45a7c590-bc2e-4cb0-80ae-6b7a895c4c3d | Windows - Security - 5453 |
| 917df84d-bfc7-428c-869d-0abf7832dbbd | Windows - Security - 5480 |
| 6c1bf825-261b-4614-8e64-a6b4907b8cbf | Windows - Security - 5483 |
| b63dd079-38dd-4603-833b-63dd50061f9c | Windows - Security - 5484 |
| f5800ba9-3b7a-4d54-8cc2-380b61e1ba63 | Windows - Security - 5485 |
| b189f43b-1084-45b4-8898-454fd4664147 | Windows - Security - 5632 |
| 85ef051a-6f4e-44ea-b341-c3bdf8735768 | Windows - Security - 5805 |
| 2e636284-dd97-4b5a-a789-35ffe9d2c14a | Windows - Security - 6272 |
| 4862b4a0-a7e3-4ceb-b442-c3db613de78e | Windows - Security - 6273 |
| d01cd3a1-c603-4128-8eb7-2200ff692fcb | Windows - Security - 6274 |
| 30dc0d5d-760d-46da-aeda-c74c4f8dc495 | Windows - Security - 6275 |
| 0e420b1a-670d-4d13-98fe-00dd7b731a0d | Windows - Security - 6276 |
| b99e87aa-6a60-44ab-b51d-ec4c1c2667aa | Windows - Security - 6277 |
| dbe1aefa-8b38-49f6-83d4-d60fd0c7f99c | Windows - Security - 6278 |
| f9e4f7e9-b671-4891-8e0f-980cfe4fa1dc | Windows - Security - 6279 |
| 87a0ff13-c8bb-41de-a5e8-3853d0826c56 | Windows - Security - 6280 |
| bbb4c160-56d1-4b0b-a331-fad241aa1d6c | Windows - Security - 6416 |
| 40fcd774-2caf-40ca-8190-0d5de167fd15 | Windows - Security - 6423 |
| 563cc138-2449-4c1e-99e9-57d9d19509cd | Windows - Security - 6424 |
| c73d6da2-5bfc-42e8-b1c3-abdcb840d526 | Windows - Security - Default |
| 496c1689-2b07-447a-85ff-d0aa40d5815e | Windows - System - 5138 |
| 1b599982-ae69-4bd2-b459-9db5c091ff50 | Windows - System - 6005 |
| db5af4d8-069e-4d16-8a78-fdcb49fa7cdf | Windows - System - 6006 |
| 99cd6835-a726-4032-9406-a3358beba9a9 | Windows - System - 7045 |
| ff18353f-3a63-4ffb-aeff-bb2d5a4fadba | Windows - WMI - 5680 |
| ec47f79e-3512-44a7-8491-3d4a02b97f2f | Windows - WMI - 5681 |
| 53d9bca1-44a8-4be5-905c-1c4d19ffddf6 | Windows Defender ATP Alert |
| 820f039c-7423-11ea-bc55-0242ac130003 | Windows Defender Custom |
| e58c8bce-3ea6-478e-ae72-4782bff6992a | Windows Defender JSON |
| 8239516f-728b-4b6b-bb57-9df7b7f6e233 | Windows Defender SCCM DB CSV |