{ "version": "Notebook/1.0", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "ccd5adcd-8d59-4cfe-99ec-98075de2e253", "version": "KqlParameterItem/1.0", "name": "DefaultSubscription_Internal", "type": 1, "isRequired": true, "query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId", "crossComponentResources": [ "value::selected" ], "isHiddenWhenLocked": true, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "1ca69445-60fc-4806-b43d-ac7e6aad630a", "version": "KqlParameterItem/1.0", "name": "Subscription", "type": 6, "isRequired": true, "query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\r\n", "crossComponentResources": [ "value::selected" ], "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "e94aafa3-c5d9-4523-89f0-4e87aa754511", "version": "KqlParameterItem/1.0", "name": "Workspace", "type": 5, "isRequired": true, "query": "where type =~ 'microsoft.operationalinsights/workspaces'\n| project id", "crossComponentResources": [ "{Subscription}" ], "value": null, "typeSettings": { "resourceTypeFilter": { "microsoft.operationalinsights/workspaces": true }, "additionalResourceOptions": [], "showDefault": false }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "e028303b-1d06-4ba3-9d8d-69517a6c22e3", "version": "KqlParameterItem/1.0", "name": "TimeRange", "label": "Time Range", "type": 4, "typeSettings": { "selectableValues": [ { "durationMs": 86400000 }, { "durationMs": 604800000 }, { "durationMs": 1209600000 }, { "durationMs": 2592000000 }, { "durationMs": 5184000000 }, { "durationMs": 7776000000 } ], "allowCustom": true }, "value": { "durationMs": 1209600000 } 
}, { "id": "c71f3009-a3f4-4aa5-aaf0-d0f667100e56", "version": "KqlParameterItem/1.0", "name": "Help", "label": "Show Help", "type": 10, "description": "This will show some help information to help you understand the page you are on", "isRequired": true, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n { \"value\": \"No\", \"label\": \"No\", \"selected\":true }\r\n]", "value": "Yes" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 1" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "toolbar", "links": [ { "id": "de85d898-be2f-4a4a-b022-33cf260d4ac0", "cellValue": "getTable", "linkTarget": "parameter", "linkLabel": "Simple Search", "subTarget": "Search", "style": "secondary", "icon": "down" }, { "id": "e17b34f2-dcec-455f-8265-73db730c6a37", "cellValue": "getTable", "linkTarget": "parameter", "linkLabel": "Table Explorer", "subTarget": "Explorer", "style": "secondary" }, { "id": "1cccb130-770e-44eb-8818-403f058e755c", "cellValue": "getTable", "linkTarget": "parameter", "linkLabel": "Security Events", "subTarget": "Ninja", "style": "secondary" }, { "id": "f62c1fca-f17c-4905-bbb4-3ad698a11973", "cellValue": "getTable", "linkTarget": "parameter", "linkLabel": "Windows Events", "subTarget": "Events", "style": "secondary" }, { "id": "ea0e9b98-a7ed-40b5-9070-5e20c5e7e20b", "cellValue": "getTable", "linkTarget": "parameter", "linkLabel": "Security Policy", "subTarget": "Audit", "style": "secondary" }, { "id": "39305da6-51b2-4378-baf9-db84779304e0", "cellValue": "getTable", "linkTarget": "parameter", "linkLabel": "Azure Activity", "subTarget": "Activity", "style": "secondary" }, { "id": "48a35bc8-0950-4dda-9a79-50e14f9c4d20", "cellValue": "getTable", "linkTarget": "parameter", "linkLabel": "Azure AD Logs", "subTarget": "AAD", "style": "secondary" }, { "id": "716a8724-26e9-43e4-a3c5-e7408621bb54", 
"cellValue": "getTable", "linkTarget": "parameter", "linkLabel": "Security Alerts", "subTarget": "Alerts", "style": "secondary" }, { "id": "fd6c50c8-7c7a-4d70-ad2d-96cd112dbcd4", "cellValue": "getTable", "linkTarget": "parameter", "linkLabel": "CEF Viewer", "subTarget": "CEF", "style": "secondary" }, { "id": "05c7b991-c441-4b0c-a9eb-b46472f895cc", "cellValue": "getTable", "linkTarget": "parameter", "linkLabel": "Syslog Viewer", "subTarget": "Syslog", "style": "secondary" }, { "id": "f212344d-2a29-4c7b-9464-dac95a72982f", "cellValue": "getTable", "linkTarget": "parameter", "linkLabel": "Agent Health", "subTarget": "Agents", "style": "secondary" } ] }, "name": "links - 5" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Simple Search", "items": [ { "type": 1, "content": { "json": "The Simple Search defaults to **all tables** if no tables are selected. The global search works best with short time durations. Longer durations can cause the query to error out. **Select one or more tables for queries over longer durations.** Bug: Selecting a row in the results below may cause your browser to freeze. 
Note that search results can be exported to Excel.", "style": "success" }, "customWidth": "75", "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, "name": "text - 0 - Copy - Copy" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspace}" ], "parameters": [ { "id": "687dd190-007c-48e6-9b26-3d890cb73f5f", "version": "KqlParameterItem/1.0", "name": "SearchString", "label": "Search", "type": 1, "description": "Enter your search value here", "timeContext": { "durationMs": 86400000 }, "value": "Failed" }, { "id": "d4eb9fc0-3bf8-451c-997a-df4442a764cc", "version": "KqlParameterItem/1.0", "name": "SearchTime", "label": "Time", "type": 4, "typeSettings": { "selectableValues": [ { "durationMs": 300000 }, { "durationMs": 900000 }, { "durationMs": 1800000 }, { "durationMs": 3600000 }, { "durationMs": 14400000 }, { "durationMs": 43200000 }, { "durationMs": 86400000 }, { "durationMs": 604800000 }, { "durationMs": 1209600000 }, { "durationMs": 2592000000 }, { "durationMs": 5184000000 }, { "durationMs": 7776000000 } ], "allowCustom": true }, "timeContext": { "durationMs": 86400000 }, "value": { "durationMs": 300000 } }, { "id": "af2351d8-5aed-47e5-81cd-5e11f5af6fed", "version": "KqlParameterItem/1.0", "name": "Tables", "type": 2, "description": "Select table(s) for best results", "multiSelect": true, "quote": "", "delimiter": ",", "query": "union withsource=TableName1 *\r\n| project Table = TableName1\r\n| distinct Table\r\n| order by Table asc", "crossComponentResources": [ "{Workspace}" ], "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "timeContext": { "durationMs": 14400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "value": [] } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 0" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "set 
maxoutputcolumns=5000;\r\nsearch \"{SearchString}\"", "size": 0, "title": "Search Results", "timeContextFromParameter": "SearchTime", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "rowLimit": 1500, "filter": true } }, "conditionalVisibility": { "parameterName": "Tables", "comparison": "isEqualTo", "value": "" }, "name": "Table-Based Query - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "search in ({Tables}) \"{SearchString}\"", "size": 0, "title": "Search Results", "timeContextFromParameter": "SearchTime", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "rowLimit": 1500 } }, "conditionalVisibility": { "parameterName": "Tables", "comparison": "isNotEqualTo", "value": "" }, "name": "Table-Based Query" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "search \"{SearchString}\"\r\n| summarize count() by $table\r\n| sort by count_\r\n| project Table=$table, Count=count_\r\n", "size": 0, "title": "Summarize Count by Table", "timeContextFromParameter": "SearchTime", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "customWidth": "50", "conditionalVisibility": { "parameterName": "Tables", "comparison": "isEqualTo" }, "name": "query - 3" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "search in ({Tables}) \"{SearchString}\"\r\n| summarize count() by $table\r\n| sort by count_\r\n| project Table=$table, Count=count_\r\n", "size": 0, "title": "Summarize Count by Table", "timeContextFromParameter": "SearchTime", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "customWidth": "50", "conditionalVisibility": { 
"parameterName": "Tables", "comparison": "isNotEqualTo" }, "name": "query - 3 - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "search in ({Tables}) \"{SearchString}\"\r\n| summarize count() by bin(TimeGenerated, 5m)\r\n| take 10000\r\n", "size": 0, "title": "Results Over Time", "timeContextFromParameter": "SearchTime", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "linechart" }, "customWidth": "50", "conditionalVisibility": { "parameterName": "Tables", "comparison": "isNotEqualTo" }, "name": "query - 5" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "search \"{SearchString}\"\r\n| summarize count() by bin(TimeGenerated, 5m)\r\n| take 10000", "size": 0, "title": "Results Over Time", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "timechart" }, "customWidth": "50", "conditionalVisibility": { "parameterName": "Tables", "comparison": "isEqualTo" }, "name": "query - 5 - Copy" } ] }, "conditionalVisibility": { "parameterName": "getTable", "comparison": "isEqualTo", "value": "Search" }, "name": "Simple Search" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Table Explorer", "items": [ { "type": 1, "content": { "json": "**Table Explorer** is designed to help you better understand the data in your tables. 
Each table, column, and value is easily **sorted by volume**.", "style": "success" }, "customWidth": "75", "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, "name": "text - 0 - Copy - Copy" }, { "type": 1, "content": { "json": "" }, "customWidth": "24", "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, "name": "text - 6" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=TableName1 *\r\n| project _BilledSize, _IsBillable, TimeGenerated, TableName1\r\n| summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff(\"second\",now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable==true) by TableName1, _IsBillable\r\n| project Table = TableName1, Size = Size\r\n| order by Size desc", "size": 1, "title": "Table Picker", "noDataMessage": "Select a workspace above to begin. Empty workspaces will not work.", "timeContextFromParameter": "TimeRange", "exportFieldName": "Table", "exportParameterName": "Table", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Table", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" } }, { "columnMatch": "Size", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "90px" }, "numberFormat": { "unit": 36, "options": { "style": "decimal" } } } ], "rowLimit": 500, "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Size_1", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Size_1", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "name": "query - 5", "styleSettings": { "margin": "2px", "maxWidth": "20%", 
"showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{Table}\r\n| getschema \r\n| project Column=tostring(ColumnName)\r\n| sort by Column asc\r\n\r\n//I want to update to exclude empty columns...", "size": 1, "title": "Column Picker", "noDataMessage": "Select a table to list columns", "timeContextFromParameter": "TimeRange", "exportFieldName": "Column", "exportParameterName": "Column", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Column", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" } } ], "rowLimit": 1000, "filter": true }, "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "Table", "comparison": "isNotEqualTo" }, "name": "query - 5 - Copy", "styleSettings": { "margin": "2px", "maxWidth": "16%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{Table}\r\n| summarize count() by tostring({Column})\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 2000\r\n", "size": 1, "title": "Top Records", "noDataMessage": "Select a column to list top records.", "timeContextFromParameter": "TimeRange", "exportParameterName": "Selected", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark" } } ], "rowLimit": 2000, "filter": true }, "sortBy": [] }, "customWidth": "0", "conditionalVisibility": { "parameterName": "Column", "comparison": "isNotEqualTo" }, "name": "query - 3", "styleSettings": { "margin": "2px", "maxWidth": "26%", 
"showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{Table}\r\n| where {Column} == tostring(parse_json('{Selected}').{Column})\r\n| summarize count() by bin(TimeGenerated, 1h) \r\n| render timechart\r\n\r\n\r\n", "size": 1, "title": "Hourly Records - Time Brush to see Details", "noDataMessage": "Select a record above", "timeContextFromParameter": "TimeRange", "timeBrushParameterName": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "customWidth": "50", "conditionalVisibility": { "parameterName": "Selected", "comparison": "isNotEqualTo" }, "name": "query - 4", "styleSettings": { "margin": "2px", "maxWidth": "38%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let CX = {Table} | count;\r\n{Table}\r\n| where {Column} == tostring(parse_json('{Selected}').{Column})\r\n| project-away TenantId\r\n| take 2000", "size": 0, "title": "Related Records", "noDataMessage": "Select a timespan above", "timeContextFromParameter": "TimeSpan", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "rowLimit": 2000, "filter": true } }, "conditionalVisibility": { "parameterName": "TimeSpan", "comparison": "isNotEqualTo" }, "name": "query - 5", "styleSettings": { "showBorder": true } } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "getTable", "comparison": "isEqualTo", "value": "Explorer" }, "name": "Table Explorer" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Security Event Explorer", "items": [ { "type": 1, "content": { "json": "**Security Event Viewer**. Start by setting the time range above and the optional time brush. Each selection is **cumulative**. 
Best if you **select from 1-2 filter categories at a time**.", "style": "success" }, "customWidth": "85", "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, "name": "text - 0 - Copy - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityEvent\r\n| summarize count() by bin(TimeGenerated, 1h) \r\n| render timechart", "size": 4, "title": "Hourly Events - Time Brush Event Filter", "noDataMessage": "Select a Workspace above to activate", "timeContextFromParameter": "TimeRange", "timeBrushParameterName": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "name": "query - 4", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityEvent\r\n| summarize count() by EventID\r\n| project EventID, Count=count_\r\n| sort by EventID asc\r\n", "size": 1, "title": "Event Filter", "noDataMessage": "Select a workspace above to list events", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "EventID", "parameterName": "Events", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "EventID", "formatter": 1, "formatOptions": { "customColumnWidthSetting": "70px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "90px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 1000, "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true 
}, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "name": "query - 5 - Copy - Copy", "styleSettings": { "margin": "2px", "maxWidth": "17%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityEvent\r\n| summarize count() by Computer\r\n| project Source_Device = Computer, Count=count_\r\n| sort by Count desc\r\n", "size": 1, "title": "Device Filter", "noDataMessage": "Select a workspace above to list devices", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Source_Device", "parameterName": "DeviceX", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Source_Device", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal" } } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "90px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 1000, "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "name": "query - 5 - Copy", "styleSettings": { "margin": "2px", "maxWidth": "22%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityEvent\r\n| extend AType = case(AccountType==\"User\", \"(U)\", AccountType==\"Machine\", \"(M)\",\"\")\r\n| extend Accounts = strcat(Account, \" \", AType)\r\n| summarize count() by 
Accounts, Account\r\n| project Accounts, Count=count_, replace_string(Account, \"\\\\\", \"\")\r\n| sort by Count desc\r\n| take 1000", "size": 1, "title": "Account Filter", "noDataMessage": "Select a workspace above to list accounts", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Column1", "parameterName": "AccountX", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Accounts", "formatter": 1, "formatOptions": { "customColumnWidthSetting": "150px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal" }, "emptyValCustomText": "BLANK" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "90px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } }, { "columnMatch": "Column1", "formatter": 5 } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "showPin": false, "name": "query - 5", "styleSettings": { "margin": "2px", "maxWidth": "22%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityEvent\r\n| where IpAddress has \".\"\r\n| summarize count() by IpAddress\r\n| project IpAddress, Count=count_\r\n| sort by Count desc\r\n| take 5000", "size": 1, "title": "IP Filter", "noDataMessage": "Select a workspace above to list accounts", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "IpAddress", "parameterName": "IPX", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "IpAddress", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "100px" } }, { "columnMatch": 
"Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "80px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "showPin": false, "name": "query - 5 - Copy", "styleSettings": { "margin": "2px", "maxWidth": "18%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityEvent\r\n| extend File = tostring(array_reverse(split(FilePath, \"\\\\\")).[0])\r\n| where isnotempty(File)\r\n| summarize count() by File\r\n| project File, Count=count_\r\n| sort by Count\r\n| take 1000", "size": 1, "title": "Process Filter", "noDataMessage": "Select a workspace above to list accounts", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "File", "parameterName": "FileX", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "File", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "80px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "showPin": false, "name": "query - 5 - Copy - Copy", "styleSettings": { "margin": "2px", "maxWidth": "20%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let Events = dynamic([{Events}]) ;\r\nlet Devices = dynamic([{DeviceX}]) ;\r\nlet Accounts = dynamic([{AccountX}]) ;\r\nlet IPs = dynamic([{IPX}]) ;\r\nlet Files = dynamic([{FileX}]) ;\r\nlet EventTable = SecurityEvent | where EventID in (Events);\r\nlet DeviceTable = SecurityEvent | where Computer in (Devices);\r\nlet AccountTable = 
SecurityEvent | extend AccountKey = replace_string(Account, \"\\\\\", \"\") | where AccountKey in (Accounts);\r\nlet IPTable = SecurityEvent | where IpAddress in (IPs);\r\nlet FileTable = SecurityEvent | where tostring(array_reverse(split(FilePath, \"\\\\\")).[0]) in (Files);\r\nunion kind=inner isfuzzy=true\r\n(EventTable),(DeviceTable), (AccountTable), (IPTable), (FileTable)\r\n| extend AType = iif(AccountType==\"User\", \"(U)\", \"(M)\")\r\n| extend Accounts = strcat(Account, \" \", AType)\r\n| project Time_and_Date=format_datetime(TimeGenerated, \"MM/dd/yyyy HH:mm:ss\"), tostring(EventID), _ResourceId, Devices=toupper(split(Computer, \".\").[0]), Accounts, Category=case(Level==0, \"Object Access\", Level==2, \"Event Processing\", Level==4, \"AppLocker\", Level ==8, \"Process Tracking\", \"Privilege Use\"), Description=split(Activity, \"-\").[1], AccountDomain,AccountName,AccountType,AuthenticationPackageName,CallerProcessName,CommandLine,EventID,EventSourceName,FileHash,FilePath,IpAddress,IpPort,LogonGuid,LogonProcessName,LogonTypeName,MandatoryLabel,NewProcessId,NewProcessName,ObjectName,ObjectServer,ObjectType,ObjectValueName,OperationType,ParentProcessName,Process,ProcessName,RelativeTargetName,ServiceName,ShareName,SourceComputerId,SubjectAccount,SubjectDomainName,SubjectUserName,SubjectUserSid,TargetAccount,TargetDomainName,TargetInfo,TargetLogonGuid,TargetServerName,TargetSid,TargetUser,TargetUserName,TargetUserSid,Task,WorkstationName\r\n| take 2000", "size": 2, "noDataMessage": "Select an event, device, or account to begin", "timeContextFromParameter": "TimeSpan", "showRefreshButton": true, "exportedParameters": [ { "fieldName": "Accounts", "parameterName": "Account", "parameterType": 1, "defaultValue": "" }, { "fieldName": "AccountType", "parameterName": "AccountType", "parameterType": 1, "defaultValue": "" }, { "fieldName": "AuthenticationPackageName", "parameterName": "AuthenticationPackageName", "parameterType": 1, "defaultValue": "" }, { 
"fieldName": "CallerProcessName", "parameterName": "CallerProcessName", "parameterType": 1, "defaultValue": "" }, { "fieldName": "CommandLine", "parameterName": "CommandLine", "parameterType": 1, "defaultValue": "" }, { "fieldName": "Devices", "parameterName": "Computer", "parameterType": 1, "defaultValue": "" }, { "fieldName": "EventID", "parameterName": "EventID", "parameterType": 1, "defaultValue": "blank" }, { "fieldName": "EventSourceName", "parameterName": "EventSourceName", "parameterType": 1, "defaultValue": "" }, { "fieldName": "Description", "parameterName": "Activity", "parameterType": 1 }, { "fieldName": "FileHash", "parameterName": "FileHash", "parameterType": 1 }, { "fieldName": "FilePath", "parameterName": "FilePath", "parameterType": 1 }, { "fieldName": "IpAddress", "parameterName": "IpAddress", "parameterType": 1 }, { "fieldName": "IpPort", "parameterName": "IpPort", "parameterType": 1 }, { "fieldName": "LogonGuid", "parameterName": "LogonGuid", "parameterType": 1 }, { "fieldName": "Category", "parameterName": "Level", "parameterType": 1 }, { "fieldName": "LogonProcessName", "parameterName": "LogonProcessName", "parameterType": 1 }, { "fieldName": "LogonTypeName", "parameterName": "LogonTypeName", "parameterType": 1 }, { "fieldName": "MandatoryLabel", "parameterName": "MandatoryLabel", "parameterType": 1 }, { "fieldName": "NewProcessId", "parameterName": "NewProcessId", "parameterType": 1 }, { "fieldName": "NewProcessName", "parameterName": "NewProcessName", "parameterType": 1 }, { "fieldName": "ObjectName", "parameterName": "ObjectName", "parameterType": 1 }, { "fieldName": "ObjectServer", "parameterName": "ObjectServer", "parameterType": 1 }, { "fieldName": "ObjectType", "parameterName": "ObjectType", "parameterType": 1 }, { "fieldName": "ObjectValueName", "parameterName": "ObjectValueName", "parameterType": 1 }, { "fieldName": "OperationType", "parameterName": "OperationType", "parameterType": 1 }, { "fieldName": "ParentProcessName", 
"parameterName": "ParentProcessName", "parameterType": 1 }, { "fieldName": "Process", "parameterName": "Process", "parameterType": 1 }, { "fieldName": "ProcessName", "parameterName": "ProcessName", "parameterType": 1 }, { "fieldName": "RelativeTargetName", "parameterName": "RelativeTargetName", "parameterType": 1 }, { "fieldName": "ServiceName", "parameterName": "ServiceName", "parameterType": 1 }, { "fieldName": "ShareName", "parameterName": "ShareName", "parameterType": 1 }, { "fieldName": "SourceComputerId", "parameterName": "SourceComputerId", "parameterType": 1 }, { "fieldName": "SubjectAccount", "parameterName": "SubjectAccount", "parameterType": 1 }, { "fieldName": "SubjectDomainName", "parameterName": "SubjectDomainName", "parameterType": 1 }, { "fieldName": "SubjectUserName", "parameterName": "SubjectUserName", "parameterType": 1 }, { "fieldName": "SubjectUserSid", "parameterName": "SubjectUserSid", "parameterType": 1 }, { "fieldName": "TargetAccount", "parameterName": "TargetAccount", "parameterType": 1 }, { "fieldName": "TargetDomainName", "parameterName": "TargetDomainName", "parameterType": 1 }, { "fieldName": "TargetInfo", "parameterName": "TargetInfo", "parameterType": 1 }, { "fieldName": "TargetLogonGuid", "parameterName": "TargetLogonGuid", "parameterType": 1 }, { "fieldName": "TargetServerName", "parameterName": "TargetServerName", "parameterType": 1 }, { "fieldName": "TargetSid", "parameterName": "TargetSid", "parameterType": 1 }, { "fieldName": "TargetUser", "parameterName": "TargetUser", "parameterType": 1 }, { "fieldName": "TargetUserName", "parameterName": "TargetUserName", "parameterType": 1 }, { "fieldName": "TargetUserSid", "parameterName": "TargetUserSid", "parameterType": 1 }, { "fieldName": "Task", "parameterName": "Task", "parameterType": 1 }, { "fieldName": "WorkstationName", "parameterName": "WorkstationName", "parameterType": 1 } ], "showExportToExcel": true, "queryType": 0, "resourceType": 
"microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Time_and_Date", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "130px" } }, { "columnMatch": "EventID", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "50px" } }, { "columnMatch": "_ResourceId", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "110px" } }, { "columnMatch": "Devices", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "110px" } }, { "columnMatch": "Accounts", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "200px" } }, { "columnMatch": "Category", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Event_Source", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } } ], "rowLimit": 2000, "filter": true } }, "name": "query - 4", "styleSettings": { "margin": "2px", "maxWidth": "72%", "showBorder": true } }, { "type": 1, "content": { "json": "- Account: **{Account}**\r\n- AccountType: **{AccountType}**\r\n- Activity: **{Activity}**\r\n- AuthenticationPackageName: **{AuthenticationPackageName}**\r\n- CallerProcessName: **{CallerProcessName}**\r\n- CommandLine: **{CommandLine}**\r\n- Computer: **{Computer}**\r\n- EventID: **{EventID}**\r\n- EventSourceName: **{EventSourceName}**\r\n- FileHash: **{FileHash}**\r\n- FilePath: **{FilePath}**\r\n- IpAddress: **{IpAddress}**\r\n- IpPort: **{IpPort}**\r\n- Level: **{Level}**\r\n- LogonGuid: **{LogonGuid}**\r\n- LogonProcessName: **{LogonProcessName}**\r\n- LogonTypeName: **{LogonTypeName}**\r\n- MandatoryLabel: **{MandatoryLabel}**\r\n- NewProcessId: **{NewProcessId}**\r\n- NewProcessName: **{NewProcessName}**\r\n- ObjectName: **{ObjectName}**\r\n- ObjectServer: **{ObjectServer}**\r\n- ObjectType: **{ObjectType}**\r\n- ObjectValueName: **{ObjectValueName}**\r\n- OperationType: **{OperationType}**\r\n- ParentProcessName: 
**{ParentProcessName}**\r\n- Process: **{Process}**\r\n- ProcessName: **{ProcessName}**\r\n- RelativeTargetName: **{RelativeTargetName}**\r\n- ServiceName: **{ServiceName}**\r\n- ShareName: **{ShareName}**\r\n- SourceComputerId: **{SourceComputerId}**\r\n- SubjectAccount: **{SubjectAccount}**\r\n- SubjectDomainName: **{SubjectDomainName}**\r\n- SubjectUserName: **{SubjectUserName}**\r\n- SubjectUserSid: **{SubjectUserSid}**\r\n- TargetAccount: **{TargetAccount}**\r\n- TargetDomainName: **{TargetDomainName}**\r\n- TargetInfo: **{TargetInfo}**\r\n- TargetLogonGuid: **{TargetLogonGuid}**\r\n- TargetServerName: **{TargetServerName}**\r\n- TargetSid: **{TargetSid}**\r\n- TargetUser: **{TargetUser}**\r\n- TargetUserName: **{TargetUserName}**\r\n- TargetUserSid: **{TargetUserSid}**\r\n- Task: **{Task}**\r\n- WorkstationName: **{WorkstationName}**\t" }, "name": "text - 5", "styleSettings": { "margin": "10px", "padding": "2px", "maxWidth": "28%", "showBorder": true } } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "getTable", "comparison": "isEqualTo", "value": "Ninja" }, "name": "Security Event Explorer" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Windows Event Explorer", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "32d24ecb-c707-4aa2-9c65-02c54e4fa6e2", "version": "KqlParameterItem/1.0", "name": "Severity", "type": 10, "isRequired": true, "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n { \\\"value\\\": \\\"r\\\", \\\"label\\\": \\\"All\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"Information\\\", \\\"label\\\": \\\"Information\\\"},\\r\\n { \\\"value\\\": \\\"Warning\\\", \\\"label\\\": \\\"Warning\\\"},\\r\\n { \\\"value\\\": \\\"Error\\\", \\\"label\\\": \\\"Error\\\"}\\r\\n]\",\"transformers\":null}", "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "timeContext": { "durationMs": 86400000 }, 
"queryType": 8 } ], "style": "pills", "queryType": 8 }, "customWidth": "30", "name": "parameters - 8" }, { "type": 1, "content": { "json": "**Windows Event Viewer**. Set the severity and optional timebrush. Each selection is **cumulative**. **Best if you select from 1-2 filter categories at a time.**", "style": "success" }, "customWidth": "70", "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, "name": "text - 0 - Copy - Copy - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Event\r\n| where EventLevelName contains \"{Severity}\"\r\n| summarize count() by bin(TimeGenerated, 1h) \r\n| render timechart", "size": 4, "title": "Hourly Events - Time Brush Event Filter", "noDataMessage": "Select a Wokspace above to activate", "timeContextFromParameter": "TimeRange", "timeBrushParameterName": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "name": "query - 4", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Event\r\n| where EventLevelName contains \"{Severity}\"\r\n| summarize count() by EventID\r\n| project EventID, Count=count_\r\n| sort by Count\r\n", "size": 1, "title": "Event Filter", "noDataMessage": "Select a workspace above to list devices", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "EventID", "parameterName": "Events", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "EventID", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { 
"style": "decimal", "useGrouping": true } } } ], "rowLimit": 1000, "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "name": "query - 5 - Copy - Copy", "styleSettings": { "margin": "1px", "maxWidth": "16%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Event\r\n| where EventLevelName contains \"{Severity}\"\r\n| summarize count() by Computer\r\n| project Source_Device = Computer, Count=count_\r\n| sort by Count desc\r\n", "size": 1, "title": "Device Filter", "noDataMessage": "Select a workspace above to list devices", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Source_Device", "parameterName": "DeviceX", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Source_Device", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal" } } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 1000, "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, 
"customWidth": "0", "name": "query - 5 - Copy", "styleSettings": { "margin": "1px", "maxWidth": "21%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Event\r\n| where EventLevelName contains \"{Severity}\"\r\n| summarize count() by UserName\r\n| extend User2 = split(UserName, \"\\\\\").[0]\r\n| project UserName, Count=count_, User2\r\n| sort by Count desc\r\n| take 1000", "size": 1, "title": "Account Filter", "noDataMessage": "Select a workspace above to list accounts", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "User2", "parameterName": "AccountX", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "UserName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } }, { "columnMatch": "User2", "formatter": 5 } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "name": "query - 5", "styleSettings": { "margin": "1px", "maxWidth": "19%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Event\r\n| where EventLevelName contains \"{Severity}\"\r\n| extend LogSource1 = strcat(EventLog, \"-\", Source)\r\n| extend LogSource2 = case(\r\n LogSource1 has \"Admin-AD FS\", \"ADFS-Admin\",\r\n LogSource1 == \"Application-Microsoft-Windows-AppModel-State\", \"Application-AppModel-State\",\r\n LogSource1 == \"Application-Microsoft-Windows-CAPI2\", \"Application-CAPI2\",\r\n LogSource1 == \"Application-Microsoft-Windows-COMRuntime\", \"Application-COMRuntime\",\r\n LogSource1 == \"Application-Microsoft-Windows-Defrag\", \"Application-Defrag\",\r\n 
LogSource1 == \"Application-Microsoft-Windows-Perflib\", \"Application-Perflib\",\r\n LogSource1 == \"Application-Microsoft-Windows-PerfNet\", \"Application-PerfNet\",\r\n LogSource1 == \"Application-Microsoft-Windows-PerfOS\", \"Application-PerfOS\",\r\n LogSource1 == \"Application-Microsoft-Windows-PerfProc\", \"Application-PerfProc\",\r\n LogSource1 == \"Application-Microsoft-Windows-Security-SPP\", \"Application-Security-SPP\",\r\n LogSource1 == \"Application-Microsoft-Windows-WMI\", \"Application-WMI\",\r\n LogSource1 == \"Directory Service-Microsoft-Windows-ActiveDirectory_DomainService\", \"Directory Service-AADS\",\r\n LogSource1 has \"Microsoft-Windows-PowerShell\", \"PowerShell-Operational\",\r\n LogSource1 has \"Microsoft-Windows-Windows Defender\", \"Windows Defender-Antivirus\",\r\n LogSource1 has \"Microsoft-Windows-Windows Firewall With Advanced Security\", \"Windows Firewall-Advanced Security\",\r\n LogSource1==\"System-Microsoft-Windows-Bits-Client\", \"System-Bits-Client\",\r\n LogSource1==\"System-Microsoft-Windows-DistributedCOM\", \"System-DistributedCOM\",\r\n LogSource1==\"System-Microsoft-Windows-Kernel-Power\", \"System-Kernel-Power\",\r\n LogSource1==\"System-Microsoft-Windows-WindowsUpdateClient\", \"System-WindowsUpdateClient\",\r\n LogSource1==\"Windows PowerShell-PowerShell\", \"PowerShell-Windows\", \"xxx\")\r\n| extend LogSource = iff(LogSource2==\"xxx\", LogSource1, LogSource2)\r\n| summarize count() by tostring(LogSource), LogSource1\r\n| project LogSource, Count=count_, LogSource1\r\n| sort by Count\r\n\r\n\r\n", "size": 1, "title": "Log Filter", "noDataMessage": "Select a workspace above to list accounts", "timeContextFromParameter": "TimeRange", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "LogSource1", "parameterName": "LogX", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { 
"formatters": [ { "columnMatch": "LogSource", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } }, { "columnMatch": "LogSource1", "formatter": 5 } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "name": "query - 5 - Copy - Copy", "styleSettings": { "margin": "2px", "maxWidth": "21%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Event \r\n| where EventLevelName contains \"{Severity}\"\r\n| extend Description = split(RenderedDescription, \".\").[0]\r\n| project tostring(Description)\r\n| summarize count() by Description\r\n| project Description, Count=count_\r\n| sort by Count\r\n", "size": 1, "title": "Error Filter", "noDataMessage": "Select a workspace above to list accounts", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Description", "parameterName": "Error", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Description", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "177px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "name": "query - 5 - Copy", "styleSettings": { "margin": "1px", "maxWidth": "23%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let EventTable = Event | where EventLevelName contains \"{Severity}\"| where EventID in (dynamic([{Events}]));\r\nlet DeviceTable = 
Event | where EventLevelName contains \"{Severity}\"| where Computer in (dynamic([{DeviceX}]));\r\nlet AccountTable = Event | where EventLevelName contains \"{Severity}\"| extend New = split(UserName, \"\\\\\").[0] | where New in (dynamic([{AccountX}]));\r\nlet LogTable = Event | where EventLevelName contains \"{Severity}\"| extend Log2 = strcat(EventLog, \"-\", Source) | where Log2 in (dynamic([{LogX}]));\r\nlet DescriptionTable = Event | where EventLevelName contains \"{Severity}\"| extend Description = split(RenderedDescription, \".\").[0] | where Description in (dynamic([{Error}]));\r\nunion kind=inner isfuzzy=true\r\n(EventTable),(DeviceTable), (AccountTable), (LogTable), (DescriptionTable)\r\n| parse RenderedDescription with *\"SRUJet: \" D1\r\n| extend Description = iif(RenderedDescription has \"SRUJet\", D1, RenderedDescription)\r\n| project L=case(EventLevelName==\"Error\", \"🔴\", EventLevelName==\"Warning\", \"⚠️\",\"ℹ️\"), Level=EventLevelName, Time_and_Date=format_datetime(TimeGenerated, \"MM/dd/yyyy HH:mm:ss\"), _ResourceId, Computer, EventID, Source, UserName, Description\r\n| sort by Time_and_Date\r\n| take 2000", "size": 2, "noDataMessage": "Select an event, device, or account to begin", "timeContextFromParameter": "TimeSpan", "showRefreshButton": true, "exportFieldName": "TargetUserSid", "exportParameterName": "TargetUserSid", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "L", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "30px" } }, { "columnMatch": "Level", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "60px" } }, { "columnMatch": "Time_and_Date", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "130px" } }, { "columnMatch": "_ResourceId", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Computer", 
"formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "EventLog", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Source", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "UserName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Description", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "600px" } } ], "rowLimit": 2000, "filter": true } }, "name": "query - 4", "styleSettings": { "margin": "2px", "showBorder": true } } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "getTable", "comparison": "isEqualTo", "value": "Events" }, "name": "Windows Event Explorer" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Azure Activity Explorer", "items": [ { "type": 1, "content": { "json": "**Azure Activity Log Viewer**. Start by setting the time range above and the optional time brush. Each selection is **cumulative**. 
**Best if you select from 1-2 filter categories at a time.**", "style": "success" }, "customWidth": "85", "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, "name": "CEF Explorer Instructions" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureActivity\r\n| summarize count() by bin(TimeGenerated, 1h)\r\n| render timechart", "size": 4, "title": "Hourly Events - Time Brush Event Filter", "noDataMessage": "Select a Workspace above to activate", "timeContextFromParameter": "TimeRange", "timeBrushParameterName": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "name": "query - 4", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureActivity\r\n| extend Operation = iif(OperationName == \"\", OperationNameValue, OperationName)\r\n| summarize count() by Operation\r\n| project Operation, Count=count_\r\n| sort by Count", "size": 1, "title": "Operation", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Operation", "parameterName": "Operation", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Operation", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true }, "sortBy": [], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "name": "Operation", "styleSettings": { "margin": "1px", "maxWidth": "16%", "showBorder": true 
} }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureActivity\r\n| extend Status = case(ActivityStatusValue == \"Succeeded\", \"Success\", ActivityStatusValue == \"Start\", \"Started\", ActivityStatusValue == \"Failure\", \"Failed\", ActivityStatusValue == \"Accept\",\"Accepted\", ActivityStatusValue)\r\n| summarize count() by Status\r\n| project Status, Count=count_\r\n| sort by Count desc\r\n", "size": 1, "title": "Status", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Status", "parameterName": "Status", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Status", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } }, { "columnMatch": "ActivityStatusValue", "formatter": 5 } ], "rowLimit": 1000, "filter": true }, "sortBy": [], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "name": "Status", "styleSettings": { "margin": "1px", "maxWidth": "16%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureActivity\r\n| summarize count() by CategoryValue\r\n| project Category = CategoryValue, Count=count_, CategoryValue\r\n| sort by Count desc\r\n", "size": 1, "title": "Category", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "CategoryValue", "parameterName": "CategoryValue", "parameterType": 1 } ], "queryType": 0, "resourceType": 
"microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Category", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } }, { "columnMatch": "CategoryValue", "formatter": 5 } ], "rowLimit": 1000, "filter": true }, "sortBy": [], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "name": "Category", "styleSettings": { "margin": "1px", "maxWidth": "16%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureActivity\r\n| extend Level = iif(Level == \"Information\", \"Informational\", Level)\r\n| summarize count() by Level\r\n| project Severity=Level, Count=count_, Level\r\n| sort by Count desc\r\n| take 1000", "size": 1, "title": "Severity", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Severity", "parameterName": "Severity", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Severity", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } }, { "columnMatch": "Level", "formatter": 5 } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "name": "Severity", "styleSettings": { "margin": "1px", "maxWidth": "16%", "showBorder": true } }, 
{ "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureActivity\r\n| summarize count() by Caller\r\n| project Caller, Count=count_\r\n| sort by Count", "size": 1, "title": "Caller", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Caller", "parameterName": "Caller", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Caller", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "name": "Caller", "styleSettings": { "margin": "1px", "maxWidth": "18%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "AzureActivity\r\n| summarize count() by CallerIpAddress\r\n| project CallerIp=CallerIpAddress, Count=count_\r\n| sort by Count\r\n", "size": 1, "title": "Caller IP", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "CallerIp", "parameterName": "CallerIp", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "CallerIp", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "name": "Caller IP", 
"styleSettings": { "margin": "1px", "maxWidth": "16%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let Operation = AzureActivity | extend Operation2 = iif(OperationName == \"\", OperationNameValue, OperationName) | where Operation2 in (dynamic([{Operation}]));\r\nlet Status = AzureActivity | extend Status = case(ActivityStatusValue == \"Succeeded\", \"Success\", ActivityStatusValue == \"Start\", \"Started\", ActivityStatusValue == \"Failure\", \"Failed\", ActivityStatusValue == \"Accept\",\"Accepted\", ActivityStatusValue) | where Status in (dynamic([{Status}]));\r\nlet CategoryValue = AzureActivity | where CategoryValue in (dynamic([{CategoryValue}]));\r\nlet Severity = AzureActivity | where Level in (dynamic([{Severity}]));\r\nlet Caller = AzureActivity | where Caller in (dynamic([{Caller}]));\r\nlet CallerIpAddress = AzureActivity | where CallerIpAddress in (dynamic([{CallerIp}]));\r\nunion kind=inner isfuzzy=true\r\n(Operation), (Status), (CategoryValue), (Severity), (Caller), (CallerIpAddress)\r\n| project TimeGenerated, OperationName, OperationNameValue, Level, ActivityStatusValue, ResourceGroup, Caller, CallerIpAddress, CategoryValue, HTTPRequest, Properties\r\n| sort by TimeGenerated\r\n| take 2000", "size": 2, "timeContextFromParameter": "TimeSpan", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "TimeGenerated", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "OperationName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "200px" } }, { "columnMatch": "OperationNameValue", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "200px" } }, { "columnMatch": "Level", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": 
"ActivityStatusValue", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "ResourceGroup", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Caller", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "CallerIpAddress", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "CategoryValue", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "HTTPRequest", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "200px" } }, { "columnMatch": "Properties", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "200px" } } ], "rowLimit": 2000, "filter": true } }, "name": "query - 4", "styleSettings": { "margin": "2px", "showBorder": true } } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "getTable", "comparison": "isEqualTo", "value": "Activity" }, "name": "Azure Activity Explorer" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Entra ID Explorer", "items": [ { "type": 1, "content": { "json": "**Microsoft Entra ID Log Viewer**. Start by setting the time range above and the optional time brush. Select the Entra ID log table followed by one or more item of interest. Each selection is **cumulative**. 
**Best if you select from 1-2 filter categories at a time.**", "style": "success" }, "customWidth": "75", "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, "name": "CEF Explorer Instructions" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=\"SourceTable\" isfuzzy=true\r\n(SigninLogs), (AuditLogs), (AADNonInteractiveUserSignInLogs), (AADServicePrincipalSignInLogs), (AADManagedIdentitySignInLogs), (AADProvisioningLogs), (ADFSSignInLogs), (AADUserRiskEvents), (AADRiskyUsers)\r\n| summarize count() by bin(TimeGenerated, 1h), SourceTable\r\n| render timechart", "size": 4, "title": "Hourly Events - Time Brush Event Filter", "noDataMessage": "Select a Workspace above to activate", "timeContextFromParameter": "TimeRange", "timeBrushParameterName": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "name": "query - 4", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union withsource=\"SourceTable\" isfuzzy=true\r\n(SigninLogs), (AuditLogs), (AADNonInteractiveUserSignInLogs), (AADServicePrincipalSignInLogs), (AADManagedIdentitySignInLogs), (AADProvisioningLogs), (ADFSSignInLogs), (AADUserRiskEvents), (AADRiskyUsers)\r\n| summarize count() by SourceTable\r\n| project-rename Count=count_\r\n| sort by Count\r\n", "size": 1, "title": "SourceTable", "timeContextFromParameter": "TimeSpan", "exportFieldName": "SourceTable", "exportParameterName": "SourceTable", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "SourceTable", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } 
} ], "rowLimit": 1000, "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "name": "SourceTable", "styleSettings": { "maxWidth": "15%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union {SourceTable}\r\n| summarize count() by Identity\r\n| project-rename Count=count_\r\n| sort by Count\r\n\r\n", "size": 1, "title": "Identity", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Identity", "parameterName": "Identity", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Identity", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADServicePrincipalSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADProvisioningLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADRiskyUsers" } ], "name": "Identity", "styleSettings": { "maxWidth": "12%", "showBorder": true } }, { "type": 3, "content": { "version": 
"KqlItem/1.0", "query": "{SourceTable}\r\n| summarize count() by ResultDescription\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 1000\r\n", "size": 1, "title": "ResultDescription", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "ResultDescription", "parameterName": "ResultDescription", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "ResultDescription", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADProvisioningLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADRiskyUsers" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADServicePrincipalSignInLogs" } ], "name": "ResultDescription", "styleSettings": { "maxWidth": "12%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| summarize count() by AADOperationType\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 1000\r\n", "size": 1, "title": "OperationType", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "AADOperationType", "parameterName": "AADOperationType", "parameterType": 1 } 
], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "AADOperationType", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "SourceTable", "comparison": "isEqualTo", "value": "AuditLogs" }, "name": "AADOperationType", "styleSettings": { "maxWidth": "12%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| summarize count() by ActivityDisplayName\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 1000\r\n", "size": 1, "title": "DisplayName", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "ActivityDisplayName", "parameterName": "ActivityDisplayName", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "ActivityDisplayName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "SourceTable", "comparison": "isEqualTo", "value": "AuditLogs" }, "name": "ActivityDisplayName", "styleSettings": { "maxWidth": "12%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| summarize count() by Category\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 1000\r\n", 
"size": 1, "title": "Category", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Category", "parameterName": "Category", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Category", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "SourceTable", "comparison": "isEqualTo", "value": "AuditLogs" }, "name": "Category", "styleSettings": { "maxWidth": "12%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| summarize count() by Result\r\n| project-rename Count=count_, Crazy=Result\r\n| sort by Count\r\n| take 1000\r\n\r\n", "size": 1, "title": "Result", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Crazy", "parameterName": "Crazy", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Result", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "SourceTable", "comparison": "isEqualTo", "value": "AuditLogs" }, "name": "Result", "styleSettings": { "maxWidth": "12%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": 
"{SourceTable}\r\n| where Result == \"failure\"\r\n| summarize count() by ResultReason\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 1000\r\n", "size": 1, "title": "Failures", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "ResultReason", "parameterName": "ResultReason", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "ResultReason", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "SourceTable", "comparison": "isEqualTo", "value": "AuditLogs" }, "name": "Failures", "styleSettings": { "maxWidth": "12%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union {SourceTable}\r\n| summarize count() by AppDisplayName\r\n| project-rename Count=count_\r\n| sort by Count\r\n", "size": 1, "title": "AppDisplayName", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "AppDisplayName", "parameterName": "AppDisplayName", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "AppDisplayName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true }, "sortBy": [], "tileSettings": { "titleContent": { 
"columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADProvisioningLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADRiskyUsers" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADServicePrincipalSignInLogs" } ], "name": "AppDisplayName", "styleSettings": { "maxWidth": "14%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union {SourceTable}\r\n| summarize count() by AuthenticationRequirement\r\n| project-rename Count=count_\r\n| sort by Count\r\n\r\n\r\n", "size": 1, "title": "AuthenticationRequirement", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "AuthenticationRequirement", "parameterName": "AuthenticationRequirement", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "AuthenticationRequirement", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true }, "sortBy": [], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { 
"type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADRiskyUsers" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADProvisioningLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADServicePrincipalSignInLogs" } ], "name": "AuthenticationRequirement", "styleSettings": { "maxWidth": "13%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| summarize count() by ResourceDisplayName\r\n| project-rename Count=count_\r\n| sort by Count\r\n\r\n", "size": 1, "title": "ResourceDisplayName", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "ResourceDisplayName", "parameterName": "ResourceDisplayName", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "ResourceDisplayName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADProvisioningLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" }, { "parameterName": "SourceTable", 
"comparison": "isNotEqualTo", "value": "AADRiskyUsers" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADNonInteractiveUserSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "SigninLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" } ], "name": "ResourceDisplayName", "styleSettings": { "maxWidth": "15%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union {SourceTable}\r\n| summarize count() by ServicePrincipalName\r\n| project-rename Count=count_\r\n| sort by Count\r\n\r\n", "size": 1, "title": "ServicePrincipalName", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "ServicePrincipalName", "parameterName": "ServicePrincipalName", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "ServicePrincipalName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADProvisioningLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADRiskyUsers" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADNonInteractiveUserSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "SigninLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" } ], "name": 
"ServicePrincipalName", "styleSettings": { "maxWidth": "15%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| summarize count() by IPAddress\r\n| sort by count_\r\n| project-rename Count=count_\r\n| take 2000", "size": 1, "title": "IPAddress", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "IPAddress", "parameterName": "IPAddress", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "IPAddress", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 2000, "filter": true } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADProvisioningLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADRiskyUsers" } ], "name": "IPAddress", "styleSettings": { "maxWidth": "14%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union {SourceTable}\r\n| summarize count() by IpAddress\r\n| sort by count_\r\n| project-rename Count=count_\r\n| take 2000", "size": 1, "title": "IpAddress", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "IpAddress", "parameterName": 
"IpAddress", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "IpAddress", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "count_", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 2000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "SourceTable", "comparison": "isEqualTo", "value": "AADUserRiskEvents" }, "name": "IpAddress", "styleSettings": { "maxWidth": "12%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| extend LocationD = todynamic(LocationDetails)\r\n| extend Location = strcat(LocationD.countryOrRegion, \"-\", LocationD.city)\r\n| summarize count() by Location\r\n| project-rename Count=count_\r\n| sort by Count", "size": 1, "title": "Location", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Location", "parameterName": "Location", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Location", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": 
"AADProvisioningLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADRiskyUsers" } ], "name": "Location", "styleSettings": { "maxWidth": "14%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union {SourceTable}\r\n| summarize count() by Action\r\n| project-rename Count=count_\r\n| sort by Count\r\n\r\n", "size": 1, "title": "Action", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Action", "parameterName": "Action", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Action", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADRiskyUsers" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADNonInteractiveUserSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "SigninLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADServicePrincipalSignInLogs" } ], "name": "Action", "styleSettings": { "maxWidth": "15%", "showBorder": true } }, { "type": 3, "content": { 
"version": "KqlItem/1.0", "query": "union {SourceTable}\r\n| summarize count() by ResultType\r\n| project-rename Count=count_\r\n| sort by Count\r\n\r\n", "size": 1, "title": "ResultType", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "ResultType", "parameterName": "ResultType", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "ResultType", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADRiskyUsers" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADNonInteractiveUserSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "SigninLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADServicePrincipalSignInLogs" } ], "name": "ResultType", "styleSettings": { "maxWidth": "15%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| extend TargetSystem = todynamic(TargetSystem)\r\n| extend App = tostring(TargetSystem.Name) \r\n| summarize count() by App\r\n| project-rename Count=count_\r\n| sort by Count\r\n\r\n", "size": 1, "title": "Application", "noDataMessage": "Select one 
or more vendor source", "timeContextFromParameter": "TimeRange", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "App", "parameterName": "App", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "App", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADRiskyUsers" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADNonInteractiveUserSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "SigninLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADServicePrincipalSignInLogs" } ], "name": "Application", "styleSettings": { "maxWidth": "15%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union {SourceTable}\r\n| extend TargetSystem = todynamic(TargetSystem)\r\n| extend SP = tostring(parse_json(tostring(TargetSystem.details)).ServicePrincipalDisplayName)\r\n| summarize count() by SP\r\n| project-rename Count=count_, ServicePrincipal=SP\r\n| sort by Count\r\n\r\n", "size": 1, "title": "ServicePrincipal", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "ServicePrincipal", 
"parameterName": "ServicePrincipal", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "ServicePrincipal", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADRiskyUsers" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADNonInteractiveUserSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "SigninLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADServicePrincipalSignInLogs" } ], "name": "ServicePrincipal", "styleSettings": { "maxWidth": "15%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| summarize count() by UserDisplayName\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 1000", "size": 1, "title": "UserDisplayName", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "UserDisplayName", "parameterName": "UserDisplayName", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "UserDisplayName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", 
"formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADServicePrincipalSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "SigninLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADNonInteractiveUserSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADProvisioningLogs" } ], "name": "UserDisplayName", "styleSettings": { "maxWidth": "15%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| summarize count() by RiskLevel\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 1000", "size": 1, "title": "RiskLevel", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "RiskLevel", "parameterName": "RiskLevel", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "RiskLevel", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "50px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADServicePrincipalSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", 
"value": "SigninLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADNonInteractiveUserSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADProvisioningLogs" } ], "name": "RiskLevel", "styleSettings": { "maxWidth": "12%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| extend RiskLocation = strcat(Location.countryOrRegion, \"-\", Location.city)\r\n| summarize count() by RiskLocation\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 1000", "size": 1, "title": "RiskLocation", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "RiskLocation", "parameterName": "RiskLocation", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "RiskLocation", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "80px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "SourceTable", "comparison": "isEqualTo", "value": "AADUserRiskEvents" }, "name": "RiskLocation", "styleSettings": { "maxWidth": "12%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| summarize count() by RiskDetail\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 1000", "size": 1, "title": "RiskDetail", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": 
"RiskDetail", "parameterName": "RiskDetail", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "RiskDetail", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "SourceTable", "comparison": "isEqualTo", "value": "AADUserRiskEvents" }, "name": "RiskDetail", "styleSettings": { "maxWidth": "11%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| summarize count() by RiskEventType\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 1000", "size": 1, "title": "RiskEventType", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "RiskEventType", "parameterName": "RiskEventType", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "RiskEventType", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "SourceTable", "comparison": "isEqualTo", "value": "AADUserRiskEvents" }, "name": "RiskEventType", "styleSettings": { "maxWidth": "11%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| summarize count() by RiskState\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 1000", "size": 1, "title": "RiskState", 
"timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "RiskState", "parameterName": "RiskState", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "RiskState", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADServicePrincipalSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "SigninLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADNonInteractiveUserSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADProvisioningLogs" } ], "name": "RiskState", "styleSettings": { "maxWidth": "11%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where RiskEventType in (dynamic([{RiskEventType}]))\r\n| summarize count() by bin(TimeGenerated, 1h), RiskEventType\r\n| render timechart\r\n", "size": 4, "title": "RiskEventType Timeline", "timeContextFromParameter": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "RiskEventType", "comparison": "isNotEqualTo" }, "name": "RiskEventType", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": 
"{SourceTable}\r\n| where RiskState in (dynamic([{RiskState}]))\r\n| summarize count() by bin(TimeGenerated, 1h), RiskState\r\n| render timechart\r\n", "size": 4, "title": "RiskState Timeline", "timeContextFromParameter": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "RiskState", "comparison": "isNotEqualTo" }, "name": "RiskState", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where RiskDetail in (dynamic([{RiskDetail}]))\r\n| summarize count() by bin(TimeGenerated, 1h), RiskDetail\r\n| render timechart\r\n", "size": 4, "title": "RiskDetail Timeline", "timeContextFromParameter": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "RiskDetail", "comparison": "isNotEqualTo" }, "name": "RiskDetail", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| extend RiskLocation = strcat(Location.countryOrRegion, \"-\", Location.city)\r\n| where RiskLocation in (dynamic([{RiskLocation}]))\r\n| summarize count() by bin(TimeGenerated, 1h), RiskLocation\r\n| render timechart\r\n", "size": 4, "title": "RiskLocation Timeline", "timeContextFromParameter": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "RiskLocation", "comparison": "isNotEqualTo" }, "name": "RiskLocation", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where RiskLevel in (dynamic([{RiskLevel}]))\r\n| summarize count() by bin(TimeGenerated, 1h), RiskLevel\r\n| render timechart\r\n", "size": 4, 
"title": "RiskLevel Timeline", "timeContextFromParameter": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "RiskLevel", "comparison": "isNotEqualTo" }, "name": "RiskLevel", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where UserDisplayName in (dynamic([{UserDisplayName}]))\r\n| summarize count() by bin(TimeGenerated, 1h), UserDisplayName\r\n| render timechart\r\n", "size": 4, "title": "UserDisplayName Timeline", "timeContextFromParameter": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "UserDisplayName", "comparison": "isNotEqualTo" }, "name": "UserDisplayName", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where IpAddress in (dynamic([{IpAddress}]))\r\n| summarize count() by bin(TimeGenerated, 1h), IpAddress\r\n| render timechart\r\n", "size": 4, "title": "IpAddress Timeline", "timeContextFromParameter": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "IpAddress", "comparison": "isNotEqualTo" }, "name": "IpAddress", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| extend TargetSystem = todynamic(TargetSystem)\r\n| extend SP = tostring(parse_json(tostring(TargetSystem.details)).ServicePrincipalDisplayName)\r\n| where SP in (dynamic([{ServicePrincipal}]))\r\n| summarize count() by bin(TimeGenerated, 1h), SP\r\n| render timechart\r\n", "size": 4, "title": "ServicePrincipal Timeline", "timeContextFromParameter": "TimeSpan", "queryType": 0, 
"resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "ServicePrincipal", "comparison": "isNotEqualTo" }, "name": "ServicePrincipal", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| extend TargetSystem = todynamic(TargetSystem)\r\n| extend App = tostring(TargetSystem.Name) \r\n| where App in (dynamic([{App}]))\r\n| summarize count() by bin(TimeGenerated, 1h), App\r\n| render timechart\r\n", "size": 4, "title": "App Timeline", "timeContextFromParameter": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "App", "comparison": "isNotEqualTo" }, "name": "App", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where ResultType in (dynamic([{ResultType}]))\r\n| summarize count() by bin(TimeGenerated, 1h), ResultType\r\n| render timechart\r\n", "size": 4, "title": "ResultType Timeline", "timeContextFromParameter": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "ResultType", "comparison": "isNotEqualTo" }, "name": "ResultType", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where Action in (dynamic([{Action}]))\r\n| summarize count() by bin(TimeGenerated, 1h), Action\r\n| render timechart\r\n", "size": 4, "title": "Action Timeline", "timeContextFromParameter": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "Action", "comparison": "isNotEqualTo" }, "name": "Action", 
"styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where ResultReason in (dynamic([{ResultReason}]))\r\n| summarize count() by bin(TimeGenerated, 1h), ResultReason\r\n| render timechart\r\n", "size": 4, "title": "ResultReason Timeline", "timeContextFromParameter": "TimeSpan", "timeBrushParameterName": "Result", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "ResultReason", "comparison": "isNotEqualTo" }, "name": "ResultReason", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where Result in (dynamic([{Crazy}]))\r\n| summarize count() by bin(TimeGenerated, 1h), Result\r\n| render timechart\r\n", "size": 4, "title": "Result Timeline", "timeContextFromParameter": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "Crazy", "comparison": "isNotEqualTo" }, "name": "Result", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where Category in (dynamic([{Category}]))\r\n| summarize count() by bin(TimeGenerated, 1h), Category\r\n| render timechart\r\n", "size": 4, "title": "Category Timeline", "timeContextFromParameter": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "Category", "comparison": "isNotEqualTo" }, "name": "Category", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where ActivityDisplayName in (dynamic([{ActivityDisplayName}]))\r\n| summarize count() by bin(TimeGenerated, 1h), 
ActivityDisplayName\r\n| render timechart\r\n", "size": 4, "title": "ActivityDisplayName Timeline", "timeContextFromParameter": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "ActivityDisplayName", "comparison": "isNotEqualTo" }, "name": "OperationType - Copy", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where AADOperationType in (dynamic([{AADOperationType}]))\r\n| summarize count() by bin(TimeGenerated, 1h), AADOperationType\r\n| render timechart\r\n", "size": 4, "title": "OperationType Timeline", "timeContextFromParameter": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "AADOperationType", "comparison": "isNotEqualTo" }, "name": "OperationType", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| extend LocationD = todynamic(LocationDetails)\r\n| extend Location = strcat(LocationD.countryOrRegion, \"-\", LocationD.city)\r\n| where Location in (dynamic([{Location}]))\r\n| summarize count() by bin(TimeGenerated, 1h), Location\r\n| render timechart\r\n", "size": 4, "title": "Location Timeline", "timeBrushParameterName": "Result", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "Location", "comparison": "isNotEqualTo" }, "name": "Location", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where ServicePrincipalName in (dynamic([{ServicePrincipalName}]))\r\n| summarize count() by bin(TimeGenerated, 1h), ServicePrincipalName\r\n| render timechart\r\n", "size": 4, 
"title": "ServicePrincipalName Timeline", "timeBrushParameterName": "Result", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "ServicePrincipalName", "comparison": "isNotEqualTo" }, "name": "ServicePrincipalName", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where ResourceDisplayName in (dynamic([{ResourceDisplayName}]))\r\n| summarize count() by bin(TimeGenerated, 1h), ResourceDisplayName\r\n| render timechart\r\n", "size": 4, "title": "ResourceDisplayName Timeline", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "ResourceDisplayName", "comparison": "isNotEqualTo" }, "name": "ResourceDisplayName", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where ResultDescription in (dynamic([{ResultDescription}]))\r\n| summarize count() by bin(TimeGenerated, 1h), ResultDescription\r\n| render timechart\r\n", "size": 4, "title": "Result Timeline", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "ResultDescription", "comparison": "isNotEqualTo" }, "name": "Result Timeline", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where AppDisplayName in (dynamic([{AppDisplayName}]))\r\n| summarize count() by bin(TimeGenerated, 1h), AppDisplayName\r\n| render timechart\r\n", "size": 4, "title": "App Timeline", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ 
"{Workspace}" ] }, "conditionalVisibility": { "parameterName": "AppDisplayName", "comparison": "isNotEqualTo" }, "name": "App Timeline", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where AuthenticationRequirement in (dynamic([{AuthenticationRequirement}]))\r\n| summarize count() by bin(TimeGenerated, 1h), AuthenticationRequirement\r\n| render timechart\r\n", "size": 4, "title": "Authentication Timeline", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "AuthenticationRequirement", "comparison": "isNotEqualTo" }, "name": "App Timeline - Copy", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where Identity in (dynamic([{Identity}]))\r\n| summarize count() by bin(TimeGenerated, 1h), Identity\r\n| render timechart\r\n", "size": 4, "title": "Identity Timeline", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "Identity", "comparison": "isNotEqualTo" }, "name": "Identity Timeline", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{SourceTable}\r\n| where IPAddress in (dynamic([{IPAddress}]))\r\n| summarize count() by bin(TimeGenerated, 1h), IPAddress\r\n| render timechart\r\n", "size": 4, "title": "IPAddress Timeline", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "conditionalVisibility": { "parameterName": "IPAddress", "comparison": "isNotEqualTo" }, "name": "IPAddress Timeline", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let RiskLevel = {SourceTable} 
| where RiskLevel in (dynamic([{RiskLevel}]));\r\nlet RiskState = {SourceTable} | where RiskState in (dynamic([{RiskState}]));\r\nlet UserDisplayName = {SourceTable} | where UserDisplayName in (dynamic([{UserDisplayName}]));\r\nunion isfuzzy=true\r\n(RiskLevel), (RiskState), (UserDisplayName)\r\n| project TimeGenerated, UserDisplayName, UserPrincipalName, OperationName, Type, RiskLevel, RiskState, RiskDetail, IsProcessing, IsDeleted\r\n| sort by TimeGenerated\r\n| take 2000", "size": 2, "timeContextFromParameter": "TimeSpan", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "TimeGenerated", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "UserDisplayName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "UserPrincipalName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "OperationName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Type", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "RiskLevel", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "RiskState", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "RiskDetail", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "IsProcessing", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "IsDeleted", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } } ], "rowLimit": 2000, "filter": true } }, "conditionalVisibilities": [ { "parameterName": "Result", "comparison": "isNotEqualTo" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": 
"AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "SigninLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADNonInteractiveUserSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADServicePrincipalSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADProvisioningLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" } ], "name": "AADRiskyUsers", "styleSettings": { "margin": "2px", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let IpAddress = {SourceTable} | where IpAddress in (dynamic([{IpAddress}]));\r\nlet UserDisplayName = {SourceTable} | where UserDisplayName in (dynamic([{UserDisplayName}]));\r\nlet RiskLevel = {SourceTable} | where RiskLevel in (dynamic([{RiskLevel}]));\r\nlet RiskLocation = {SourceTable} | extend RiskLocation = strcat(Location.countryOrRegion, \"-\", Location.city) | where RiskLocation in (dynamic([{RiskLocation}]));\r\nlet RiskDetail = {SourceTable} | where RiskDetail in (dynamic([{RiskDetail}]));\r\nlet RiskEventType = {SourceTable} | where RiskEventType in (dynamic([{RiskEventType}]));\r\nlet RiskState = {SourceTable} | where RiskState in (dynamic([{RiskState}]));\r\nunion isfuzzy=true\r\n(IpAddress), (UserDisplayName), (RiskLevel), (RiskLocation), (RiskDetail), (RiskEventType), (RiskState)\r\n| sort by TimeGenerated\r\n| take 2000", "size": 2, "timeContextFromParameter": "TimeSpan", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "TimeGenerated", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": 
"UserDisplayName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "UserPrincipalName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "OperationName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Type", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "RiskLevel", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "RiskState", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "RiskDetail", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "IsProcessing", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "IsDeleted", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } } ], "rowLimit": 2000, "filter": true } }, "conditionalVisibilities": [ { "parameterName": "Result", "comparison": "isNotEqualTo" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "SigninLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADNonInteractiveUserSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADServicePrincipalSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADProvisioningLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADRiskyUsers" } ], "name": "AADUserRiskEvents", "styleSettings": { "margin": "2px", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let Action = {SourceTable} | where Action in (dynamic([{Action}]));\r\nlet 
ResultType = {SourceTable} | where ResultType in (dynamic([{ResultType}]));\r\nlet App = {SourceTable} | extend TargetSystem = todynamic(TargetSystem)\r\n| extend App = tostring(TargetSystem.Name) | where App in (dynamic([{App}]));\r\nlet ServicePrincipal = {SourceTable} | extend TargetSystem = todynamic(TargetSystem)\r\n| extend ServicePrincipal= tostring(parse_json(tostring(TargetSystem.details)).ServicePrincipalDisplayName)| where ServicePrincipal in (dynamic([{ServicePrincipal}]));\r\nunion isfuzzy=true\r\n(Action), (ResultType), (App), (ServicePrincipal)\r\n| project TimeGenerated, OperationName, Action, ResultType, App, ServicePrincipal, ResultDescription, InitiatedBy, SourceIdentity, TargetIdentity\r\n| sort by TimeGenerated\r\n| take 2000", "size": 2, "timeContextFromParameter": "TimeSpan", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "TimeGenerated", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "OperationName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Action", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "ResultType", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "App", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "ServicePrincipal", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "ResultDescription", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "InitiatedBy", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "SourceIdentity", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { 
"columnMatch": "TargetIdentity", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } } ], "rowLimit": 2000, "filter": true } }, "conditionalVisibilities": [ { "parameterName": "Result", "comparison": "isNotEqualTo" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADRiskyUsers" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "SigninLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADNonInteractiveUserSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADServicePrincipalSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" } ], "name": "AADProvisioningLogs", "styleSettings": { "margin": "2px", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let ServicePrincipalName = {SourceTable} | where ServicePrincipalName in (dynamic([{ServicePrincipalName}]));\r\nlet ResourceDisplayName = {SourceTable} | where ResourceDisplayName in (dynamic([{ResourceDisplayName}]));\r\nunion isfuzzy=true\r\n(ServicePrincipalName), (ResourceDisplayName)\r\n| sort by TimeGenerated\r\n| take 2000", "size": 2, "timeContextFromParameter": "TimeSpan", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "TimeGenerated", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Identity", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" } }, { "columnMatch": "OperationName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" 
} }, { "columnMatch": "ResultDescription", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" } }, { "columnMatch": "AADOperationType", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "ActivityDisplayName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Category", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "LoggedByService", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Result", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "ResultReason", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" } } ], "rowLimit": 2000, "filter": true } }, "conditionalVisibilities": [ { "parameterName": "Result", "comparison": "isNotEqualTo" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADProvisioningLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADRiskyUsers" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "SigninLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADNonInteractiveUserSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADServicePrincipalSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" } ], "name": "AADManagedIdentitySignInLogs", "styleSettings": { "margin": "2px", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let ResultDescription = {SourceTable} | where ResultDescription in (dynamic([{ResultDescription}]));\r\nlet Identity = {SourceTable} | where Identity in (dynamic([{Identity}]));\r\nlet AADOperationType = {SourceTable} | where AADOperationType in 
(dynamic([{AADOperationType}]));\r\nlet ActivityDisplayName = {SourceTable} | where ActivityDisplayName in (dynamic([{ActivityDisplayName}]));\r\nlet Category = {SourceTable} | where Category in (dynamic([{Category}]));\r\nlet ResultReason = {SourceTable} | where ResultReason in (dynamic([{ResultReason}]));\r\n//let Crazy = {SourceTable} | where Crazy in (dynamic([{Crazy}]));\r\nunion isfuzzy=true\r\n(ResultDescription), (Identity), (AADOperationType), (ActivityDisplayName), (Category), (ResultReason)//, (Crazy)\r\n| project TimeGenerated, Identity, OperationName, ResultDescription, AADOperationType, ActivityDisplayName, Category, LoggedByService, Result, ResultReason\r\n| sort by TimeGenerated\r\n| take 2000", "size": 2, "timeContextFromParameter": "TimeSpan", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "TimeGenerated", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Identity", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" } }, { "columnMatch": "OperationName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "ResultDescription", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" } }, { "columnMatch": "AADOperationType", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "ActivityDisplayName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Category", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "LoggedByService", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Result", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "ResultReason", 
"formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" } } ], "rowLimit": 2000, "filter": true } }, "conditionalVisibilities": [ { "parameterName": "Result", "comparison": "isNotEqualTo" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADProvisioningLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADRiskyUsers" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "SigninLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADNonInteractiveUserSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADServicePrincipalSignInLogs" } ], "name": "AuditLogs", "styleSettings": { "margin": "2px", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let ServicePrincipalName = {SourceTable} | where ServicePrincipalName in (dynamic([{ServicePrincipalName}]));\r\nlet ResourceDisplayName = {SourceTable} | where ResourceDisplayName in (dynamic([{ResourceDisplayName}]));\r\nlet IPAddress = {SourceTable} | where IPAddress in (dynamic([{IPAddress}]));\r\nlet Location = {SourceTable} | extend LocationD = todynamic(LocationDetails) \r\n| extend Location = strcat(LocationD.countryOrRegion, \"-\", LocationD.city) \r\n| where Location in (dynamic([{Location}]));\r\nunion kind=inner isfuzzy=true\r\n(ServicePrincipalName), (ResourceDisplayName), (IPAddress), (Location)\r\n| extend ss = todynamic(AuthenticationProcessingDetails)\r\n| extend cc = todynamic(LocationDetails)\r\n| extend Type = ss[0].key\r\n| extend City = cc.city\r\n| extend State = cc.state\r\n| extend Latitude = parse_json(tostring(cc.geoCoordinates)).latitude\r\n| extend Longitude = 
parse_json(tostring(cc.geoCoordinates)).longitude\r\n| project TimeGenerated, ServicePrincipalName, ResourceDisplayName, Type, IPAddress, Country=Location, City, State, Latitude, Longitude\r\n| sort by TimeGenerated\r\n| take 2000", "size": 2, "timeContextFromParameter": "TimeSpan", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "TimeGenerated", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "ServicePrincipalName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "ResourceDisplayName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "200px" } }, { "columnMatch": "Type", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "200px" } }, { "columnMatch": "IPAddress", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Country", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "City", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "State", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Latitude", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Longitude", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } } ], "rowLimit": 2000, "filter": true } }, "conditionalVisibilities": [ { "parameterName": "Result", "comparison": "isNotEqualTo" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADProvisioningLogs" }, { "parameterName": 
"SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADRiskyUsers" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "SigninLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADNonInteractiveUserSignInLogs" } ], "name": "AADServicePrincipalSignInLogs", "styleSettings": { "margin": "2px", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let Identity = {SourceTable} | where Identity in (dynamic([{Identity}]));\r\nlet Result = {SourceTable} | where ResultDescription in (dynamic([{ResultDescription}]));\r\nlet AppDisplayName = {SourceTable} | where AppDisplayName in (dynamic([{AppDisplayName}]));\r\nlet AuthenticationRequirement = {SourceTable} | where AuthenticationRequirement in (dynamic([{AuthenticationRequirement}]));\r\nlet IPAddress = {SourceTable} | where IPAddress in (dynamic([{IPAddress}]));\r\nlet Location = {SourceTable} | extend LocationD = todynamic(LocationDetails) \r\n| extend Location = strcat(LocationD.countryOrRegion, \"-\", LocationD.city) \r\n| where Location in (dynamic([{Location}]));\r\nunion kind=inner isfuzzy=true\r\n(Identity), (Result), (AppDisplayName), (AuthenticationRequirement), (IPAddress), (Location)\r\n| extend DeviceDetail = todynamic(DeviceDetail)\r\n| extend Browser = todynamic(DeviceDetail.browser)\r\n| extend LocationDetails = todynamic(LocationDetails)\r\n| extend State = LocationDetails.state\r\n| extend City = LocationDetails.city\r\n| extend AuthDetails = todynamic(AuthenticationProcessingDetails)\r\n| extend A1 = AuthDetails[0].key\r\n| extend A2 = AuthDetails[1].key\r\n| extend A3= AuthDetails[2].key\r\n| extend Latitude = parse_json(tostring(LocationDetails.geoCoordinates)).latitude\r\n| extend Longitude = parse_json(tostring(LocationDetails.geoCoordinates)).longitude\r\n| project TimeGenerated, Identity, UserPrincipalName, 
Country=Location, State, City, AppDisplayName, ClientAppUsed, Browser, ConditionalAccessStatus, IPAddress, AuthenticationRequirement, ResourceDisplayName, RiskState, Latitude, Longitude, A1, A2, A3\r\n| sort by TimeGenerated\r\n| take 2000", "size": 2, "timeContextFromParameter": "TimeSpan", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "TimeGenerated", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Identity", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "UserPrincipalName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Country", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "60px" } }, { "columnMatch": "State", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "City", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "AppDisplayName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "ClientAppUsed", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Browser", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "ConditionalAccessStatus", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "IPAddress", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "AuthenticationRequirement", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "ResourceDisplayName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "RiskState", "formatter": 0, "formatOptions": { 
"customColumnWidthSetting": "90px" } }, { "columnMatch": "Latitude", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Longitude", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "A1", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "A2", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "A3", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } } ], "rowLimit": 2000, "filter": true } }, "conditionalVisibilities": [ { "parameterName": "Result", "comparison": "isNotEqualTo" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AuditLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADServicePrincipalSignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADManagedIdentitySignInLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADProvisioningLogs" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADUserRiskEvents" }, { "parameterName": "SourceTable", "comparison": "isNotEqualTo", "value": "AADRiskyUsers" } ], "name": "AADNonInteractiveUserSignInLogs & SigninLogs", "styleSettings": { "margin": "2px", "showBorder": true } } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "getTable", "comparison": "isEqualTo", "value": "AAD" }, "name": "AAD Explorer" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "CEF Explorer", "items": [ { "type": 1, "content": { "json": "**CEF Log Explorer**. Start by selecting a timespan and one or more device vendor. Each selection is **cumulative**. 
**Best if you select from 1-2 filter categories at a time.**", "style": "success" }, "customWidth": "75", "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, "name": "CEF Explorer Instructions" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\r\n| summarize count() by bin(TimeGenerated, 1h), DeviceVendor\r\n| where count_ > 100\r\n| render timechart", "size": 4, "title": "Hourly Events - Time Brush Event Filter", "noDataMessage": "Select a Workspace above to activate", "timeContextFromParameter": "TimeRange", "timeBrushParameterName": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "name": "query - 4 - Copy", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\r\n| summarize count() by DeviceVendor\r\n| project Vendor=DeviceVendor, Count=count_, DeviceVendor\r\n| sort by Count\r\n", "size": 1, "title": "Vendor", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "DeviceVendor", "parameterName": "DeviceVendor", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Vendor", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } }, { "columnMatch": "DeviceVendor", "formatter": 5, "formatOptions": { "customColumnWidthSetting": "90px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal" } } } ], "rowLimit": 1000, "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", 
"sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "name": "DeviceVendor", "styleSettings": { "margin": "1px", "maxWidth": "16%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog | where DeviceVendor in (dynamic([{DeviceVendor}]))\r\n| summarize count() by Computer\r\n| project Forwarder = Computer, Count=count_, Computer\r\n| sort by Count desc\r\n", "size": 1, "title": "Forwarder", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Computer", "parameterName": "Computer", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Forwarder", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } }, { "columnMatch": "Computer", "formatter": 5 } ], "rowLimit": 1000, "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "name": "Computer", "styleSettings": { "margin": "1px", "maxWidth": "16%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", 
"query": "CommonSecurityLog | where DeviceVendor in (dynamic([{DeviceVendor}]))\r\n| summarize count() by LogSeverity\r\n| project Severity = LogSeverity, Count=count_, LogSeverity\r\n| sort by Count desc\r\n", "size": 1, "title": "Severity", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "LogSeverity", "parameterName": "LogSeverity", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Severity", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } }, { "columnMatch": "LogSeverity", "formatter": 5 } ], "rowLimit": 1000, "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "name": "LogSeverity", "styleSettings": { "margin": "1px", "maxWidth": "16%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog | where DeviceVendor in (dynamic([{DeviceVendor}]))\r\n| summarize count() by SourceIP\r\n| project SourceIP, Count=count_\r\n| sort by Count desc\r\n| take 1000", "size": 1, "title": "SourceIP", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "SourceIP", "parameterName": "SourceIP", 
"parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "SourceIP", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "name": "SourceIP", "styleSettings": { "margin": "1px", "maxWidth": "16%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog | where DeviceVendor in (dynamic([{DeviceVendor}]))\r\n| summarize count() by DestinationIP\r\n| project DestinationIP, Count=count_\r\n| sort by Count\r\n| take 1000", "size": 1, "title": "DestinationIP", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "DestinationIP", "parameterName": "DestinationIP", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "DestinationIP", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "name": "DestinationIP", "styleSettings": { "margin": "1px", "maxWidth": "16%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog | where DeviceVendor in (dynamic([{DeviceVendor}]))\r\n| summarize count() by Message\r\n| project 
Message, Count=count_\r\n| sort by Count\r\n| take 2000\r\n", "size": 1, "title": "Message", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Message", "parameterName": "Message", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Message", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "name": "Message", "styleSettings": { "margin": "1px", "maxWidth": "16%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let Computer = CommonSecurityLog | where DeviceVendor in (dynamic([{DeviceVendor}])) | where Computer in (dynamic([{Computer}]));\r\nlet LogSeverity = CommonSecurityLog | where DeviceVendor in (dynamic([{DeviceVendor}])) | where LogSeverity in (dynamic([{LogSeverity}]));\r\nlet SourceIP = CommonSecurityLog | where DeviceVendor in (dynamic([{DeviceVendor}])) | where SourceIP in (dynamic([{SourceIP}]));\r\nlet DestinationIP = CommonSecurityLog | where DeviceVendor in (dynamic([{DeviceVendor}])) | where DestinationIP in (dynamic([{DestinationIP}]));\r\nlet Message = CommonSecurityLog | where DeviceVendor in (dynamic([{DeviceVendor}])) | where Message in (dynamic([{Message}]));\r\nunion kind=inner isfuzzy=true\r\n(Computer), (LogSeverity), (SourceIP), (DestinationIP), (Message)\r\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceVersion, LogSeverity, Forwarder=Computer, DestinationIP, SourceIP, Activity, AdditionalExtensions, Message\r\n| sort by TimeGenerated\r\n| take 
2000", "size": 2, "timeContextFromParameter": "TimeSpan", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "TimeGenerated", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "DeviceVendor", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "DeviceProduct", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "DeviceVersion", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "LogSeverity", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Forwarder", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "DestinationIP", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "SourceIP", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Activity", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "AdditionalExtensions", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Message", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "450px" } } ], "rowLimit": 2000, "filter": true } }, "name": "query - 4", "styleSettings": { "margin": "2px", "showBorder": true } } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "getTable", "comparison": "isEqualTo", "value": "CEF" }, "name": "CEF Explorer" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Security Alert Viewer", "items": [ { "type": 1, "content": { "json": "**Security Alert Viewer**. The initial set of tiles represents top alert and incident activity. 
The first tile displays the **alert-to-incident ratio**. This is a good indicator of alert aggregation. A low or near 1:1 ratio is an indicator of insufficient alert aggregation.\r\n\r\nFor Alert and Incident table analysis, start by selecting a timespan and one or more tables. Each selection is **cumulative**. **Best if you select from 1-2 filter categories at a time.**", "style": "success" }, "customWidth": "75", "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, "name": "CEF Explorer Instructions" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "185f607b-6cf0-4730-9b9e-48f090034cf4", "version": "KqlParameterItem/1.0", "name": "ShowTop", "label": "Show Top Tiles", "type": 10, "description": "Turn off the top results tiles", "isRequired": true, "value": "Yes", "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n { \"value\": \"No\", \"label\": \"No\", \"selected\":true }\r\n]", "timeContext": { "durationMs": 86400000 } } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "name": "parameters - 18", "styleSettings": { "maxWidth": "15%" } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityAlert\r\n| summarize arg_max(TimeGenerated, *) by SystemAlertId\r\n| summarize count() by bin(TimeGenerated, 1h), ProductName\r\n| project TimeGenerated, Source=ProductName, Count=count_", "size": 4, "title": "Hourly Alerts by Source - Time Brush Event Filter", "noDataMessage": "Select a Workspace above to activate", "timeContextFromParameter": "TimeRange", "timeBrushParameterName": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "timechart" }, "name": "query - 4", "styleSettings": { "showBorder": true } }, { "type": 12, 
"content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let Alert = SecurityAlert\r\n| extend Source = iif(ProductName == \"Azure Sentinel\", \"Sentinel\", \"External\") \r\n| summarize count() by Source\r\n| project Source, Alerts=count_;\r\nlet Incident = SecurityIncident\r\n| extend Source = iif(ProviderName == \"Azure Sentinel\", \"Sentinel\", \"External\")\r\n| summarize count() by Source\r\n| project Source, Incidents=count_;\r\nAlert\r\n| join (Incident) on Source\r\n| project Source, Alerts, Incidents, Ratio = strcat(round(toreal(Alerts)/toreal(Incidents),1), \" : 1\")", "size": 1, "title": "Alert-to-Incident Ratio", "timeContextFromParameter": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Source", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "Alerts", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "Incidents", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "Ratio", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal" } }, "tooltipFormat": { "tooltip": "Low ratio indicates poor alert aggregation" } } ], "sortBy": [ { "itemKey": "$gen_number_Ratio_3", "sortOrder": 1 } ] }, "sortBy": [ { "itemKey": "$gen_number_Ratio_3", "sortOrder": 1 } ] }, "customWidth": "50", "name": "query - 0", "styleSettings": { "maxWidth": "24%" } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityAlert\r\n| summarize count() by ProductName\r\n| project Source=ProductName, Count=count_\r\n| sort by Count", "size": 1, "title": "Most Common Alert Source", "queryType": 0, "resourceType": 
"microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Source", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "175px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ] } }, "customWidth": "0", "name": "Most Common Alert Source", "styleSettings": { "maxWidth": "23%" } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityIncident\r\n| summarize count() by Title\r\n| project Title, Count=count_\r\n| sort by Count\r\n| take 20\r\n\r\n", "size": 1, "title": "Most Common Incidents", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Title", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "175px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ] } }, "customWidth": "0", "name": "Most Common Incidents", "styleSettings": { "maxWidth": "24%" } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityAlert\r\n| summarize count() by AlertName\r\n| project Title=AlertName, Count=count_\r\n| sort by Count\r\n| take 20", "size": 1, "title": "Most Common Alerts", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Title", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "175px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ] } }, "customWidth": "50", "name": "Most Common Alerts", "styleSettings": { "maxWidth": "24%" } } ] }, "conditionalVisibility": { "parameterName": "ShowTop", "comparison": "isEqualTo", "value": "Yes" }, "name": "group - 
17" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let Alerts = SecurityIncident | summarize arg_max(TimeGenerated, *) by IncidentNumber | count;\r\nlet Incidents = SecurityAlert | summarize arg_max(TimeGenerated, *) by SystemAlertId | count;\r\nunion withsource=Table\r\nAlerts, Incidents\r\n| extend Type = iff(Table == \"union_arg0\", \"Incidents\", \"Alerts\")\r\n| extend Table = iff(Table == \"union_arg0\", \"SecurityIncident\", \"SecurityAlert\")\r\n| project Type, Count, Table\r\n| sort by Count\r\n\r\n\r\n", "size": 1, "title": "Table", "timeContextFromParameter": "TimeSpan", "exportFieldName": "Table", "exportParameterName": "Table", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Type", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } }, { "columnMatch": "Table", "formatter": 5 } ], "rowLimit": 1000, "filter": true }, "sortBy": [], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "name": "Table", "styleSettings": { "maxWidth": "13%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityAlert \r\n| summarize count() by Status\r\n| project-rename Count=count_\r\n| sort by Count desc\r\n", "size": 1, "title": "Status", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Status", "parameterName": "Status", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], 
"visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Status", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 1000, "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "Table", "comparison": "isEqualTo", "value": "SecurityAlert" }, "name": "Status", "styleSettings": { "maxWidth": "12%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityIncident\r\n| summarize count() by Status\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 2000\r\n", "size": 1, "title": "Status", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Status", "parameterName": "Status", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Status", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "Table", "comparison": "isEqualTo", "value": 
"SecurityIncident" }, "name": "Status", "styleSettings": { "maxWidth": "13%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityAlert\r\n| summarize count() by AlertSeverity\r\n| project-rename Count=count_\r\n| sort by Count desc\r\n", "size": 1, "title": "Severity", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "showRefreshButton": true, "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "AlertSeverity", "parameterName": "AlertSeverity", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "AlertSeverity", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "Table", "comparison": "isEqualTo", "value": "SecurityAlert" }, "name": "AlertSeverity", "styleSettings": { "maxWidth": "12%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityAlert\r\n| summarize count() by AlertName\r\n| project-rename Count=count_\r\n| sort by Count desc\r\n| take 1000", "size": 1, "title": "AlertName", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "AlertName", "parameterName": "AlertName", 
"parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "AlertName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "140px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "Table", "comparison": "isEqualTo", "value": "SecurityAlert" }, "name": "AlertName", "styleSettings": { "maxWidth": "18%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityAlert\r\n| summarize count() by Entities\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 2000\r\n", "size": 1, "title": "Entities", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Entities", "parameterName": "Entities", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Entities", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "Table", "comparison": "isEqualTo", "value": "SecurityAlert" }, "name": "Entities", "styleSettings": { "maxWidth": "14%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityAlert\r\n| extend 
Source = iif(ProviderName startswith \"ASI\", replace_string(ProviderName, \"ASI \", \"\"), ProductName)\r\n| summarize count() by Source\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 2000\r\n", "size": 1, "title": "Source", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Source", "parameterName": "Source", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Source", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "Table", "comparison": "isEqualTo", "value": "SecurityAlert" }, "name": "Source", "styleSettings": { "maxWidth": "14%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityAlert\r\n| summarize count() by Tactics\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 2000\r\n", "size": 1, "title": "Tactics", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Tactics", "parameterName": "Tactics", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Tactics", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, 
"numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "Table", "comparison": "isEqualTo", "value": "SecurityAlert" }, "name": "Tactics", "styleSettings": { "maxWidth": "14%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityIncident\r\n| summarize count() by Severity\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 2000\r\n", "size": 1, "title": "Severity", "noDataMessage": "Select one or more vendor source", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Severity", "parameterName": "Severity", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Severity", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "Table", "comparison": "isEqualTo", "value": "SecurityIncident" }, "name": "Severity - Copy", "styleSettings": { "maxWidth": "14%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityIncident\r\n| summarize count() by Title\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 2000\r\n", "size": 1, "title": "Title", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Title", "parameterName": "Title", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", 
"crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Title", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "180px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "Table", "comparison": "isEqualTo", "value": "SecurityIncident" }, "name": "Title", "styleSettings": { "maxWidth": "18%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityIncident\r\n| extend Assigned = tostring(Owner.assignedTo)\r\n| summarize count() by Assigned\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 2000\r\n", "size": 1, "title": "Assigned", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Assigned", "parameterName": "Assigned", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "Assigned", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "Table", "comparison": "isEqualTo", "value": "SecurityIncident" }, "name": "Assigned", "styleSettings": { "maxWidth": "15%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityIncident\r\n| extend AlertCount = 
tostring(AdditionalData.alertsCount)\r\n| summarize count() by AlertCount\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 2000\r\n", "size": 1, "title": "AlertCount", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "AlertCount", "parameterName": "AlertCount", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "AlertCount", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "55px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" } } ], "rowLimit": 5000, "filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "Table", "comparison": "isEqualTo", "value": "SecurityIncident" }, "name": "AlertCount", "styleSettings": { "maxWidth": "12%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "SecurityIncident\r\n| summarize count() by ModifiedBy\r\n| project-rename Count=count_\r\n| sort by Count\r\n| take 2000\r\n", "size": 1, "title": "ModifiedBy", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeRange", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "ModifiedBy", "parameterName": "ModifiedBy", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "ModifiedBy", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 5000, 
"filter": true } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "Table", "comparison": "isEqualTo", "value": "SecurityIncident" }, "name": "ModifiedBy", "styleSettings": { "maxWidth": "14%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let Severity = SecurityIncident | where Severity in (dynamic([{Severity}]));\r\nlet Title = SecurityIncident | where Title in (dynamic([{Title}]));\r\nlet Status = SecurityIncident | where Status in (dynamic([{Status}]));\r\nlet Assigned = SecurityIncident | extend Assigned = Owner.assignedTo | where Assigned in (dynamic([{Assigned}]));\r\nlet AlertCount = SecurityIncident | extend AlertCount = AdditionalData.alertsCount | where AlertCount in (dynamic([{AlertCount}]));\r\nlet ModifiedBy = SecurityIncident | where ModifiedBy in (dynamic([{ModifiedBy}]));\r\nunion isfuzzy=true\r\n(Severity), (Title), (Status), (Assigned), (AlertCount), (ModifiedBy)\r\n| extend Assigned = Owner.assignedTo\r\n| extend AlertCount = AdditionalData.alertsCount\r\n| project TimeGenerated, Severity, Title, Status, Assigned, AlertCount, ModifiedBy, IncidentUrl\r\n| sort by TimeGenerated\r\n| take 2000", "size": 2, "timeContextFromParameter": "TimeSpan", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "TimeGenerated", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Severity", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Title", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "200px" } }, { "columnMatch": "Status", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Assigned", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": 
"AlertCount", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "ModifiedBy", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "IncidentUrl", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "200px" } } ], "rowLimit": 2000, "filter": true } }, "conditionalVisibility": { "parameterName": "Table", "comparison": "isEqualTo", "value": "SecurityIncident" }, "name": "query - 4 - Copy", "styleSettings": { "margin": "2px", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let Status = SecurityAlert | where Status in (dynamic([{Status}]));\r\nlet AlertSeverity = SecurityAlert | where AlertSeverity in (dynamic([{AlertSeverity}]));\r\nlet AlertName = SecurityAlert | where AlertName in (dynamic([{AlertName}]));\r\nlet Entities = SecurityAlert | where Entities in (dynamic([{Entities}]));\r\nlet Tactics = SecurityAlert | where Tactics in (dynamic([{Tactics}]));\r\nlet Source = SecurityAlert | extend Source = iif(ProviderName startswith \"ASI\", replace_string(ProviderName, \"ASI \", \"\"), ProductName)\r\n| where Source in (dynamic([{Source}]));\r\nunion isfuzzy=true\r\n(Status), (AlertSeverity), (AlertName), (Entities), (Tactics), (Source)\r\n| extend Source = iif(ProviderName startswith \"ASI\", replace_string(ProviderName, \"ASI \", \"\"), ProductName)\r\n| project TimeGenerated, Status, AlertSeverity, AlertName, Description, Entities, Source, Tactics\r\n| sort by TimeGenerated\r\n| take 2000", "size": 2, "timeContextFromParameter": "TimeSpan", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "TimeGenerated", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Status", "formatter": 0, "formatOptions": { 
"customColumnWidthSetting": "100px" } }, { "columnMatch": "AlertSeverity", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "AlertName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "275px" } }, { "columnMatch": "Description", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "300px" } }, { "columnMatch": "Entities", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "200px" } }, { "columnMatch": "Source", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Tactics", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } } ], "rowLimit": 2000, "filter": true } }, "conditionalVisibility": { "parameterName": "Table", "comparison": "isEqualTo", "value": "SecurityAlert" }, "name": "query - 4", "styleSettings": { "margin": "2px", "showBorder": true } } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "getTable", "comparison": "isEqualTo", "value": "Alerts" }, "name": "Security Alert Viewer" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Syslog Explorer", "items": [ { "type": 1, "content": { "json": "**Syslog Explorer**. Start by selecting a timespan and one or more device vendor. Each selection is **cumulative**. **Best if you select from 1-2 filter categories at a time.**\r\n\r\nSyslog data can be mainly found in the message body. There is no official formatting, though logs from the same vendor or model often follow a common standard. More granular investigation of Syslog data usually requires vendor-specific parsing. 
", "style": "success" }, "customWidth": "75", "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, "name": "CEF Explorer Instructions" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Syslog\r\n| summarize count() by bin(TimeGenerated, 1h)\r\n| render timechart", "size": 4, "title": "Hourly Events - Time Brush Event Filter", "noDataMessage": "Select a Workspace above to activate", "timeContextFromParameter": "TimeRange", "timeBrushParameterName": "TimeSpan", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "name": "query - 4", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Syslog\r\n| summarize count() by Computer\r\n| project Forwarder = Computer, Count=count_, Computer\r\n| sort by Count desc\r\n", "size": 1, "title": "Forwarder", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Computer", "parameterName": "Computer", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Forwarder", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } }, { "columnMatch": "Computer", "formatter": 5 } ], "rowLimit": 1000, "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true 
}, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "name": "Computer", "styleSettings": { "margin": "1px", "maxWidth": "17%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Syslog\r\n| summarize count() by Facility\r\n| project Facility, Count=count_\r\n| sort by Count desc\r\n", "size": 1, "title": "Facility", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Facility", "parameterName": "Facility", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "Facility", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "80px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 1000, "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "name": "Facility", "styleSettings": { "margin": "1px", "maxWidth": "16%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Syslog\r\n| summarize count() by SeverityLevel\r\n| project SeverityLevel, Count=count_\r\n| sort by Count desc\r\n", "size": 1, "title": "SeverityLevel", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": 
"SeverityLevel", "parameterName": "SeverityLevel", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "SeverityLevel", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "80px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", "useGrouping": true } } } ], "rowLimit": 1000, "filter": true, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "$gen_heatmap_Count_1", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "name": "SeverityLevel", "styleSettings": { "margin": "1px", "maxWidth": "16%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Syslog\r\n| summarize count() by SyslogMessage\r\n| project SyslogMessage, Count=count_\r\n| sort by Count desc\r\n| take 1000", "size": 1, "title": "Message", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeSpan", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "SyslogMessage", "parameterName": "SyslogMessage", "parameterType": 1, "quote": "'" } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "SyslogMessage", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "500px" } }, { "columnMatch": "Count", "formatter": 8, "formatOptions": { "palette": "redDark", "customColumnWidthSetting": "75px" }, "numberFormat": { "unit": 0, "options": { "style": "decimal", 
"useGrouping": true } } } ], "rowLimit": 1000, "filter": true } }, "customWidth": "0", "name": "SyslogMessage", "styleSettings": { "margin": "1px", "maxWidth": "50%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let Computer = Syslog | where Computer in (dynamic([{Computer}]));\r\nlet Facility = Syslog | where Facility in (dynamic([{Facility}]));\r\nlet SeverityLevel = Syslog | where SeverityLevel in (dynamic([{SeverityLevel}]));\r\nlet SyslogMessage = Syslog | where SyslogMessage in (dynamic([{SyslogMessage}]));\r\nunion kind=inner isfuzzy=true\r\n(Computer), (Facility), (SeverityLevel), (SyslogMessage)\r\n| project TimeGenerated, Forwarder=Computer, Facility, SeverityLevel, SyslogMessage\r\n| take 2000", "size": 2, "timeContextFromParameter": "TimeSpan", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "TimeGenerated", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Forwarder", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Facility", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "SeverityLevel", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "SyslogMessage", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "80%" } } ], "rowLimit": 2000, "filter": true } }, "name": "query - 4", "styleSettings": { "margin": "2px", "showBorder": true } } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "getTable", "comparison": "isEqualTo", "value": "Syslog" }, "name": "Syslog Explorer " }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Agent Health", "items": [ { "type": 1, "content": { "json": 
"**Agent Health Viewer**. The following workbook shows agent health for connected Linux and Windows agents. Optional extension to view Defender for Cloud and Defender for Endpoint status. **Time range must exceed the threshold value:** an agent whose last heartbeat falls outside the queried time range produces no row at all, so it is silently missing from the tables rather than shown as offline.\r\n\r\nRequirement: At least one connected agent. Optional MDFC sharing the same workspace. Optional MDE integration. Based on Heartbeat, Update, and DeviceInfo tables.", "style": "success" }, "customWidth": "75", "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, "name": "CEF Explorer Instructions" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "7fbc3819-eeaa-4715-a95a-d0b3fd7e819c", "version": "KqlParameterItem/1.0", "name": "Threshold", "type": 4, "isRequired": true, "value": { "durationMs": 172800000 }, "typeSettings": { "selectableValues": [ { "durationMs": 1800000 }, { "durationMs": 3600000 }, { "durationMs": 14400000 }, { "durationMs": 43200000 }, { "durationMs": 86400000 }, { "durationMs": 172800000 }, { "durationMs": 259200000 }, { "durationMs": 604800000 }, { "durationMs": 1209600000 }, { "durationMs": 2592000000 } ], "allowCustom": true }, "timeContext": { "durationMs": 86400000 } }, { "version": "KqlParameterItem/1.0", "name": "MDFC", "label": "Shared MDFC?", "type": 10, "description": "Do Sentinel and MDFC share the same workspace?", "isRequired": true, "value": "Yes", "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n { \"value\": \"No\", \"label\": \"No\", \"selected\":true }\r\n]", "timeContext": { "durationMs": 86400000 }, "id": "188fb095-c3ff-4b8f-bd2e-80720c13c3a0" }, { "version": "KqlParameterItem/1.0", "name": "MDE", "label": "MDE Integrated?", "type": 10, "description": "Are your MDE logs streamed to Sentinel?", "isRequired": true, "value": "Yes", "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": 
"[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n { \"value\": \"No\", \"label\": \"No\", \"selected\":true }\r\n]", "timeContext": { "durationMs": 86400000 }, "id": "f4ecf1f4-4357-4f53-be2b-fb6563b0f613" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "name": "parameters - 7", "styleSettings": { "maxWidth": "20%" } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "union isfuzzy=true\r\n(SecurityEvent),(DnsEvents),(Event) \r\n| summarize count() by bin(TimeGenerated, 1h), Computer\r\n| render timechart ", "size": 4, "title": "Hourly Events by Agent", "noDataMessage": "Select a Workspace above to activate", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "name": "query - 4", "styleSettings": { "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let MDFC = Update\r\n| extend ResourceId = iif(isempty(ResourceId), Computer, ResourceId)\r\n| summarize arg_max(TimeGenerated, *) by Computer\r\n| extend MDFC = iif(TimeGenerated < ago({Threshold:grain}),\"⚫\",\"🟢\")\r\n| project MDFC, Agent=ResourceId, LastSeen=TimeGenerated, Computer=tolower(Computer), Type;\r\nlet Sentinel = Heartbeat\r\n| extend ResourceId = iif(isempty(ResourceId), Computer, ResourceId)\r\n| extend Type = iif(Category == \"Direct Agent\", \"Extension\", \"MMA Direct\")\r\n| summarize arg_max(TimeGenerated, *) by ResourceId\r\n| extend UP = iif(TimeGenerated < ago({Threshold:grain}),\"⚫\",\"🟢\")\r\n| project UP, Agent=ResourceId, LastSeen=TimeGenerated, Computer=tolower(Computer), Type;\r\nSentinel\r\n| join kind=leftouter MDFC on Computer\r\n| project LastSeen, UP, Agent, Type, MDFC, Computer\r\n| sort by LastSeen", "size": 1, "title": "Sentinel Agent Health", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeRange", 
"exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Computer", "parameterName": "Computer", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "LastSeen", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" } }, { "columnMatch": "UP", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "60px" } }, { "columnMatch": "Agent", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" } }, { "columnMatch": "Type", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "MDFC", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "MDE", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true, "sortBy": [ { "itemKey": "LastSeen", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "LastSeen", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "MDFC", "comparison": "isEqualTo", "value": "Yes" }, { "parameterName": "MDE", "comparison": "isEqualTo", "value": "No" } ], "name": "Only MDFC", "styleSettings": { "margin": "1px", "maxWidth": "53%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Heartbeat\r\n| extend ResourceId = iif(isempty(ResourceId), Computer, ResourceId)\r\n| extend Type = iif(Category == \"Direct Agent\", \"Extension\", \"MMA Direct\")\r\n| summarize arg_max(TimeGenerated, *) by ResourceId\r\n| extend UP = iif(TimeGenerated < ago({Threshold:grain}),\"⚫\",\"🟢\")\r\n| project LastSeen=TimeGenerated, UP, Agent=ResourceId, Type, Computer=tolower(Computer)\r\n| 
sort by LastSeen", "size": 1, "title": "Sentinel Agent Health", "noDataMessage": "Select one or more vendor source", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Computer", "parameterName": "Computer", "parameterType": 1 }, { "fieldName": "MDFC", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "LastSeen", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" } }, { "columnMatch": "UP", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "60px" } }, { "columnMatch": "Agent", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" } }, { "columnMatch": "Type", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Computer", "formatter": 5 }, { "columnMatch": "MDFC", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "MDE", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true, "sortBy": [ { "itemKey": "LastSeen", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "LastSeen", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "MDE", "comparison": "isEqualTo", "value": "No" }, { "parameterName": "MDFC", "comparison": "isEqualTo", "value": "No" } ], "name": "Only Sentinel", "styleSettings": { "margin": "1px", "maxWidth": "53%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let MDE = DeviceInfo\r\n| summarize arg_max(TimeGenerated, *) by DeviceName\r\n| extend MDE = iif(TimeGenerated < ago({Threshold:grain}),\"⚫\",\"🟢\")\r\n| project MDE, 
Computer=tolower(DeviceName), LastSeen=TimeGenerated;\r\nlet Sentinel = Heartbeat\r\n| extend ResourceId = iif(isempty(ResourceId), Computer, ResourceId)\r\n| extend Type = iif(Category == \"Direct Agent\", \"Extension\", \"MMA Direct\")\r\n| summarize arg_max(TimeGenerated, *) by ResourceId\r\n| extend UP = iif(TimeGenerated < ago({Threshold:grain}),\"⚫\",\"🟢\")\r\n| project UP, Agent=ResourceId, LastSeen=TimeGenerated, Computer=tolower(Computer), Type;\r\nSentinel\r\n| join kind=leftouter MDE on Computer\r\n| project LastSeen, UP, Agent, Type, MDE, Computer\r\n| sort by LastSeen", "size": 1, "title": "Sentinel Agent Health", "noDataMessage": "Select one or more vendor source", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Computer", "parameterName": "Computer", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "LastSeen", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" } }, { "columnMatch": "UP", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "60px" } }, { "columnMatch": "Agent", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" } }, { "columnMatch": "Type", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "MDFC", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "MDE", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true, "sortBy": [ { "itemKey": "LastSeen", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "LastSeen", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "conditionalVisibilities": [ { 
"parameterName": "MDFC", "comparison": "isEqualTo", "value": "No" }, { "parameterName": "MDE", "comparison": "isEqualTo", "value": "Yes" } ], "name": "No MDFC", "styleSettings": { "margin": "1px", "maxWidth": "53%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let MDFC = Update\r\n| extend ResourceId = iif(isempty(ResourceId), Computer, ResourceId)\r\n| summarize arg_max(TimeGenerated, *) by Computer\r\n| extend MDFC = iif(TimeGenerated < ago({Threshold:grain}),\"⚫\",\"🟢\")\r\n| project MDFC, Agent=ResourceId, LastSeen=TimeGenerated, Computer=tolower(Computer), Type;\r\nlet MDE = DeviceInfo\r\n| summarize arg_max(TimeGenerated, *) by DeviceName\r\n| extend MDE = iif(TimeGenerated < ago({Threshold:grain}),\"⚫\",\"🟢\")\r\n| project MDE, Computer=tolower(DeviceName), LastSeen=TimeGenerated;\r\nlet J1 =MDFC\r\n| join kind=leftouter MDE on Computer;\r\nlet Sentinel = Heartbeat\r\n| extend ResourceId = iif(isempty(ResourceId), Computer, ResourceId)\r\n| extend Type = iif(Category == \"Direct Agent\", \"Extension\", \"MMA Direct\")\r\n| summarize arg_max(TimeGenerated, *) by ResourceId\r\n| extend UP = iif(TimeGenerated < ago({Threshold:grain}),\"⚫\",\"🟢\")\r\n| project UP, Agent=ResourceId, LastSeen=TimeGenerated, Computer=tolower(Computer), Type;\r\nSentinel\r\n| join kind=leftouter J1 on Computer\r\n| project LastSeen, UP, Agent, Type, MDFC, MDE, Computer\r\n| sort by LastSeen", "size": 1, "title": "Sentinel Agent Health", "noDataMessage": "Select one or more vendor source", "exportMultipleValues": true, "exportedParameters": [ { "fieldName": "Computer", "parameterName": "Computer", "parameterType": 1 } ], "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "LastSeen", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" } }, { "columnMatch": "UP", "formatter": 0, 
"formatOptions": { "customColumnWidthSetting": "60px" } }, { "columnMatch": "Agent", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "150px" } }, { "columnMatch": "Type", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "MDFC", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": "MDE", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } } ], "rowLimit": 1000, "filter": true, "sortBy": [ { "itemKey": "LastSeen", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "LastSeen", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "conditionalVisibilities": [ { "parameterName": "MDE", "comparison": "isEqualTo", "value": "Yes" }, { "parameterName": "MDFC", "comparison": "isEqualTo", "value": "Yes" } ], "name": "ALL", "styleSettings": { "margin": "1px", "maxWidth": "53%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Update\r\n| extend ResourceId = iif(isempty(ResourceId), Computer, ResourceId)\r\n| summarize arg_max(TimeGenerated, *) by ResourceId\r\n| extend MDFC = iif(TimeGenerated < ago({Threshold:grain}),\"⚫\",\"🟢\")\r\n| project LastSeen=TimeGenerated, MDFC, Agent=ResourceId, OS = iif(OSType == \"Linux\", \"Linux\", \"Windows\")\r\n| sort by LastSeen\r\n", "size": 1, "title": "MDFC Agent Details", "noDataMessage": "Select one or more vendor source", "timeContextFromParameter": "TimeRange", "exportFieldName": "Facility", "exportParameterName": "Facility", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "LastSeen", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } }, { "columnMatch": 
"MDFC", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "65px" } }, { "columnMatch": "Agent", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "OS", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "75px" } } ], "rowLimit": 5000, "filter": true, "sortBy": [ { "itemKey": "LastSeen", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "LastSeen", "sortOrder": 2 } ], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "MDFC", "comparison": "isEqualTo", "value": "Yes" }, "name": "MDFC", "styleSettings": { "margin": "1px", "maxWidth": "25%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "DeviceInfo\r\n| summarize arg_max(TimeGenerated, *) by DeviceName\r\n| project LastSeen=TimeGenerated, DeviceName, MachineGroup\r\n| where LastSeen < ago({Threshold:grain})\r\n| sort by LastSeen\r\n", "size": 1, "title": "MDE Devices Offline", "noDataMessage": "Select one or more vendor source", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "LastSeen", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "DeviceName", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "MachineGroup", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } } ], "rowLimit": 5000, "filter": true }, "sortBy": [], "tileSettings": { "titleContent": { "columnMatch": "ColumnName", "formatter": 1 }, "showBorder": true }, "graphSettings": { "type": 0 }, "mapSettings": { "locInfo": "LatLong" } }, "customWidth": "0", "conditionalVisibility": { "parameterName": "MDE", 
"comparison": "isEqualTo", "value": "Yes" }, "name": "MDE Offline", "styleSettings": { "margin": "1px", "maxWidth": "22%", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Heartbeat\r\n| where tolower(Computer) in (dynamic([{Computer}]))\r\n| summarize count() by bin(TimeGenerated, 1h), Computer", "size": 4, "noDataMessage": "Select an agent above", "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "timechart" }, "name": "query - 7" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "Heartbeat\r\n| where tolower(Computer) in (dynamic([{Computer}]))\r\n| extend ResourceId = iif(isempty(ResourceId), Computer, ResourceId)\r\n| project TimeGenerated, _ResourceId, ComputerIP, OSType, Version, ResourceGroup", "size": 0, "title": "Heartbeat Table", "timeContextFromParameter": "TimeRange", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "table", "gridSettings": { "formatters": [ { "columnMatch": "TimeGenerated", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "_ResourceId", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "ComputerIP", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "OSType", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Version", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "ResourceGroup", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } } ], "rowLimit": 2000, "filter": true } }, "customWidth": "50", "name": "query - 4", "styleSettings": { "maxWidth": "48%", "showBorder": true } }, { 
"type": 3, "content": { "version": "KqlItem/1.0", "query": "Heartbeat\r\n| extend ResourceId = iif(isempty(ResourceId), Computer, ResourceId)\r\n| extend Type = iif(Category == \"Direct Agent\", \"Extension\", \"MMA Direct\")\r\n| summarize arg_max(TimeGenerated, *) by ResourceId\r\n| where TimeGenerated > ago({Threshold:grain})\r\n| project RemoteIPLatitude, RemoteIPLongitude, RemoteIPCountry", "size": 0, "title": "Agent Map", "timeContextFromParameter": "TimeRange", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "visualization": "map", "gridSettings": { "formatters": [ { "columnMatch": "TimeGenerated", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "_ResourceId", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "ComputerIP", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "OSType", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Version", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "ResourceGroup", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } } ], "rowLimit": 2000, "filter": true }, "mapSettings": { "locInfo": "LatLong", "latitude": "RemoteIPLatitude", "longitude": "RemoteIPLongitude", "sizeSettings": "RemoteIPLatitude", "sizeAggregation": "Sum", "labelSettings": "RemoteIPCountry", "legendMetric": "RemoteIPLatitude", "legendAggregation": "Count", "itemColorSettings": { "nodeColorField": "RemoteIPLatitude", "colorAggregation": "Sum", "type": "heatmap", "heatmapPalette": "greenRed" } } }, "customWidth": "50", "name": "query - 4 - Copy", "styleSettings": { "maxWidth": "48%", "showBorder": true } } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "getTable", 
"comparison": "isEqualTo", "value": "Agents" }, "name": "Agent Health" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Security Audit", "items": [ { "type": 1, "content": { "json": "The **Security Audit Assessment** attempts to verify your Windows Security Audit Policy based on the event IDs collected. Windows Security Events are primarily the result of audit policy. This workbook can help to identify noisy policy configurations and potential audit gaps. [Windows Audit Policy Documentation](https://docs.microsoft.com/windows/security/threat-protection/auditing/security-auditing-overview)\r\n\r\n**Active Audit Policies** compares collected events with known audit policies. Review this to help identify unwanted policy-based event creation or collection.\r\n\r\n**Inactive Audit Policies** shows policies that have no matching events. Either these policies are disabled or the related activity is infrequent. Note that any alert rules based on these events would be ineffective if the underlying policy is disabled.", "style": "success" }, "customWidth": "75", "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "Yes" }, "name": "CEF Explorer Instructions" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let AuditRef = datatable (EventID:int,Severity:string,PolicyLevel:string,Impact:string,Default:string,Policy:string,Description:string,Group:string)\r\n[\r\n1,\"\",\"Sysmon\",\"\",\"\",\"Process Created\",\"The process creation event provides extended information about a newly created process.\",\"Common\",\r\n2,\"\",\"Sysmon\",\"\",\"\",\"Process Changed\",\"A process changed a file creation time\",\"Full\",\r\n3,\"\",\"Sysmon\",\"\",\"\",\"Network Connection\",\"Network connection. It is disabled by default. 
Each connection is linked to a process.\",\"Full\",\r\n4,\"\",\"Sysmon\",\"\",\"\",\"Sysmon Service\",\"Sysmon service state changed (started or stopped).\",\"Full\",\r\n5,\"\",\"Sysmon\",\"\",\"\",\"Process Terminated\",\"Process terminated\",\"Full\",\r\n6,\"\",\"Sysmon\",\"\",\"\",\"Driver Loaded\",\"Driver loaded\",\"Full\",\r\n7,\"\",\"Sysmon\",\"\",\"\",\"Image loaded\",\"Image loaded. This event is disabled by default and needs to be configured with the -l option.\",\"Full\",\r\n8,\"\",\"Sysmon\",\"\",\"\",\"Createremotethread\",\"CreateRemoteThread. Process creates a thread in another process. This technique is used by malware to inject code and hide in other processes.\",\"Full\",\r\n9,\"\",\"Sysmon\",\"\",\"\",\"Rawaccessread\",\"RawAccessRead. Process conducts reading operations from the drive using relative path denotation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools.\",\"Full\",\r\n10,\"\",\"Sysmon\",\"\",\"\",\"Process Access\",\"ProcessAccess. Reports when a process opens another process, an operation that’s often followed by information queries or reading and writing the address space of the target process. This enables detection of hacking tools that read the memory contents of processes.\",\"Full\",\r\n11,\"\",\"Sysmon\",\"\",\"\",\"Filecreate\",\"FileCreate. Logged when a file is created or overwritten. 
This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.\",\"Full\",\r\n12,\"\",\"Sysmon\",\"\",\"\",\"Registry Change\",\"RegistryEvent (Object create and delete)\",\"Full\",\r\n13,\"\",\"Sysmon\",\"\",\"\",\"Registry Change\",\"RegistryEvent (Value Set or Modification)\",\"Full\",\r\n14,\"\",\"Sysmon\",\"\",\"\",\"Registry Change\",\"RegistryEvent (Key and Value Rename)\",\"Full\",\r\n15,\"\",\"Sysmon\",\"\",\"\",\"File Change\",\"FileCreateStreamHash. File stream is created.\",\"Full\",\r\n16,\"\",\"Sysmon\",\"\",\"\",\"Sysmon Change\",\"ServiceConfigurationChange (Sysmon configuration change)\",\"Full\",\r\n17,\"\",\"Sysmon\",\"\",\"\",\"Pipe Change\",\"PipeEvent (Pipe Created)\",\"Full\",\r\n18,\"\",\"Sysmon\",\"\",\"\",\"Pipe Change\",\"PipeEvent (Pipe Connected) Named pipe connection is made between a client and a server.\",\"Full\",\r\n19,\"\",\"Sysmon\",\"\",\"\",\"WMI\",\"WmiEvent (WmiEventFilter activity detected) When a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression.\",\"Full\",\r\n20,\"\",\"Sysmon\",\"\",\"\",\"WMI\",\"WmiEvent (WmiEventConsumer activity detected)\",\"Full\",\r\n21,\"\",\"Sysmon\",\"\",\"\",\"WMI\",\"WmiEvent (WmiEventConsumerToFilter activity detected)\",\"Full\",\r\n22,\"\",\"Sysmon\",\"\",\"\",\"DNS\",\"DNSEvent (DNS query)\",\"Full\",\r\n23,\"\",\"Sysmon\",\"\",\"\",\"File Delete\",\"FileDelete (A file delete was detected)\",\"Full\",\r\n24,\"\",\"Sysmon\",\"\",\"\",\"Clipboard\",\"ClipboardChange (New content in the clipboard)\",\"Full\",\r\n25,\"\",\"Sysmon\",\"\",\"\",\"Process Tamper\",\"ProcessTampering (Process image change)\",\"Full\",\r\n255,\"\",\"Sysmon\",\"\",\"\",\"Error\",\"Error. 
This event is generated when an error occurred within Sysmon.\",\"Full\",\r\n299,\"\",\"Unknown\",\"\",\"Unknown\",\"Unknown\",\"Unknown\",\"Common\",\r\n300,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n324,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n340,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n403,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n404,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n410,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n411,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n412,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n413,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n431,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n500,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n501,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n512,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"Windows is starting up.\",\"Full\",\r\n513,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"Windows is shutting down.\",\"Full\",\r\n514,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"An authentication package was loaded by the Local Security Authority.\",\"Full\",\r\n515,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"A trusted logon process has registered with the Local Security Authority.\",\"Full\",\r\n516,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.\",\"Full\",\r\n517,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"The audit log was 
cleared.\",\"Full\",\r\n518,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"A notification package was loaded by the Security Accounts Manager.\",\"Full\",\r\n519,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.\",\"Full\",\r\n520,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"The system time was changed. (Normally appears twice)\",\"Full\",\r\n528,\"\",\"Basic\",\"\",\"\",\"Account Logon\",\"Successful Logon - the logon type is also listed in the event log\",\"Full\",\r\n560,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Access was granted to an already existing object.\",\"Full\",\r\n562,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"A handle to an object was closed.\",\"Full\",\r\n563,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"An attempt was made to open an object with the intent to delete it.\",\"Full\",\r\n564,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"A protected object was deleted.\",\"Full\",\r\n565,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Access was granted to an already existing object type.\",\"Full\",\r\n566,\"\",\"Basic\",\"\",\"Success on DCs\",\"Directory Services\",\"A generic object operation took place.\",\"Full\",\r\n567,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"A permission associated with a handle was used.\",\"Full\",\r\n568,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"An attempt was made to create a hard link to a file that is being audited.\",\"Full\",\r\n569,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"The resource manager in Authorization Manager attempted to create a client context.\",\"Full\",\r\n570,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"A client attempted to access an object.\",\"Full\",\r\n571,\"\",\"Basic\",\"\",\"No 
auditing\",\"Object Access\",\"The client context was deleted by the Authorization Manager application.\",\"Full\",\r\n572,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"The administrator manager initialized the application.\",\"Full\",\r\n576,\"\",\"Basic\",\"\",\"No auditing\",\"Privilege Use\",\"Specified privileges were added to a user's access token. (every logon)\",\"Full\",\r\n577,\"\",\"Basic\",\"\",\"No auditing\",\"Privilege Use\",\"A user attempted to perform a privileged system service operation.\",\"Full\",\r\n578,\"\",\"Basic\",\"\",\"No auditing\",\"Privilege Use\",\"Privileges were used on an already open handle to a protected object.\",\"Full\",\r\n592,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"A new process was created.\",\"Full\",\r\n593,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"A process exited.\",\"Full\",\r\n594,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"A handle to an object was duplicated.\",\"Full\",\r\n595,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"Indirect access to an object was obtained.\",\"Full\",\r\n596,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"A data protection master key was backed up.\",\"Full\",\r\n597,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"A data protection master key was recovered from a recovery server.\",\"Full\",\r\n598,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"Auditable data was protected.\",\"Full\",\r\n599,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"Auditable data was unprotected.\",\"Full\",\r\n600,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"A process was assigned a primary token.\",\"Full\",\r\n601,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"A user attempted to install a service.\",\"Full\",\r\n602,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"A scheduler job was created.\",\"Full\",\r\n608,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy 
Change\",\"A user right was assigned.\",\"Full\",\r\n609,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"A user right was removed.\",\"Full\",\r\n610,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"A trust relationship with another domain was created.\",\"Full\",\r\n611,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"A trust relationship with another domain was removed.\",\"Full\",\r\n612,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"An audit policy was changed.\",\"Full\",\r\n613,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"An Internet Protocol security (IPSec) policy agent started.\",\"Full\",\r\n614,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"An IPSec policy agent was disabled.\",\"Full\",\r\n615,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"An IPSec policy agent changed.\",\"Full\",\r\n616,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"An IPSec policy agent encountered a potentially serious failure.\",\"Full\",\r\n617,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"A Kerberos policy changed.\",\"Full\",\r\n618,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"Encrypted Data Recovery policy changed.\",\"Full\",\r\n620,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"A trust relationship with another domain was modified.\",\"Full\",\r\n621,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"System access was granted to an account.\",\"Full\",\r\n622,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"System access was removed from an account.\",\"Full\",\r\n623,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"Per user auditing policy was set for a user.\",\"Full\",\r\n624,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A user account was created.\",\"Full\",\r\n625,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"Per user audit policy was 
refreshed.\",\"Full\",\r\n627,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A user password was changed.\",\"Full\",\r\n628,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A user password was set.\",\"Full\",\r\n630,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A user account was deleted.\",\"Full\",\r\n631,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A global group was created.\",\"Full\",\r\n632,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was added to a global group.\",\"Full\",\r\n633,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was removed from a global group.\",\"Full\",\r\n634,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A global group was deleted.\",\"Full\",\r\n635,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A new local group was created.\",\"Full\",\r\n636,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was added to a local group.\",\"Full\",\r\n637,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was removed from a local group.\",\"Full\",\r\n638,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A local group was deleted.\",\"Full\",\r\n639,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A local group account was changed.\",\"Full\",\r\n641,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A global group account was changed.\",\"Full\",\r\n642,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A user account was changed.\",\"Full\",\r\n643,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A domain policy was modified.\",\"Full\",\r\n644,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A user account was auto locked.\",\"Full\",\r\n645,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A computer account was 
created.\",\"Full\",\r\n645,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-disabled global group was changed.\",\"Full\",\r\n646,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A computer account was changed.\",\"Full\",\r\n647,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A computer account was deleted.\",\"Full\",\r\n648,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A local security group with security disabled was created.\",\"Full\",\r\n649,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A local security group with security disabled was changed.\",\"Full\",\r\n650,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was added to a security-disabled local security group.\",\"Full\",\r\n651,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was removed from a security-disabled local security group.\",\"Full\",\r\n652,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-disabled local group was deleted.\",\"Full\",\r\n653,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-disabled global group was created.\",\"Full\",\r\n655,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was added to a security-disabled global group.\",\"Full\",\r\n656,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was removed from a security-disabled global group.\",\"Full\",\r\n657,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-disabled global group was deleted.\",\"Full\",\r\n658,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-enabled universal group was created.\",\"Full\",\r\n659,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-enabled universal group was changed.\",\"Full\",\r\n660,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was added to a 
security-enabled universal group.\",\"Full\",\r\n661,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was removed from a security-enabled universal group.\",\"Full\",\r\n662,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-enabled universal group was deleted.\",\"Full\",\r\n663,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-disabled universal group was created.\",\"Full\",\r\n664,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-disabled universal group was changed.\",\"Full\",\r\n665,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was added to a security-disabled universal group.\",\"Full\",\r\n666,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was removed from a security-disabled universal group.\",\"Full\",\r\n667,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-disabled universal group was deleted.\",\"Full\",\r\n668,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A group type was changed.\",\"Full\",\r\n672,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"An authentication service (AS) ticket was successfully issued and validated.\",\"Full\",\r\n673,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"A ticket granting service (TGS) ticket was granted.\",\"Full\",\r\n674,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"A security principal renewed an AS ticket or TGS ticket.\",\"Full\",\r\n675,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.\",\"Full\",\r\n676,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"Authentication ticket request failed. This event is not generated in Windows XP or in the Windows Server 2003 family.\",\"Full\",\r\n677,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"A TGS ticket was not granted. 
This event is not generated in Windows XP or in the Windows Server 2003 family.\",\"Full\",\r\n678,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"An account was successfully mapped to a domain account.\",\"Full\",\r\n681,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"Logon failure. A domain account logon was attempted. This event is not generated in Windows XP or in the Windows Server 2003 family.\",\"Full\",\r\n682,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"A user has reconnected to a disconnected terminal server session.\",\"Full\",\r\n683,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"A user disconnected a terminal server session without logging off.\",\"Full\",\r\n684,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"Set the security descriptor of members of administrative groups.\",\"Full\",\r\n685,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"Set the security descriptor of members of administrative groups. (Recorded every 60 sec on DCs)\",\"Full\",\r\n768,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"A collision was detected between a namespace element in one forest and a namespace element in another forest.\",\"Full\",\r\n769,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"Trusted forest information was added.\",\"Full\",\r\n770,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"Trusted forest information was deleted.\",\"Full\",\r\n771,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"Trusted forest information was modified.\",\"Full\",\r\n772,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"The certificate manager denied a pending certificate request.\",\"Full\",\r\n773,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services received a resubmitted certificate request.\",\"Full\",\r\n774,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services revoked a certificate.\",\"Full\",\r\n775,\"\",\"Basic\",\"\",\"No 
auditing\",\"Object Access\",\"Certificate Services received a request to publish the certificate revocation list (CRL).\",\"Full\",\r\n776,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services published the certificate revocation list (CRL).\",\"Full\",\r\n777,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"A certificate request extension was made.\",\"Full\",\r\n778,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"One or more certificate request attributes changed.\",\"Full\",\r\n779,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services received a request to shutdown.\",\"Full\",\r\n780,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services backup started.\",\"Full\",\r\n781,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services backup completed\",\"Full\",\r\n782,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services restore started.\",\"Full\",\r\n783,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services restore completed.\",\"Full\",\r\n784,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services started.\",\"Full\",\r\n785,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services stopped.\",\"Full\",\r\n786,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"The security permissions for Certificate Services changed.\",\"Full\",\r\n787,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services retrieved an archived key.\",\"Full\",\r\n788,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services imported a certificate into its database.\",\"Full\",\r\n789,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"The audit filter for Certificate Services changed.\",\"Full\",\r\n790,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services received a certificate request.\",\"Full\",\r\n791,\"\",\"Basic\",\"\",\"No 
auditing\",\"Object Access\",\"Certificate Services approved a certificate request and issued a certificate.\",\"Full\",\r\n792,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services denied a certificate request.\",\"Full\",\r\n793,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services set the status of a certificate request to pending.\",\"Full\",\r\n794,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"The certificate manager settings for Certificate Services changed.\",\"Full\",\r\n795,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"A configuration entry changed in Certificate Services.\",\"Full\",\r\n796,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"A property of Certificate Services changed.\",\"Full\",\r\n797,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services archived a key.\",\"Full\",\r\n798,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services imported and archived a key.\",\"Full\",\r\n799,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services published the CA certificate to Active Directory.\",\"Full\",\r\n800,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"One or more rows have been deleted from the certificate database.\",\"Full\",\r\n801,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Role separation enabled.\",\"Full\",\r\n805,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"The event log service read the security log configuration for a session.\",\"Full\",\r\n1100,\"\",\"Advanced\",\"Success\",\"\",\"Other Events\",\"The event logging service has shut down.\",\"Common\",\r\n1101,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"Audit events have been dropped by the transport.\",\"Full\",\r\n1102,\"\",\"Advanced\",\"Success\",\"\",\"Other Events\",\"The audit log was cleared.\",\"Minimal\",\r\n1104,\"\",\"Advanced\",\"Success\",\"\",\"Other Events\",\"The security log is now 
full.\",\"Full\",\r\n1105,\"\",\"Advanced\",\"Success\",\"\",\"Other Events\",\"Event log automatic backup.\",\"Full\",\r\n1107,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"Unknown\",\"Common\",\r\n1108,\"\",\"Advanced\",\"Success\",\"\",\"Other Events\",\"The event logging service encountered an error while processing an incoming event published from %1\",\"Common\",\r\n2825,\"\",\"\",\"Success\",\"\",\"Unknown\",\"A user was denied the access to Remote Desktop.\",\"Minimal\",\r\n4608,\"\",\"Advanced\",\"Success\",\"\",\"Security State Change\",\"Windows is starting up.\",\"Common\",\r\n4609,\"\",\"Advanced\",\"Success\",\"\",\"Security State Change\",\"Windows is shutting down\",\"Full\",\r\n4610,\"\",\"Advanced\",\"Success\",\"\",\"Security System Extension\",\"An authentication package has been loaded by the Local Security Authority.\",\"Common\",\r\n4611,\"\",\"Advanced\",\"Success\",\"\",\"Security System Extension\",\"A trusted logon process has been registered with the Local Security Authority.\",\"Common\",\r\n4612,\"\",\"Advanced\",\"Success\",\"\",\"System Integrity\",\"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.\",\"Full\",\r\n4614,\"\",\"Advanced\",\"Success\",\"\",\"Security System Extension\",\"A notification package has been loaded by the Security Account Manager.\",\"Common\",\r\n4615,\"\",\"Advanced\",\"Success\",\"\",\"System Integrity\",\"Invalid use of LPC port.\",\"Full\",\r\n4616,\"\",\"Advanced\",\"Success\",\"\",\"Security State Change\",\"The system time was changed.\",\"Full\",\r\n4618,\"\",\"Advanced\",\"Success\",\"\",\"System Integrity\",\"A monitored security event pattern has occurred.\",\"Full\",\r\n4621,\"\",\"Advanced\",\"Success\",\"\",\"Security State Change\",\"Administrator recovered system from CrashOnAuditFail.\",\"Full\",\r\n4622,\"\",\"Advanced\",\"Success\",\"\",\"Security System Extension\",\"A security package has been loaded by the Local 
Security Authority.\",\"Common\",\r\n4624,\"\",\"Basic\",\"\",\"\",\"Account Logon\",\"A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.\",\"Minimal\",\r\n4624,\"\",\"Advanced\",\"Success\",\"\",\"Logon\",\"An account was successfully logged on.\",\"Minimal\",\r\n4625,\"\",\"Basic\",\"\",\"\",\"Account Logon\",\"Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.\",\"Minimal\",\r\n4625,\"\",\"Advanced\",\"Fail\",\"\",\"Logon\",\"An account failed to log on.\",\"Minimal\",\r\n4626,\"\",\"Advanced\",\"Success\",\"\",\"User/Device Claims\",\"User/Device claims information.\",\"Full\",\r\n4627,\"\",\"Advanced\",\"Success\",\"\",\"Group Membership\",\"Group membership information\",\"Full\",\r\n4634,\"\",\"Basic\",\"\",\"\",\"Account Logon\",\"The logoff process was completed for a user.\",\"Common\",\r\n4634,\"\",\"Advanced\",\"Success\",\"\",\"Logoff\",\"An account was logged off.\",\"Common\",\r\n4646,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"0.01\",\"Full\",\r\n4647,\"\",\"Basic\",\"\",\"\",\"Account Logon\",\"A user initiated the logoff process.\",\"Common\",\r\n4647,\"\",\"Advanced\",\"Success\",\"\",\"Logoff\",\"User initiated logoff.\",\"Common\",\r\n4648,\"\",\"Basic\",\"\",\"\",\"Account Logon\",\"A user successfully logged on to a computer using explicit credentials while already logged on as a different user.\",\"Common\",\r\n4648,\"\",\"Advanced\",\"Success\",\"\",\"Logon\",\"A logon was attempted using explicit credentials.\",\"Common\",\r\n4649,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"A replay attack was detected.\",\"Common\",\r\n4650,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec Main Mode security association was established. Extended Mode was not enabled. 
Certificate authentication was not used.\",\"Full\",\r\n4651,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.\",\"Full\",\r\n4652,\"\",\"Advanced\",\"Fail\",\"\",\"IPSec\",\"An IPsec Main Mode negotiation failed.\",\"Full\",\r\n4653,\"\",\"Advanced\",\"Fail\",\"\",\"IPSec\",\"An IPsec Main Mode negotiation failed.\",\"Full\",\r\n4654,\"\",\"Advanced\",\"Fail\",\"\",\"IPSec\",\"An IPsec Quick Mode negotiation failed\",\"Full\",\r\n4655,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec Main Mode security association ended.\",\"Full\",\r\n4656,\"\",\"Advanced\",\"Either\",\"\",\"File System\",\"A handle to an object was requested.\",\"Full\",\r\n4656,\"\",\"Advanced\",\"Either\",\"\",\"Kernel Object\",\"A handle to an object was requested.\",\"Full\",\r\n4656,\"\",\"Advanced\",\"Either\",\"\",\"Registry\",\"A handle to an object was requested.\",\"Full\",\r\n4656,\"\",\"Advanced\",\"Either\",\"\",\"Removable Storage\",\"A handle to an object was requested.\",\"Full\",\r\n4657,\"\",\"Advanced\",\"Success\",\"\",\"Registry\",\"A registry value was modified.\",\"Minimal\",\r\n4658,\"\",\"Advanced\",\"Success\",\"\",\"File System\",\"The handle to an object was closed.\",\"Full\",\r\n4658,\"\",\"Advanced\",\"Success\",\"\",\"Handle Manipulation\",\"The handle to an object was closed.\",\"Full\",\r\n4658,\"\",\"Advanced\",\"Success\",\"\",\"Handle Manipulation\",\"The handle to an object was closed. 
For a description of the event, see 4658(S)\",\"Full\",\r\n4658,\"\",\"Advanced\",\"Success\",\"\",\"Kernel Object\",\"The handle to an object was closed.\",\"Full\",\r\n4658,\"\",\"Advanced\",\"Success\",\"\",\"Registry\",\"The handle to an object was closed.\",\"Full\",\r\n4658,\"\",\"Advanced\",\"Success\",\"\",\"Removable Storage\",\"The handle to an object was closed.\",\"Full\",\r\n4659,\"\",\"Advanced\",\"Success\",\"\",\"File System\",\"A handle to an object was requested with intent to delete\",\"Full\",\r\n4660,\"\",\"Advanced\",\"Success\",\"\",\"File System\",\"An object was deleted.\",\"Full\",\r\n4660,\"\",\"Advanced\",\"Success\",\"\",\"Kernel Object\",\"An object was deleted.\",\"Full\",\r\n4660,\"\",\"Advanced\",\"Success\",\"\",\"Registry\",\"An object was deleted.\",\"Full\",\r\n4661,\"\",\"Advanced\",\"Either\",\"\",\"Directory Service Access\",\"A handle to an object was requested.\",\"Common\",\r\n4661,\"\",\"Advanced\",\"Either\",\"\",\"SAM\",\"A handle to an object was requested.\",\"Common\",\r\n4662,\"\",\"Advanced\",\"Either\",\"\",\"Directory Service Access\",\"An operation was performed on an object.\",\"Common\",\r\n4663,\"\",\"Advanced\",\"Success\",\"\",\"File System\",\"An attempt was made to access an object.\",\"Minimal\",\r\n4663,\"\",\"Advanced\",\"Success\",\"\",\"Kernel Object\",\"An attempt was made to access an object.\",\"Minimal\",\r\n4663,\"\",\"Advanced\",\"Success\",\"\",\"Registry\",\"An attempt was made to access an object.\",\"Minimal\",\r\n4663,\"\",\"Advanced\",\"Success\",\"\",\"Removable Storage\",\"An attempt was made to access an object.\",\"Minimal\",\r\n4664,\"\",\"Advanced\",\"Success\",\"\",\"File System\",\"An attempt was made to create a hard link.\",\"Full\",\r\n4665,\"\",\"Advanced\",\"\",\"\",\"Application Generated\",\"An attempt was made to create an application client context.\",\"Common\",\r\n4666,\"\",\"Advanced\",\"\",\"\",\"Application Generated\",\"An application attempted an 
operation.\",\"Common\",\r\n4667,\"\",\"Advanced\",\"\",\"\",\"Application Generated\",\"An application client context was deleted.\",\"Common\",\r\n4668,\"\",\"Advanced\",\"\",\"\",\"Application Generated\",\"An application was initialized.\",\"Full\",\r\n4670,\"\",\"Advanced\",\"Success\",\"\",\"File System\",\"Permissions on an object were changed.\",\"Common\",\r\n4670,\"\",\"Advanced\",\"Success\",\"\",\"Registry\",\"Permissions on an object were changed.\",\"Common\",\r\n4670,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"Permissions on an object were changed\",\"Common\",\r\n4670,\"\",\"Advanced\",\"Success\",\"\",\"Authorization Policy\",\"Permissions on an object were changed.\",\"Common\",\r\n4671,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"An application attempted to access a blocked ordinal through the TBS.\",\"Full\",\r\n4672,\"\",\"Advanced\",\"Success\",\"\",\"Special Logon\",\"Special privileges assigned to new logon.\",\"Common\",\r\n4673,\"\",\"Advanced\",\"Either\",\"\",\"Sensitive Privilege Use\",\"A privileged service was called.\",\"Common\",\r\n4673,\"\",\"Advanced\",\"Either\",\"\",\"Non-Sensitive Privilege Use\",\"A privileged service was called.\",\"Common\",\r\n4674,\"\",\"Advanced\",\"Either\",\"\",\"Sensitive Privilege Use\",\"An operation was attempted on a privileged object.\",\"Common\",\r\n4674,\"\",\"Advanced\",\"Either\",\"\",\"Non-Sensitive Privilege Use\",\"An operation was attempted on a privileged object.\",\"Common\",\r\n4675,\"\",\"Advanced\",\"Success\",\"\",\"Logon\",\"SIDs were filtered.\",\"Common\",\r\n4688,\"\",\"Advanced\",\"Success\",\"\",\"Process Creation\",\"A new process has been created.\",\"Minimal\",\r\n4689,\"\",\"Advanced\",\"Success\",\"\",\"Process Termination\",\"A process has exited.\",\"Common\",\r\n4690,\"\",\"Advanced\",\"Success\",\"\",\"Handle Manipulation\",\"An attempt was made to duplicate a handle to an 
object.\",\"Full\",\r\n4691,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"Indirect access to an object was requested.\",\"Full\",\r\n4692,\"\",\"Advanced\",\"Either\",\"\",\"DPAPI Activity\",\"Backup of data protection master key was attempted.\",\"Full\",\r\n4693,\"\",\"Advanced\",\"Either\",\"\",\"DPAPI Activity\",\"Recovery of data protection master key was attempted.\",\"Full\",\r\n4694,\"\",\"Advanced\",\"Either\",\"\",\"DPAPI Activity\",\"Protection of auditable protected data was attempted.\",\"Full\",\r\n4695,\"\",\"Advanced\",\"Either\",\"\",\"DPAPI Activity\",\"Unprotection of auditable protected data was attempted.\",\"Full\",\r\n4696,\"\",\"Advanced\",\"Success\",\"\",\"Process Creation\",\"A primary token was assigned to process.\",\"Full\",\r\n4697,\"\",\"Advanced\",\"Success\",\"\",\"Security System Extension\",\"A service was installed in the system.\",\"Common\",\r\n4698,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"A scheduled task was created.\",\"Full\",\r\n4699,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"A scheduled task was deleted.\",\"Full\",\r\n4700,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"A scheduled task was enabled.\",\"Minimal\",\r\n4701,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"A scheduled task was disabled.\",\"Full\",\r\n4702,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"A scheduled task was updated.\",\"Minimal\",\r\n4703,\"\",\"Advanced\",\"Success\",\"\",\"Token Right\",\"A user right was adjusted.\",\"Full\",\r\n4703,\"\",\"Advanced\",\"Success\",\"\",\"Authorization Policy\",\"A user right was adjusted.\",\"Full\",\r\n4704,\"\",\"Advanced\",\"Success\",\"\",\"Authorization Policy\",\"A user right was assigned.\",\"Common\",\r\n4705,\"\",\"Advanced\",\"Success\",\"\",\"Authorization Policy\",\"A user right was removed.\",\"Common\",\r\n4706,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"A new trust was created to a 
domain.\",\"Full\",\r\n4707,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"A trust to a domain was removed.\",\"Full\",\r\n4709,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"IPsec Services was started.\",\"Full\",\r\n4710,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"IPsec Services was disabled.\",\"Full\",\r\n4711,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"May contain any one of the following\",\"Full\",\r\n4712,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"IPsec Services encountered a potentially serious failure.\",\"Full\",\r\n4713,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"Kerberos policy was changed.\",\"Full\",\r\n4714,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"Encrypted data recovery policy was changed.\",\"Full\",\r\n4715,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"The audit policy (SACL) on an object was changed.\",\"Full\",\r\n4716,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"Trusted domain information was modified.\",\"Common\",\r\n4717,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"System security access was granted to an account.\",\"Common\",\r\n4718,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"System security access was removed from an account.\",\"Common\",\r\n4719,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"System audit policy was changed.\",\"Minimal\",\r\n4720,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"A user account was created.\",\"Minimal\",\r\n4722,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"A user account was enabled.\",\"Minimal\",\r\n4723,\"\",\"Advanced\",\"Either\",\"\",\"User Account\",\"An attempt was made to change an account's password.\",\"Minimal\",\r\n4724,\"\",\"Advanced\",\"Either\",\"\",\"User Account\",\"An attempt was made to reset an account's 
password.\",\"Minimal\",\r\n4725,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"A user account was disabled.\",\"Common\",\r\n4726,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"A user account was deleted.\",\"Common\",\r\n4727,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled global group was created. See event 4731\",\"Minimal\",\r\n4728,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A member was added to a security-enabled global group. See event 4732\",\"Minimal\",\r\n4729,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A member was removed from a security-enabled global group. See event 4733\",\"Common\",\r\n4730,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled global group was deleted. See event 4734\",\"Full\",\r\n4731,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled local group was created.\",\"Full\",\r\n4732,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A member was added to a security-enabled local group.\",\"Minimal\",\r\n4733,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A member was removed from a security-enabled local group.\",\"Common\",\r\n4734,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled local group was deleted.\",\"Full\",\r\n4735,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled local group was changed.\",\"Minimal\",\r\n4737,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled global group was changed. 
See event 4735\",\"Minimal\",\r\n4738,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"A user account was changed.\",\"Common\",\r\n4739,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"Domain Policy was changed.\",\"Minimal\",\r\n4740,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"A user account was locked out.\",\"Minimal\",\r\n4741,\"\",\"Advanced\",\"Success\",\"\",\"Computer Account\",\"A computer account was created.\",\"Full\",\r\n4742,\"\",\"Advanced\",\"Success\",\"\",\"Computer Account\",\"A computer account was changed.\",\"Common\",\r\n4743,\"\",\"Advanced\",\"Success\",\"\",\"Computer Account\",\"A computer account was deleted.\",\"Full\",\r\n4744,\"\",\"Advanced\",\"Success\",\"\",\"Account Management\",\"A security-disabled local group was created\",\"Common\",\r\n4745,\"\",\"Advanced\",\"Success\",\"\",\"Account Management\",\"A security-disabled local group was changed\",\"Common\",\r\n4746,\"\",\"Advanced\",\"Success\",\"\",\"Account Management\",\"A member was added to a security-disabled local group\",\"Common\",\r\n4747,\"\",\"Advanced\",\"Success\",\"\",\"Account Management\",\"A member was removed from a security-disabled local group\",\"Full\",\r\n4748,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A security-disabled local group was deleted\",\"Full\",\r\n4749,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A security-disabled global group was created.\",\"Full\",\r\n4750,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A security-disabled global group was changed.\",\"Common\",\r\n4751,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A member was added to a security-disabled global group.\",\"Common\",\r\n4752,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A member was removed from a security-disabled global group.\",\"Common\",\r\n4753,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A security-disabled global group was 
deleted.\",\"Full\",\r\n4754,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled universal group was created. See event 4731\",\"Minimal\",\r\n4755,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled universal group was changed. See event 4735\",\"Minimal\",\r\n4756,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A member was added to a security-enabled universal group. See event 4732\",\"Minimal\",\r\n4757,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A member was removed from a security-enabled universal group. See event 4733\",\"Common\",\r\n4758,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled universal group was deleted. See event 4734\",\"Full\",\r\n4759,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A security-disabled universal group was created. See event 4749\",\"Full\",\r\n4760,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A security-disabled universal group was changed. See event 4750\",\"Common\",\r\n4761,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A member was added to a security-disabled universal group. See event 4751\",\"Common\",\r\n4762,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A member was removed from a security-disabled universal group. 
See event 4752\",\"Common\",\r\n4763,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-disabled universal group was deleted\",\"Full\",\r\n4764,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A group’s type was changed.\",\"Common\",\r\n4765,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"SID History was added to an account.\",\"Full\",\r\n4766,\"\",\"Advanced\",\"Fail\",\"\",\"User Account\",\"An attempt to add SID History to an account failed.\",\"Full\",\r\n4767,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"A user account was unlocked.\",\"Minimal\",\r\n4768,\"\",\"Advanced\",\"Either\",\"\",\"Kerberos\",\"A Kerberos authentication ticket (TGT) was requested.\",\"Common\",\r\n4769,\"\",\"Advanced\",\"Either\",\"\",\"Kerberos\",\"A Kerberos service ticket was requested.\",\"Full\",\r\n4770,\"\",\"Advanced\",\"Success\",\"\",\"Kerberos\",\"A Kerberos service ticket was renewed.\",\"Full\",\r\n4771,\"\",\"Advanced\",\"Fail\",\"\",\"Kerberos\",\"Kerberos pre-authentication failed.\",\"Common\",\r\n4772,\"\",\"Advanced\",\"Fail\",\"\",\"Kerberos\",\"A Kerberos authentication ticket request failed.\",\"Full\",\r\n4773,\"\",\"Advanced\",\"Fail\",\"\",\"Kerberos\",\"A Kerberos service ticket request failed.\",\"Full\",\r\n4774,\"\",\"Advanced\",\"Either\",\"\",\"Credential Validation\",\"An account was mapped for logon.\",\"Common\",\r\n4775,\"\",\"Advanced\",\"Fail\",\"\",\"Credential Validation\",\"An account could not be mapped for logon.\",\"Full\",\r\n4776,\"\",\"Advanced\",\"Either\",\"\",\"Credential Validation\",\"The computer attempted to validate the credentials for an account.\",\"Full\",\r\n4777,\"\",\"Advanced\",\"Fail\",\"\",\"Credential Validation\",\"The domain controller failed to validate the credentials for an account.\",\"Full\",\r\n4778,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"A session was reconnected to a Window Station.\",\"Common\",\r\n4779,\"\",\"Basic\",\"\",\"\",\"Account Logon\",\"A 
user disconnected a terminal server session without logging off.\",\"Common\",\r\n4779,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"A session was disconnected from a Window Station.\",\"Full\",\r\n4780,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"The ACL was set on accounts which are members of administrators groups.\",\"Full\",\r\n4781,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"The name of an account was changed.\",\"Common\",\r\n4782,\"\",\"Advanced\",\"Success\",\"\",\"Other Account Mgmt\",\"The password hash of an account was accessed.\",\"Full\",\r\n4783,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"A basic application group was created.\",\"Full\",\r\n4784,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"A basic application group was changed.\",\"Full\",\r\n4785,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"A member was added to a basic application group.\",\"Full\",\r\n4786,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"A member was removed from a basic application group.\",\"Full\",\r\n4787,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"A non-member was added to a basic application group.\",\"Full\",\r\n4788,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"A non-member was removed from a basic application group.\",\"Full\",\r\n4789,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"A basic application group was deleted.\",\"Full\",\r\n4790,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"An LDAP query group was created.\",\"Full\",\r\n4791,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"An LDAP query group was changed.\",\"Full\",\r\n4792,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"An LDAP query group was deleted.\",\"Full\",\r\n4793,\"\",\"Advanced\",\"Success\",\"\",\"Other Account Mgmt\",\"The Password Policy Checking API was called.\",\"Common\",\r\n4794,\"\",\"Advanced\",\"Either\",\"\",\"User Account\",\"An attempt was made to set the 
Directory Services Restore Mode administrator password.\",\"Full\",\r\n4797,\"\",\"\",\"Success\",\"\",\"User Account\",\"An attempt was made to query the existence of a blank password for an account\",\"Common\",\r\n4798,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"A user's local group membership was enumerated.\",\"Common\",\r\n4799,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled local group membership was enumerated.\",\"Minimal\",\r\n4800,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"The workstation was locked.\",\"Common\",\r\n4801,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"The workstation was unlocked.\",\"Common\",\r\n4802,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"The screen saver was invoked.\",\"Common\",\r\n4803,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"The screen saver was dismissed.\",\"Common\",\r\n4816,\"\",\"Advanced\",\"Success\",\"\",\"System Integrity\",\"RPC detected an integrity violation while decrypting an incoming message.\",\"Full\",\r\n4817,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"Auditing settings on object were changed.\",\"Full\",\r\n4818,\"\",\"Advanced\",\"Success\",\"\",\"Access Policy Staging\",\"Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.\",\"Full\",\r\n4819,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"Central Access Policies on the machine have been changed.\",\"Full\",\r\n4820,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions\",\"Full\",\r\n4821,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions\",\"Full\",\r\n4822,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy 
Change\",\"NTLM authentication failed because the account was a member of the Protected User group\",\"Full\",\r\n4823,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"NTLM authentication failed because access control restrictions are required\",\"Full\",\r\n4824,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group\",\"Full\",\r\n4825,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group\",\"Full\",\r\n4826,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"Boot Configuration Data loaded.\",\"Common\",\r\n4830,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"SID History was removed from an account\",\"Full\",\r\n4864,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"A namespace collision was detected.\",\"Full\",\r\n4865,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"A trusted forest information entry was added.\",\"Full\",\r\n4866,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"A trusted forest information entry was removed.\",\"Full\",\r\n4867,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"A trusted forest information entry was modified.\",\"Full\",\r\n4868,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"The certificate manager denied a pending certificate request.\",\"Full\",\r\n4869,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services received a resubmitted certificate request.\",\"Full\",\r\n4870,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services revoked a certificate.\",\"Common\",\r\n4871,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services received a request to publish the 
certificate revocation list (CRL).\",\"Full\",\r\n4872,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services published the certificate revocation list (CRL).\",\"Full\",\r\n4873,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"A certificate request extension changed.\",\"Full\",\r\n4874,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"One or more certificate request attributes changed.\",\"Full\",\r\n4875,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services received a request to shut down.\",\"Full\",\r\n4876,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services backup started.\",\"Full\",\r\n4877,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services backup completed.\",\"Full\",\r\n4878,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services restore started.\",\"Full\",\r\n4879,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services restore completed.\",\"Full\",\r\n4880,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services started.\",\"Full\",\r\n4881,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services stopped.\",\"Full\",\r\n4882,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"The security permissions for Certificate Services changed.\",\"Full\",\r\n4883,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services retrieved an archived key.\",\"Full\",\r\n4884,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services imported a certificate into its database.\",\"Full\",\r\n4885,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"The audit filter for Certificate Services changed.\",\"Full\",\r\n4886,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services received a certificate request.\",\"Common\",\r\n4887,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services 
approved a certificate request and issued a certificate.\",\"Common\",\r\n4888,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services denied a certificate request.\",\"Common\",\r\n4889,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services set the status of a certificate request to pending.\",\"Full\",\r\n4890,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"The certificate manager settings for Certificate Services changed.\",\"Full\",\r\n4891,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"A configuration entry changed in Certificate Services.\",\"Full\",\r\n4892,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"A property of Certificate Services changed.\",\"Full\",\r\n4893,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services archived a key.\",\"Common\",\r\n4894,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services imported and archived a key.\",\"Full\",\r\n4895,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services published the CA certificate to Active Directory Domain Services.\",\"Full\",\r\n4896,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"One or more rows have been deleted from the certificate database.\",\"Full\",\r\n4897,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Role separation enabled.\",\"Full\",\r\n4898,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services loaded a template.\",\"Common\",\r\n4899,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"A Certificate Services template was updated\",\"Full\",\r\n4900,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services template security was updated\",\"Full\",\r\n4902,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"The Per-user audit policy table was created.\",\"Common\",\r\n4904,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"An attempt was made to register a 
security event source.\",\"Common\",\r\n4905,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"An attempt was made to unregister a security event source.\",\"Common\",\r\n4906,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"The CrashOnAuditFail value has changed.\",\"Full\",\r\n4907,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"Auditing settings on object were changed.\",\"Common\",\r\n4908,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"Special Groups Logon table modified.\",\"Full\",\r\n4909,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"The local policy settings for the TBS were changed.\",\"Full\",\r\n4910,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"The group policy settings for the TBS were changed.\",\"Full\",\r\n4911,\"\",\"Advanced\",\"Success\",\"\",\"Authorization Policy\",\"Resource attributes of the object were changed.\",\"Full\",\r\n4912,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"Per User Audit Policy was changed.\",\"Full\",\r\n4913,\"\",\"Advanced\",\"Success\",\"\",\"Authorization Policy\",\"Central Access Policy on the object was changed.\",\"Full\",\r\n4928,\"\",\"Advanced\",\"Either\",\"\",\"DS Replication\",\"An Active Directory replica source naming context was established.\",\"Full\",\r\n4929,\"\",\"Advanced\",\"Either\",\"\",\"DS Replication\",\"An Active Directory replica source naming context was removed.\",\"Full\",\r\n4930,\"\",\"Advanced\",\"Either\",\"\",\"DS Replication\",\"An Active Directory replica source naming context was modified.\",\"Full\",\r\n4931,\"\",\"Advanced\",\"Either\",\"\",\"DS Replication\",\"An Active Directory replica destination naming context was modified.\",\"Common\",\r\n4932,\"\",\"Advanced\",\"Success\",\"\",\"DS Replication\",\"Synchronization of a replica of an Active Directory naming context has begun.\",\"Common\",\r\n4933,\"\",\"Advanced\",\"Either\",\"\",\"DS Replication\",\"Synchronization of a replica 
of an Active Directory naming context has ended.\",\"Common\",\r\n4934,\"\",\"Advanced\",\"Success\",\"\",\"DS Replication\",\"Attributes of an Active Directory object were replicated.\",\"Full\",\r\n4935,\"\",\"Advanced\",\"Fail\",\"\",\"DS Replication\",\"Replication failure begins.\",\"Full\",\r\n4936,\"\",\"Advanced\",\"Success\",\"\",\"DS Replication\",\"Replication failure ends.\",\"Full\",\r\n4937,\"\",\"Advanced\",\"Success\",\"\",\"DS Replication\",\"A lingering object was removed from a replica.\",\"Full\",\r\n4944,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"The following policy was active when the Windows Firewall started.\",\"Full\",\r\n4945,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"A rule was listed when the Windows Firewall started.\",\"Full\",\r\n4946,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"A change has been made to Windows Firewall exception list. A rule was added.\",\"Minimal\",\r\n4947,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"A change has been made to Windows Firewall exception list. A rule was modified.\",\"Full\",\r\n4948,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"A change has been made to Windows Firewall exception list. A rule was deleted.\",\"Minimal\",\r\n4949,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"Windows Firewall settings were restored to the default values.\",\"Full\",\r\n4950,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"A Windows Firewall setting has changed.\",\"Full\",\r\n4951,\"\",\"Advanced\",\"Fail\",\"\",\"MPSSVC Policy Change\",\"A rule has been ignored because its major version number was not recognized by Windows Firewall.\",\"Full\",\r\n4952,\"\",\"Advanced\",\"Fail\",\"\",\"MPSSVC Policy Change\",\"Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. 
The other parts of the rule will be enforced.\",\"Full\",\r\n4953,\"\",\"Advanced\",\"Fail\",\"\",\"MPSSVC Policy Change\",\"A rule has been ignored by Windows Firewall because it could not parse the rule.\",\"Full\",\r\n4954,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"Windows Firewall Group Policy settings have changed. The new settings have been applied.\",\"Full\",\r\n4956,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"Windows Firewall has changed the active profile.\",\"Minimal\",\r\n4957,\"\",\"Advanced\",\"Fail\",\"\",\"MPSSVC Policy Change\",\"Windows Firewall did not apply the following rule\",\"Full\",\r\n4958,\"\",\"Advanced\",\"Fail\",\"\",\"MPSSVC Policy Change\",\"Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer\",\"Full\",\r\n4960,\"\",\"Advanced\",\"Success\",\"\",\"IPsec Driver\",\"IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.\",\"Full\",\r\n4961,\"\",\"Advanced\",\"Success\",\"\",\"IPsec Driver\",\"IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.\",\"Full\",\r\n4962,\"\",\"Advanced\",\"Success\",\"\",\"IPsec Driver\",\"IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.\",\"Full\",\r\n4963,\"\",\"Advanced\",\"Success\",\"\",\"IPsec Driver\",\"IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. 
This could also be a spoofing attack attempt.\",\"Full\",\r\n4964,\"\",\"Advanced\",\"Success\",\"\",\"Special Logon\",\"Special groups have been assigned to a new logon.\",\"Full\",\r\n4965,\"\",\"Advanced\",\"Success\",\"\",\"IPsec Driver\",\"IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.\",\"Full\",\r\n4976,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.\",\"Full\",\r\n4977,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.\",\"Full\",\r\n4978,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"During Extended Mode negotiation, IPsec received an invalid negotiation packet. 
If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.\",\"Full\",\r\n4979,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"IPsec Main Mode and Extended Mode security associations were established.\",\"Full\",\r\n4980,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"IPsec Main Mode and Extended Mode security associations were established.\",\"Full\",\r\n4981,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"IPsec Main Mode and Extended Mode security associations were established.\",\"Full\",\r\n4982,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"IPsec Main Mode and Extended Mode security associations were established.\",\"Full\",\r\n4983,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.\",\"Full\",\r\n4984,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.\",\"Full\",\r\n4985,\"\",\"Advanced\",\"Success\",\"\",\"File System\",\"The state of a transaction has changed.\",\"Common\",\r\n4985,\"\",\"Advanced\",\"Success\",\"\",\"Sensitive Privilege Use\",\"The state of a transaction has changed.\",\"Common\",\r\n4985,\"\",\"Advanced\",\"Success\",\"\",\"Non-Sensitive Privilege Use\",\"The state of a transaction has changed.\",\"Common\",\r\n4985,\"\",\"Advanced\",\"Success\",\"\",\"Other Privilege Use\",\"The state of a transaction has changed.\",\"Common\",\r\n5024,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"The Windows Firewall Service has started successfully.\",\"Minimal\",\r\n5025,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"The Windows Firewall Service has been stopped.\",\"Full\",\r\n5027,\"\",\"Advanced\",\"Fail\",\"\",\"Other System Events\",\"The Windows Firewall Service was unable to retrieve the security policy from the local storage. 
The service will continue enforcing the current policy.\",\"Full\",\r\n5028,\"\",\"Advanced\",\"Fail\",\"\",\"Other System Events\",\"The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.\",\"Full\",\r\n5029,\"\",\"Advanced\",\"Fail\",\"\",\"Other System Events\",\"The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.\",\"Full\",\r\n5030,\"\",\"Advanced\",\"Fail\",\"\",\"Other System Events\",\"The Windows Firewall Service failed to start.\",\"Full\",\r\n5031,\"\",\"Advanced\",\"Fail\",\"\",\"Filtering Platform\",\"The Windows Firewall Service blocked an application from accepting incoming connections on the network.\",\"Full\",\r\n5032,\"\",\"Advanced\",\"Fail\",\"\",\"Other System Events\",\"Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.\",\"Full\",\r\n5033,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"The Windows Firewall Driver has started successfully.\",\"Minimal\",\r\n5034,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"The Windows Firewall Driver was stopped.\",\"Full\",\r\n5035,\"\",\"Advanced\",\"Fail\",\"\",\"Other System Events\",\"The Windows Firewall Driver failed to start.\",\"Full\",\r\n5037,\"\",\"Advanced\",\"Fail\",\"\",\"Other System Events\",\"The Windows Firewall Driver detected critical runtime error. Terminating.\",\"Full\",\r\n5038,\"\",\"Advanced\",\"Fail\",\"\",\"System Integrity\",\"Code integrity determined that the image hash of a file is not valid. 
The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\",\"Full\",\r\n5039,\"\",\"Advanced\",\"Success\",\"\",\"Registry\",\"A registry key was virtualized.\",\"Full\",\r\n5040,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. An Authentication Set was added.\",\"Full\",\r\n5041,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. An Authentication Set was modified.\",\"Full\",\r\n5042,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. An Authentication Set was deleted.\",\"Full\",\r\n5043,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. A Connection Security Rule was added.\",\"Full\",\r\n5044,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. A Connection Security Rule was modified.\",\"Full\",\r\n5045,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. A Connection Security Rule was deleted.\",\"Full\",\r\n5046,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. A Crypto Set was added.\",\"Full\",\r\n5047,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. A Crypto Set was modified.\",\"Full\",\r\n5048,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. 
A Crypto Set was deleted.\",\"Full\",\r\n5049,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec Security Association was deleted.\",\"Full\",\r\n5050,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE)\",\"Full\",\r\n5051,\"\",\"Advanced\",\"Success\",\"\",\"File System\",\"A file was virtualized.\",\"Full\",\r\n5056,\"\",\"Advanced\",\"Success\",\"\",\"System Integrity\",\"A cryptographic self-test was performed.\",\"Full\",\r\n5057,\"\",\"Advanced\",\"Fail\",\"\",\"System Integrity\",\"A cryptographic primitive operation failed.\",\"Full\",\r\n5058,\"\",\"Advanced\",\"Either\",\"\",\"Other System Events\",\"Key file operation.\",\"Full\",\r\n5059,\"\",\"Advanced\",\"Either\",\"\",\"Other System Events\",\"Key migration operation.\",\"Common\",\r\n5060,\"\",\"Advanced\",\"Fail\",\"\",\"System Integrity\",\"Verification operation failed.\",\"Full\",\r\n5061,\"\",\"Advanced\",\"Either\",\"\",\"System Integrity\",\"Cryptographic operation.\",\"Full\",\r\n5062,\"\",\"Advanced\",\"Success\",\"\",\"System Integrity\",\"A kernel-mode cryptographic self-test was performed.\",\"Full\",\r\n5063,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A cryptographic provider operation was attempted.\",\"Full\",\r\n5064,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A cryptographic context operation was attempted.\",\"Full\",\r\n5065,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A cryptographic context modification was attempted.\",\"Full\",\r\n5066,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A cryptographic function operation was attempted.\",\"Full\",\r\n5067,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A cryptographic function modification was attempted.\",\"Full\",\r\n5068,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A cryptographic function provider operation was 
attempted.\",\"Full\",\r\n5069,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A cryptographic function property operation was attempted.\",\"Full\",\r\n5070,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A cryptographic function property modification was attempted.\",\"Full\",\r\n5071,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"Key access denied by Microsoft key distribution service\",\"Full\",\r\n5120,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"OCSP Responder Service Started\",\"Full\",\r\n5121,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"OCSP Responder Service Stopped\",\"Full\",\r\n5122,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A Configuration entry changed in the OCSP Responder Service\",\"Full\",\r\n5123,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A configuration entry changed in the OCSP Responder Service\",\"Full\",\r\n5124,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A security setting was updated on OCSP Responder Service\",\"Full\",\r\n5125,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A request was submitted to OCSP Responder Service\",\"Full\",\r\n5126,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"Signing Certificate was automatically updated by the OCSP Responder Service\",\"Full\",\r\n5127,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"The OCSP Revocation Provider successfully updated the revocation information\",\"Full\",\r\n5136,\"\",\"Advanced\",\"Success\",\"\",\"Directory Service Changes\",\"A directory service object was modified.\",\"Common\",\r\n5137,\"\",\"Advanced\",\"Success\",\"\",\"Directory Service Changes\",\"A directory service object was created.\",\"Common\",\r\n5138,\"\",\"Advanced\",\"Success\",\"\",\"Directory Service Changes\",\"A directory service object was undeleted.\",\"Full\",\r\n5139,\"\",\"Advanced\",\"Success\",\"\",\"Directory Service Changes\",\"A directory 
service object was moved.\",\"Full\",\r\n5140,\"\",\"Advanced\",\"Either\",\"\",\"File Share\",\"A network share object was accessed.\",\"Common\",\r\n5141,\"\",\"Advanced\",\"Success\",\"\",\"Directory Service Changes\",\"A directory service object was deleted.\",\"Full\",\r\n5142,\"\",\"Advanced\",\"Success\",\"\",\"File Share\",\"A network share object was added.\",\"Full\",\r\n5143,\"\",\"Advanced\",\"Success\",\"\",\"File Share\",\"A network share object was modified.\",\"Full\",\r\n5144,\"\",\"Advanced\",\"Success\",\"\",\"File Share\",\"A network share object was deleted.\",\"Full\",\r\n5145,\"\",\"Advanced\",\"Either\",\"\",\"File Share\",\"A network share object was checked to see whether client can be granted desired access.\",\"Common\",\r\n5146,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"The Windows Filtering Platform has blocked a packet\",\"Full\",\r\n5147,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"A more restrictive Windows Filtering Platform filter has blocked a packet\",\"Full\",\r\n5148,\"\",\"Advanced\",\"Fail\",\"\",\"Other Object Access\",\"The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.\",\"Full\",\r\n5149,\"\",\"Advanced\",\"Fail\",\"\",\"Other Object Access\",\"The DoS attack has subsided and normal processing is being resumed.\",\"Full\",\r\n5150,\"\",\"Advanced\",\"Success\",\"\",\"Filtering Platform\",\"The Windows Filtering Platform blocked a packet.\",\"Full\",\r\n5151,\"\",\"Advanced\",\"Success\",\"\",\"Filtering Platform\",\"A more restrictive Windows Filtering Platform filter has blocked a packet.\",\"Full\",\r\n5152,\"\",\"Advanced\",\"Fail\",\"\",\"Filtering Platform\",\"The Windows Filtering Platform blocked a packet.\",\"Full\",\r\n5153,\"\",\"Advanced\",\"Success\",\"\",\"Filtering Platform\",\"A more restrictive Windows Filtering Platform filter has blocked a 
packet.\",\"Full\",\r\n5154,\"\",\"Advanced\",\"Success\",\"\",\"Filtering Platform\",\"The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.\",\"Full\",\r\n5155,\"\",\"Advanced\",\"Fail\",\"\",\"Filtering Platform\",\"The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.\",\"Full\",\r\n5156,\"\",\"Advanced\",\"Success\",\"\",\"Filtering Platform\",\"The Windows Filtering Platform has permitted a connection.\",\"Full\",\r\n5157,\"\",\"Advanced\",\"Fail\",\"\",\"Filtering Platform\",\"The Windows Filtering Platform has blocked a connection.\",\"Full\",\r\n5158,\"\",\"Advanced\",\"Success\",\"\",\"Filtering Platform\",\"The Windows Filtering Platform has permitted a bind to a local port.\",\"Full\",\r\n5159,\"\",\"Advanced\",\"Fail\",\"\",\"Filtering Platform\",\"The Windows Filtering Platform has blocked a bind to a local port.\",\"Full\",\r\n5168,\"\",\"Advanced\",\"Fail\",\"\",\"File Share\",\"SPN check for SMB/SMB2 failed.\",\"Full\",\r\n5169,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"A directory service object was modified\",\"Full\",\r\n5170,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"A directory service object was modified during a background cleanup task\",\"Full\",\r\n5376,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"Credential Manager credentials were backed up.\",\"Full\",\r\n5377,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"Credential Manager credentials were restored from a backup.\",\"Full\",\r\n5378,\"\",\"Advanced\",\"Fail\",\"\",\"Other Logon/Logoff\",\"The requested credentials delegation was disallowed by policy.\",\"Full\",\r\n5379,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"Credential Manager credentials were read\",\"Full\",\r\n5380,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"Vault Find Credential\",\"Full\",\r\n5381,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"Vault credentials 
were read\",\"Full\",\r\n5382,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"Vault credentials were read\",\"Full\",\r\n5440,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"The following callout was present when the Windows Filtering Platform Base Filtering Engine started.\",\"Full\",\r\n5441,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"The following filter was present when the Windows Filtering Platform Base Filtering Engine started.\",\"Full\",\r\n5442,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"The following provider was present when the Windows Filtering Platform Base Filtering Engine started.\",\"Full\",\r\n5443,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.\",\"Full\",\r\n5444,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.\",\"Full\",\r\n5446,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A Windows Filtering Platform callout has been changed.\",\"Full\",\r\n5447,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"A Windows Filtering Platform filter has been changed.\",\"Full\",\r\n5448,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A Windows Filtering Platform provider has been changed.\",\"Full\",\r\n5449,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A Windows Filtering Platform provider context has been changed.\",\"Full\",\r\n5450,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A Windows Filtering Platform sub-layer has been changed.\",\"Full\",\r\n5451,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec Quick Mode security association was established.\",\"Full\",\r\n5452,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec Quick Mode security association 
ended.\",\"Full\",\r\n5453,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.\",\"Full\",\r\n5456,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine applied Active Directory storage IPsec policy on the computer.\",\"Full\",\r\n5457,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.\",\"Full\",\r\n5458,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.\",\"Full\",\r\n5459,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.\",\"Full\",\r\n5460,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine applied local registry storage IPsec policy on the computer.\",\"Full\",\r\n5461,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine failed to apply local registry storage IPsec policy on the computer.\",\"Full\",\r\n5462,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine failed to apply some rules of the active IPsec policy on the computer. 
Use the IP Security Monitor snap-in to diagnose the problem.\",\"Full\",\r\n5463,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine polled for changes to the active IPsec policy and detected no changes.\",\"Full\",\r\n5464,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.\",\"Full\",\r\n5465,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.\",\"Full\",\r\n5466,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.\",\"Full\",\r\n5467,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.\",\"Full\",\r\n5468,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. 
The cached copy of the Active Directory IPsec policy is no longer being used.\",\"Full\",\r\n5471,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine loaded local storage IPsec policy on the computer.\",\"Full\",\r\n5472,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine failed to load local storage IPsec policy on the computer.\",\"Full\",\r\n5473,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine loaded directory storage IPsec policy on the computer.\",\"Full\",\r\n5474,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine failed to load directory storage IPsec policy on the computer.\",\"Full\",\r\n5477,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine failed to add quick mode filter.\",\"Full\",\r\n5478,\"\",\"Advanced\",\"Success\",\"\",\"IPsec Driver\",\"IPsec Services has started successfully.\",\"Full\",\r\n5479,\"\",\"Advanced\",\"Success\",\"\",\"IPsec Driver\",\"IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.\",\"Full\",\r\n5480,\"\",\"Advanced\",\"Fail\",\"\",\"IPsec Driver\",\"IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.\",\"Full\",\r\n5483,\"\",\"Advanced\",\"Fail\",\"\",\"IPsec Driver\",\"IPsec Services failed to initialize RPC server. IPsec Services could not be started.\",\"Full\",\r\n5484,\"\",\"Advanced\",\"Fail\",\"\",\"IPsec Driver\",\"IPsec Services has experienced a critical failure and has been shut down. 
The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.\",\"Full\",\r\n5485,\"\",\"Advanced\",\"Fail\",\"\",\"IPsec Driver\",\"IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.\",\"Full\",\r\n5632,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"A request was made to authenticate to a wireless network.\",\"Common\",\r\n5633,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"A request was made to authenticate to a wired network.\",\"Full\",\r\n5712,\"\",\"Advanced\",\"Success\",\"\",\"RPC Events\",\"A Remote Procedure Call (RPC) was attempted.\",\"Full\",\r\n5888,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"An object in the COM+ Catalog was modified.\",\"Full\",\r\n5889,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"An object was deleted from the COM+ Catalog.\",\"Full\",\r\n5890,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"An object was added to the COM+ Catalog.\",\"Full\",\r\n6144,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"Security policy in the group policy objects has been applied successfully.\",\"Common\",\r\n6145,\"\",\"Advanced\",\"Fail\",\"\",\"Other Policy Change\",\"One or more errors occurred while processing security policy in the group policy objects.\",\"Common\",\r\n6272,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server granted access to a user.\",\"Common\",\r\n6273,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server denied access to a user.\",\"Common\",\r\n6274,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server discarded the request for a 
user.\",\"Full\",\r\n6275,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server discarded the accounting request for a user.\",\"Full\",\r\n6276,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server quarantined a user.\",\"Full\",\r\n6277,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.\",\"Full\",\r\n6278,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server granted full access to a user because the host met the defined health policy.\",\"Common\",\r\n6279,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server locked the user account due to repeated failed authentication attempts.\",\"Full\",\r\n6280,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server unlocked the user account.\",\"Full\",\r\n6281,\"\",\"Advanced\",\"Fail\",\"\",\"System Integrity\",\"Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.\",\"Full\",\r\n6400,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"Received an incorrectly formatted response while discovering availability of content.\",\"Full\",\r\n6401,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"Received invalid data from a peer. 
Data discarded.\",\"Full\",\r\n6402,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"The message to the hosted cache offering it data is incorrectly formatted.\",\"Full\",\r\n6403,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"The hosted cache sent an incorrectly formatted response to the client.\",\"Full\",\r\n6404,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"Hosted cache could not be authenticated using the provisioned SSL certificate.\",\"Full\",\r\n6405,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"%2 instance(s) of event id %1 occurred.\",\"Full\",\r\n6406,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"%1 registered to Windows Firewall to control filtering for the following\",\"Full\",\r\n6407,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"0.01\",\"Full\",\r\n6408,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"Registered product %1 failed and Windows Firewall is now controlling the filtering for %2\",\"Full\",\r\n6409,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"BranchCache\",\"Full\",\r\n6410,\"\",\"Advanced\",\"Fail\",\"\",\"System Integrity\",\"Code integrity determined that a file does not meet the security requirements to load into a process.\",\"Full\",\r\n6416,\"\",\"Advanced\",\"Success\",\"\",\"PNP Activity\",\"A new external device was recognized by the System\",\"Common\",\r\n6417,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"The FIPS mode crypto selftests succeeded\",\"Full\",\r\n6418,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"The FIPS mode crypto selftests failed\",\"Full\",\r\n6419,\"\",\"Advanced\",\"Success\",\"\",\"PNP Activity\",\"A request was made to disable a device\",\"Full\",\r\n6420,\"\",\"Advanced\",\"Success\",\"\",\"PNP Activity\",\"A device was disabled.\",\"Full\",\r\n6421,\"\",\"Advanced\",\"Success\",\"\",\"PNP Activity\",\"A request was made to enable a 
device.\",\"Full\",\r\n6422,\"\",\"Advanced\",\"Success\",\"\",\"PNP Activity\",\"A device was enabled.\",\"Full\",\r\n6423,\"\",\"Advanced\",\"Success\",\"\",\"PNP Activity\",\"The installation of this device is forbidden by system policy.\",\"Common\",\r\n6424,\"\",\"Advanced\",\"Success\",\"\",\"PNP Activity\",\"The installation of this device was allowed, after having previously been forbidden by policy.\",\"Common\",\r\n8000,\"Error\",\"\",\"\",\"\",\"AppLocker\",\"Application Identity Policy conversion failed. Status *<%1> * Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.\",\"Full\",\r\n8001,\"Information\",\"\",\"\",\"\",\"AppLocker\",\"The AppLocker policy was applied successfully to this computer. Indicates that the AppLocker policy was successfully applied to the computer.\",\"Minimal\",\r\n8002,\"Information\",\"\",\"\",\"\",\"AppLocker\",\"* * was allowed to run. Specifies that the .exe or .dll file is allowed by an AppLocker rule.\",\"Minimal\",\r\n8003,\"Warning\",\"\",\"\",\"\",\"AppLocker\",\"* * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. Applied only when the Audit only enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the Enforce rules enforcement mode were enabled.\",\"Minimal\",\r\n8004,\"Error\",\"\",\"\",\"\",\"AppLocker\",\"* * was not allowed to run. Access to is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.\",\"Minimal\",\r\n8005,\"Information\",\"\",\"\",\"\",\"AppLocker\",\"* * was allowed to run. 
Specifies that the script or .msi file is allowed by an AppLocker rule.\",\"Minimal\",\r\n8006,\"Warning\",\"\",\"\",\"\",\"AppLocker\",\"* * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. Applied only when the Audit only enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the Enforce rules enforcement mode were enabled.\",\"Minimal\",\r\n8007,\"Error\",\"\",\"\",\"\",\"AppLocker\",\"* * was not allowed to run. Access to is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.\",\"Minimal\",\r\n8008,\"Error\",\"\",\"\",\"\",\"AppLocker\",\"AppLocker disabled on the SKU. Added in Windows Server 2012 and Windows 8.\",\"Full\",\r\n8020,\"Information\",\"\",\"\",\"\",\"AppLocker\",\"Packaged app allowed. Added in Windows Server 2012 and Windows 8.\",\"Full\",\r\n8021,\"Information\",\"\",\"\",\"\",\"AppLocker\",\"Packaged app audited. Added in Windows Server 2012 and Windows 8.\",\"Full\",\r\n8022,\"Information\",\"\",\"\",\"\",\"AppLocker\",\"Packaged app disabled. Added in Windows Server 2012 and Windows 8.\",\"Minimal\",\r\n8023,\"Information\",\"\",\"\",\"\",\"AppLocker\",\"Packaged app installation allowed. Added in Windows Server 2012 and Windows 8.\",\"Full\",\r\n8024,\"Information\",\"\",\"\",\"\",\"AppLocker\",\"Packaged app installation audited. Added in Windows Server 2012 and Windows 8.\",\"Full\",\r\n8025,\"Warning\",\"\",\"\",\"\",\"AppLocker\",\"Packaged app installation disabled. Added in Windows Server 2012 and Windows 8.\",\"Full\",\r\n8027,\"Warning\",\"\",\"\",\"\",\"AppLocker\",\"No Packaged app rule configured. 
Added in Windows Server 2012 and Windows 8.\",\"Full\",\r\n8191,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"Highest System-Defined Audit Message Value\",\"Full\",\r\n26401,\"\",\"Unknown\",\"Fail\",\"\",\"MOMSDK Service Security\",\"An application attempted an operation\",\"Common\",\r\n30004,\"Unknown\",\"Unknown\",\"Unknown\",\"Unknown\",\"Unknown\",\"Unknown\",\"Common\",\r\n];\r\nlet Active = SecurityEvent | summarize count() by EventID;\r\nAuditRef\r\n| join kind = fullouter (Active) on EventID\r\n| extend Count = count_-1\r\n| where Count > 0 and isnotempty(Policy)\r\n| sort by Policy asc, Description asc\r\n| project Policy, Description, PolicyLevel, Type=Impact, Filter=Group, EventID, Count", "size": 2, "title": "Active Audit Policies - Based on EventIDs Collected (90 Days)", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "TimeGenerated", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Forwarder", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Facility", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "SeverityLevel", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "SyslogMessage", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "80%" } } ], "rowLimit": 2000, "filter": true, "sortBy": [ { "itemKey": "Count", "sortOrder": 2 } ] }, "sortBy": [ { "itemKey": "Count", "sortOrder": 2 } ] }, "name": "query - 4", "styleSettings": { "margin": "2px", "showBorder": true } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let AuditRef = datatable 
(EventID:int,Severity:string,PolicyLevel:string,Impact:string,Default:string,Policy:string,Description:string,Group:string)\r\n[\r\n1,\"\",\"Sysmon\",\"\",\"\",\"Process Created\",\"The process creation event provides extended information about a newly created process.\",\"Common\",\r\n2,\"\",\"Sysmon\",\"\",\"\",\"Process Changed\",\"A process changed a file creation time\",\"Full\",\r\n3,\"\",\"Sysmon\",\"\",\"\",\"Network Connection\",\"Network connection. It is disabled by default. Each connection is linked to a process.\",\"Full\",\r\n4,\"\",\"Sysmon\",\"\",\"\",\"Sysmon Service\",\"Sysmon service state changed (started or stopped).\",\"Full\",\r\n5,\"\",\"Sysmon\",\"\",\"\",\"Process Terminated\",\"Process terminated\",\"Full\",\r\n6,\"\",\"Sysmon\",\"\",\"\",\"Driver Loaded\",\"Driver loaded\",\"Full\",\r\n7,\"\",\"Sysmon\",\"\",\"\",\"Image loaded\",\"Image loaded. This event is disabled by default and needs to be configured with the –l option.\",\"Full\",\r\n8,\"\",\"Sysmon\",\"\",\"\",\"Createremotethread\",\"CreateRemoteThread. Process creates a thread in another process. This technique is used by malware to inject code and hide in other processes.\",\"Full\",\r\n9,\"\",\"Sysmon\",\"\",\"\",\"Rawaccessread\",\"RawAccessRead. Process conducts reading operations from the drive using relative path denotation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools.\",\"Full\",\r\n10,\"\",\"Sysmon\",\"\",\"\",\"Process Access\",\"ProcessAccess. Reports when a process opens another process, an operation that’s often followed by information queries or reading and writing the address space of the target process. This enables detection of hacking tools that read the memory contents of processes.\",\"Full\",\r\n11,\"\",\"Sysmon\",\"\",\"\",\"Filecreate\",\"FileCreate. Logged when a file is created or overwritten. 
This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.\",\"Full\",\r\n12,\"\",\"Sysmon\",\"\",\"\",\"Registry Change\",\"RegistryEvent (Object create and delete)\",\"Full\",\r\n13,\"\",\"Sysmon\",\"\",\"\",\"Registry Change\",\"RegistryEvent (Value Set or Modification)\",\"Full\",\r\n14,\"\",\"Sysmon\",\"\",\"\",\"Registry Change\",\"RegistryEvent (Key and Value Rename)\",\"Full\",\r\n15,\"\",\"Sysmon\",\"\",\"\",\"File Change\",\"FileCreateStreamHash. File stream is created.\",\"Full\",\r\n16,\"\",\"Sysmon\",\"\",\"\",\"Sysmon Change\",\"ServiceConfigurationChange (Sysmon configuration change)\",\"Full\",\r\n17,\"\",\"Sysmon\",\"\",\"\",\"Pipe Change\",\"PipeEvent (Pipe Created)\",\"Full\",\r\n18,\"\",\"Sysmon\",\"\",\"\",\"Pipe Change\",\"PipeEvent (Pipe Connected) Named pipe connection is made between a client and a server.\",\"Full\",\r\n19,\"\",\"Sysmon\",\"\",\"\",\"WMI\",\"WmiEvent (WmiEventFilter activity detected) When a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression.\",\"Full\",\r\n20,\"\",\"Sysmon\",\"\",\"\",\"WMI\",\"WmiEvent (WmiEventConsumer activity detected)\",\"Full\",\r\n21,\"\",\"Sysmon\",\"\",\"\",\"WMI\",\"WmiEvent (WmiEventConsumerToFilter activity detected)\",\"Full\",\r\n22,\"\",\"Sysmon\",\"\",\"\",\"DNS\",\"DNSEvent (DNS query)\",\"Full\",\r\n23,\"\",\"Sysmon\",\"\",\"\",\"File Delete\",\"FileDelete (A file delete was detected)\",\"Full\",\r\n24,\"\",\"Sysmon\",\"\",\"\",\"Clipboard\",\"ClipboardChange (New content in the clipboard)\",\"Full\",\r\n25,\"\",\"Sysmon\",\"\",\"\",\"Process Tamper\",\"ProcessTampering (Process image change)\",\"Full\",\r\n255,\"\",\"Sysmon\",\"\",\"\",\"Error\",\"Error. 
This event is generated when an error occurred within Sysmon.\",\"Full\",\r\n299,\"\",\"Unknown\",\"\",\"Unknown\",\"Unknown\",\"Unknown\",\"Common\",\r\n300,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n324,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n340,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n403,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n404,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n410,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n411,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n412,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n413,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n431,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n500,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n501,\"\",\"Unknown\",\"\",\"Unknown\",\"Windows Hello\",\"Unknown\",\"Common\",\r\n512,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"Windows is starting up.\",\"Full\",\r\n513,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"Windows is shutting down.\",\"Full\",\r\n514,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"An authentication package was loaded by the Local Security Authority.\",\"Full\",\r\n515,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"A trusted logon process has registered with the Local Security Authority.\",\"Full\",\r\n516,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.\",\"Full\",\r\n517,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"The audit log was 
cleared.\",\"Full\",\r\n518,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"A notification package was loaded by the Security Accounts Manager.\",\"Full\",\r\n519,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.\",\"Full\",\r\n520,\"\",\"Basic\",\"\",\"Success on DCs\",\"System Events\",\"The system time was changed. (Normally appears twice)\",\"Full\",\r\n528,\"\",\"Basic\",\"\",\"\",\"Account Logon\",\"Successful logon. The logon type is also listed in the event log\",\"Full\",\r\n560,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Access was granted to an already existing object.\",\"Full\",\r\n562,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"A handle to an object was closed.\",\"Full\",\r\n563,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"An attempt was made to open an object with the intent to delete it.\",\"Full\",\r\n564,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"A protected object was deleted.\",\"Full\",\r\n565,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Access was granted to an already existing object type.\",\"Full\",\r\n566,\"\",\"Basic\",\"\",\"Success on DCs\",\"Directory Services\",\"A generic object operation took place.\",\"Full\",\r\n567,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"A permission associated with a handle was used.\",\"Full\",\r\n568,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"An attempt was made to create a hard link to a file that is being audited.\",\"Full\",\r\n569,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"The resource manager in Authorization Manager attempted to create a client context.\",\"Full\",\r\n570,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"A client attempted to access an object.\",\"Full\",\r\n571,\"\",\"Basic\",\"\",\"No 
auditing\",\"Object Access\",\"The client context was deleted by the Authorization Manager application.\",\"Full\",\r\n572,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"The administrator manager initialized the application.\",\"Full\",\r\n576,\"\",\"Basic\",\"\",\"No auditing\",\"Privilege Use\",\"Specified privileges were added to a user's access token. (every logon)\",\"Full\",\r\n577,\"\",\"Basic\",\"\",\"No auditing\",\"Privilege Use\",\"A user attempted to perform a privileged system service operation.\",\"Full\",\r\n578,\"\",\"Basic\",\"\",\"No auditing\",\"Privilege Use\",\"Privileges were used on an already open handle to a protected object.\",\"Full\",\r\n592,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"A new process was created.\",\"Full\",\r\n593,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"A process exited.\",\"Full\",\r\n594,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"A handle to an object was duplicated.\",\"Full\",\r\n595,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"Indirect access to an object was obtained.\",\"Full\",\r\n596,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"A data protection master key was backed up.\",\"Full\",\r\n597,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"A data protection master key was recovered from a recovery server.\",\"Full\",\r\n598,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"Auditable data was protected.\",\"Full\",\r\n599,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"Auditable data was unprotected.\",\"Full\",\r\n600,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"A process was assigned a primary token.\",\"Full\",\r\n601,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"A user attempted to install a service.\",\"Full\",\r\n602,\"\",\"Basic\",\"\",\"No auditing\",\"Process Tracking\",\"A scheduler job was created.\",\"Full\",\r\n608,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy 
Change\",\"A user right was assigned.\",\"Full\",\r\n609,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"A user right was removed.\",\"Full\",\r\n610,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"A trust relationship with another domain was created.\",\"Full\",\r\n611,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"A trust relationship with another domain was removed.\",\"Full\",\r\n612,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"An audit policy was changed.\",\"Full\",\r\n613,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"An Internet Protocol security (IPSec) policy agent started.\",\"Full\",\r\n614,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"An IPSec policy agent was disabled.\",\"Full\",\r\n615,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"An IPSec policy agent changed.\",\"Full\",\r\n616,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"An IPSec policy agent encountered a potentially serious failure.\",\"Full\",\r\n617,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"A Kerberos policy changed.\",\"Full\",\r\n618,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"Encrypted Data Recovery policy changed.\",\"Full\",\r\n620,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"A trust relationship with another domain was modified.\",\"Full\",\r\n621,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"System access was granted to an account.\",\"Full\",\r\n622,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"System access was removed from an account.\",\"Full\",\r\n623,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"Per user auditing policy was set for a user.\",\"Full\",\r\n624,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A user account was created.\",\"Full\",\r\n625,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"Per user audit policy was 
refreshed.\",\"Full\",\r\n627,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A user password was changed.\",\"Full\",\r\n628,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A user password was set.\",\"Full\",\r\n630,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A user account was deleted.\",\"Full\",\r\n631,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A global group was created.\",\"Full\",\r\n632,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was added to a global group.\",\"Full\",\r\n633,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was removed from a global group.\",\"Full\",\r\n634,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A global group was deleted.\",\"Full\",\r\n635,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A new local group was created.\",\"Full\",\r\n636,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was added to a local group.\",\"Full\",\r\n637,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was removed from a local group.\",\"Full\",\r\n638,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A local group was deleted.\",\"Full\",\r\n639,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A local group account was changed.\",\"Full\",\r\n641,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A global group account was changed.\",\"Full\",\r\n642,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A user account was changed.\",\"Full\",\r\n643,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A domain policy was modified.\",\"Full\",\r\n644,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A user account was auto locked.\",\"Full\",\r\n645,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A computer account was 
created.\",\"Full\",\r\n645,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-disabled global group was changed.\",\"Full\",\r\n646,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A computer account was changed.\",\"Full\",\r\n647,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A computer account was deleted.\",\"Full\",\r\n648,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A local security group with security disabled was created.\",\"Full\",\r\n649,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A local security group with security disabled was changed.\",\"Full\",\r\n650,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was added to a security-disabled local security group.\",\"Full\",\r\n651,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was removed from a security-disabled local security group.\",\"Full\",\r\n652,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-disabled local group was deleted.\",\"Full\",\r\n653,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-disabled global group was created.\",\"Full\",\r\n655,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was added to a security-disabled global group.\",\"Full\",\r\n656,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was removed from a security-disabled global group.\",\"Full\",\r\n657,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-disabled global group was deleted.\",\"Full\",\r\n658,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-enabled universal group was created.\",\"Full\",\r\n659,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-enabled universal group was changed.\",\"Full\",\r\n660,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was added to a 
security-enabled universal group.\",\"Full\",\r\n661,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was removed from a security-enabled universal group.\",\"Full\",\r\n662,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-enabled universal group was deleted.\",\"Full\",\r\n663,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-disabled universal group was created.\",\"Full\",\r\n664,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-disabled universal group was changed.\",\"Full\",\r\n665,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was added to a security-disabled universal group.\",\"Full\",\r\n666,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A member was removed from a security-disabled universal group.\",\"Full\",\r\n667,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A security-disabled universal group was deleted.\",\"Full\",\r\n668,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"A group type was changed.\",\"Full\",\r\n672,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"An authentication service (AS) ticket was successfully issued and validated.\",\"Full\",\r\n673,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"A ticket granting service (TGS) ticket was granted.\",\"Full\",\r\n674,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"A security principal renewed an AS ticket or TGS ticket.\",\"Full\",\r\n675,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.\",\"Full\",\r\n676,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"Authentication ticket request failed. This event is not generated in Windows XP or in the Windows Server 2003 family.\",\"Full\",\r\n677,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"A TGS ticket was not granted. 
This event is not generated in Windows XP or in the Windows Server 2003 family.\",\"Full\",\r\n678,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"An account was successfully mapped to a domain account.\",\"Full\",\r\n681,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"Logon failure. A domain account logon was attempted. This event is not generated in Windows XP or in the Windows Server 2003 family.\",\"Full\",\r\n682,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"A user has reconnected to a disconnected terminal server session.\",\"Full\",\r\n683,\"\",\"Basic\",\"\",\"Success\",\"Logon Events\",\"A user disconnected a terminal server session without logging off.\",\"Full\",\r\n684,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"Set the security descriptor of members of administrative groups.\",\"Full\",\r\n685,\"\",\"Basic\",\"\",\"Success on DCs\",\"Account Management\",\"Set the security descriptor of members of administrative groups. (Recorded every 60 sec on DCs)\",\"Full\",\r\n768,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"A collision was detected between a namespace element in one forest and a namespace element in another forest.\",\"Full\",\r\n769,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"Trusted forest information was added.\",\"Full\",\r\n770,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"Trusted forest information was deleted.\",\"Full\",\r\n771,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"Trusted forest information was modified.\",\"Full\",\r\n772,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"The certificate manager denied a pending certificate request.\",\"Full\",\r\n773,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services received a resubmitted certificate request.\",\"Full\",\r\n774,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services revoked a certificate.\",\"Full\",\r\n775,\"\",\"Basic\",\"\",\"No 
auditing\",\"Object Access\",\"Certificate Services received a request to publish the certificate revocation list (CRL).\",\"Full\",\r\n776,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services published the certificate revocation list (CRL).\",\"Full\",\r\n777,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"A certificate request extension was made.\",\"Full\",\r\n778,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"One or more certificate request attributes changed.\",\"Full\",\r\n779,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services received a request to shutdown.\",\"Full\",\r\n780,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services backup started.\",\"Full\",\r\n781,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services backup completed\",\"Full\",\r\n782,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services restore started.\",\"Full\",\r\n783,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services restore completed.\",\"Full\",\r\n784,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services started.\",\"Full\",\r\n785,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services stopped.\",\"Full\",\r\n786,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"The security permissions for Certificate Services changed.\",\"Full\",\r\n787,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services retrieved an archived key.\",\"Full\",\r\n788,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services imported a certificate into its database.\",\"Full\",\r\n789,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"The audit filter for Certificate Services changed.\",\"Full\",\r\n790,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services received a certificate request.\",\"Full\",\r\n791,\"\",\"Basic\",\"\",\"No 
auditing\",\"Object Access\",\"Certificate Services approved a certificate request and issued a certificate.\",\"Full\",\r\n792,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services denied a certificate request.\",\"Full\",\r\n793,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services set the status of a certificate request to pending.\",\"Full\",\r\n794,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"The certificate manager settings for Certificate Services changed.\",\"Full\",\r\n795,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"A configuration entry changed in Certificate Services.\",\"Full\",\r\n796,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"A property of Certificate Services changed.\",\"Full\",\r\n797,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services archived a key.\",\"Full\",\r\n798,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services imported and archived a key.\",\"Full\",\r\n799,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Certificate Services published the CA certificate to Active Directory.\",\"Full\",\r\n800,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"One or more rows have been deleted from the certificate database.\",\"Full\",\r\n801,\"\",\"Basic\",\"\",\"No auditing\",\"Object Access\",\"Role separation enabled.\",\"Full\",\r\n805,\"\",\"Basic\",\"\",\"Success on DCs\",\"Policy Change\",\"The event log service read the security log configuration for a session.\",\"Full\",\r\n1100,\"\",\"Advanced\",\"Success\",\"\",\"Other Events\",\"The event logging service has shut down.\",\"Common\",\r\n1101,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"Audit events have been dropped by the transport.\",\"Full\",\r\n1102,\"\",\"Advanced\",\"Success\",\"\",\"Other Events\",\"The audit log was cleared.\",\"Minimal\",\r\n1104,\"\",\"Advanced\",\"Success\",\"\",\"Other Events\",\"The security log is now 
full.\",\"Full\",\r\n1105,\"\",\"Advanced\",\"Success\",\"\",\"Other Events\",\"Event log automatic backup.\",\"Full\",\r\n1107,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"Unknown\",\"Common\",\r\n1108,\"\",\"Advanced\",\"Success\",\"\",\"Other Events\",\"The event logging service encountered an error while processing an incoming event published from %1\",\"Common\",\r\n2825,\"\",\"\",\"Success\",\"\",\"Unknown\",\"A user was denied the access to Remote Desktop.\",\"Minimal\",\r\n4608,\"\",\"Advanced\",\"Success\",\"\",\"Security State Change\",\"Windows is starting up.\",\"Common\",\r\n4609,\"\",\"Advanced\",\"Success\",\"\",\"Security State Change\",\"Windows is shutting down\",\"Full\",\r\n4610,\"\",\"Advanced\",\"Success\",\"\",\"Security System Extension\",\"An authentication package has been loaded by the Local Security Authority.\",\"Common\",\r\n4611,\"\",\"Advanced\",\"Success\",\"\",\"Security System Extension\",\"A trusted logon process has been registered with the Local Security Authority.\",\"Common\",\r\n4612,\"\",\"Advanced\",\"Success\",\"\",\"System Integrity\",\"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.\",\"Full\",\r\n4614,\"\",\"Advanced\",\"Success\",\"\",\"Security System Extension\",\"A notification package has been loaded by the Security Account Manager.\",\"Common\",\r\n4615,\"\",\"Advanced\",\"Success\",\"\",\"System Integrity\",\"Invalid use of LPC port.\",\"Full\",\r\n4616,\"\",\"Advanced\",\"Success\",\"\",\"Security State Change\",\"The system time was changed.\",\"Full\",\r\n4618,\"\",\"Advanced\",\"Success\",\"\",\"System Integrity\",\"A monitored security event pattern has occurred.\",\"Full\",\r\n4621,\"\",\"Advanced\",\"Success\",\"\",\"Security State Change\",\"Administrator recovered system from CrashOnAuditFail.\",\"Full\",\r\n4622,\"\",\"Advanced\",\"Success\",\"\",\"Security System Extension\",\"A security package has been loaded by the Local 
Security Authority.\",\"Common\",\r\n4624,\"\",\"Basic\",\"\",\"\",\"Account Logon\",\"A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.\",\"Minimal\",\r\n4624,\"\",\"Advanced\",\"Success\",\"\",\"Logon\",\"An account was successfully logged on.\",\"Minimal\",\r\n4625,\"\",\"Basic\",\"\",\"\",\"Account Logon\",\"Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.\",\"Minimal\",\r\n4625,\"\",\"Advanced\",\"Fail\",\"\",\"Logon\",\"An account failed to log on.\",\"Minimal\",\r\n4626,\"\",\"Advanced\",\"Success\",\"\",\"User/Device Claims\",\"User/Device claims information.\",\"Full\",\r\n4627,\"\",\"Advanced\",\"Success\",\"\",\"Group Membership\",\"Group membership information\",\"Full\",\r\n4634,\"\",\"Basic\",\"\",\"\",\"Account Logon\",\"The logoff process was completed for a user.\",\"Common\",\r\n4634,\"\",\"Advanced\",\"Success\",\"\",\"Logoff\",\"An account was logged off.\",\"Common\",\r\n4646,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"0.01\",\"Full\",\r\n4647,\"\",\"Basic\",\"\",\"\",\"Account Logon\",\"A user initiated the logoff process.\",\"Common\",\r\n4647,\"\",\"Advanced\",\"Success\",\"\",\"Logoff\",\"User initiated logoff.\",\"Common\",\r\n4648,\"\",\"Basic\",\"\",\"\",\"Account Logon\",\"A user successfully logged on to a computer using explicit credentials while already logged on as a different user.\",\"Common\",\r\n4648,\"\",\"Advanced\",\"Success\",\"\",\"Logon\",\"A logon was attempted using explicit credentials.\",\"Common\",\r\n4649,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"A replay attack was detected.\",\"Common\",\r\n4650,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec Main Mode security association was established. Extended Mode was not enabled. 
Certificate authentication was not used.\",\"Full\",\r\n4651,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.\",\"Full\",\r\n4652,\"\",\"Advanced\",\"Fail\",\"\",\"IPSec\",\"An IPsec Main Mode negotiation failed.\",\"Full\",\r\n4653,\"\",\"Advanced\",\"Fail\",\"\",\"IPSec\",\"An IPsec Main Mode negotiation failed.\",\"Full\",\r\n4654,\"\",\"Advanced\",\"Fail\",\"\",\"IPSec\",\"An IPsec Quick Mode negotiation failed\",\"Full\",\r\n4655,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec Main Mode security association ended.\",\"Full\",\r\n4656,\"\",\"Advanced\",\"Either\",\"\",\"File System\",\"A handle to an object was requested.\",\"Full\",\r\n4656,\"\",\"Advanced\",\"Either\",\"\",\"Kernel Object\",\"A handle to an object was requested.\",\"Full\",\r\n4656,\"\",\"Advanced\",\"Either\",\"\",\"Registry\",\"A handle to an object was requested.\",\"Full\",\r\n4656,\"\",\"Advanced\",\"Either\",\"\",\"Removable Storage\",\"A handle to an object was requested.\",\"Full\",\r\n4657,\"\",\"Advanced\",\"Success\",\"\",\"Registry\",\"A registry value was modified.\",\"Minimal\",\r\n4658,\"\",\"Advanced\",\"Success\",\"\",\"File System\",\"The handle to an object was closed.\",\"Full\",\r\n4658,\"\",\"Advanced\",\"Success\",\"\",\"Handle Manipulation\",\"The handle to an object was closed.\",\"Full\",\r\n4658,\"\",\"Advanced\",\"Success\",\"\",\"Handle Manipulation\",\"The handle to an object was closed. 
For a description of the event, see 4658(S)\",\"Full\",\r\n4658,\"\",\"Advanced\",\"Success\",\"\",\"Kernel Object\",\"The handle to an object was closed.\",\"Full\",\r\n4658,\"\",\"Advanced\",\"Success\",\"\",\"Registry\",\"The handle to an object was closed.\",\"Full\",\r\n4658,\"\",\"Advanced\",\"Success\",\"\",\"Removable Storage\",\"The handle to an object was closed.\",\"Full\",\r\n4659,\"\",\"Advanced\",\"Success\",\"\",\"File System\",\"A handle to an object was requested with intent to delete\",\"Full\",\r\n4660,\"\",\"Advanced\",\"Success\",\"\",\"File System\",\"An object was deleted.\",\"Full\",\r\n4660,\"\",\"Advanced\",\"Success\",\"\",\"Kernel Object\",\"An object was deleted.\",\"Full\",\r\n4660,\"\",\"Advanced\",\"Success\",\"\",\"Registry\",\"An object was deleted.\",\"Full\",\r\n4661,\"\",\"Advanced\",\"Either\",\"\",\"Directory Service Access\",\"A handle to an object was requested.\",\"Common\",\r\n4661,\"\",\"Advanced\",\"Either\",\"\",\"SAM\",\"A handle to an object was requested.\",\"Common\",\r\n4662,\"\",\"Advanced\",\"Either\",\"\",\"Directory Service Access\",\"An operation was performed on an object.\",\"Common\",\r\n4663,\"\",\"Advanced\",\"Success\",\"\",\"File System\",\"An attempt was made to access an object.\",\"Minimal\",\r\n4663,\"\",\"Advanced\",\"Success\",\"\",\"Kernel Object\",\"An attempt was made to access an object.\",\"Minimal\",\r\n4663,\"\",\"Advanced\",\"Success\",\"\",\"Registry\",\"An attempt was made to access an object.\",\"Minimal\",\r\n4663,\"\",\"Advanced\",\"Success\",\"\",\"Removable Storage\",\"An attempt was made to access an object.\",\"Minimal\",\r\n4664,\"\",\"Advanced\",\"Success\",\"\",\"File System\",\"An attempt was made to create a hard link.\",\"Full\",\r\n4665,\"\",\"Advanced\",\"\",\"\",\"Application Generated\",\"An attempt was made to create an application client context.\",\"Common\",\r\n4666,\"\",\"Advanced\",\"\",\"\",\"Application Generated\",\"An application attempted an 
operation.\",\"Common\",\r\n4667,\"\",\"Advanced\",\"\",\"\",\"Application Generated\",\"An application client context was deleted.\",\"Common\",\r\n4668,\"\",\"Advanced\",\"\",\"\",\"Application Generated\",\"An application was initialized.\",\"Full\",\r\n4670,\"\",\"Advanced\",\"Success\",\"\",\"File System\",\"Permissions on an object were changed.\",\"Common\",\r\n4670,\"\",\"Advanced\",\"Success\",\"\",\"Registry\",\"Permissions on an object were changed.\",\"Common\",\r\n4670,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"Permissions on an object were changed\",\"Common\",\r\n4670,\"\",\"Advanced\",\"Success\",\"\",\"Authorization Policy\",\"Permissions on an object were changed.\",\"Common\",\r\n4671,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"An application attempted to access a blocked ordinal through the TBS.\",\"Full\",\r\n4672,\"\",\"Advanced\",\"Success\",\"\",\"Special Logon\",\"Special privileges assigned to new logon.\",\"Common\",\r\n4673,\"\",\"Advanced\",\"Either\",\"\",\"Sensitive Privilege Use\",\"A privileged service was called.\",\"Common\",\r\n4673,\"\",\"Advanced\",\"Either\",\"\",\"Non-Sensitive Privilege Use\",\"A privileged service was called.\",\"Common\",\r\n4674,\"\",\"Advanced\",\"Either\",\"\",\"Sensitive Privilege Use\",\"An operation was attempted on a privileged object.\",\"Common\",\r\n4674,\"\",\"Advanced\",\"Either\",\"\",\"Non-Sensitive Privilege Use\",\"An operation was attempted on a privileged object.\",\"Common\",\r\n4675,\"\",\"Advanced\",\"Success\",\"\",\"Logon\",\"SIDs were filtered.\",\"Common\",\r\n4688,\"\",\"Advanced\",\"Success\",\"\",\"Process Creation\",\"A new process has been created.\",\"Minimal\",\r\n4689,\"\",\"Advanced\",\"Success\",\"\",\"Process Termination\",\"A process has exited.\",\"Common\",\r\n4690,\"\",\"Advanced\",\"Success\",\"\",\"Handle Manipulation\",\"An attempt was made to duplicate a handle to an 
object.\",\"Full\",\r\n4691,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"Indirect access to an object was requested.\",\"Full\",\r\n4692,\"\",\"Advanced\",\"Either\",\"\",\"DPAPI Activity\",\"Backup of data protection master key was attempted.\",\"Full\",\r\n4693,\"\",\"Advanced\",\"Either\",\"\",\"DPAPI Activity\",\"Recovery of data protection master key was attempted.\",\"Full\",\r\n4694,\"\",\"Advanced\",\"Either\",\"\",\"DPAPI Activity\",\"Protection of auditable protected data was attempted.\",\"Full\",\r\n4695,\"\",\"Advanced\",\"Either\",\"\",\"DPAPI Activity\",\"Unprotection of auditable protected data was attempted.\",\"Full\",\r\n4696,\"\",\"Advanced\",\"Success\",\"\",\"Process Creation\",\"A primary token was assigned to process.\",\"Full\",\r\n4697,\"\",\"Advanced\",\"Success\",\"\",\"Security System Extension\",\"A service was installed in the system.\",\"Common\",\r\n4698,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"A scheduled task was created.\",\"Full\",\r\n4699,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"A scheduled task was deleted.\",\"Full\",\r\n4700,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"A scheduled task was enabled.\",\"Minimal\",\r\n4701,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"A scheduled task was disabled.\",\"Full\",\r\n4702,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"A scheduled task was updated.\",\"Minimal\",\r\n4703,\"\",\"Advanced\",\"Success\",\"\",\"Token Right\",\"A user right was adjusted.\",\"Full\",\r\n4703,\"\",\"Advanced\",\"Success\",\"\",\"Authorization Policy\",\"A user right was adjusted.\",\"Full\",\r\n4704,\"\",\"Advanced\",\"Success\",\"\",\"Authorization Policy\",\"A user right was assigned.\",\"Common\",\r\n4705,\"\",\"Advanced\",\"Success\",\"\",\"Authorization Policy\",\"A user right was removed.\",\"Common\",\r\n4706,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"A new trust was created to a 
domain.\",\"Full\",\r\n4707,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"A trust to a domain was removed.\",\"Full\",\r\n4709,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"IPsec Services was started.\",\"Full\",\r\n4710,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"IPsec Services was disabled.\",\"Full\",\r\n4711,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"May contain any one of the following\",\"Full\",\r\n4712,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"IPsec Services encountered a potentially serious failure.\",\"Full\",\r\n4713,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"Kerberos policy was changed.\",\"Full\",\r\n4714,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"Encrypted data recovery policy was changed.\",\"Full\",\r\n4715,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"The audit policy (SACL) on an object was changed.\",\"Full\",\r\n4716,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"Trusted domain information was modified.\",\"Common\",\r\n4717,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"System security access was granted to an account.\",\"Common\",\r\n4718,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"System security access was removed from an account.\",\"Common\",\r\n4719,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"System audit policy was changed.\",\"Minimal\",\r\n4720,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"A user account was created.\",\"Minimal\",\r\n4722,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"A user account was enabled.\",\"Minimal\",\r\n4723,\"\",\"Advanced\",\"Either\",\"\",\"User Account\",\"An attempt was made to change an account's password.\",\"Minimal\",\r\n4724,\"\",\"Advanced\",\"Either\",\"\",\"User Account\",\"An attempt was made to reset an account's 
password.\",\"Minimal\",\r\n4725,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"A user account was disabled.\",\"Common\",\r\n4726,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"A user account was deleted.\",\"Common\",\r\n4727,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled global group was created. See event 4731\",\"Minimal\",\r\n4728,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A member was added to a security-enabled global group. See event 4732\",\"Minimal\",\r\n4729,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A member was removed from a security-enabled global group. See event 4733\",\"Common\",\r\n4730,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled global group was deleted. See event 4734\",\"Full\",\r\n4731,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled local group was created.\",\"Full\",\r\n4732,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A member was added to a security-enabled local group.\",\"Minimal\",\r\n4733,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A member was removed from a security-enabled local group.\",\"Common\",\r\n4734,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled local group was deleted.\",\"Full\",\r\n4735,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled local group was changed.\",\"Minimal\",\r\n4737,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled global group was changed. 
See event 4735\",\"Minimal\",\r\n4738,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"A user account was changed.\",\"Common\",\r\n4739,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"Domain Policy was changed.\",\"Minimal\",\r\n4740,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"A user account was locked out.\",\"Minimal\",\r\n4741,\"\",\"Advanced\",\"Success\",\"\",\"Computer Account\",\"A computer account was created.\",\"Full\",\r\n4742,\"\",\"Advanced\",\"Success\",\"\",\"Computer Account\",\"A computer account was changed.\",\"Common\",\r\n4743,\"\",\"Advanced\",\"Success\",\"\",\"Computer Account\",\"A computer account was deleted.\",\"Full\",\r\n4744,\"\",\"Advanced\",\"Success\",\"\",\"Account Management\",\"A security-disabled local group was created\",\"Common\",\r\n4745,\"\",\"Advanced\",\"Success\",\"\",\"Account Management\",\"A security-disabled local group was changed\",\"Common\",\r\n4746,\"\",\"Advanced\",\"Success\",\"\",\"Account Management\",\"A member was added to a security-disabled local group\",\"Common\",\r\n4747,\"\",\"Advanced\",\"Success\",\"\",\"Account Management\",\"A member was removed from a security-disabled local group\",\"Full\",\r\n4748,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A security-disabled local group was deleted\",\"Full\",\r\n4749,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A security-disabled global group was created.\",\"Full\",\r\n4750,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A security-disabled global group was changed.\",\"Common\",\r\n4751,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A member was added to a security-disabled global group.\",\"Common\",\r\n4752,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A member was removed from a security-disabled global group.\",\"Common\",\r\n4753,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A security-disabled global group was 
deleted.\",\"Full\",\r\n4754,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled universal group was created. See event 4731\",\"Minimal\",\r\n4755,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled universal group was changed. See event 4735\",\"Minimal\",\r\n4756,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A member was added to a security-enabled universal group. See event 4732\",\"Minimal\",\r\n4757,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A member was removed from a security-enabled universal group. See event 4733\",\"Common\",\r\n4758,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled universal group was deleted. See event 4734\",\"Full\",\r\n4759,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A security-disabled universal group was created. See event 4749\",\"Full\",\r\n4760,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A security-disabled universal group was changed. See event 4750\",\"Common\",\r\n4761,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A member was added to a security-disabled universal group. See event 4751\",\"Common\",\r\n4762,\"\",\"Advanced\",\"Success\",\"\",\"Distribution Group\",\"A member was removed from a security-disabled universal group. 
See event 4752\",\"Common\",\r\n4763,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-disabled universal group was deleted\",\"Full\",\r\n4764,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A group’s type was changed.\",\"Common\",\r\n4765,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"SID History was added to an account.\",\"Full\",\r\n4766,\"\",\"Advanced\",\"Fail\",\"\",\"User Account\",\"An attempt to add SID History to an account failed.\",\"Full\",\r\n4767,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"A user account was unlocked.\",\"Minimal\",\r\n4768,\"\",\"Advanced\",\"Either\",\"\",\"Kerberos\",\"A Kerberos authentication ticket (TGT) was requested.\",\"Common\",\r\n4769,\"\",\"Advanced\",\"Either\",\"\",\"Kerberos\",\"A Kerberos service ticket was requested.\",\"Full\",\r\n4770,\"\",\"Advanced\",\"Success\",\"\",\"Kerberos\",\"A Kerberos service ticket was renewed.\",\"Full\",\r\n4771,\"\",\"Advanced\",\"Fail\",\"\",\"Kerberos\",\"Kerberos pre-authentication failed.\",\"Common\",\r\n4772,\"\",\"Advanced\",\"Fail\",\"\",\"Kerberos\",\"A Kerberos authentication ticket request failed.\",\"Full\",\r\n4773,\"\",\"Advanced\",\"Fail\",\"\",\"Kerberos\",\"A Kerberos service ticket request failed.\",\"Full\",\r\n4774,\"\",\"Advanced\",\"Either\",\"\",\"Credential Validation\",\"An account was mapped for logon.\",\"Common\",\r\n4775,\"\",\"Advanced\",\"Fail\",\"\",\"Credential Validation\",\"An account could not be mapped for logon.\",\"Full\",\r\n4776,\"\",\"Advanced\",\"Either\",\"\",\"Credential Validation\",\"The computer attempted to validate the credentials for an account.\",\"Full\",\r\n4777,\"\",\"Advanced\",\"Fail\",\"\",\"Credential Validation\",\"The domain controller failed to validate the credentials for an account.\",\"Full\",\r\n4778,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"A session was reconnected to a Window Station.\",\"Common\",\r\n4779,\"\",\"Basic\",\"\",\"\",\"Account Logon\",\"A 
user disconnected a terminal server session without logging off.\",\"Common\",\r\n4779,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"A session was disconnected from a Window Station.\",\"Full\",\r\n4780,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"The ACL was set on accounts which are members of administrators groups.\",\"Full\",\r\n4781,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"The name of an account was changed.\",\"Common\",\r\n4782,\"\",\"Advanced\",\"Success\",\"\",\"Other Account Mgmt\",\"The password hash of an account was accessed.\",\"Full\",\r\n4783,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"A basic application group was created.\",\"Full\",\r\n4784,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"A basic application group was changed.\",\"Full\",\r\n4785,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"A member was added to a basic application group.\",\"Full\",\r\n4786,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"A member was removed from a basic application group.\",\"Full\",\r\n4787,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"A non-member was added to a basic application group.\",\"Full\",\r\n4788,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"A non-member was removed from a basic application group.\",\"Full\",\r\n4789,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"A basic application group was deleted.\",\"Full\",\r\n4790,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"An LDAP query group was created.\",\"Full\",\r\n4791,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"An LDAP query group was changed.\",\"Full\",\r\n4792,\"\",\"Advanced\",\"Success\",\"\",\"App Group Mgmt\",\"An LDAP query group was deleted.\",\"Full\",\r\n4793,\"\",\"Advanced\",\"Success\",\"\",\"Other Account Mgmt\",\"The Password Policy Checking API was called.\",\"Common\",\r\n4794,\"\",\"Advanced\",\"Either\",\"\",\"User Account\",\"An attempt was made to set the 
Directory Services Restore Mode administrator password.\",\"Full\",\r\n4797,\"\",\"\",\"Success\",\"\",\"User Account\",\"An attempt was made to query the existence of a blank password for an account\",\"Common\",\r\n4798,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"A user's local group membership was enumerated.\",\"Common\",\r\n4799,\"\",\"Advanced\",\"Success\",\"\",\"Security Group\",\"A security-enabled local group membership was enumerated.\",\"Minimal\",\r\n4800,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"The workstation was locked.\",\"Common\",\r\n4801,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"The workstation was unlocked.\",\"Common\",\r\n4802,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"The screen saver was invoked.\",\"Common\",\r\n4803,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"The screen saver was dismissed.\",\"Common\",\r\n4816,\"\",\"Advanced\",\"Success\",\"\",\"System Integrity\",\"RPC detected an integrity violation while decrypting an incoming message.\",\"Full\",\r\n4817,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"Auditing settings on object were changed.\",\"Full\",\r\n4818,\"\",\"Advanced\",\"Success\",\"\",\"Access Policy Staging\",\"Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.\",\"Full\",\r\n4819,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"Central Access Policies on the machine have been changed.\",\"Full\",\r\n4820,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions\",\"Full\",\r\n4821,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions\",\"Full\",\r\n4822,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy 
Change\",\"NTLM authentication failed because the account was a member of the Protected User group\",\"Full\",\r\n4823,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"NTLM authentication failed because access control restrictions are required\",\"Full\",\r\n4824,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group\",\"Full\",\r\n4825,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group\",\"Full\",\r\n4826,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"Boot Configuration Data loaded.\",\"Common\",\r\n4830,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"SID History was removed from an account\",\"Full\",\r\n4864,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"A namespace collision was detected.\",\"Full\",\r\n4865,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"A trusted forest information entry was added.\",\"Full\",\r\n4866,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"A trusted forest information entry was removed.\",\"Full\",\r\n4867,\"\",\"Advanced\",\"Success\",\"\",\"Authentication Policy\",\"A trusted forest information entry was modified.\",\"Full\",\r\n4868,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"The certificate manager denied a pending certificate request.\",\"Full\",\r\n4869,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services received a resubmitted certificate request.\",\"Full\",\r\n4870,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services revoked a certificate.\",\"Common\",\r\n4871,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services received a request to publish the 
certificate revocation list (CRL).\",\"Full\",\r\n4872,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services published the certificate revocation list (CRL).\",\"Full\",\r\n4873,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"A certificate request extension changed.\",\"Full\",\r\n4874,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"One or more certificate request attributes changed.\",\"Full\",\r\n4875,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services received a request to shut down.\",\"Full\",\r\n4876,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services backup started.\",\"Full\",\r\n4877,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services backup completed.\",\"Full\",\r\n4878,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services restore started.\",\"Full\",\r\n4879,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services restore completed.\",\"Full\",\r\n4880,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services started.\",\"Full\",\r\n4881,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services stopped.\",\"Full\",\r\n4882,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"The security permissions for Certificate Services changed.\",\"Full\",\r\n4883,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services retrieved an archived key.\",\"Full\",\r\n4884,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services imported a certificate into its database.\",\"Full\",\r\n4885,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"The audit filter for Certificate Services changed.\",\"Full\",\r\n4886,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services received a certificate request.\",\"Common\",\r\n4887,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services 
approved a certificate request and issued a certificate.\",\"Common\",\r\n4888,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services denied a certificate request.\",\"Common\",\r\n4889,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services set the status of a certificate request to pending.\",\"Full\",\r\n4890,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"The certificate manager settings for Certificate Services changed.\",\"Full\",\r\n4891,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"A configuration entry changed in Certificate Services.\",\"Full\",\r\n4892,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"A property of Certificate Services changed.\",\"Full\",\r\n4893,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services archived a key.\",\"Common\",\r\n4894,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services imported and archived a key.\",\"Full\",\r\n4895,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services published the CA certificate to Active Directory Domain Services.\",\"Full\",\r\n4896,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"One or more rows have been deleted from the certificate database.\",\"Full\",\r\n4897,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Role separation enabled.\",\"Full\",\r\n4898,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services loaded a template.\",\"Common\",\r\n4899,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"A Certificate Services template was updated\",\"Full\",\r\n4900,\"\",\"Advanced\",\"\",\"\",\"Certification Services\",\"Certificate Services template security was updated\",\"Full\",\r\n4902,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"The Per-user audit policy table was created.\",\"Common\",\r\n4904,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"An attempt was made to register a 
security event source.\",\"Common\",\r\n4905,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"An attempt was made to unregister a security event source.\",\"Common\",\r\n4906,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"The CrashOnAuditFail value has changed.\",\"Full\",\r\n4907,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"Auditing settings on object were changed.\",\"Common\",\r\n4908,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"Special Groups Logon table modified.\",\"Full\",\r\n4909,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"The local policy settings for the TBS were changed.\",\"Full\",\r\n4910,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"The group policy settings for the TBS were changed.\",\"Full\",\r\n4911,\"\",\"Advanced\",\"Success\",\"\",\"Authorization Policy\",\"Resource attributes of the object were changed.\",\"Full\",\r\n4912,\"\",\"Advanced\",\"Success\",\"\",\"Audit Policy Change\",\"Per User Audit Policy was changed.\",\"Full\",\r\n4913,\"\",\"Advanced\",\"Success\",\"\",\"Authorization Policy\",\"Central Access Policy on the object was changed.\",\"Full\",\r\n4928,\"\",\"Advanced\",\"Either\",\"\",\"DS Replication\",\"An Active Directory replica source naming context was established.\",\"Full\",\r\n4929,\"\",\"Advanced\",\"Either\",\"\",\"DS Replication\",\"An Active Directory replica source naming context was removed.\",\"Full\",\r\n4930,\"\",\"Advanced\",\"Either\",\"\",\"DS Replication\",\"An Active Directory replica source naming context was modified.\",\"Full\",\r\n4931,\"\",\"Advanced\",\"Either\",\"\",\"DS Replication\",\"An Active Directory replica destination naming context was modified.\",\"Common\",\r\n4932,\"\",\"Advanced\",\"Success\",\"\",\"DS Replication\",\"Synchronization of a replica of an Active Directory naming context has begun.\",\"Common\",\r\n4933,\"\",\"Advanced\",\"Either\",\"\",\"DS Replication\",\"Synchronization of a replica 
of an Active Directory naming context has ended.\",\"Common\",\r\n4934,\"\",\"Advanced\",\"Success\",\"\",\"DS Replication\",\"Attributes of an Active Directory object were replicated.\",\"Full\",\r\n4935,\"\",\"Advanced\",\"Fail\",\"\",\"DS Replication\",\"Replication failure begins.\",\"Full\",\r\n4936,\"\",\"Advanced\",\"Success\",\"\",\"DS Replication\",\"Replication failure ends.\",\"Full\",\r\n4937,\"\",\"Advanced\",\"Success\",\"\",\"DS Replication\",\"A lingering object was removed from a replica.\",\"Full\",\r\n4944,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"The following policy was active when the Windows Firewall started.\",\"Full\",\r\n4945,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"A rule was listed when the Windows Firewall started.\",\"Full\",\r\n4946,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"A change has been made to Windows Firewall exception list. A rule was added.\",\"Minimal\",\r\n4947,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"A change has been made to Windows Firewall exception list. A rule was modified.\",\"Full\",\r\n4948,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"A change has been made to Windows Firewall exception list. A rule was deleted.\",\"Minimal\",\r\n4949,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"Windows Firewall settings were restored to the default values.\",\"Full\",\r\n4950,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"A Windows Firewall setting has changed.\",\"Full\",\r\n4951,\"\",\"Advanced\",\"Fail\",\"\",\"MPSSVC Policy Change\",\"A rule has been ignored because its major version number was not recognized by Windows Firewall.\",\"Full\",\r\n4952,\"\",\"Advanced\",\"Fail\",\"\",\"MPSSVC Policy Change\",\"Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. 
The other parts of the rule will be enforced.\",\"Full\",\r\n4953,\"\",\"Advanced\",\"Fail\",\"\",\"MPSSVC Policy Change\",\"A rule has been ignored by Windows Firewall because it could not parse the rule.\",\"Full\",\r\n4954,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"Windows Firewall Group Policy settings have changed. The new settings have been applied.\",\"Full\",\r\n4956,\"\",\"Advanced\",\"Success\",\"\",\"MPSSVC Policy Change\",\"Windows Firewall has changed the active profile.\",\"Minimal\",\r\n4957,\"\",\"Advanced\",\"Fail\",\"\",\"MPSSVC Policy Change\",\"Windows Firewall did not apply the following rule\",\"Full\",\r\n4958,\"\",\"Advanced\",\"Fail\",\"\",\"MPSSVC Policy Change\",\"Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer\",\"Full\",\r\n4960,\"\",\"Advanced\",\"Success\",\"\",\"IPsec Driver\",\"IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.\",\"Full\",\r\n4961,\"\",\"Advanced\",\"Success\",\"\",\"IPsec Driver\",\"IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.\",\"Full\",\r\n4962,\"\",\"Advanced\",\"Success\",\"\",\"IPsec Driver\",\"IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.\",\"Full\",\r\n4963,\"\",\"Advanced\",\"Success\",\"\",\"IPsec Driver\",\"IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. 
This could also be a spoofing attack attempt.\",\"Full\",\r\n4964,\"\",\"Advanced\",\"Success\",\"\",\"Special Logon\",\"Special groups have been assigned to a new logon.\",\"Full\",\r\n4965,\"\",\"Advanced\",\"Success\",\"\",\"IPsec Driver\",\"IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.\",\"Full\",\r\n4976,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.\",\"Full\",\r\n4977,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.\",\"Full\",\r\n4978,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"During Extended Mode negotiation, IPsec received an invalid negotiation packet. 
If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.\",\"Full\",\r\n4979,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"IPsec Main Mode and Extended Mode security associations were established.\",\"Full\",\r\n4980,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"IPsec Main Mode and Extended Mode security associations were established.\",\"Full\",\r\n4981,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"IPsec Main Mode and Extended Mode security associations were established.\",\"Full\",\r\n4982,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"IPsec Main Mode and Extended Mode security associations were established.\",\"Full\",\r\n4983,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.\",\"Full\",\r\n4984,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.\",\"Full\",\r\n4985,\"\",\"Advanced\",\"Success\",\"\",\"File System\",\"The state of a transaction has changed.\",\"Common\",\r\n4985,\"\",\"Advanced\",\"Success\",\"\",\"Sensitive Privilege Use\",\"The state of a transaction has changed.\",\"Common\",\r\n4985,\"\",\"Advanced\",\"Success\",\"\",\"Non-Sensitive Privilege Use\",\"The state of a transaction has changed.\",\"Common\",\r\n4985,\"\",\"Advanced\",\"Success\",\"\",\"Other Privilege Use\",\"The state of a transaction has changed.\",\"Common\",\r\n5024,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"The Windows Firewall Service has started successfully.\",\"Minimal\",\r\n5025,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"The Windows Firewall Service has been stopped.\",\"Full\",\r\n5027,\"\",\"Advanced\",\"Fail\",\"\",\"Other System Events\",\"The Windows Firewall Service was unable to retrieve the security policy from the local storage. 
The service will continue enforcing the current policy.\",\"Full\",\r\n5028,\"\",\"Advanced\",\"Fail\",\"\",\"Other System Events\",\"The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.\",\"Full\",\r\n5029,\"\",\"Advanced\",\"Fail\",\"\",\"Other System Events\",\"The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.\",\"Full\",\r\n5030,\"\",\"Advanced\",\"Fail\",\"\",\"Other System Events\",\"The Windows Firewall Service failed to start.\",\"Full\",\r\n5031,\"\",\"Advanced\",\"Fail\",\"\",\"Filtering Platform\",\"The Windows Firewall Service blocked an application from accepting incoming connections on the network.\",\"Full\",\r\n5032,\"\",\"Advanced\",\"Fail\",\"\",\"Other System Events\",\"Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.\",\"Full\",\r\n5033,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"The Windows Firewall Driver has started successfully.\",\"Minimal\",\r\n5034,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"The Windows Firewall Driver was stopped.\",\"Full\",\r\n5035,\"\",\"Advanced\",\"Fail\",\"\",\"Other System Events\",\"The Windows Firewall Driver failed to start.\",\"Full\",\r\n5037,\"\",\"Advanced\",\"Fail\",\"\",\"Other System Events\",\"The Windows Firewall Driver detected critical runtime error. Terminating.\",\"Full\",\r\n5038,\"\",\"Advanced\",\"Fail\",\"\",\"System Integrity\",\"Code integrity determined that the image hash of a file is not valid. 
The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\",\"Full\",\r\n5039,\"\",\"Advanced\",\"Success\",\"\",\"Registry\",\"A registry key was virtualized.\",\"Full\",\r\n5040,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. An Authentication Set was added.\",\"Full\",\r\n5041,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. An Authentication Set was modified.\",\"Full\",\r\n5042,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. An Authentication Set was deleted.\",\"Full\",\r\n5043,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. A Connection Security Rule was added.\",\"Full\",\r\n5044,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. A Connection Security Rule was modified.\",\"Full\",\r\n5045,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. A Connection Security Rule was deleted.\",\"Full\",\r\n5046,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. A Crypto Set was added.\",\"Full\",\r\n5047,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. A Crypto Set was modified.\",\"Full\",\r\n5048,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A change has been made to IPsec settings. 
A Crypto Set was deleted.\",\"Full\",\r\n5049,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec Security Association was deleted.\",\"Full\",\r\n5050,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE\",\"Full\",\r\n5051,\"\",\"Advanced\",\"Success\",\"\",\"File System\",\"A file was virtualized.\",\"Full\",\r\n5056,\"\",\"Advanced\",\"Success\",\"\",\"System Integrity\",\"A cryptographic self-test was performed.\",\"Full\",\r\n5057,\"\",\"Advanced\",\"Fail\",\"\",\"System Integrity\",\"A cryptographic primitive operation failed.\",\"Full\",\r\n5058,\"\",\"Advanced\",\"Either\",\"\",\"Other System Events\",\"Key file operation.\",\"Full\",\r\n5059,\"\",\"Advanced\",\"Either\",\"\",\"Other System Events\",\"Key migration operation.\",\"Common\",\r\n5060,\"\",\"Advanced\",\"Fail\",\"\",\"System Integrity\",\"Verification operation failed.\",\"Full\",\r\n5061,\"\",\"Advanced\",\"Either\",\"\",\"System Integrity\",\"Cryptographic operation.\",\"Full\",\r\n5062,\"\",\"Advanced\",\"Success\",\"\",\"System Integrity\",\"A kernel-mode cryptographic self-test was performed.\",\"Full\",\r\n5063,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A cryptographic provider operation was attempted.\",\"Full\",\r\n5064,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A cryptographic context operation was attempted.\",\"Full\",\r\n5065,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A cryptographic context modification was attempted.\",\"Full\",\r\n5066,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A cryptographic function operation was attempted.\",\"Full\",\r\n5067,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A cryptographic function modification was attempted.\",\"Full\",\r\n5068,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A cryptographic function provider operation was 
attempted.\",\"Full\",\r\n5069,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A cryptographic function property operation was attempted.\",\"Full\",\r\n5070,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A cryptographic function property modification was attempted.\",\"Full\",\r\n5071,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"Key access denied by Microsoft key distribution service\",\"Full\",\r\n5120,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"OCSP Responder Service Started\",\"Full\",\r\n5121,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"OCSP Responder Service Stopped\",\"Full\",\r\n5122,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A Configuration entry changed in the OCSP Responder Service\",\"Full\",\r\n5123,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A configuration entry changed in the OCSP Responder Service\",\"Full\",\r\n5124,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A security setting was updated on OCSP Responder Service\",\"Full\",\r\n5125,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"A request was submitted to OCSP Responder Service\",\"Full\",\r\n5126,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"Signing Certificate was automatically updated by the OCSP Responder Service\",\"Full\",\r\n5127,\"\",\"Advanced\",\"Either\",\"\",\"Other Policy Change\",\"The OCSP Revocation Provider successfully updated the revocation information\",\"Full\",\r\n5136,\"\",\"Advanced\",\"Success\",\"\",\"Directory Service Changes\",\"A directory service object was modified.\",\"Common\",\r\n5137,\"\",\"Advanced\",\"Success\",\"\",\"Directory Service Changes\",\"A directory service object was created.\",\"Common\",\r\n5138,\"\",\"Advanced\",\"Success\",\"\",\"Directory Service Changes\",\"A directory service object was undeleted.\",\"Full\",\r\n5139,\"\",\"Advanced\",\"Success\",\"\",\"Directory Service Changes\",\"A directory 
service object was moved.\",\"Full\",\r\n5140,\"\",\"Advanced\",\"Either\",\"\",\"File Share\",\"A network share object was accessed.\",\"Common\",\r\n5141,\"\",\"Advanced\",\"Success\",\"\",\"Directory Service Changes\",\"A directory service object was deleted.\",\"Full\",\r\n5142,\"\",\"Advanced\",\"Success\",\"\",\"File Share\",\"A network share object was added.\",\"Full\",\r\n5143,\"\",\"Advanced\",\"Success\",\"\",\"File Share\",\"A network share object was modified.\",\"Full\",\r\n5144,\"\",\"Advanced\",\"Success\",\"\",\"File Share\",\"A network share object was deleted.\",\"Full\",\r\n5145,\"\",\"Advanced\",\"Either\",\"\",\"File Share\",\"A network share object was checked to see whether client can be granted desired access.\",\"Common\",\r\n5146,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"The Windows Filtering Platform has blocked a packet\",\"Full\",\r\n5147,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"A more restrictive Windows Filtering Platform filter has blocked a packet\",\"Full\",\r\n5148,\"\",\"Advanced\",\"Fail\",\"\",\"Other Object Access\",\"The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.\",\"Full\",\r\n5149,\"\",\"Advanced\",\"Fail\",\"\",\"Other Object Access\",\"The DoS attack has subsided and normal processing is being resumed.\",\"Full\",\r\n5150,\"\",\"Advanced\",\"Success\",\"\",\"Filtering Platform\",\"The Windows Filtering Platform blocked a packet.\",\"Full\",\r\n5151,\"\",\"Advanced\",\"Success\",\"\",\"Filtering Platform\",\"A more restrictive Windows Filtering Platform filter has blocked a packet.\",\"Full\",\r\n5152,\"\",\"Advanced\",\"Fail\",\"\",\"Filtering Platform\",\"The Windows Filtering Platform blocked a packet.\",\"Full\",\r\n5153,\"\",\"Advanced\",\"Success\",\"\",\"Filtering Platform\",\"A more restrictive Windows Filtering Platform filter has blocked a 
packet.\",\"Full\",\r\n5154,\"\",\"Advanced\",\"Success\",\"\",\"Filtering Platform\",\"The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.\",\"Full\",\r\n5155,\"\",\"Advanced\",\"Fail\",\"\",\"Filtering Platform\",\"The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.\",\"Full\",\r\n5156,\"\",\"Advanced\",\"Success\",\"\",\"Filtering Platform\",\"The Windows Filtering Platform has permitted a connection.\",\"Full\",\r\n5157,\"\",\"Advanced\",\"Fail\",\"\",\"Filtering Platform\",\"The Windows Filtering Platform has blocked a connection.\",\"Full\",\r\n5158,\"\",\"Advanced\",\"Success\",\"\",\"Filtering Platform\",\"The Windows Filtering Platform has permitted a bind to a local port.\",\"Full\",\r\n5159,\"\",\"Advanced\",\"Fail\",\"\",\"Filtering Platform\",\"The Windows Filtering Platform has blocked a bind to a local port.\",\"Full\",\r\n5168,\"\",\"Advanced\",\"Fail\",\"\",\"File Share\",\"SPN check for SMB/SMB2 failed.\",\"Full\",\r\n5169,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"A directory service object was modified\",\"Full\",\r\n5170,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"A directory service object was modified during a background cleanup task\",\"Full\",\r\n5376,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"Credential Manager credentials were backed up.\",\"Full\",\r\n5377,\"\",\"Advanced\",\"Success\",\"\",\"User Account\",\"Credential Manager credentials were restored from a backup.\",\"Full\",\r\n5378,\"\",\"Advanced\",\"Fail\",\"\",\"Other Logon/Logoff\",\"The requested credentials delegation was disallowed by policy.\",\"Full\",\r\n5379,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"Credential Manager credentials were read\",\"Full\",\r\n5380,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"Vault Find Credential\",\"Full\",\r\n5381,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"Vault credentials 
were read\",\"Full\",\r\n5382,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"Vault credentials were read\",\"Full\",\r\n5440,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"The following callout was present when the Windows Filtering Platform Base Filtering Engine started.\",\"Full\",\r\n5441,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"The following filter was present when the Windows Filtering Platform Base Filtering Engine started.\",\"Full\",\r\n5442,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"The following provider was present when the Windows Filtering Platform Base Filtering Engine started.\",\"Full\",\r\n5443,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.\",\"Full\",\r\n5444,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.\",\"Full\",\r\n5446,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A Windows Filtering Platform callout has been changed.\",\"Full\",\r\n5447,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"A Windows Filtering Platform filter has been changed.\",\"Full\",\r\n5448,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A Windows Filtering Platform provider has been changed.\",\"Full\",\r\n5449,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A Windows Filtering Platform provider context has been changed.\",\"Full\",\r\n5450,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"A Windows Filtering Platform sub-layer has been changed.\",\"Full\",\r\n5451,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec Quick Mode security association was established.\",\"Full\",\r\n5452,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec Quick Mode security association 
ended.\",\"Full\",\r\n5453,\"\",\"Advanced\",\"Success\",\"\",\"IPSec\",\"An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.\",\"Full\",\r\n5456,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine applied Active Directory storage IPsec policy on the computer.\",\"Full\",\r\n5457,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.\",\"Full\",\r\n5458,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.\",\"Full\",\r\n5459,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.\",\"Full\",\r\n5460,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine applied local registry storage IPsec policy on the computer.\",\"Full\",\r\n5461,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine failed to apply local registry storage IPsec policy on the computer.\",\"Full\",\r\n5462,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine failed to apply some rules of the active IPsec policy on the computer. 
Use the IP Security Monitor snap-in to diagnose the problem.\",\"Full\",\r\n5463,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine polled for changes to the active IPsec policy and detected no changes.\",\"Full\",\r\n5464,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.\",\"Full\",\r\n5465,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.\",\"Full\",\r\n5466,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.\",\"Full\",\r\n5467,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.\",\"Full\",\r\n5468,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. 
The cached copy of the Active Directory IPsec policy is no longer being used.\",\"Full\",\r\n5471,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine loaded local storage IPsec policy on the computer.\",\"Full\",\r\n5472,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine failed to load local storage IPsec policy on the computer.\",\"Full\",\r\n5473,\"\",\"Advanced\",\"Success\",\"\",\"Platform Policy Change\",\"PAStore Engine loaded directory storage IPsec policy on the computer.\",\"Full\",\r\n5474,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine failed to load directory storage IPsec policy on the computer.\",\"Full\",\r\n5477,\"\",\"Advanced\",\"Fail\",\"\",\"Platform Policy Change\",\"PAStore Engine failed to add quick mode filter.\",\"Full\",\r\n5478,\"\",\"Advanced\",\"Success\",\"\",\"IPsec Driver\",\"IPsec Services has started successfully.\",\"Full\",\r\n5479,\"\",\"Advanced\",\"Success\",\"\",\"IPsec Driver\",\"IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.\",\"Full\",\r\n5480,\"\",\"Advanced\",\"Fail\",\"\",\"IPsec Driver\",\"IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.\",\"Full\",\r\n5483,\"\",\"Advanced\",\"Fail\",\"\",\"IPsec Driver\",\"IPsec Services failed to initialize RPC server. IPsec Services could not be started.\",\"Full\",\r\n5484,\"\",\"Advanced\",\"Fail\",\"\",\"IPsec Driver\",\"IPsec Services has experienced a critical failure and has been shut down. 
The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.\",\"Full\",\r\n5485,\"\",\"Advanced\",\"Fail\",\"\",\"IPsec Driver\",\"IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.\",\"Full\",\r\n5632,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"A request was made to authenticate to a wireless network.\",\"Common\",\r\n5633,\"\",\"Advanced\",\"Success\",\"\",\"Other Logon/Logoff\",\"A request was made to authenticate to a wired network.\",\"Full\",\r\n5712,\"\",\"Advanced\",\"Success\",\"\",\"RPC Events\",\"A Remote Procedure Call (RPC) was attempted.\",\"Full\",\r\n5888,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"An object in the COM+ Catalog was modified.\",\"Full\",\r\n5889,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"An object was deleted from the COM+ Catalog.\",\"Full\",\r\n5890,\"\",\"Advanced\",\"Success\",\"\",\"Other Object Access\",\"An object was added to the COM+ Catalog.\",\"Full\",\r\n6144,\"\",\"Advanced\",\"Success\",\"\",\"Other Policy Change\",\"Security policy in the group policy objects has been applied successfully.\",\"Common\",\r\n6145,\"\",\"Advanced\",\"Fail\",\"\",\"Other Policy Change\",\"One or more errors occurred while processing security policy in the group policy objects.\",\"Common\",\r\n6272,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server granted access to a user.\",\"Common\",\r\n6273,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server denied access to a user.\",\"Common\",\r\n6274,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server discarded the request for a 
user.\",\"Full\",\r\n6275,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server discarded the accounting request for a user.\",\"Full\",\r\n6276,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server quarantined a user.\",\"Full\",\r\n6277,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.\",\"Full\",\r\n6278,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server granted full access to a user because the host met the defined health policy.\",\"Common\",\r\n6279,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server locked the user account due to repeated failed authentication attempts.\",\"Full\",\r\n6280,\"\",\"Advanced\",\"\",\"\",\"Network Policy Server\",\"Network Policy Server unlocked the user account.\",\"Full\",\r\n6281,\"\",\"Advanced\",\"Fail\",\"\",\"System Integrity\",\"Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.\",\"Full\",\r\n6400,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"Received an incorrectly formatted response while discovering availability of content.\",\"Full\",\r\n6401,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"Received invalid data from a peer. 
Data discarded.\",\"Full\",\r\n6402,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"The message to the hosted cache offering it data is incorrectly formatted.\",\"Full\",\r\n6403,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"The hosted cache sent an incorrectly formatted response to the client.\",\"Full\",\r\n6404,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"Hosted cache could not be authenticated using the provisioned SSL certificate.\",\"Full\",\r\n6405,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"%2 instance(s) of event id %1 occurred.\",\"Full\",\r\n6406,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"%1 registered to Windows Firewall to control filtering for the following\",\"Full\",\r\n6407,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"0.01\",\"Full\",\r\n6408,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"Registered product %1 failed and Windows Firewall is now controlling the filtering for %2\",\"Full\",\r\n6409,\"\",\"Advanced\",\"Success\",\"\",\"Other System Events\",\"BranchCache\",\"Full\",\r\n6410,\"\",\"Advanced\",\"Fail\",\"\",\"System Integrity\",\"Code integrity determined that a file does not meet the security requirements to load into a process.\",\"Full\",\r\n6416,\"\",\"Advanced\",\"Success\",\"\",\"PNP Activity\",\"A new external device was recognized by the System\",\"Common\",\r\n6417,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"The FIPS mode crypto selftests succeeded\",\"Full\",\r\n6418,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"The FIPS mode crypto selftests failed\",\"Full\",\r\n6419,\"\",\"Advanced\",\"Success\",\"\",\"PNP Activity\",\"A request was made to disable a device\",\"Full\",\r\n6420,\"\",\"Advanced\",\"Success\",\"\",\"PNP Activity\",\"A device was disabled.\",\"Full\",\r\n6421,\"\",\"Advanced\",\"Success\",\"\",\"PNP Activity\",\"A request was made to enable a 
device.\",\"Full\",\r\n6422,\"\",\"Advanced\",\"Success\",\"\",\"PNP Activity\",\"A device was enabled.\",\"Full\",\r\n6423,\"\",\"Advanced\",\"Success\",\"\",\"PNP Activity\",\"The installation of this device is forbidden by system policy.\",\"Common\",\r\n6424,\"\",\"Advanced\",\"Success\",\"\",\"PNP Activity\",\"The installation of this device was allowed, after having previously been forbidden by policy.\",\"Common\",\r\n8000,\"Error\",\"\",\"\",\"\",\"AppLocker\",\"Application Identity Policy conversion failed. Status *<%1> * Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.\",\"Full\",\r\n8001,\"Information\",\"\",\"\",\"\",\"AppLocker\",\"The AppLocker policy was applied successfully to this computer. Indicates that the AppLocker policy was successfully applied to the computer.\",\"Minimal\",\r\n8002,\"Information\",\"\",\"\",\"\",\"AppLocker\",\"* * was allowed to run. Specifies that the .exe or .dll file is allowed by an AppLocker rule.\",\"Minimal\",\r\n8003,\"Warning\",\"\",\"\",\"\",\"AppLocker\",\"* * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. Applied only when the Audit only enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the Enforce rules enforcement mode were enabled.\",\"Minimal\",\r\n8004,\"Error\",\"\",\"\",\"\",\"AppLocker\",\"* * was not allowed to run. Access to is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.\",\"Minimal\",\r\n8005,\"Information\",\"\",\"\",\"\",\"AppLocker\",\"* * was allowed to run. 
Specifies that the script or .msi file is allowed by an AppLocker rule.\",\"Minimal\",\r\n8006,\"Warning\",\"\",\"\",\"\",\"AppLocker\",\"* * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. Applied only when the Audit only enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the Enforce rules enforcement mode were enabled.\",\"Minimal\",\r\n8007,\"Error\",\"\",\"\",\"\",\"AppLocker\",\"* * was not allowed to run. Access to is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.\",\"Minimal\",\r\n8008,\"Error\",\"\",\"\",\"\",\"AppLocker\",\"AppLocker disabled on the SKU. Added in Windows Server 2012 and Windows 8.\",\"Full\",\r\n8020,\"Information\",\"\",\"\",\"\",\"AppLocker\",\"Packaged app allowed. Added in Windows Server 2012 and Windows 8.\",\"Full\",\r\n8021,\"Information\",\"\",\"\",\"\",\"AppLocker\",\"Packaged app audited. Added in Windows Server 2012 and Windows 8.\",\"Full\",\r\n8022,\"Information\",\"\",\"\",\"\",\"AppLocker\",\"Packaged app disabled. Added in Windows Server 2012 and Windows 8.\",\"Minimal\",\r\n8023,\"Information\",\"\",\"\",\"\",\"AppLocker\",\"Packaged app installation allowed. Added in Windows Server 2012 and Windows 8.\",\"Full\",\r\n8024,\"Information\",\"\",\"\",\"\",\"AppLocker\",\"Packaged app installation audited. Added in Windows Server 2012 and Windows 8.\",\"Full\",\r\n8025,\"Warning\",\"\",\"\",\"\",\"AppLocker\",\"Packaged app installation disabled. Added in Windows Server 2012 and Windows 8.\",\"Full\",\r\n8027,\"Warning\",\"\",\"\",\"\",\"AppLocker\",\"No Packaged app rule configured. 
Added in Windows Server 2012 and Windows 8.\",\"Full\",\r\n8191,\"\",\"Unknown\",\"Unknown\",\"\",\"Unknown\",\"Highest System-Defined Audit Message Value\",\"Full\",\r\n26401,\"\",\"Unknown\",\"Fail\",\"\",\"MOMSDK Service Security\",\"An application attempted an operation\",\"Common\",\r\n30004,\"Unknown\",\"Unknown\",\"Unknown\",\"Unknown\",\"Unknown\",\"Unknown\",\"Common\",\r\n];\r\nlet Active = SecurityEvent | where TimeGenerated >= ago(90d) | summarize count() by EventID;\r\nAuditRef\r\n| join kind=fullouter (Active) on EventID\r\n| extend Count = count_-1\r\n| where isempty(EventID1)\r\n| sort by Policy asc, Description asc\r\n| project Policy, Description, PolicyLevel, Type=Impact, Filter=Group, EventID, Count=0", "size": 2, "title": "Inactive Audit Policies - Based on EventIDs Collected (90 Days)", "showRefreshButton": true, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "formatters": [ { "columnMatch": "TimeGenerated", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "120px" } }, { "columnMatch": "Forwarder", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "Facility", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "SeverityLevel", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "90px" } }, { "columnMatch": "SyslogMessage", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "80%" } } ], "rowLimit": 2000, "filter": true, "sortBy": [ { "itemKey": "PolicyLevel", "sortOrder": 1 } ] }, "sortBy": [ { "itemKey": "PolicyLevel", "sortOrder": 1 } ] }, "name": "query - 4 - Copy", "styleSettings": { "margin": "2px", "showBorder": true } } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "getTable", "comparison": "isEqualTo", "value": "Audit" }, "name": "Security Audit" } ], "fallbackResourceIds": 
[ "" ], "fromTemplateId": "sentinel-SentinelWorkspaceReconTools", "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" }