# Copyright 2004-2014 Tenable Network Security
#
# This library may only be used with the LCE server and may not
# be used with other products or open source projects
#
# NAME:
# Windows Application Event log parser
#
# DESCRIPTION:
# This library is used to process logs from Windows systems. Windows
# XP or W2K servers can be configured with a LCE Client for Windows
# or can forward their events via netbios to another Windows server
# which runs the LCE Client. In both cases, the Windows LCE
# Client will attempt to conduct a reverse netbios or DNS lookup of
# the hostname to convert it to an IP address for the LCE server.
# Every rule below extracts the reporting host and that address from
# the "<hostname>,IP:<a.b.c.d>," fields the client places before the
# event ID and message text (see the example under id 30505). 
#
# LAST UPDATE: $Date$

################
# APPLICATIONS #
################

id=3000
name=This Windows application log event indicates that an application is hung.
match=ion
match=Application
match=pp
match=rr
match=,Error,
match=,Application Hang,
match=,Application Hang,1001,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Application_Hung type:process sensor:$1 dstip:$2 event2:WindowsEvent-1001

NEXT 

id=3001
name=This Windows application log event indicates that an application is hung.
match=ion
match=Application
match=pp
match=rr
match=,Error,
match=,Application Hang,
match=,Application Hang,1002,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Application_Hung type:process sensor:$1 dstip:$2 event2:WindowsEvent-1002

NEXT 

id=3002
name=This Windows application log event indicates that an application has been failing.
match=ion
match=Application
match=pp
match=rr
match=,Error,
match=,Application Error,1000,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Application_Fault type:process sensor:$1 dstip:$2 event2:WindowsEvent-1000

NEXT

id=3003
name=This Windows application log event indicates that software was removed.
match=ion
match=Application
match=pp
match=sta
match=le
match=,MsiInstaller,
match=nstall
match=,Product: 
match=ce
match=ed
match=ss
match= -- Removal completed successfully.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Application_Removed type:system sensor:$1 dstip:$2 event2:WindowsEvent-11724

NEXT

id=3004
name=This Windows application log event indicates that software failed to install. 
match=ion
match=Application
match=pp
match=sta
match=le
match=,MsiInstaller,
match=,Product: 
match=ail
match=ed
match= -- Installation failed
match=nstall
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Application_Failed_Install type:error sensor:$1 dstip:$2 event2:WindowsEvent-11708

NEXT

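# MsiInstaller "Product: X -- Installation completed successfully." is
# Windows event ID 11707. 11728 is "Configuration completed successfully."
# and is already assigned to id=3021, so the two rules must not share an
# event2 value or reporting on installs vs. reconfigurations is merged.

id=3005
name=This Windows application log event indicates that a software installation completed.
match=ion
match=Application
match=pp
match=sta
match=le
match=,MsiInstaller,
match=nstall
match=,Information,
match=,Product: 
match=ce
match=ed
match=ss
match= -- Installation completed successfully.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Application_Installed type:system sensor:$1 dstip:$2 event2:WindowsEvent-11707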

NEXT

id=3007
name=This Windows application log event indicates that a WinVNC login has failed. 
match=ion
match=Application
match=pp
match=,Information,
match=lo
match=ed
match=,Connections: closed: 
match=ect
match=onnect
match=onnection
match=ail
match=ailure
match=ent
match= (Authentication failure)
match=,WinVNC4,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*Connections: closed: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:\:([0-9]+)
log=event:VNC-Logon_Failure type:login-failure sensor:$1 srcip:$3 dstip:$2 srcport:$4 proto:6 event2:WindowsEvent-1

NEXT

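# SceCli "Security policy in the Group policy objects are applied
# successfully." Every other rule in this file attributes the event to the
# reporting host via the "<hostname>,IP:<addr>" prefix; without that the
# policy-applied event carried no sensor or source address at all.

id=3008
name=This Windows application log event indicates that the Group policy objects have been applied successfully.
match=ion
match=Application
match=pp
match=ce
match=,SceCli,
match=,Information,
match=ecu
match=ol
match=ar
match=ed
match=ty
match=ss
match=,Security policy in the Group policy objects are applied successfully.
match=ect
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-System_Security_Policy_Applied type:system sensor:$1 srcip:$2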

NEXT

# IDs 3009 through 3018 are now part of the sql_mssql.prm library

id=3019
name=This Windows application log event indicates that a VNC login session has started. A user may or may not have logged in, but a connection was established.
match=ion
match=Application
match=pp
match=,Information,
match=,WinVNC4,
match=ce
match=ed
match=pt
match=,Connections: accepted: 
match=ect
match=onnect
match=onnection
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*Connections: accepted: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:\:([0-9]+)
log=event:VNC-Logon type:login sensor:$1 srcip:$3 dstip:$2 srcport:$4 proto:6 event2:WindowsEvent-1


NEXT

id=3020
name=This Windows application log event indicates that vnc logoff has occurred. 
match=ion
match=Application
match=pp
match=,WinVNC4,
match=,Information,
match=lo
match=ed
match=,Connections: closed: 
match=ect
match=onnect
match=onnection
match=! (Authentication failure)
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*Connections: closed: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:\:([0-9]+)
log=event:VNC-Logoff type:logout sensor:$1 srcip:$3 dstip:$2 srcport:$4 proto:6 event2:WindowsEvent-1

NEXT

id=3021
name=This Windows application log event indicates that a software installation completed normally.
match=ion
match=Application
match=pp
match=sta
match=le
match=,MsiInstaller,
match=nstall
match=,Information,
match=,Product: 
match=ce
match=ed
match=ss
match=-- Configuration completed successfully.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Application_Installed type:system sensor:$1 dstip:$2 event2:WindowsEvent-11728

NEXT

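# WinVNC4 "Connections: blacklisted: <addr>" -- the server has started
# refusing a client after repeated failed authentications, which is the
# strongest brute-force indicator in the VNC rules. The event ID field sits
# between the "IP:<addr>," prefix and the message text (see the example
# under id 30505), so the regex needs the same ".*" gap that ids 3007,
# 3019 and 3020 use; without it the source address is never extracted.

id=3022
name=This Windows application log event indicates that VNC connection has been blacklisted.
match=ion
match=Application
match=pp
match=,WinVNC4,
match=ack
match=ed
match=,Connections: blacklisted:
match=ect
match=onnect
match=onnection
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*Connections: blacklisted: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:VNC-Blacklisted type:login-failure sensor:$1 srcip:$3 dstip:$2 proto:6 event2:WindowsEvent-1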

NEXT

id=3023
name=This Windows application log event indicates that a critical process failed, and the system must be restarted due to an LSASS crash.
match=ion
match=Application
match=pp
match=tem
match=ce
match=ss
match=,A critical system process,
match=cal
match=ass
match=lsass.exe
match=sta
match=ail
match=le
match=ed
match=, failed with status code 
match=status
match=ailed
match=,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-LSASS_Process_Failure_With_System_Restart type:error sensor:$1 srcip:$2 dstip:$2 proto:6 

NEXT

id=3024
name=This Windows application log event indicates that a critical process has failed and the system must be restarted (generically, not due to LSASS).
match=ion
match=Application
match=pp
match=tem
match=ce
match=ss
match=,A critical system process,
match=cal
match=!lsass.exe,
match=sta
match=ail
match=le
match=ed
match=, failed with status code 
match=ailed
match=status
match=,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Process_Failure_With_System_Restart type:error sensor:$1 srcip:$2 dstip:$2 proto:6 

NEXT

id=3034
name=This Windows application log event indicates Group Policy errors.
match=ion
match=Application
match=pp
match=ol
match=Err
match=Error
match=Userenv
match=ed
match=Group Policy
match=,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Group_Policy_Failed type:error sensor:$1 srcip:$2 proto:6 

NEXT

id=3035
name=This Windows application log event indicates that Windows cannot bind to the domain (Invalid Credentials).
match=ion
match=Application
match=pp
match=indo
match=Windows
match=,Windows cannot bind to
match=ent
match=ed
match= (Invalid Credentials).
match=,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Cannot_Bind_To_Domain type:error sensor:$1 srcip:$2 proto:6 

NEXT

id=3036
name=This Windows application log event was written by the McLogEvent (McAfee) event source. Any McLogEvent message matches this rule, not only thread-termination messages.
match=ion
match=Application
match=pp
match=Log
match=Lo
match=Ev
match=Event
match=,McLogEvent,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-McLogEvent type:process sensor:$1 srcip:$2 

NEXT

id=3037
name=This Windows application SharePoint could not open database due to a login failure.
match=ion
match=Application
match=pp
match=ar
match=SharePoint Ser
match= Cannot open database
match=ail
match=le
match=ed
match=ailed
match=lo
match=log
match=ser
match=est
match=Lo
match=requested by the login. The login failed.  Login failed for user
match=,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SharePoint_Login_Failed type:login-failure sensor:$1 srcip:$2 event2:WindowsEvent-6398

NEXT

id=3038
name=This Windows application SharePoint has timed out or the server is not responding.
match=ion
match=Application
match=pp
match=ar
match=SharePoint Ser
match=ser
match=ing
match=le
match=ed
match=The timeout period elapsed prior to completion of the operation or the server is not responding.
match=,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SharePoint_Server_Not_Responding type:error sensor:$1 srcip:$2 event2:WindowsEvent-7888

NEXT

id=3039
name=This Windows application log event indicates that the Group policy objects have not been propagated.
match=ion
match=Application
match=pp
match=ce
match=,SceCli,
match=rr
match=,Error,
match=ecu
match=ol
match=ate
match=ed
match=ty
match=,Security policy cannot be propagated.
match=,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Security_Policy_Not_Propagated sensor:$1 srcip:$2 type:error 

NEXT

id=3040
name=This Windows application log event indicates that the Group policy objects have been propagated but with a warning.
match=ion
match=Application
match=pp
match=ce
match=,SceCli,
match=ar
match=arn
match=ing
match=,Warning,
match=ecu
match=ol
match=ate
match=ed
match=ty
match=,Security policies were propagated with warning.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Security_Policy_Propagated_Warning sensor:$1 srcip:$2 type:system 

NEXT

id=3041
name=This Windows application log event indicates that automatic certificate enrollment for the local system received a Computer certificate successfully.
match=ion
match=Application
match=pp
match=ent
match=ol
match=,AutoEnrollment,
match=tem
match=ystem
match=rom
match=lo
match=ate
match=ce
match=ed
match=ty
match=ss
match=Automatic certificate enrollment for local system successfully received one Computer certificate from certificate authority
match=cal
match=,Unknown,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Security_Successful_Certificate_Enrollment sensor:$1 srcip:$2 type:system event2:WindowsEvent-19

NEXT

id=3042
name=This Windows application log event indicates that an automatic certificate enrollment for a local system failed to contact the directory.
match=ion
match=Application
match=pp
match=ent
match=ol
match=,AutoEnrollment,
match=ail
match=le
match=ed
match=ailed
match=tem
match=ire
match=ont
match=lo
match=ate
match=ce
match=Automatic certificate enrollment for local system failed to contact the active directory
match=ect
match=,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Security_Failed_Certificate_Enrollment sensor:$1 srcip:$2 type:error 

NEXT

id=3043
name=This Windows application log event indicates the Windows license was validated.
match=ion
match=Application,
match=pp
match=ate
match=indo
match=ce
match=ed
match=Windows license validated.
match=date
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-License_Validated sensor:$1 srcip:$2 type:system 

NEXT

id=3044
name=This Windows application log event indicates that the system has created a restore point.
match=ion
match=Application
match=pp
match=tem
match=est
match=,System Restore,
match=ate
match=ce
match=ed
match=ss
match=Successfully created 
match=restore point
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Created_Restore_Point type:system sensor:$1 srcip:$2 event2:WindowsEvent-8194

NEXT

id=3045
name=This Windows application log event has recorded some Outlook messages. 
match=ion
match=Application
match=pp
match=tion
match=Outlook
match=lo
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Outlook_Messages type:system sensor:$1 srcip:$2 

NEXT

id=3046
name=This Windows application log event has detected a security policy has been updated.
match=ion
match=Application
match=pp
match=ecu
match=ty
match=Security
match=Secur
match=ol
match=ce
match=ed
match=ss
match=Security policy in the Group policy objects has been applied successfully.
match=ect
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Policy_Updated type:system sensor:$1 srcip:$2 

NEXT

id=3047
name=This Windows application log event indicates that Microsoft Group Policy Management Console with SP1 could not be installed because it is not compatible with this version of Windows.
match=ion
match=Application
match=pp
match=indo
match=Windows
match=ent
match=sta
match=ol
match=le
match=ed
match=The application 'Microsoft Group Policy Management Console with SP1' cannot be installed because it is not compatible with this version of Windows.
match=nstall
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Not_Compatible type:error sensor:$1 srcip:$2 event2:WindowsEvent-1018

NEXT

id=3048
name=This Windows application UltraVnc logged invalid attempt from the client.
match=ion
match=Application
match=pp
match=UltraVnc
match=ent
match=client
match=tem
match=rom
match=pt
match=Invalid attempt from client
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-UltraVnc_Invalid_Attempt type:login-failure sensor:$1 dstip:$2 srcip:$3 

NEXT

id=3049
name=This Windows server has had a searching error.
match=ion
match=Application
match=pp
match=indo
match=Windows
match=ar
match=ce
match=Windows Search Service
match=tem
match=ed
match=rr
match=Error
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Search_Error type:error sensor:$1 srcip:$2 

NEXT

id=3050
name=This Windows server has found that the LCE client has failed to install.
match=ion
match=Application
match=pp
match=--
match=ail
match=le
match=ed
match=ailed
match=sta
match=,MsiInstaller
match=nstall
match=ent
match=Tenable_LCE_Client -- Installation operation failed.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-LCE_Client_Installation_Failed type:error sensor:$1 srcip:$2 

NEXT

# need to jump to 30500

id=30500
name=This Windows server encountered an unhandled exception.
match=ion
match=Application
match=pp
match=ar
match=arn
match=ing
match=,Warning
match=rr
match=ce
match=le
match=ed
match=pt
match=An unhandled exception has occurred.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Unhandled_Exception type:error sensor:$1 srcip:$2 event2:WindowsEvent-50727

NEXT

id=30501
name=This Windows server has recorded an application termination failure event.
match=ion
match=Application
match=pp
match=indo
match=Windows
match=rr
match=ing
match=Windows Error Reporting,1001,
match=Fault bucket
match=ent
match=ail
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Application_Failure_Event type:process sensor:$1 srcip:$2 event2:WindowsEvent-1001

NEXT

id=30502
name=This Windows server has recorded a database engine event, these could include backups, database activity or a new instance starting.
match=ion
match=Application
match=pp
match=EN
match=ESENT
match=SE
match=Information,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Database_Engine_Event type:system sensor:$1 srcip:$2 

NEXT

id=30503
name=This Windows server has recorded an activation error that occurred in the manifest or policy file. 
match=ion
match=Application
match=pp
match=ail
match=le
match=ed
match=ailed
match=ont
match=Activation context generation failed
match=rr
match=Ac
match=ion
match=xt
match=ge
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Application_Activation_Error type:error sensor:$1 srcip:$2 

NEXT

id=30504
name=This Windows server has recorded an error, it ran out of time while expanding the file specifications.
match=ion
match=Application
match=pp
match=ing
match=le
match=,Ran out of time while expanding file specification
match=This was being done for the WUA subscriber.
match=ent
match=Operation:  OnPostSnapshot event
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Application_Error_Expanding_File type:error sensor:$1 srcip:$2 event2:WindowsEvent-8219

NEXT

# consolidated with 30501
#id=30505
#name=A Windows fault has occured. 
#example=Application,07/11/2011,03:00:51 AM,Windows Error Reporting,1001,Information,Classic,None,N/A,RJsComputer,IP:192.168.1.6,1001,Fault bucket , type 0 Event Name: WindowsUpdateFailure Response: Not available Cab Id: 0  Problem signature: P1: 7.3.7600.16385 P2: 80246007 P3: CC74BC46-3001-4DB6-A714-B26660C0DFDB P4: Install P5: 101 P6: Unmanaged P7:  P8:  P9:  P10:   Attached files:  These files may be available here:   Analysis symbol:  Rechecking for solution: 0 Report Id: 82be7d25-ab8b-11e0-aa54-90e6baa594e0 Report Status: 0
#match=ion
#match=Application
#match=pp
#match=indo
#match=Windows
#match=rr
#match=ing
#match=Windows Error Reporting
#match=Windows Error Reporting,1001,
#regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
#log=event:Windows-Fault_Bucket type:error sensor:$1 srcip:$2 event2:WindowsEvent-1001
#
#NEXT

id=30506
name=A Windows MSExchange has issued a non-delivery report, possibly message was too large or users mailbox is disabled.
match=ion
match=Application
match=at
match=pp
match=MSExchangeTransport
match=SE
match=sta
match=A non-delivery report with a status code of
match=ent
match=ate
match=ed
match=was generated for recipient
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Msexchange_Non_Delivery type:error sensor:$1 srcip:$2 

NEXT

id=30507
name=A Windows MSExchange has reported a message delivery is being attempted.
match=ion
match=Application
match=at
match=pp
match=MSExchangeIS
match=SE
match=ail
match=St
match=MSExchangeIS Mailbox Store
match=tem
match=ing
match=ed
match=pt
match=ss
match=Message delivery is being attempted
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Msexchange_Delivery_Attempt type:application sensor:$1 srcip:$2 

NEXT

id=30508
name=A Windows MSExchange has reported a message was delivered.
match=ion
match=Application
match=at
match=pp
match=MSExchangeIS
match=SE
match=ail
match=St
match=MSExchangeIS Mailbox Store
match=ce
match=ed
match=ss
match=Message was successfully delivered
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Msexchange_Message_Delivered type:application sensor:$1 srcip:$2 

NEXT

id=30509
name=A Windows MSExchange has reported a message was sent.
match=ion
match=Application
match=at
match=pp
match=MSExchangeIS
match=SE
match=ail
match=St
match=MSExchangeIS Mailbox Store
match=ent
match=ss
match=sent a message as
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Msexchange_Message_Sent type:application sensor:$1 srcip:$2 

NEXT

id=30510
name=A Windows MSExchange has reported a duplicate message has arrived on database.
match=ion
match=Application
match=at
match=pp
match=MSExchangeIS
match=SE
match=ail
match=St
match=MSExchangeIS Mailbox Store
match=rr
match=ate
match=ar
match=ed
match=ss
match=A duplicate message arrived on database
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Msexchange_Duplicate_Message  type:application sensor:$1 srcip:$2 

NEXT

id=30511
name=A Windows xsLogging.LogText application has recorded a System.IO.IOException.
match=System
match=xsLogging.LogText
match=pp
match=ing
match=Lo
match=ystem
match=Application
match=at
match=ion
match=tem
match=IP
match=System.IO.IOException:
match=ce
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Xslogging_System_IO_IOException type:application sensor:$1 srcip:$2 event2:WindowsEvent-0

NEXT

id=30512
name=A Windows xsLogging.LogText application has recorded an event other than a System.IO.IOException.
match=System
match=xsLogging.LogText
match=pp
match=ing
match=Lo
match=ystem
match=Application
match=at
match=ion
match=tem
match=IP
match=ce
match=!System.IO.IOException:
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Xslogging_System_Event type:application sensor:$1 srcip:$2 event2:WindowsEvent-0

NEXT

id=30513
name=A Windows pcanywhere remote has logged off ending session.
match=pp
match=pcAnywhere
match=Application
match=Host End Session
match=Description: Remote logged off
match=ion
match=IP
match=ss
match=at
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Pcanywhere_Remote_Logoff type:logout sensor:$1 srcip:$2 event2:WindowsEvent-123

NEXT

id=30514
name=A Windows pcanywhere host has started.
match=onnect
match=Connection Object:
match=St
match=IP
match=Host Started
match=onnection
match=pp
match=pcAnywhere
match=ect
match=ed
match=Application
match=at
match=ar
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Pcanywhere_Host_Started type:application sensor:$1 srcip:$2 event2:WindowsEvent-122

NEXT

id=30515
name=A Windows shell user authentication was successful.
match=ent
match=IRIS
match=Shell: Authentication Successful for
match=IP
match=pp
match=ss
match=Application
match=at
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Shell: Authentication Successful for \[([-A-Za-z0-9$._ ]{1,25})\]
log=event:Windows-IRIS_Authentication_Successful type:login sensor:$1 srcip:$2 user:$3 event2:WindowsEvent-4100

NEXT

id=30516
name=A Windows shell user signon was successful.
match=le
match=Shell Signon successful.
match=IRIS
match=IP
match=ail
match=pp
match=ss
match=ed
match=ce
match=Application
match=at
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*SignOn completed for \[([-A-Za-z0-9$._ ]{1,25})\]
log=event:Windows-IRIS_Signon_Successful type:login sensor:$1 srcip:$2 user:$3 event2:WindowsEvent-4101

NEXT

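# IRIS "Shell Signon failed." The regex already captures the employee name
# in $3; ids 30515, 30516 and 30518 record it as user:, so a failed signon
# must too or the account being guessed is invisible to login-failure
# correlation and brute-force thresholds.

id=30517
name=A Windows shell user signon failed.
match=le
match=IRIS
match=ailure
match=IP
match=lo
match=ailed
match=ail
match=pp
match=ed
match=Application
match=at
match=Shell Signon failed.
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*[Ee]mployee '([-A-Za-z0-9$._ ]{1,25})'
log=event:Windows-IRIS_Signon_Failed type:login-failure sensor:$1 srcip:$2 user:$3 event2:WindowsEvent-4102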

NEXT

id=30518
name=A Windows shell user has signed off.
match=le
match=Shell Signoff successful.
match=IRIS
match=IP
match=ail
match=pp
match=ss
match=ed
match=ce
match=Application
match=at
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*SignOff completed for \[([-A-Za-z0-9$._ ]{1,25})\]
log=event:Windows-IRIS_Signoff_Completed type:logout sensor:$1 srcip:$2 user:$3  event2:WindowsEvent-4103

NEXT

id=30519
name=A Windows shell misc messages, system maint and purge vbs example.
match=,WSH,
match=,IRIS
match=IP
match=pp
match=Application
match=at
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-IRIS_Misc_Messages type:system sensor:$1 srcip:$2 

NEXT

id=30520
name=A Windows network login occurred via a terminal service session and the remote user ID and source was logged. 
match=pp
match=Information
match=rom
match=,Information,
match=nformation
match=from
match=ic
match=Information,
match= from
match=at
match=Lo
match=IP
match= on
match=og
match=for
match=ogged
match=ed
match=ion
match=Application
match=Logged on from
match=,WSH,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),4,.*:(\S+) Logged on
log=event:Windows-Remote_User_Login_Record event2:WindowsEvent-4 type:login sensor:$1 srcip:$2 user:$3

NEXT

id=30521
name=The Windows installer has installed new software.
match=pp
match=,Windows
match=in
match=Information
match=nstall
match=indo
match=,Information,
match=nformation
match=ic
match=Information,
match=at
match=Windows
match=IP
match=P
match=le
match=MsiInstaller
match=for
match=install
match=er
match=sta
match=ed
match=st
match=ion
match=al
match=Application
match=,1033,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Software_Installed event2:WindowsEvent-1033 type:system sensor:$1 srcip:$2

NEXT

id=30522
name=A Windows LoadPerf service was loaded successfully. The Record Data in the data section contains the new index values assigned to this service. 
match=nformation
match=IP
match=1000
match=lo
match=Information
match=al
match=service were loaded successfully.
match=ser
match=P
match=pp
match=ont
match=,Information,
match=ss
match=Information,
match=er
match=for
match=Lo
match=ed
match=The Record Data
match=ce
match=Application
match=at
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-LoadPerf_Service_Loaded event2:WindowsEvent-1000 type:system sensor:$1 srcip:$2

NEXT

id=30523
name=A Windows LoadPerf service was removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.
match=ent
match=st
match=nformation
match=in
match=ic
match=service were removed successfully.
match=tem
match=IP
match=LoadPerf
match=Information
match=al
match=1001
match=ser
match=P
match=pp
match=ont
match=,Information,
match=ss
match=Information,
match=for
match= The Record Data contains the new values of the system Last Counter and Last Help registry entries.
match=Lo
match=ed
match=ystem
match=ce
match=Application
match=at
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-LoadPerf_Service_Removed event2:WindowsEvent-1001 type:system sensor:$1 srcip:$2

NEXT

id=30524
name=A Windows LoadPerf event indicates that the performance counters for this service are already in the registry, so no reinstall was needed.
match=install
match=st
match=sta
match=service are already in
match=in
match=ic
match=IP
match=LoadPerf
match=nstall
match=Information
match=ser
match=P
match=pp
match=1002
match=,Information,
match=Information,
match=for
match=Lo
match=ed
match=Application
match=at
match=ion
match=se
match=ea
match=ice
match=re
match=al
match=erv
match=ar
match=ce
match=er
match=service
match=rv
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-LoadPerf_Service_Already_In_Registry event2:WindowsEvent-1002 type:system sensor:$1 srcip:$2

#NEXT

#id=30525
#name=Windows cannot obtain the domain controller name for your computer network.
#example=Application,02/15/2012,06:19:04 AM,Userenv,3221226526,Error,None,N/A,EXAMPLEHOST,IP:192.0.2.10,1054,Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host. ). Group Policy processing aborted.
#match=le
#match=rr
#match=,Windows
#match=,Error,
#match=st
#match=Windows
#match=pt
#match=in
#match=ic
#match=tem
#match=IP
#match=,Windows cannot obtain the domain controller name for your computer network
#match=indo
#match=omain
#match=Userenv
#match=Error
#match=ol
#match=ser
#match=P
#match=pp
#match=ont
#match=ss
#match=Windows cannot obtain the domain controller name for your computer network.
#match=er
#match=for
#match=ing
#match=ed
#match=ce
#match=Application
#match=at
#match=ion
#regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
#log=event:Windows-Cannot_Obtain_Domain_Controller event2:WindowsEvent-1054 type:error sensor:$1 srcip:$2

NEXT

id=30526
name=Windows ASP.NET has started registering.
match=st
match=nformation
match=Start registering
match=in
match=ic
match=St
match=IP
match=Information
match=ASP.NET
match=al
match=P
match=pp
match=,Information,
match=Information,
match=er
match=for
match=ing
match=Application
match=at
match=ar
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ASPNET_Start_Registering event2:WindowsEvent-1017 type:system sensor:$1 srcip:$2

NEXT

id=30527
name=Windows ASP.NET has finished registering.
match=le
match=st
match=nformation
match=og
match=in
match=ic
match=IP
match=ailed
match=Information
match=ASP.NET
match=ail
match=P
match=pp
match=,Information,
match=Information,
match=er
match=for
match=ing
match=ed
match=Application
match=at
match=log
match=Finish registering
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ASPNET_Finish_Registering event2:WindowsEvent-1019 type:system sensor:$1 srcip:$2

NEXT

id=30528
name=Windows ASP.NET has failed while creating files and directories.
match=le
match=ent
match=rr
match=arn
match=,Warning
match=in
match=ic
match=IP
match=client
match=,Warning,
match=ailed
match=ASP.NET
match=Error
match=ail
match=P
match=pp
match=ass
match=ire
match=ss
match=ect
match=ing
match=ed
match=Failed while creating files and directories
match=Application
match=at
match=ar
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ASPNET_Failed event2:WindowsEvent-1064 type:error sensor:$1 srcip:$2

NEXT

id=30529
name=Windows MsiInstaller, beginning a Windows Installer transaction.
match=1040
match=le
match=ent
match=st
match=sta
match=nformation
match=MsiInstaller
match=Windows
match=in
match=ic
match=,MsiInstaller
match=IP
match=indo
match=nstall
match=Information
match=al
match=P
match=pp
match=Beginning a Windows Installer transaction
match=,Information,
match=,MsiInstaller,
match=ss
match=Information,
match=er
match=for
match=ing
match=ce
match=Application
match=at
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Beginning_Installer_Transaction event2:WindowsEvent-1040 type:system sensor:$1 srcip:$2

NEXT

id=30530
name=Windows MsiInstaller, product update installed successfully.
match=date
match=le
match=install
match=st
match=sta
match=nformation
match=ate
match=MsiInstaller
match=in
match=ic
match=,MsiInstaller
match=IP
match=nstall
match=Information
match=al
match=P
match=pp
match=,Information,
match=,MsiInstaller,
match=ss
match=Product
match=Information,
match=er
match=for
match=ed
match=ce
match=Application
match=at
match=ion
match=success
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Update_Installed type:system sensor:$1 srcip:$2

NEXT

id=30531
name=Windows MsiInstaller, reconfigured the product.
match=le
match=rr
match=,Windows
match=st
match=sta
match=nformation
match=MsiInstaller
match=Windows
match=in
match=ic
match=,MsiInstaller
match=IP
match=status
match=indo
match=nstall
match=Information
match=al
match=P
match=pp
match=Installer reconfigured the product
match=,Information,
match=,MsiInstaller,
match=ss
match=Product
match=Information,
match=er
match=for
match=ed
match=ce
match=Application
match=at
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Installer_Reconfigured_Product event2:WindowsEvent-1035 type:system sensor:$1 srcip:$2

NEXT

id=30532
name=Windows MsiInstaller, installed an update.
match=date
match=le
match=rr
match=,Windows
match=install
match=st
match=sta
match=nformation
match=ate
match=MsiInstaller
match=Windows
match=in
match=ic
match=,MsiInstaller
match=IP
match=status
match=Installer installed an update
match=indo
match=nstall
match=Information
match=al
match=P
match=pp
match=,Information,
match=,MsiInstaller,
match=ss
match=Product
match=Information,
match=er
match=for
match=ed
match=ce
match=Application
match=at
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Update_Installed event2:WindowsEvent-1036 type:system sensor:$1 srcip:$2

NEXT

id=30533
name=Windows MsiInstaller, ended an installer transaction
match=le
match=ent
match=st
match=sta
match=nformation
match=MsiInstaller
match=Windows
match=in
match=ic
match=,MsiInstaller
match=IP
match=indo
match=nstall
match=Information
match=al
match=P
match=pp
match=,Information,
match=,MsiInstaller,
match=ss
match=Ending a Windows Installer transaction
match=Information,
match=er
match=for
match=ing
match=ce
match=Application
match=at
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Ended_Installer_Transaction event2:WindowsEvent-1042 type:system sensor:$1 srcip:$2

NEXT

id=30534
name=Windows vmStatsProvider successfully initialized for this Virtual Machine.
match=pp
match=Application
match=Stats
match=Provider
match=vmStatsProvider
match=Info
match=Information
match=cc
match=ss
match=successfully
match=init
match=Virtual
match=is successfully initialized for this Virtual Machine
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Initialized_Virtual_Machine event2:WindowsEvent-256_258 type:application sensor:$1 srcip:$2

NEXT

id=30535
name=Windows Active Directory Web Services encountered an error while reading the settings for the specified Active Directory Lightweight Directory Services instance. Active Directory Web Services will retry this operation periodically. 
match=Active
match=Act
match=Directory
match=Dir
match=Web
match=Services
match=vi
match=Active Directory Web Services
match=ADWS
match=rr
match=error
match=encountered
match=count
match=Active Directory Web Services encountered an error
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ADWS_Error event2:WindowsEvent-1209 type:error sensor:$1 srcip:$2

NEXT

id=30536
name=Windows ERAS user has performed a 'Refresh Computer' operation.
match=pp
match=Application
match=ERAS
match=User
match=has
match=performed
match=for
match=Refresh
match=fre
match=Computer
match=Comp
match=pu
match=User has performed 'Refresh Computer' operation
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ERAS_Refresh_Computer event2:WindowsEvent-2102 type:system sensor:$1 srcip:$2

NEXT

id=30537
name=Windows ERAS user has submitted a 'Refresh Computer' operation.
match=pp
match=Application
match=ERAS
match=has
match=tt
match=submitted
match=Refresh
match=fre
match=Computer
match=Comp
match=pu
match=has submitted 'Refresh Computer' operation
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ERAS_Refresh_Computer_Submitted type:system sensor:$1 srcip:$2

NEXT

id=30538
name=Windows ERAS 'Refresh Computer' operation was executed successfully.
match=pp
match=Application
match=ERAS
match=en
match=in
match=ng
match=ing
match=Refresh
match=fre
match=Computer
match=Comp
match=pu
match=ss
match=cc
match=Refresh Computer, was executed successfully
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ERAS_Refresh_Computer_Successful type:system sensor:$1 srcip:$2

NEXT

id=30539
name=Windows ERAS user has performed 'Add User' operation.
match=pp
match=Application
match=ERAS
match=Information
match=Info
match=has
match=User
match=se
match=performed
match=for
match=Add
match=oper
match=User has performed 'Add User' operation
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ERAS_Add_User type:system sensor:$1 srcip:$2 event2:WindowsEvent-2122

NEXT

id=30540
name=Windows ERAS user has performed 'Get Challenge Response Recovery Password' operation.
match=pp
match=Application
match=ERAS
match=Information
match=Info
match=has
match=User
match=se
match=performed
match=for
match=oper
match=User has performed 'Get Challenge Response Recovery Password' operation
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ERAS_Recover_Password type:system sensor:$1 srcip:$2 event2:WindowsEvent-2180

NEXT

id=30541
name=Windows ERAS GetSuper2Response.
match=pp
match=Application
match=ERAS
match=Information
match=Info
match=se
match=Get
match=Response
match=GetSuper2Response
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ERAS_Get_Super_Response type:system sensor:$1 srcip:$2 event2:WindowsEvent-3100

NEXT

id=30542
name=Windows SMVI failed to authenticate.
match=pp
match=Application
match=SMVI
match=Error
match=rr
match=ERROR
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SMVI_Failed type:login-failure sensor:$1 srcip:$2 event2:WindowsEvent-4096

NEXT

id=30543
name=Windows ERAS Client Management WMI request failed.
match=pp
match=Application
match=ERAS
match=The
match=WMI
match=request
match=que
match=fail
match=The WMI request failed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ERAS_WMI_Request_Failed type:error sensor:$1 srcip:$2 event2:WindowsEvent-5004

NEXT

id=30544
name=Windows cannot send an email alert because no email address was specified.
match=pp
match=Application
match=Error
match=Can
match=sen
match=al
match=add
match=ss
match=Can't send email alert
match=no email address specified
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Cannot_Send_Email_Alert type:error sensor:$1 srcip:$2 event2:WindowsEvent-3999

NEXT

id=30545
name=Windows had a storage warning. 
match=pp
match=Application
match=WARN
match=Persistence file
match=Storage
match=does not exist
match=ile
match=doe
match=no
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Storage_Does_Not_Exist type:system sensor:$1 srcip:$2 

NEXT

id=30546
name=Windows had a MSSQL CREATE DATABASE or ALTER DATABASE fail because the resulting cumulative database size would exceed your licensed limit.
match=MSSQL
match=pp
match=Application
match=rr
match=IP
match=1827
match=AT
match=ai
match=su
match=iz
match=,CREATE DATABASE or ALTER DATABASE failed 
match=exceed your licensed limit
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MSSQL_License_Limit_Exceeded type:error sensor:$1 srcip:$2 event2:WindowsEvent-1827

NEXT

id=30547
name=Windows MSSQL could not allocate space because the 'PRIMARY' filegroup is full.
match=MSSQL
match=pp
match=Application
match=rr
match=IP
match=1105
match='PRIMARY'
match=PRI
match=fi
match=le
match=ou
match=full
match='PRIMARY' filegroup is full.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MSSQL_Primary_File_Group_Full type:error sensor:$1 srcip:$2 event2:WindowsEvent-1105

NEXT

id=30548
name=Windows ERAS service started.
match=pp
match=Application
match=ERAS
match=Information
match=Info
match=Se
match=ar
match=Eras Service Started
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ERAS_Service_Started type:system sensor:$1 srcip:$2 

NEXT

id=30549
name=Windows ERAS could not find PCA or CCA URL from Active Directory. Set WSKS to disabled.
match=pp
match=Application
match=ERAS
match=Information
match=Info
match=PCA
match=CCA
match=WSKS
match=bl
match=Set WSKS to disabled.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ERAS_WSKS_Disabled type:system sensor:$1 srcip:$2 event2:WindowsEvent-3100

NEXT

id=30550
name=Windows detected your registry file is still in use by other applications or services.
match=pp
match=Application
match=Microsoft-Windows-User Profiles Service
match=cr
match=fi
match=er
match=registry file is still in use
match=gi
match=ll
match=se
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Profile_Registry_In_Use type:system sensor:$1 srcip:$2 event2:WindowsEvent-1530

NEXT

id=30551
name=Windows had a successful auto update retrieval of third-party root list.
match=pp
match=Application
match=yp
match=crypt32
match=Info
match=Information
match=cc
match=ss
match=ut
match=da
match=Successful auto update retrieval
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Update_Retrieval type:system sensor:$1 srcip:$2 event2:WindowsEvent-1530

NEXT

id=30552
name=Windows has recorded a WMI error message. Events cannot be delivered through this filter until the problem is corrected.
match=pp
match=Application
match=WMI
match=rr
match=Error
match=,Microsoft-Windows-WMI,
match=ve
match=nn
match=be
match=Events cannot be delivered
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WMI_Events_Not_Delivered type:error sensor:$1 srcip:$2 

NEXT

id=30553
name=Windows has recorded that the SQLServerAgent service has started.
match=pp
match=Application
match=Info
match=Information
match=vi
match=ss
match=ll
match=ar
match=SQLServerAgent service successfully started
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SQLServerAgent_Started type:system sensor:$1 srcip:$2

NEXT

id=30554
name=Windows has recorded a Powerware NetWatch: Netwatch Error:.
match=pp
match=Application
match=Info
match=Information
match=pw_netwatch
match=pw
match=net
match=Powerware
match=rr
match=Error
match=Net
match=Powerware NetWatch: Netwatch Error:
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Netwatch_Error type:error sensor:$1 srcip:$2

NEXT

id=30555
name=Windows has recorded that Powerware NetWatch is experiencing a loss of communication with a server.
match=pp
match=Application
match=Info
match=Information
match=pw_netwatch
match=pw
match=net
match=Powerware
match=Net
match=NetWatch is experiencing a loss of communication
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Server ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Netwatch_Communication_Loss type:error sensor:$1 srcip:$2 dstip:$3

NEXT

id=30556
name=Windows has recorded a Powerware NetWatch is no longer monitoring a server
match=pp
match=Application
match=Info
match=Information
match=pw_netwatch
match=pw
match=net
match=Powerware
match=Net
match=NetWatch is no longer monitoring
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Server ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Netwatch_Not_Monitoring_Server type:error sensor:$1 srcip:$2 dstip:$3

NEXT

id=30557
name=Windows has recorded Complus is suppressing duplicate event log entries.
match=pp
match=Application
match=Info
match=Information
match=Co
match=Complus
match=sub system is suppressing duplicate event log entries
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Complus_Suppressing_Log_Entries type:system sensor:$1 srcip:$2

NEXT

id=30558
name=Windows has recorded the Software Protection service is starting, started or stopped.
match=pp
match=Application
match=Info
match=Information
match=ser
match=The Software Protection service 
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SPP_Messages type:system sensor:$1 srcip:$2

NEXT

id=30559
name=Windows has recorded the Software Protection service has been scheduled for re-start.
match=pp
match=Application
match=SPP
match=Info
match=Information
match=ser
match=Successfully scheduled Software Protection service for re-start
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SPP_Re_Started type:system sensor:$1 srcip:$2

NEXT

id=30560
name=Windows has recorded the Software Protection service has issued an initialization status for service objects.
match=pp
match=Application
match=SPP
match=Info
match=Information
match=ser
match=Initialization status for service objects
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SPP_Init_Status type:system sensor:$1 srcip:$2

NEXT

id=30561
name=Windows has recorded the Software Protection service has issued a list of policies excluded due to being defined with the override-only attribute.
match=pp
match=Application
match=SPP
match=Info
match=Information
match=ing
match=These policies are being excluded
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SPP_Excluded_Policies type:system sensor:$1 srcip:$2

NEXT

id=30562
name=Windows has recorded the Software Protection service has completed licensing status check.
match=pp
match=Application
match=SPP
match=Info
match=Information
match=ing
match=ser
match=completed licensing status check
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SPP_License_Status type:system sensor:$1 srcip:$2

NEXT

id=30563
name=Windows had a MSSQL$VM_DBS Message.
match=pp
match=Application
match=MSSQL$VM_DBS
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MSSQL_VM_DBS_Messages type:system sensor:$1 srcip:$2 

NEXT

id=30564
name=Windows had a MSSQL$ERAS Message.
match=pp
match=Application
match=MSSQL$ERAS
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MSSQL_ERAS_Messages type:system sensor:$1 srcip:$2

NEXT

id=30565
name=Windows had a MSSQL$SOLARWINDS Message.
match=pp
match=Application
match=MSSQL$SOLARWINDS
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MSSQL_SOLARWINDS_Messages type:system sensor:$1 srcip:$2

NEXT

id=30566
name=Windows Desktop Window Manager messages.
match=pp
match=Application
match=Desk
match=an
match=er
match=The Desktop Window Manager
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Desktop_Window_Manager_Messages type:system sensor:$1 srcip:$2

NEXT

id=30567
name=Windows MSDTC Started.
match=pp
match=ion
match=Application
match=MSDTC
match=MSDTC started
match=er
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MSDTC_Started type:system sensor:$1 srcip:$2

NEXT

id=30568
name=Windows VSS service is shutting down.
match=pp
match=Application
match=VSS
match=is shutting down
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-VSS_Shutting_Down type:system sensor:$1 srcip:$2

NEXT

id=30569
name=Windows VMware vSphere Update Manager -- Installation operation failed.
match=pp
match=Application
match=vSphere
match=Update
match=Installation operation failed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-vSphere_Installation_Failed type:error sensor:$1 srcip:$2

NEXT

id=30570
name=Windows Goverlan failed to open the Group Policy Registry Key, and was denied access.
match=pp
match=Application
match=Fail
match=op
match=to
match=Group
match=Group Policy
match=is
match=Failed to open the Group Policy Registry Key
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Goverlan_Access_Denied type:error sensor:$1 srcip:$2

NEXT

id=30571
name=Windows firewall INFO-EVENTS-LOST.
match=IN
match=FO
match=EVENT
match=LO
match=ST
match=INFO-EVENTS-LOST - - - -
log=event:Windows-Firewall_Events_Lost type:firewall

NEXT

id=30572
name=Windows Security Licensing SLC posted the result of Windows Right consumption. 
match=pp
match=Application
match=Info
match=Information
match=Windows
match=Microsoft
match=Security
match=Microsoft-Windows-Security-Licensing-SLC
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Security_Licensing_SLC type:system sensor:$1 srcip:$2

NEXT

id=30573
name=Windows SkypeUpdate messages, e.g. SkypeUpdate is shutting down.
match=pp
match=Application
match=Info
match=Information
match=SkypeUpdate
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SkypeUpdate_Messages type:system sensor:$1 srcip:$2

NEXT

id=30574
name=Windows WMI has started or initialized.
match=pp
match=Application
match=WMI
match=Service
match=Info
match=Information
match=,Microsoft-Windows-WMI,
match=full
match=ss
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WMI_Started_Initialized type:system sensor:$1 srcip:$2

#NEXT

#id=30575
#name=This Windows application log event indicates there are currently no logon servers available to service the logon request.
#example=Application,09/28/2011,22:53:15 PM,Userenv,3221226479,Error,None,N/A,NEIM1715MI25P,IP:192.168.1.2,1007,Windows cannot determine the associated site for this computer. (There are currently no logon servers available to service the logon request. ). Group Policy processing aborted.
#match=ion
#match=Application
#match=pp
#match=rr
#match=Error
#match=lo
#match=log
#match=server
#match=no
#match=to
#match=service
#match=There are currently no logon servers available to service the logon request
#regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
#log=event:Windows-No_Logon_Servers type:error sensor:$1 srcip:$2 proto:6

NEXT

id=30576
name=This Windows application log event indicates Windows cannot find the machine account; no authority could be contacted for authentication.
match=ion
match=Application
match=pp
match=rr
match=Error
match=Window
match=indo
match=Windows cannot find the machine account
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Machine_Account_Not_Found type:error sensor:$1 srcip:$2 proto:6

NEXT

id=30577
name=This Windows application log event indicates Windows failed to extract the third-party root list from the auto update cab. A required certificate is not within its validity period when verifying against the current system clock.
match=ion
match=Application
match=pp
match=rr
match=Error
match=Window
match=indo
match=req
match=certificate
match=is
match=with
match=A required certificate is not within its validity period
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Cert_Not_In_validity_Period type:error sensor:$1 srcip:$2 proto:6

NEXT

id=30578
name=This Windows application log event indicates that the installer has encountered an unexpected error installing this package.
match=ion
match=Application
match=pp
match=sta
match=le
match=,MsiInstaller,
match=nstall
match=,Product:
match=ed
match=rr
match=Error
match=ing
match=pac
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Installer_Error type:error sensor:$1 dstip:$2 

NEXT

id=30579
name=This Windows application log event indicates that the installer has encountered a file being used.
match=ion
match=Application
match=pp
match=sta
match=le
match=,MsiInstaller,
match=nstall
match=,Product:
match=is
match=use
match=ing
match=ss
match=he
match=by
match=is being 
match=The file
match=by the following process
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Installer_File_Inuse type:system sensor:$1 dstip:$2

NEXT

id=30580
name=This Windows application log event indicates that the system requires a restart.
match=ion
match=Application
match=pp
match=sta
match=le
match=,MsiInstaller,
match=nstall
match=Product
match=Windows
match=indo
match=req
match=system
match=start
match=Windows Installer requires a system restart
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Restart_Required type:system sensor:$1 dstip:$2

NEXT

id=30581
name=Windows Goverlan failed to register a login event for the user because the user has not logged on to the network.
match=pp
match=Application
match=Warn
match=ing
match=Fail
match=Error
match=rr
match=the user has not logged on to the network
match=he
match=user
match=net
match=logged
match=on
match=to
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Goverlan_User_Not_Logged_On type:system sensor:$1 srcip:$2

NEXT

id=30582
name=Windows UPHClean handles in user profile hive have been remapped because they were preventing the profile from unloading successfully.
match=pp
match=Application
match=Info
match=Information
match=have been remapped because they were preventing the profile from unloading successfully
match=he
match=success
match=ing
match=ve
match=be
match=re
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-UPHClean_Handles_Remapped type:system sensor:$1 srcip:$2

NEXT

id=30583
name=Windows ERAS Client Management noticed the client host computer cannot be reached.
match=pp
match=Application
match=ERAS
match=be
match=ed
match=he
match=client
match=host
match=comp
match=nn
match=The client host computer cannot be reached
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ERAS_Client_Not_Reached type:system sensor:$1 srcip:$2

NEXT

id=30584
name=Windows ASP.NET has determined IIS is either not installed or is disabled on this machine.
match=le
match=st
match=Warning
match=in
match=ic
match=IP
match=ASP.NET
match=al
match=P
match=pp
match=er
match=ing
match=ed
match=Application
match=at
match=ion
match=install
match=on
match=disable
match=or
match=is
match=IIS is either not installed or is disabled on this machine
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ASPNET_IIS_Not_Installed event2:WindowsEvent-1020 type:system sensor:$1 srcip:$2


NEXT

id=30585
name=Windows has recorded a SQLWRITER error.
match=pp
match=Application
match=Error
match=Err
match=SQLWRITER
match=ss
match=ll
match=ed
match=Server
match=er
match=ing
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SQLWRITER_Error type:error sensor:$1 srcip:$2

NEXT

id=30586
name=Windows has recorded a SQLVDI error.
match=pp
match=Application
match=Error
match=Err
match=SQLVDI
match=Inst
match=Lo
match=in
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SQLVDI_Error type:error sensor:$1 srcip:$2

NEXT

id=30587
name=Windows has recorded a CertificateServicesClient message.
match=pp
match=Application
match=Micro
match=Microsoft
match=Windows
match=Service
match=Microsoft-Windows-CertificateServices
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Certificate_Services_Messages type:application sensor:$1 srcip:$2

NEXT

id=30588
name=Windows has recorded a Microsoft-Windows-ActiveDirectory_DomainService message.
match=Micro
match=Microsoft
match=Windows
match=Service
match=Microsoft-Windows-ActiveDirectory_DomainService
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows_Active_Directory_Domain_Service_Message type:application sensor:$1 srcip:$2

NEXT

id=30589
name=Windows has recorded a Microsoft-Windows-CEIP (Customer Experience Improvement Program) message.
match=pp
match=Application
match=Micro
match=Microsoft
match=Windows
match=Microsoft-Windows-CEIP
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows_CEIP_Message type:application sensor:$1 srcip:$2 event2:WindowsEvent-1005

NEXT

id=30590
name=Windows has recorded a Microsoft-Windows-Security-Licensing-SLC activation scheduler failed.
match=pp
match=Application
match=Error
match=Micro
match=Microsoft
match=Windows
match=failed
match=ed
match=Microsoft-Windows-Security-Licensing-SLC
match=License Activation Scheduler
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows_Security_License_Failed type:application sensor:$1 srcip:$2 event2:WindowsEvent-8193

NEXT

id=30591
name=Windows has recorded that the SQLServerAgent has scheduled a job for download and the status showed failed. 
match=pp
match=Application
match=Warn
match=Warning
match=ing
match=,SQLSERVERAGENT,
match=- Status: Failed -
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SQLServerAgent_Status_Failed type:error sensor:$1 srcip:$2

NEXT

id=30592
name=Windows SMVI failed to authenticate.
match=pp
match=Application
match=SMVI
match=Warn
match=Warning
match=ing
match=Incorrect password
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SMVI_Failed type:login-failure sensor:$1 srcip:$2 event2:WindowsEvent-4096

NEXT

id=30593
name=Windows Networker messages.
match=pp
match=Application
match=Networker
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Networker_Messages type:application sensor:$1 srcip:$2 

NEXT

id=30594
name=Windows MSExchange has had a user logon. 
match=ion
match=Application
match=at
match=pp
match=MSExchangeIS
match=SE
match=ail
match=St
match=MSExchangeIS Mailbox Store
match=ed
match=ss
match=logged on as
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* logged on as /o=([-A-Za-z0-9$._]+)/
log=event:Windows-Msexchange_Logon type:login sensor:$1 srcip:$2 user:$3

NEXT

id=30595
name=Windows MSExchange has had a user logon.
match=ion
match=Application
match=at
match=pp
match=MSExchangeIS
match=SE
match=ail
match=St
match=MSExchangeIS Mailbox Store
match=ed
match=ss
match=logged on to
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* logged on to ([-A-Za-z0-9$._]+)@
log=event:Windows-Msexchange_Logon type:login sensor:$1 srcip:$2 user:$3

NEXT

id=30596
name=Windows ASP.NET has determined the forms authentication failed for the request.
match=le
match=st
match=Information
match=Info
match=ic
match=IP
match=ASP.NET
match=al
match=P
match=pp
match=er
match=ed
match=Application
match=at
match=ion
match=on
match=or
match=Forms authentication failed for the request.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ASPNET_Forms_Authentication_Failed type:error sensor:$1 srcip:$2

NEXT

id=30597
name=Windows BlackBerry Collaboration Service has had an error.
match=Error
match=rr
match=Application
match=pp
match=ion
match=on
match=,BlackBerry Collaboration Service
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-BlackBerry_Collaboration_Service type:error sensor:$1 srcip:$2

NEXT

id=30598
name=Windows Folder Redirection warning.
match=Warning
match=ing
match=Application
match=pp
match=ion
match=on
match=,Microsoft-Windows-Folder Redirection
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Folder_Redirection type:application sensor:$1 srcip:$2

NEXT

id=30599
name=A Windows network login occurred via a terminal service session and the user ID and source was logged.
match=pp
match=ic
match=at
match=Lo
match=IP
match=P
match=og
match=og
match=ion
match=Application
match=,WSH,
match=No Smart Card -- 
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*User: (\S*) Computer
log=event:Windows-User_Login_Record type:login sensor:$1 srcip:$2 user:$3

NEXT

id=30600
name=A Windows smart card error occurred.
match=pp
match=Error
match=ed
match=rr
match=IP
match=P
match=error
match=cc
match=occurred
match=ion
match=Application
match=ss
match=using
match=ing
match=error occurred while signing a message using the inserted smart card
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Smart_Card_Error type:error sensor:$1 srcip:$2


NEXT

id=30601
name=A Windows Mandiant Tools message.
match=pp
match=Application
match=ion
match=Mandiant_Tools
match=oo
match=and
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Mandiant_Tools type:application sensor:$1 srcip:$2

NEXT

id=30602
name=This Windows application log event indicates Outlook has loaded add-in(s).
match=ion
match=Application
match=Information
match=ion
match=pp
match=oo
match=Outlook
match=ed
match=loaded
match=Outlook loaded the following add-in
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Outlook_Add_Ins type:application sensor:$1 srcip:$2

NEXT

id=30603
name=Windows DrWatson has reported an application error.
match=pp
match=Information
match=ed
match=Info
match=IP
match=P
match=error
match=rr
match=cc
match=occurred
match=ion
match=Application
match=ss
match=generated an application error
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-DrWatson_Message type:error sensor:$1 srcip:$2

NEXT

id=30604
name=This Windows application log event indicates Windows cannot unload your classes registry file - it is still in use by other applications or services.
match=ion
match=Application
match=pp
match=ing
match=Warning
match=Window
match=indo
match=Windows cannot unload your classes registry file
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Cannot_Unload_Registry_File type:application sensor:$1 srcip:$2

NEXT

id=30605
name=This Windows application log event indicates Windows saved a user registry while an application or service was still using the registry during log off.
match=ion
match=Application
match=pp
match=ing
match=Warning
match=Window
match=indo
match=registry while an application or service
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Saved_User_Registry type:application sensor:$1 srcip:$2

NEXT

id=30606
name=This Windows application log event indicates Windows unloaded the user registry when it received a notification that no other applications or services were using the profile.
match=ion
match=Application
match=pp
match=ed
match=Information
match=Info
match=Window
match=indo
match=user
match=registry when it received a notification
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Unloaded_User_Registry type:application sensor:$1 srcip:$2

NEXT

id=30607
name=This Windows application log event indicates the description for an Event ID cannot be found (EAPOL source only, per the match lines).
match=EAPOL
match=ion
match=Application
match=pp
match=Information
match=Info
match=nn
match=cannot
match=description
match=The description for Event ID
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Description_For_Event_ID_Not_Found type:application sensor:$1 srcip:$2

NEXT

id=30608
name=This Windows application log event indicates the Software Protection service has completed an Office licensing status check.
match=Office
match=ion
match=Application
match=pp
match=Information
match=Info
match=ice
match=service
match=Software
match=Protection service has completed licensing status check
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-License_Status_Check_Complete type:application sensor:$1 srcip:$2

NEXT

id=30609
name=This Windows application log event indicates Group Policy failed with an error code.
match=ion
match=Application
match=pp
match=Warning
match=ing
match=failed
match=ed
match=rr
match=error
match=Group Policy
match= failed with error code
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Group_Policy_Failed type:error sensor:$1 srcip:$2

NEXT

id=30610
name=This Windows application log event indicates FileMaker Server has logged a message.
match=ion
match=Application
match=pp
match=tion
match=,FileMaker Server
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-FileMaker_Messages type:application sensor:$1 srcip:$2

NEXT

id=30611
name=This Windows application log event indicates a PHP (5.x) message was logged.
match=ion
match=Application
match=pp
match=PHP-5
match=IP
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-PHP_Messages type:application sensor:$1 srcip:$2

NEXT

id=30612
name=The Windows Disk Defragmenter has reported its statistics.
match=pp
match=ic
match=at
match=IP
match=P
match=ion
match=Application
match=,WSH,
match=Disk Defragmenter
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Disk_Defragmenter_Stats type:application sensor:$1 srcip:$2

NEXT

id=30613
name=Windows has recorded the Software Protection service has failed to restart.
match=pp
match=Application
match=SPP
match=ser
match=Software Protection service
match=Failed
match=ed
match=re-start
match=Error
match=rr
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SPP_Failed_Restart type:error sensor:$1 srcip:$2

NEXT

id=30614
name=Windows has recorded an informational message from the Automatic LiveUpdate Scheduler.
match=pp
match=Application
match=LiveUpdate
match=Info
match=tion
match=Information
match=Automatic LiveUpdate Scheduler
match=er
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-LiveUpdate_Messages type:system sensor:$1 srcip:$2

NEXT

id=30615
name=Windows has recorded a Brother BrLog message (no severity is matched, so any BrLog message is logged here as an error).
match=pp
match=Application
match=Brother
match=BrLog
match=tion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Brother_BrLog_Error type:error sensor:$1 srcip:$2

NEXT

id=30616
name=Windows has recorded a CAPI2 error.
match=pp
match=Application
match=CAPI2
match=Error
match=rr
match=tion
match=Microsoft-Windows-CAPI2
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-CAPI2_Error type:error sensor:$1 srcip:$2

NEXT

id=30617
name=Windows has recorded an ATIeRecord error: the ATI EEU maximum number of sessions has been surpassed.
match=pp
match=Application
match=ATIeRecord
match=Error
match=rr
match=tion
match=ATI EEU maximum number of session has been surpassed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ATIe_Maximum_Sessions type:error sensor:$1 srcip:$2

NEXT

id=30618
name=Windows has recorded an MSSQL error: BACKUP failed to complete.
match=pp
match=Application
match=MSSQL
match=Error
match=rr
match=tion
match=BACKUP failed to complete
match=ed
match=failed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Backup_Database_Failed type:error sensor:$1 srcip:$2

NEXT

id=30619
name=Windows Interactive Services Detection has recorded that a device or program has requested attention.
match=pp
match=Application
match=Interactive Services detection
match=Info
match=Information
match=tion
match=device or program has requested attention.
match=ed
match=device
match=or
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Device_Or_Program_Attention type:application sensor:$1 srcip:$2

NEXT

id=30620
name=Windows has recorded the winlogon notification subscriber was unavailable to handle a notification event. 
match=pp
match=Application
match=Winlogon
match=Info
match=Information
match=tion
match=was unavailable to handle a notification event
match=event
match=unavailable
match=to
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Winlogon_Subscriber_Unavailable type:error sensor:$1 srcip:$2

NEXT

id=30621
name=Windows has recorded the User Notification Service has started.
match=pp
match=Application
match=Info
match=Information
match=tion
match=UNS
match=User
match=start
match=User Notification Service started
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Notification_Service_Started type:application sensor:$1 srcip:$2

NEXT

id=30622
name=Windows has recorded LMS has started.
match=pp
match=Application
match=Info
match=Information
match=tion
match=LMS
match=LMS started
match=start
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-LMS_Started type:application sensor:$1 srcip:$2

NEXT

id=30623
name=Windows has recorded the Event System has timed out.
match=pp
match=Application
match=Warning
match=ing
match=tion
match=Event System timed out
match=ed
match=timed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Event_System_Timeout type:application sensor:$1 srcip:$2

NEXT

id=30624
name=Windows has recorded a successful Smart Card login (Success Audit).
match=pp
match=Application
match=tion
match=cc
match=ss
match=Success Audit
match=Login
match=Smart Card Login
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* User: ([a-zA-Z0-9._-]+)
log=event:Windows-Smart_Card_Login type:login sensor:$1 srcip:$2 user:$3

NEXT

id=30625
name=Windows has recorded the Windows Security Center Service has started.
match=pp
match=Application
match=Info
match=Information
match=tion
match=Windows Security Center Service has started
match=ed
match=Service
match=has
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SecurityCenter_Started type:application sensor:$1 srcip:$2

NEXT

id=30626
name=Windows has recorded an ActivClient warning.
match=pp
match=Application
match=Warning
match=ing
match=tion
match=ActivClient
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ActivClient_Messages type:application sensor:$1 srcip:$2

NEXT

id=30627
name=Windows has recorded MSSQL$BKUPEXEC server resumed execution after being idle.
match=pp
match=Application
match=Info
match=Information
match=tion
match=MSSQL$BKUPEXEC
match=Server
match=resumed
match=ed
match=Server resumed execution
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Server_Resumed_Execution type:application sensor:$1 srcip:$2

NEXT

id=30628
name=Windows has recorded the .NET Runtime has deleted an obsolete native image.
match=pp
match=Application
match=Warning
match=ing
match=tion
match=NET Runtime
match=deleted obsolete native image
match=deleted
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-NET_Runtime_Deleted_Image type:application sensor:$1 srcip:$2

NEXT

id=30629
name=Windows has recorded the STAgent service is running.
match=pp
match=Application
match=Info
match=Information
match=tion
match=STAgent
match=The service is running
match=is
match=ing
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Stagent_Service_Running type:application sensor:$1 srcip:$2

NEXT

id=30630
name=Windows has recorded a Bonjour task scheduling error.
match=pp
match=Application
match=Error
match=rr
match=tion
match=Bonjour
match=Task Scheduling Error
match=Task
match=ing
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Bonjour_Scheduling_Error type:error sensor:$1 srcip:$2

NEXT

id=30631
name=Windows has recorded the disk defragmenter has successfully completed.
match=pp
match=Application
match=Defrag
match=Info
match=Information
match=tion
match=ll
match=ss
match=ed
match=cc
match=disk defragmenter successfully completed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Defrag_Completed type:system sensor:$1 srcip:$2

NEXT

id=30632
name=Windows has recorded a Smart Card Logon error (the match lines do not verify the certificate-retrieval wording, so any Smart Card Logon error matches).
match=pp
match=Application
match=tion
match=Error
match=rr
match=Logon
match=cc
match=ed
match=in
match=Smart Card Logon
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Smart_Card_Logon type:login-failure sensor:$1 srcip:$2 

NEXT

id=30633
name=Windows has recorded a Microsoft-Windows-Search message.
match=pp
match=Application
match=tion
match=Microsoft-Windows-Search
match=Micro
match=Win
match=Search
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Search_Messages type:application sensor:$1 srcip:$2

NEXT

id=30634
name=Windows has recorded a RoxWatch message. This could come from the Roxio application or could be malware.
match=pp
match=Application
match=tion
match=RoxWatch
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-RoxWatch_Possible_Malware type:intrusion sensor:$1 srcip:$2

NEXT

id=30635
name=Windows has recorded an ExtremeZ-IP informational message.
match=pp
match=Application
match=tion
match=ExtremeZ-IP
match=Info
match=tion
match=Information
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ExtremeZ-IP_Messages type:application sensor:$1 srcip:$2

NEXT

id=30636
name=Windows has recorded a Microsoft Office alert.
match=Alerts
match=Microsoft
match=Micro
match=ff
match=ice
match=Office
match=Information
match=Info
match=tion
regex=Microsoft Office ([0-9+]+) Alerts.*,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Microsoft_Office_Alert type:application sensor:$2 srcip:$3


NEXT

id=30637
name=This Windows application log event indicates that software was removed.
match=Information
match=nstall
match=nfo
match=,Information,
match=nformation
match=io
match=,MsiInstaller,
match=,MsiInstaller,1034,
match=sta
match=App
match= remove
match=re
match=,Windows 
match=,Windows
match=in
match=Win
match=indo
match=Information,
match=,MsiInstaller
match=IP
match=ti
match=MsiInstaller
match=removed
match=er
match=Info
match=ve
match=ion
match=rm
match=Application
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Application_Removed type:system sensor:$1 dstip:$2 event2:WindowsEvent-1034

NEXT

id=30638
name=A Windows process was terminated due to an unhandled exception.
match=,1026,
match=The process was terminated due to an unhandled exception
match=: 
match=an
match=,Error,
match=io
match=Err
match=at
match=,10
match=le
match=on
match=tion
match=rror
match=App
match=ed
match=led
match=ca
match=na
match=Error
match=pp
match=and
match=or
match=ated
match=IP
match=li
match=dl
match=ex
match=handle
match=ion
match=rm
match=Application
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Process_Terminated type:process sensor:$1 dstip:$2 event2:WindowsEvent-1026

NEXT

id=30639
name=This Windows application MsiInstaller failed to connect to the server.
match=ion
match=Application
match=pp
match=sta
match=le
match=,MsiInstaller,
match=nstall
match=Warning
match=ing
match=ed
match=Failed
match=ed
match=rr
match=Error
match=nn
match=Failed to connect to server
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Applicaiton_MsiInstaller_Error type:error sensor:$1 dstip:$2 event2:WindowsEvent-1015

NEXT

id=30640
name=This Windows application SharePoint has issued a warning.
match=ion
match=Application
match=pp
match=ar
match=SharePoint
match=ing
match=Warning
match=Microsoft-SharePoint Products-SharePoint Foundation
match=Micro
match=tion
match=so
match=int
match=,Warning,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SharePoint_Warning type:application sensor:$1 srcip:$2

NEXT

id=30641
name=Windows Management Instrumentation (WMI) has stopped.
match=pp
match=Application
match=Warn
match=ing
match=WMI
match=pp
match=ed
match=Windows Management Instrumentation has stopped
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WMI_Has_Stopped type:application sensor:$1 srcip:$2 event2:WindowsEvent-5612

NEXT

id=30642
name=Windows has recorded the Windows logon process has failed to terminate the currently logged on user's processes.
match=pp
match=Application
match=Winlogon
match=Info
match=Information
match=tion
match=logon process has failed to terminate the currently logged on user
match=logon
match=on
match=to
match=ed
match=rr
match=gg
match=ss
match=user
match=4004
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Winlogon_Failed_Termination_Of_Proceses type:application sensor:$1 srcip:$2 event2:WindowsEvent-4004

NEXT

id=30643
name=Windows has recorded a BCAAA error (event 1306).
match=pp
match=Application
match=BCAAA
match=rr
match=Error
match=IP
match=1306
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),1306
log=event:Windows-BCAAA_Error type:error sensor:$1 srcip:$2 event2:WindowsEvent-1306

NEXT

id=30644
name=Windows has recorded a crypt32 'Failed extract' error.
match=pp
match=Application
match=yp
match=crypt32
match=Failed
match=ed
match=rr
match=or
match=Error
match=Failed extract
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Crypt32_Failed_Extract type:error sensor:$1 srcip:$2 event2:WindowsEvent-11

NEXT

id=30645
name=Windows has recorded a crypt32 warning that a threshold of events has been reached.
match=pp
match=Application
match=yp
match=crypt32
match=ing
match=Warn
match=Warning
match=threshold of
match=events
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Crypt32_Threshold type:application sensor:$1 srcip:$2 event2:WindowsEvent-6

NEXT

id=30646
name=Windows has recorded a crypt32 'Failed auto update retrieval' error.
match=pp
match=Application
match=yp
match=crypt32
match=or
match=rr
match=Error
match=Failed auto update retrieval
match=ed
match=Failed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Crypt32_Failed_Auto_Update type:error sensor:$1 srcip:$2 event2:WindowsEvent-8

NEXT

id=30647
name=A WSH-sourced IRIS message reports that backing up files completed successfully.
match=WSH
match=IRIS
match=pp
match=Application
match=at
match=ion
match=ing
match=up
match=to
match=ed
match=cc
match=ed
match=ll
match=Backing up files to
match=completed successfully.
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-IRIS_Backup type:system srcip:$1

NEXT

id=30648
name=A WSH-sourced IRIS message reports that an update was successfully applied.
match=WSH
match=IRIS
match=cc
match=ed
match=ll
match=ss
match=update
match=Successfully applied update
log=event:Windows-IRIS_Updated_Registry type:system

NEXT

# id=30649 moved to threat_ms_emet.prm
# id=30650 moved to threat_ms_emet.prm
# id=30651 moved to threat_ms_emet.prm

id=30652
name=This Windows application SharePoint has issued an error.
match=ion
match=Application
match=pp
match=ar
match=SharePoint
match=rr
match=Error
match=Microsoft-SharePoint Products-SharePoint Foundation
match=Micro
match=tion
match=so
match=int
match=,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SharePoint_Error type:error sensor:$1 srcip:$2

NEXT

id=30653
name=This Windows application log event indicates SiteMinder has logged an informational message.
match=ion
match=Application
match=pp
match=SiteMinder
match=Info
match=Information
match=,Information,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SiteMinder_Messages type:application sensor:$1 srcip:$2

NEXT

id=30654
name=This Windows application SharePoint has issued a critical message.
match=ion
match=Application
match=pp
match=ar
match=SharePoint
match=Critical
match=Microsoft-SharePoint Products-SharePoint Foundation
match=Micro
match=tion
match=so
match=int
match=,Critical,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SharePoint_Critical_Message type:application sensor:$1 srcip:$2

NEXT

id=30655
name=This Windows application LANrev has issued an error message.
match=ion
match=Application
match=pp
match=LANrev
match=er
match=Error
match=tion
match=,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-LANrev_Error type:error sensor:$1 srcip:$2

NEXT

id=30656
name=This Windows application log event indicates the IIS Advanced Logging Module has logged an error.
match=Application
match=ion
match=pp
match=IIS
match=er
match=Error
match=gg
match=ing
match=ed
match=IIS Advanced Logging Module
match=,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-IIS_Error type:error sensor:$1 srcip:$2

NEXT

id=30657
name=This Windows server has recorded an unexpected VSS error.
match=ion
match=Application
match=pp
match=rr
match=Error
match=VSS
match=Volume Shadow Copy Service error
match=ice
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-VSS_Unexpected_Error type:error sensor:$1 srcip:$2

NEXT

id=30658
name=Windows has recorded the Software Protection service has processed an activation response from the key management service machine.
match=pp
match=Application
match=SPP
match=Info
match=Information
match=ser
match=ion
match=ed
match=client
match=The client has processed an activation response
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SPP_Activation_Response_Processed type:system sensor:$1 srcip:$2

NEXT

id=30659
name=Windows has recorded the Software Protection service has sent an activation request to the key management service machine.
match=pp
match=Application
match=SPP
match=Info
match=Information
match=ser
match=ion
match=sent
match=client
match=The client has sent an activation request
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SPP_Activation_Request_Sent type:system sensor:$1 srcip:$2

NEXT

id=30660
name=Windows has recorded the VSS has run out of time while deleting files.
match=pp
match=Application
match=VSS
match=Info
match=Information
match=ing
match=ion
match=files
match=Ran out of time while deleting files
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-VSS_Timed_Out_Deleting_Files type:system sensor:$1 srcip:$2

NEXT

id=30661
name=Windows has recorded that an application attempted to veto the shutdown.
match=pp
match=Application
match=Winsrv
match=Info
match=Information
match=ing
match=ion
match=app
match=ed
match=The following application attempted to veto the shutdown
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Attempted_To_Stop_Shutdown type:application sensor:$1 srcip:$2

NEXT

id=30662
name=The Windows Search Service has reported an unspecified error (logged at Warning severity).
match=ion
match=Application
match=pp
match=indo
match=Windows
match=ar
match=ce
match=Windows Search Service
match=tem
match=ed
match=ing
match=Warning
match=rr
match=Unspecified error
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Search_Error type:error sensor:$1 srcip:$2

NEXT

id=30663
name=A Windows listener adapter successfully connected to the Windows Process Activation Service (WAS).
match=ion
match=Application
match=pp
match=indo
match=Windows
match=WAS
match=Info
match=Information
match=ion
match=,Microsoft-Windows-WAS
match=successfully connected to Windows Process
match=cc
match=ss
match=ll
match=nn
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Listener_Adapter_Connected type:application sensor:$1 srcip:$2

NEXT

id=30664
name=An IIS worker process (W3SVC-WP) reported an error: a script had not responded within the configured timeout period.
match=ion
match=Application
match=rr
match=Error
match=W3SVC-WP
match=ed
match=con
match=period
match=configured timeout period
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Script_Timeout type:error sensor:$1 srcip:$2

NEXT

# id=30665 moved to threat_ms_emet.prm
# id=30666 moved to threat_ms_emet.prm
# id=30667 moved to threat_ms_emet.prm
# id=30668 moved to threat_ms_emet.prm

id=30669
name=Winlogon reports that Windows is in its notification period and needs to be registered.
match=ion
match=Application
match=in Notification period
match=Winlogon
match=Win
match=ows
match=in
match=Not
match=fi
match=ca
match=od
match=per
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-In_Notification_Period type:application sensor:$1 srcip:$2

NEXT

id=30670
name=Windows has reported that a machine restart is required.
match=ion
match=Application
match=Info
match=Machine restart is required
match=ine
match=re
match=art
match=is
match=ed
match=re
match=qui
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Restart_Required type:application sensor:$1 srcip:$2

NEXT

id=30671
name=The Windows Restart Manager is starting or ending session 1.
match=RestartManager
match=ion
match=Application
match=Info
match=ing session 1
match=ing
match=ss
match=ses
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Starting_Ending_First_Session type:application sensor:$1 srcip:$2

NEXT

id=30672
name=A Windows restart was deferred to a later time.
match=ion
match=Application
match=Info
match=restart was deferred to a later time
match=art
match=rr
match=ed
match=de
match=to 
match=a
match=er
match=me
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Restart_Deffered type:application sensor:$1 srcip:$2

NEXT

id=30673
name=The Windows MS DTC service is stopping.
match=ion
match=Application
match=Info
match=MS DTC service is stopping
match=MS
match=DTC
match=ice
match=is
match=pp
match=ing
match=stop
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MS_DTC_Service_Stopping type:application sensor:$1 srcip:$2

NEXT

id=30674
name=Windows Security-SPP has reported a license acquisition failure.
match=ion
match=Application
match=rr
match=Error
match=Security-SPP
match=Sec
match=PP
match=License acquisition failure 
match=Li
match=se
match=acq
match=fail
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-License_Acquisition_Failure type:error sensor:$1 srcip:$2

NEXT

id=30675
name=Windows has reported that license activation failed with an error code.
match=ion
match=Application
match=rr
match=Error
match=License Activation
match=Act
match=va
match=failed with the following error code
match=ing
match=ll
match=code
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-License_Activation_Failure type:error sensor:$1 srcip:$2

NEXT

id=30676
name=Windows Security-SPP has reported that acquisition of an End User License failed.
match=ion
match=Application
match=rr
match=Error
match=Security-SPP
match=Sec
match=SPP
match=Acquisition of End User License failed
match=ed
match=Acq
match=of
match=User
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-License_Acquisition_Failure type:error sensor:$1 srcip:$2

NEXT

id=30677
name=The Windows MSDTC client encountered an error (for example, while attempting to establish a secure connection with another system).
match=ion
match=Application
match=ing
match=Warn
match=MSDTC
match=Client
match=ent
match=MSDTC encountered an error
match=rr
match=error
match=ed
match=en
match=nn
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MSDTC_Error_Attempting_Connection type:error sensor:$1 srcip:$2

NEXT

id=30678
name=The Windows Event System could not remove an object.
match=ion
match=Application
match=rr
match=Error
match=Event System
match=Event
match=Event System could not remove
match=not
match=re
match=ve
match=ld
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Event_System_Unable_To_Remove_Object type:error sensor:$1 srcip:$2

NEXT

id=30679
name=Windows MSExchangeTransport has reported that a configuration update completed successfully.
match=ion
match=Application
match=at
match=pp
match=MSExchangeTransport
match=SE
match=ort
match=Info
match=configuration update 
match=has successfully completed
match=date
match=con
match=ed
match=ss
match=cc
match=ll
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MsexchangeTransport_Configuration_Updated type:application sensor:$1 srcip:$2

NEXT

id=30680
name=Windows MSExchange ADAccess has logged an error referencing a server (the match lines do not verify the 'unavailable' wording).
match=ion
match=Application
match=at
match=pp
match=MSExchange ADAccess
match=ADA
match=cc
match=ss
match=Error 
match=was
match=as
match=er
match=ser
match=erver
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Msexchange_ADAprocess_Server_Unavailable type:application sensor:$1 srcip:$2

NEXT

id=30681
name=Windows MSExchange ADAccess has reported that the Configuration Domain Controller has been changed.
match=ion
match=Application
match=at
match=pp
match=MSExchange ADAccess
match=ADA
match=cc
match=ss
match=Info
match=Configuration Domain Controller has been changed
match=Conf
match=ll
match=er
match=ed
match=ee
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Msexchange_ADAprocess_Controller_Changed type:application sensor:$1 srcip:$2

NEXT

id=30682
name=Windows EapHost (Extensible Authentication Protocol) has reported a validation failure, such as an EAP method DLL path validation failure.
match=ion
match=Application
match=at
match=pp
match=EapHost
match=st
match=rr
match=Error
match=validation failed
match=ed
match=val
match=da
match=fa
match=fail
match=id
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-EapHost_Validation_Failed type:error sensor:$1 srcip:$2

NEXT

id=30683
name=A Windows ACECLIENT Authentication Manager is not responding.
match=ion
match=Application
match=at
match=pp
match=ACECLIENT
match=rr
match=Error
match=Authentication Manager is not responding
match=Auth
match=ger
match=is
match=not
match=ing
match=res
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Aceclient_Authentication_Manager_Not_Responding type:error sensor:$1 srcip:$2

NEXT

id=30684
name=A Windows Ipswitch Alert Center notification 'Email Network' of the policy 'Email Network' has succeeded.
match=ion
match=Application
match=at
match=pp
match=Ipswitch Alert Center
match=Ip
match=ch
match=Alert
match=er
match=Cen
match=Email Network'
match=has succeeded
match=cc
match=ee
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Ipswitch_Email_Network_Succeeded type:application sensor:$1 srcip:$2

NEXT

id=30685
name=A Microsoft-Filtering-FIPFS message was logged to the Windows Application log.
match=ion
match=Application
match=at
match=pp
match=Microsoft-Filtering-FIPFS
match=FS
match=FI
match=Mic
match=sof
match=ing
match=Fil
match=ter
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Filtering_FIPFS type:application sensor:$1 srcip:$2

NEXT

id=30686
name=Microsoft Windows Remote Management (WinRM) client activity transfer.
match=Client
match=Cli
match=nt
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=Act
match=ty
match=Tr
match=fer
match=Activity Transfer
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_ACtivity_Transfer type:application sensor:$1 srcip:$2

NEXT

id=30687
name=The Microsoft Windows WinRM client is setting a WSMan session option.
match=Client
match=Cli
match=nt
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=Setting WSMan Session Option
match=com
match=ed
match=cc
match=ss
match=ll
match=tt
match=tt
match=WSMan
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WSMan_Session_Option_Set type:application sensor:$1 srcip:$2

NEXT

id=30688
name=Microsoft Windows WinRM client cannot connect to the destination specified in the request.
match=lient
match=li
match=nt
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=rr
match=Error
match=client cannot connect to the destination specified
match=nn
match=ot
match=ect
match=des
match=ion
match=ed
match=spe
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Client_Cannot_Connect type:error sensor:$1 srcip:$2

NEXT

id=30689
name=The Microsoft Windows WinRM client's WSMan create session operation completed successfully (note: the 'Creat ' match line carries a trailing space and may not match 'Create Session').
match=lient
match=li
match=nt
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=WSMan 
match=Creat 
match=Session
match=WSMan
match=eat
match=ss
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WSMan_Created_Session type:application sensor:$1 srcip:$2

NEXT

id=30690
name=Microsoft-Windows-IIS-W3SVC-WP worker process for application pool encountered an error.
match=Application
match=ion
match=Windows-IIS-W3SVC-WP
match=IIS
match=W3SVC
match=WP
match=rr
match=rror
match=worker process for application pool
match=er
match=ss
match=app
match=oo
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-IIS_W3SVC_WP_Worker_Process_Error type:error sensor:$1 srcip:$2

NEXT

id=30691
name=Microsoft Windows WinRM WSMan API call.
match=lient
match=li
match=nt
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=WSMan API call
match=WS
match=Ma
match=API
match=all
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_WSMan_API_Call type:application sensor:$1 srcip:$2

NEXT

id=30692
name=Microsoft Windows PowerShell message (catch-all for any line containing 'Windows PowerShell').
match=Windows
match=PowerShell
match=dow
match=Win
match=Po
match=er
match=ll
match=Sh
match=ll
match=wer
match=ell
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-PowerShell_Messages type:application sensor:$1 srcip:$2

NEXT

id=30693
name=The Microsoft Windows WinRM client is deinitializing and closing a WSMan session.
match=li
match=lient
match=li
match=nt
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=WSMan Session deinitialize
match=ss
match=ion
match=de
match=WSMan
match=ze
match=ial
match=ini
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WSMan_Session_Closed type:application sensor:$1 srcip:$2

NEXT

id=30694
name=Microsoft Windows WinRM WSMan operation CreateShell failed.
match=Microsoft-Windows-WinRM
match=ient
match=nt
match=Error
match=rr
match=or
match=dow
match=Win
match=WSMan operation CreateShell failed
match=WSMan
match=ion
match=ed
match=ate
match=Cr
match=fa
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WSMan_CreateShell_Failed type:error sensor:$1 srcip:$2

NEXT

id=30695
name=Microsoft Windows Application infrastructure error.
match=Microsoft-Windows-Application
match=Infrastructure
match=Server
match=Error
match=rr
match=or
match=dow
match=Win
match=ion
match=App
match=pp
match=ure
match=In
match=ast
match=er
match=Ser
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Infrastructure_Error type:error sensor:$1 srcip:$2

NEXT

id=30696
name=Microsoft Windows-GroupPolicy messages.
match=Microsoft-Windows-GroupPolicy
match=Operational
match=Info
match=ion
match=nal
match=Oper
match=dow
match=Win
match=nal
match=oup
match=Gr
match=Po
match=icy
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-GroupPolicy_Messages type:application sensor:$1 srcip:$2

NEXT

id=30697
name=Microsoft Windows WMI Activity messages.
match=Microsoft-Windows-WMI-Activity
match=Operational
match=WMI
match=ity
match=Act
match=Info
match=ion
match=nal
match=Oper
match=dow
match=Win
match=nal
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WMI_Activity_Messages type:application sensor:$1 srcip:$2

NEXT

id=30698
name=Microsoft Windows WinRM got a timeout.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Response handling
match=Re
match=se
match=ha
match=ng
match=timeout
match=ti
match=me
match=out
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Timeout type:error sensor:$1 srcip:$2

NEXT

id=30699
name=Microsoft Windows RPC Proxy successfully loaded in Internet Information Services (IIS).
match=Application
match=pp
match=ion
match=Info
match=RPC Proxy successfully loaded in Internet Information Services (IIS)
match=RPC
match=Pr
match=xy
match=ed
match=lo
match=Int
match=net
match=ice
match=Ser
match=IIS
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-RPC_Proxy_Loaded_In_IIS type:application sensor:$1 srcip:$2

NEXT

id=30700
name=This Windows security database appears to be corrupt. Specifically some JET database is corrupt.
match=ion
match=Application
match=pp
match=ce
match=,SceCli,
match=rr
match=,Error,
match=So
match=JET
match=da
match=se
match=pt
match=Some JET database is corrupt
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-JET_Database_Corrupt sensor:$1 srcip:$2 type:error

NEXT

id=30701
name=Windows has recorded a WMI unknown error.
match=WMI
match=rr
match=Error
match=,Microsoft-Windows-WMI
match=PossibleCause
match=Unknown
match=Po
match=ss
match=le
match=Ca
match=se
match=Un
match=own
match=PossibleCause = Unknown
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WMI_Unknown_Error type:error sensor:$1 srcip:$2

NEXT

id=30702
name=Windows has recorded a GroupPolicy error. Completed Security Extension Processing.
match=rr
match=Error
match=,Microsoft-Windows-GroupPolicy
match=Gr
match=Po
match=Win
match=Mi
match=ft
match=cy
match=ws
match=li
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Group_Policy_Error type:error sensor:$1 srcip:$2

NEXT

id=30703
name=Windows KnownFolders has recorded an error 
match=ing
match=War
match=Microsoft-Windows-KnownFolders
match=rror
match=rr
match=Kno
match=wn
match=ers
match=Fo
match=cc
match=rr
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Known_Folders_Error type:error sensor:$1 srcip:$2

NEXT

id=30704
name=Microsoft Windows remote management activity: initializing or initialized WSMan API.
match=Client
match=Cli
match=nt
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=WSMan
match=Initial
match= WSMan API
match=In
match=Man
match=API
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_WSMan_Initializing type:application sensor:$1 srcip:$2

NEXT

id=30705
name=Microsoft Windows remote management activity WSMan operation Identify completed successfully.
match=Client
match=Cli
match=nt
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=WSMan
match=operation
match=completed successfully
match=ion
match=ed
match=com
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_WSMan_Operation_Completed type:application sensor:$1 srcip:$2

NEXT

id=30706
name=Microsoft Windows remote management activity is sending a response for the operation.
match=Server
match=er
match=Se
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=Info
match=ion
match=Sending response for operation
match=ing
match=re
match=se
match=op
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Response_For_Operation type:application sensor:$1 srcip:$2

NEXT

id=30707
name=Microsoft Windows remote management activity is processing a client request for an operation.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=Info
match=ion
match=Processing client request for operation
match=ing
match=re
match=st
match=op
match=cl
match=nt
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Client_Request_For_Operation type:application sensor:$1 srcip:$2

NEXT

id=30708
name=Microsoft Windows remote management activity is entering or leaving the plugin for operation.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=Info
match=ion
match=the plugin for operation
match=plu
match=in
match=op
match=er
match=at
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Entering_Leaving_For_Operation type:application sensor:$1 srcip:$2

NEXT

id=30709
name=Microsoft Windows remote management activity is sending a request for the operation.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=Info
match=ion
match=Sending the request for operation
match=Se
match=ing
match=re
match=st
match=oper
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Sending_Request_For_Operation type:application sensor:$1 srcip:$2

NEXT

id=30710
name=Windows diagnosis.
match=Microsoft-Windows-Diagnosis
match=Win
match=ows
match=Dia
match=Mi
match=cro
match=nos
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Diagnosis sensor:$1 srcip:$2 type:application

NEXT

id=30711
name=Windows resource exhaustion.
match=Microsoft-Windows-Resource-Exhaustion-Detector
match=Win
match=ows
match=Det
match=or
match=cro
match=Mi
match=Re
match=ion
match=Exh
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Resource_Exhaustion sensor:$1 srcip:$2 type:application

NEXT

id=30712
name=Microsoft Windows remote procedure call in data.
match=RPC_IN_DATA
match=RP
match=C_
match=IN
match=IN_
match=_D
match=AT
match=DA
match=TA
log=event:Windows-RPC_IN_DATA type:application

NEXT

id=30713
name=Microsoft Windows remote procedure call out data.
match=RPC_OUT_DATA
match=RP
match=C_
match=OUT
match=UT_
match=_D
match=AT
match=DA
match=TA
log=event:Windows-RPC_OUT_DATA type:application

NEXT

id=30714
name=Microsoft Windows PowerShell messages
match=powershell
match=/p
match=ow
match=er
match=ll
match=sh
match=el
match=T /powershell
log=event:Windows-PowerShell_Messages type:application

NEXT

id=30715
name=Microsoft Windows PowerShell messages
match=PowerShell
match=/P
match=ow
match=er
match=ll
match=Sh
match=el
match=T /PowerShell
log=event:Windows-PowerShell_Messages type:application

NEXT

id=30716
name=Microsoft Windows remote management activity.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=WinRM,91,Information
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_ACtivity type:application sensor:$1 srcip:$2

NEXT

id=30717
name=Microsoft Windows remote management activity.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=User authentication
match=Us
match=er
match=auth
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_User_Authentication type:login  sensor:$1 srcip:$2

NEXT

id=30718
name=Microsoft Windows remote management error HTTP_STATUS_DENIED.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=HTTP_STATUS_DENIED
match=HT
match=TT
match=STA
match=US
match=DEN
match=ED
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_HTTP_Status_Denied type:web-error sensor:$1 srcip:$2

NEXT

id=30719
name=Microsoft Windows remote management HTTP_STATUS_OK.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=HTTP_STATUS_OK
match=HT
match=TT
match=STA
match=US
match=OK
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_HTTP_Status_OK type:web-access sensor:$1 srcip:$2

NEXT

id=30720
name=Microsoft Windows remote management error shell output failed.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=operation ReceiveShellOutput failed
match=rr
match=error
match=op
match=ion
match=ed
match=Re
match=put
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Shell_Output_Failed type:error sensor:$1 srcip:$2

NEXT

id=30721
name=Microsoft Windows remote management error signal shell failed.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=operation SignalShell failed
match=rr
match=error
match=op
match=ion
match=ed
match=Si
match=ll
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Signal_Shell_Failed type:error sensor:$1 srcip:$2

NEXT

id=30722
name=Microsoft Windows remote management error WINHTTP CANNOT CONNECT.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=ERROR_WINHTTP_CANNOT_CONNECT
match=RR
match=ERR
match=WIN
match=NN
match=OT
match=CO
match=CT
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Win_HTTP_Cannot_Connect type:error sensor:$1 srcip:$2

NEXT

id=30723
name=Microsoft Windows remote management error delete shell failed.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=operation DeleteShell failed
match=rr
match=err
match=ion
match=op
match=ll
match=De
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Delete_Shell_Failed type:error sensor:$1 srcip:$2

NEXT

id=30724
name=Microsoft Windows remote management HTTP_STATUS_SERVICE_UNAVAIL.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=HTTP_STATUS_SERVICE_UNAVAIL
match=HT
match=TT
match=STA
match=US
match=ICE
match=UN
match=AVA
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_HTTP_Status_Service_Unavailable type:error sensor:$1 srcip:$2

NEXT

id=30725
name=Microsoft Windows remote management deinitializing WSMan API.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=Deinitial
match=WSMan API
match=De
match=al
match=WS
match=Man
match=API
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Deinitialize_WSMan_API type:application sensor:$1 srcip:$2

NEXT

id=30726
name=Microsoft Windows remote management service starting or has started.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=Winrm service
match=start
match=Winrm
match=se
match=ice
match=st
match=rt
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Service_Start type:application sensor:$1 srcip:$2

NEXT

id=30727
name=Microsoft Windows Forefront protection messages.
match=Forefront Protection
match=Forefront
match=Protection
match=Fore
match=fro
match=Pro
match=tec
match=ion
match=nt
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Forefront_Protection_Messages type:application sensor:$1 srcip:$2

NEXT

id=30728
name=Microsoft Windows Bits messages.
match=Microsoft-Windows-Bits
match=Mi
match=ro
match=oft
match=Win
match=ows
match=do
match=Bi
match=ts
match=it
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Bits_Messages type:application sensor:$1 srcip:$2

NEXT

id=30729
name=Microsoft Windows Application Impact Telemetry (AIT) Agent is not running because AIT is disabled.
match=Microsoft-Windows-Application-Experience
match=Agent is not running because AIT is disabled
match=Mi
match=ro
match=oft
match=Win
match=ows
match=do
match=App
match=ion
match=Ex
match=Ag
match=nn
match=ing
match=dis
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Impact_Telemetry_Not_Running type:error sensor:$1 srcip:$2

NEXT

id=30730
name=Microsoft Windows Update Client has changed.
match=Microsoft-Windows-WindowsUpdateClient
match=a change in the health of Windows Update
match=Mi
match=ro
match=oft
match=Win
match=ows
match=do
match=Up
match=te
match=Cl
match=nt
match=ch
match=ge
match=he
match=th
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Update_Client_Change type:application sensor:$1 srcip:$2

NEXT

id=30731
name=Microsoft Windows Restart Manager messages.
match=Microsoft-Windows-RestartManager
match=Mi
match=ro
match=oft
match=Win
match=ows
match=do
match=Re
match=st
match=art
match=Ma
match=na
match=ger
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Restart_Manager_Messages type:application sensor:$1 srcip:$2

NEXT

id=30732
name=Microsoft Windows FSCRealtimeScanner is disabled
match=FSCRealtimeScanner
match=Realtime scan disabled
match=FSC
match=Real
match=time
match=nn
match=Scan
match=dis
match=abl
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-FSCRealtimeScanner_Disabled type:application sensor:$1 srcip:$2

NEXT

id=30733
name=Microsoft Windows FSCTransportScanner is disabled or enabled.
match=FSCTransportScanner
match=Transport scan 
match=abled
match=FSC
match=Tran
match=port
match=nn
match=Scan
match=abl
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-FSCTransportScanner_Disabled_Enabled type:application sensor:$1 srcip:$2

NEXT

id=30734
name=Microsoft Windows FSCRealtimeScanner is enabled
match=FSCRealtimeScanner
match=Realtime scan enabled
match=FSC
match=Real
match=time
match=nn
match=Scan
match=en
match=abl
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-FSCRealtimeScanner_Enabled type:application sensor:$1 srcip:$2

NEXT

id=30735
name=Microsoft Windows FSCScheduledScanner is enabled
match=FSCScheduledScanner
match=Scheduled scan enabled
match=FSC
match=Sch
match=led
match=nn
match=Scan
match=en
match=abl
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-FSCScheduledScanner_Enabled type:application sensor:$1 srcip:$2

NEXT

id=30736
name=Microsoft Windows FSCScheduledScanner is disabled
match=FSCScheduledScanner
match=Scheduled scan disabled
match=FSC
match=Sch
match=led
match=nn
match=Scan
match=dis
match=abl
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-FSCScheduledScanner_Disabled type:application sensor:$1 srcip:$2

NEXT

id=30737
name=Microsoft Windows FSCController messages.
match=Application
match=pp
match=ion
match=FSCController
match=FSC
match=Con
match=tr
match=ol
match=ll
match=er
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-FSCController_Messages type:application sensor:$1 srcip:$2

NEXT

id=30738
name=Microsoft Windows FSEIMC started or stopped.
match=Application
match=pp
match=ion
match=FSEIMC
match=FS
match=EI
match=MC
match=st
match=ser
match=ice
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-FSEIMC_Started_Stopped type:application sensor:$1 srcip:$2

NEXT

id=30739
name=Microsoft Windows program inventory.
match=Application
match=pp
match=ion
match=Info
match=Microsoft-Windows-Application-Experience
match=A program was installed on the system
match=Mi
match=Win
match=Ex
match=ed
match=pro
match=sys
match=on
match=as
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Program_Inventory type:application sensor:$1 srcip:$2

NEXT

id=30740
name=Microsoft Windows Language Pack cleanup functionality.
match=ion
match=Microsoft-Windows-LanguagePackSetup
match=Language Pack cleanup functionality
match=Mi
match=Win
match=Lan
match=Pa
match=Se
match=cl
match=up
match=fu
match=ty
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Language_Pack_Cleanup type:application sensor:$1 srcip:$2

NEXT

id=30741
name=Microsoft Windows ASP.NET request has been aborted.
match=Application
match=pp
match=ion
match=ASP.NET
match=request has been aborted
match=ASP
match=NET
match=AS
match=re
match=qu
match=st
match=ee
match=ab
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ASP_NET_Request_Aborted type:error sensor:$1 srcip:$2

NEXT

id=30742
name=Microsoft Windows program data updater statistics.
match=Application
match=pp
match=ion
match=Info
match=Microsoft-Windows-Application-Experience
match=An instance of Program Data Updater 
match=Mi
match=Win
match=Ex
match=er
match=Pro
match=in
match=ran
match=Da
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Program_Updater_Statistics type:application sensor:$1 srcip:$2

NEXT

id=30743
name=Microsoft Windows DB2 event monitor has reached its file capacity. Delete the files in the target directory or move them to another directory.
match=Application
match=pp
match=ion
match=ing
match=Instance:DB2
match=Event Monitor
match=has reached its file capacity
match=In
match=DB2
match=ca
match=ty
match=fi
match=le
match=re
match=ed
match=ha
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-DB2_Monitor_Capacity_Reached type:application sensor:$1 srcip:$2

NEXT

id=30744
name=Microsoft Windows Security Client successfully applied security policy.
match=Application
match=pp
match=ion
match=Sec
match=ty
match=Microsoft Security Client successfully applied security policy
match=Mi
match=Cl
match=cc
match=ss
match=ll
match=pp
match=cy
match=ft
match=nt
match=ur
match=su
match=Info
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Successfully_Applied_Security_Policy type:application sensor:$1 srcip:$2

NEXT

id=30745
name=Microsoft Windows SMS Server message: the Site Component Manager could not access the site system. The network path was not found.
match=Application
match=pp
match=ion
match=SMS Server
match=SM
match=Error
match=rr
match=Se
match=The network path was not found.
match=Th
match=ne
match=rk
match=pa
match=not
match=fo
match=nd
match=wa
match=as
match=he
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SMS_Network_Path_Not_Found type:error sensor:$1 srcip:$2

NEXT

id=30746
name=This Windows application SharePoint has issued an information message.
match=ion
match=Application
match=pp
match=ar
match=SharePoint
match=Info
match=To
match=Microsoft-SharePoint Products-SharePoint Foundation
match=Micro
match=tion
match=so
match=int
match=Information
match=,Information,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SharePoint_Information type:application sensor:$1 srcip:$2

NEXT

id=30747
name=This Windows application SharePoint Managed Metadata Service has connected successfully.
match=ion
match=Application
match=pp
match=ar
match=SharePoint
match=Info
match=Ta
match=Microsoft-SharePoint Products-SharePoint Server
match=Micro
match=tion
match=so
match=int
match=Information
match=er
match=Managed Metadata Service 
match=has connected successfully
match=Ma
match=Ser
match=nn
match=cc
match=ss
match=ll
match=,Information,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SharePoint_Metadata_Service_Connected type:application sensor:$1 srcip:$2

NEXT

id=30748
name=This Windows application SharePoint Server database error occurred.
match=ion
match=Application
match=pp
match=ar
match=SharePoint
match=ing
match=Wa
match=Microsoft-SharePoint Products-SharePoint Server
match=Micro
match=so
match=int
match=er
match=A database error occurred
match=da
match=ba
match=rr
match=rr
match=ed
match=,Warning,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SharePoint_Database_Error type:error sensor:$1 srcip:$2

NEXT

id=30749
name=Windows has recorded that the MSSQL$BKUPEXEC server performed database maintenance or reconfigure operations.
match=pp
match=Application
match=Info
match=Information
match=tion
match=MSSQL$BKUPEXEC
match=Server
match=database maintenance or reconfigure operations
match=da
match=se
match=ma
match=ce
match=or
match=re
match=op
match=con
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Server_Database_Maint_Or_Reconfig type:application sensor:$1 srcip:$2

NEXT

id=30750
name=Windows has recorded that an MSSQL$SKOPUSSQLSERVER AppDomain was unloaded.
match=pp
match=Application
match=Info
match=Information
match=tion
match=MSSQL$SKOPUSSQLSERVER
match=Server
match=AppDomain
match=unloaded
match=MS
match=QL
match=PU
match=SS
match=App
match=Do
match=un
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Server_AppDomain_Unloaded type:application sensor:$1 srcip:$2

NEXT

id=30751
name=This Windows server has recorded an attempt to create a file that failed with a system error.
match=ion
match=Application
match=pp
match=EN
match=ESENT
match=SE
match=Error
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Database_Engine_Event_Error type:system sensor:$1 srcip:$2

NEXT

id=30752
name=This Windows server has recorded an error: unable to create a shadow copy.
match=ion
match=Application
match=pp
match=Error
match=rr
match=VSS
match=Unable to create a shadow copy
match=Un
match=le
match=to
match=cr
match=sh
match=ow
match=co
match=py
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Unable_Create_Shadow_Copy type:error sensor:$1 srcip:$2 

NEXT

id=30753
name=This Windows Report Server has recorded an error: it has not been granted access to the catalog content.
match=ion
match=Application
match=pp
match=Error
match=rr
match=Report Server Windows Service
match=Re
match=rt
match=Se
match=er
match=Wi
match=do
match=ce
match=ws
match=po
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Report_Server_Error type:error sensor:$1 srcip:$2

NEXT

id=30754
name=This Windows Server Update Services (WSUS) instance is working correctly.
match=ion
match=Application
match=pp
match=Info
match=ion
match=Windows Server Update Services
match=WSUS is working correctly
match=WS
match=US
match=ing
match=rr
match=co
match=Up
match=Se
match=ce
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WSUS_Working_Correctly type:system sensor:$1 srcip:$2

NEXT

id=30755
name=A Windows Forescout HTTP upload was started.
match=Info
match=,WSH,
match=Forescout: HTTP upload was started
match=IP
match=pp
match=Application
match=at
match=ion
match=Fo
match=ut
match=HTTP
match=up
match=st
match=ed
match=was
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Forescout_HTTP_Upload_Started type:application sensor:$1 srcip:$2

NEXT

id=30756
name=A Windows Forescout system cannot locate the resource specified.
match=Error
match=,WSH,
match=Forescout:
match=system cannot locate the resource specified
match=IP
match=pp
match=Application
match=at
match=ion
match=Fo
match=ut
match=em
match=nn
match=lo
match=re
match=ed
match=sp
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Forescout_Cannot_Locate_Resource type:error sensor:$1 srcip:$2

NEXT 

id=30757
name=A Windows Forescout system vulnerabilities inspection was started.
match=Info
match=,WSH,
match=Forescout:
match=Vulnerabilities inspection was started
match=IP
match=pp
match=Application
match=at
match=ion
match=Fo
match=ut
match=Vu
match=es
match=in
match=ion
match=was
match=st
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Forescout_Vulnerabilities_Inspection_Started type:application sensor:$1 srcip:$2

NEXT

id=30758
name=A Windows Forescout system vulnerabilities inspection, HPS doesn't find any updates to download.
match=Info
match=,WSH,
match=Forescout:
match=HPS don't find updates to download
match=IP
match=pp
match=Application
match=at
match=ion
match=Fo
match=ut
match=Vu
match=es
match=HPS
match=do
match=fi
match=up
match=es
match=do
match=ad
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Forescout_HPS_No_Updates type:application sensor:$1 srcip:$2

NEXT

id=30759
name=A Windows Forescout system vulnerabilities inspection, search finished.
match=Info
match=,WSH,
match=Forescout:
match=Search finished
match=IP
match=pp
match=Application
match=at
match=ion
match=Fo
match=ut
match=Vu
match=es
match=Se
match=ch
match=fi
match=ed
match=ies
match=ea
match=ni
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Forescout_Search_Finished type:application sensor:$1 srcip:$2

NEXT

id=30760
name=A Windows System Restore failed to create restore point.
match=Error
match=rr
match=IP
match=pp
match=Application
match=at
match=ion
match=System Restore
match=Failed to create restore point
match=Fa
match=ed
match=to
match=cr
match=te
match=re
match=po
match=nt
match=Sy
match=Re
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Failed_Restore_Point_Creation type:error sensor:$1 srcip:$2

NEXT

id=30761
name=Windows has recorded a WMI warning message. The namespace is marked with the RequiresEncryption flag. Change the authentication level to Pkt_Privacy and run the script or application again. 
match=pp
match=Application
match=WMI
match=Wa
match=ing
match=,Microsoft-Windows-WMI,
match=marked with the RequiresEncryption flag
match=ma
match=ed
match=Re
match=ion
match=En
match=fl
match=ag
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WMI_RequiresEncryption_Flag type:application sensor:$1 srcip:$2

NEXT

id=30762
name=Microsoft Windows SMS Server has recorded an information message.
match=Application
match=pp
match=ion
match=SMS Server
match=SM
match=Information
match=In
match=Se
match=er
match=rv
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SMS_Information_Messages type:application sensor:$1 srcip:$2

NEXT

id=30763
name=Microsoft Windows FailoverClustering messages.
match=Microsoft-Windows-FailoverClustering
match=Mi
match=ft
match=Wi
match=ws
match=Fa
match=er
match=Cl
match=ing
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-FailoverClustering_Messages type:application sensor:$1 srcip:$2

NEXT

id=30764
name=Microsoft Windows Server-ActiveSync.
match=Microsoft-Server-ActiveSync
match=Mi
match=ft
match=Se
match=er
match=Ac
match=Sy
match=nc
match=rv
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Server_ActiveSync type:application srcip:$1

NEXT

id=30765
name=Microsoft Windows ServerManager Deployment Provider messages. 
match=Microsoft-Windows-ServerManager-DeploymentProvider
match=Mi
match=ft
match=Wi
match=ws
match=Se
match=Ma
match=er
match=De
match=Pr
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Deployment_Provider type:application sensor:$1 srcip:$2

NEXT

id=30766
name=Microsoft Windows SMBClient has timed out.
match=Microsoft-Windows-SMBClient
match=Mi
match=ft
match=Wi
match=ws
match=SMB
match=Cl
match=nt
match=Error
match=rr
match=timed out
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SMBClient_Timed_Out type:error sensor:$1 srcip:$2

NEXT

id=30767
name=Windows Security-SPP activation request has been processed.
match=Microsoft-Windows-Security-SPP
match=SPP
match=Info
match=Information
match=activation request has been processed
match=Mi
match=ft
match=Wi
match=ws
match=Se
match=ac
match=ion
match=re
match=ss
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SPP_Activation_Processed type:system sensor:$1 srcip:$2

NEXT

id=30768
name=Windows has recorded that the SQLServerAgent has issued a CheckServiceAlive and it was successful. 
match=pp
match=Application
match=Info
match=Information
match=ion
match=In
match=,SQLSERVERAGENT,
match=success
match=CheckServiceAlive
match=SQ
match=AG
match=cc
match=ss
match=Ch
match=Al
match=Se
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SQLServerAgent_Check_Service_Successful type:application sensor:$1 srcip:$2

NEXT

id=30769
name=Windows has recorded that SQLAgent$SKOPUSSQLSERVER has issued an IsAlive request.
match=pp
match=Application
match=Info
match=Information
match=Failover
match=Is
match=Al
match=ve
match=ion
match=SQLAgent$SKOPUSSQLSERVER
match=SQL
match=Ag
match=SK
match=ER
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SQLAgent_SKOPUSSQLSERVER_IsAlive_Request type:application sensor:$1 srcip:$2

NEXT

id=30770
name=Windows has recorded that SQLAgent$SKOPUSSQLSERVER has issued a CheckServiceAlive, which was successful.
match=pp
match=Application
match=Info
match=Information
match=Failover
match=CheckServiceAlive
match=success
match=cc
match=ss
match=Ch
match=Se
match=Al
match=Fa
match=ion
match=SQLAgent$SKOPUSSQLSERVER
match=SQL
match=Ag
match=SK
match=ER
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SQLAgent_SKOPUSSQLSERVER_Check_Service_Successful type:application sensor:$1 srcip:$2

NEXT

id=30771
name=Windows has recorded that the SQLServerAgent has issued an IsAlive request.
match=pp
match=Application
match=Info
match=Information
match=ion
match=In
match=,SQLSERVERAGENT,
match=IsAlive request
match=Is
match=SQ
match=AG
match=ve
match=re
match=qu
match=Al
match=st
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SQLServerAgent_IsAlive_Request type:application sensor:$1 srcip:$2

NEXT

id=30772
name=Microsoft Windows SMS Server has recorded an error message.
match=Application
match=pp
match=ion
match=SMS Server
match=SM
match=Error
match=Er
match=Se
match=er
match=rv
match=rr
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SMS_Error_Messages type:error sensor:$1 srcip:$2

NEXT

id=30773
name=Microsoft Windows SMS Server has recorded a warning message.
match=Application
match=pp
match=ion
match=SMS Server
match=SM
match=Warning
match=ing
match=Se
match=er
match=rv
match=Wa
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SMS_Warning_Messages type:application sensor:$1 srcip:$2

NEXT

id=30774
name=Microsoft Windows CCFFilter Error.
match=Microsoft-Windows-CCFFilter
match=Error
match=Mi
match=ft
match=Wi
match=ow
match=CCF
match=Fi
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-CFFFilter_Error type:error sensor:$1 srcip:$2

NEXT

id=30775
name=Microsoft Windows SMBW Witness Service has received an information message.
match=Microsoft-Windows-SMBWitnessService
match=Info
match=Mi
match=ft
match=Wi
match=ow
match=SMBW
match=Wit
match=Information
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SMBWWitness_Information_Message type:application sensor:$1 srcip:$2

NEXT

id=30776
name=Microsoft Windows SMBW Witness Client has received an error message.
match=Microsoft-Windows-SMBWitnessClient
match=Error
match=Mi
match=ft
match=Wi
match=ow
match=SMBW
match=Wit
match=rr
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SMBWWitnessClient_Error_Message type:error sensor:$1 srcip:$2

NEXT

id=30777
name=Microsoft Windows Application System.ServiceModel error.
match=System.ServiceModel
match=Error
match=Ser
match=Sys
match=rr
match=or
match=Application
match=WebHost
match=ion
match=App
match=pp
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ServiceModel_Error type:error sensor:$1 srcip:$2


NEXT

id=30778
name=Microsoft Windows WinRM client protocol handler started to create a session.
match=lient
match=li
match=nt
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=Info
match=started to create a session
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Started_Create_Session type:application sensor:$1 srcip:$2

NEXT

id=30779
name=Microsoft Windows WinRM client protocol session began an operation.
match=lient
match=li
match=nt
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=ws
match=RM
match=Info
match=began an operation
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Began_An_Operation type:application sensor:$1 srcip:$2

NEXT

id=30780
name=Microsoft Windows WinRM got an access denied error.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match= error: Access is denied
match=error
match=Ac
match=de
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Access_Error type:error sensor:$1 srcip:$2

NEXT

id=30781
name=Microsoft Windows WinRM get failed.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Error
match=Get failed
match=fa
match=Ge
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Get_Failed type:error sensor:$1 srcip:$2

NEXT

id=30782
name=Microsoft Windows WinRM protocol handler closed the session.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=protocol handler closed the session
match=pro
match=ha
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Handler_Closed_Session type:application sensor:$1 srcip:$2

NEXT

id=30783
name=Microsoft Windows WinRM protocol session successfully completed the operation.
match=Microsoft-Windows-WinRM
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=session successfully completed the operation
match=se
match=co
match=op
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinRM_Session_Completed_Successfully type:application sensor:$1 srcip:$2

NEXT

id=30784
name=Microsoft Windows ServerManager MultiMachine enumerate instances error.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Enumerate instances error
match=rror
match=En
match=ra
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Enumerate_Error type:error sensor:$1 srcip:$2

NEXT

id=30785
name=Microsoft Windows ServerManager MultiMachine exception reported to data collection.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Exception reported to data collection
match=Ex
match=re
match=col
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Data_Collection_Exception type:application sensor:$1 srcip:$2

NEXT

id=30786
name=Microsoft Windows SMBW Witness Service has received an error message.
match=Microsoft-Windows-SMBWitnessService
match=Error
match=Mi
match=ft
match=Wi
match=ow
match=SMBW
match=Wit
match=rr
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SMBWWitnessService_Error_Message type:error sensor:$1 srcip:$2

NEXT

id=30787
name=Microsoft Windows SMBW Witness Client has received an unregister request message.
match=Microsoft-Windows-SMBWitnessClient
match=Information
match=Mi
match=ft
match=Wi
match=ow
match=SMBW
match=Wit
match=un
match=received unregister request
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SMBWWitnessClient_Unregister_Request type:application sensor:$1 srcip:$2

NEXT

id=30788
name=Microsoft Windows ServerManager-MgmtProvider messages.
match=Microsoft-Windows-ServerManager-MgmtProvider
match=Mi
match=ft
match=Wi
match=ow
match=Mgmt
match=Se
match=Ma
match=er
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Management_Provider_Messages type:application sensor:$1 srcip:$2

NEXT

id=30789
name=Microsoft Windows ServerManager MultiMachine Invoke method started.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Invoke method started
match=In
match=me
match=st
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Invoke_Method_Started type:application sensor:$1 srcip:$2

NEXT

id=30790
name=Microsoft Windows ServerManager MultiMachine refresh session started.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Refresh session started
match=Re
match=se
match=st
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Refresh_Method_Started type:application sensor:$1 srcip:$2

NEXT

id=30791
name=Microsoft Windows ServerManager MultiMachine creating new session.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Creating new session
match=Cr
match=se
match=new
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Creating_New_Session type:application sensor:$1 srcip:$2

NEXT

id=30792
name=Microsoft Windows ServerManager MultiMachine enumerate instances started.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Enumerate instances started
match=En
match=ra
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Enumerate_Started type:application sensor:$1 srcip:$2

NEXT

id=30793
name=Microsoft Windows ServerManager MultiMachine Invoke method error.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=error
match=Invoke method error
match=In
match=me
match=rr
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Invoke_Method_Error type:error sensor:$1 srcip:$2

NEXT

id=30794
name=Microsoft Windows ServerManager MultiMachine properties refresh started.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=properties refresh started
match=pr
match=re
match=st
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Properties_Refresh_Started type:application sensor:$1 srcip:$2

NEXT

id=30795
name=Microsoft Windows ServerManager MultiMachine Completed WinRM service status check. 
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Completed WinRM service status check
match=Co
match=RM
match=st
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_WinRM_Check_Completed type:application sensor:$1 srcip:$2

NEXT

id=30796
name=Microsoft Windows ServerManager MultiMachine metadata failed to be retrieved.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=metadata failed to be retrieved
match=me
match=fa
match=re
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Metadata_Failed_Retrieval type:application sensor:$1 srcip:$2

NEXT

id=30797
name=Microsoft Windows ServerManager MultiMachine properties refresh completed.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=properties refresh completed
match=pr
match=re
match=co
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Properties_Refresh_Completed type:application sensor:$1 srcip:$2

NEXT

id=30798
name=Microsoft Windows ServerManager MultiMachine starting WinRM service status check.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Starting WinRM service status check
match=St
match=RM
match=ch
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_WinRM_Check_Started type:application sensor:$1 srcip:$2

NEXT

id=30799
name=Microsoft Windows ServerManager MultiMachine refresh item completed.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Refresh item completed
match=it
match=Re
match=co
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Refresh_Item_Completed type:application sensor:$1 srcip:$2

NEXT

id=30800
name=Microsoft Windows ServerManager MultiMachine Invoke method data received.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Invoke method data received
match=In
match=me
match=re
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Invoke_Method_Data_Received type:application sensor:$1 srcip:$2

NEXT

id=30801
name=Microsoft Windows ServerManager MultiMachine cluster query item message.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Cluster query item 
match=Cl
match=qu
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Cluster_Query_Message type:application sensor:$1 srcip:$2

NEXT

id=30802
name=Microsoft Windows ServerManager MultiMachine invoke method completed.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Invoke method completed
match=In
match=me
match=co
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Invoke_Method_Completed type:application sensor:$1 srcip:$2

NEXT

id=30803
name=Microsoft Windows ServerManager MultiMachine refresh session completed.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Refresh session completed
match=se
match=Re
match=co
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Refresh_Session_completed type:application sensor:$1 srcip:$2

NEXT

id=30804
name=Microsoft Windows SMBW Witness Client messages.
match=Microsoft-Windows-SMBWitnessClient
match=Info
match=Mi
match=ft
match=Wi
match=ow
match=SMBW
match=Wit
match=Clien
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SMBWWitnessClient_Messages type:application sensor:$1 srcip:$2 

NEXT

id=30805
name=Microsoft Windows SMBClient Witness registration has completed.
match=Microsoft-Windows-SMBClient
match=Mi
match=ft
match=Wi
match=ws
match=SMB
match=Cl
match=nt
match=Info
match=Witness registration has completed
match=Wi
match=reg
match=com
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* cluster address: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=event:Windows-SMBClient_Registration_Completed type:application sensor:$1 srcip:$2 dstip:$3 dstport:$4

NEXT

id=30806
name=Microsoft Windows MSMQ Message Queuing could not resolve the name.
match=Microsoft-Windows-MSMQ
match=Mi
match=ft
match=Wi
match=ws
match=MSMQ
match=Warn
match=Message Queuing could not resolve the name
match=Me
match=Qu
match=re
match=name
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MSMQ_Could_Not_Resolve_Name type:application sensor:$1 srcip:$2

NEXT

id=30807
name=Microsoft Windows SMBClient Witness deregistration has completed.
match=Microsoft-Windows-SMBClient
match=Mi
match=ft
match=Wi
match=ws
match=SMB
match=Cl
match=nt
match=Info
match=deregistration has completed
match=de
match=reg
match=com
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SMBClient_Deregistration_Completed type:application sensor:$1 srcip:$2

NEXT

id=30808
name=Microsoft Windows RemoteDesktopServices-RdpCoreTS connection messages
match=Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
match=Mi
match=ft
match=Wi
match=ws
match=Re
match=De
match=Se
match=Rdp
match=onnect
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-RemoteDesktopServices_RdpCoreTS type:connection sensor:$1 srcip:$2

NEXT

id=30809
name=Microsoft Windows International: the NLS operation failed because the registry key Control Panel User Profile cannot be opened.
match=Microsoft-Windows-International
match=Mi
match=ft
match=Wi
match=ws
match=In
match=registry key Control Panel
match=cannot be opened
match=rror
match=Critical
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-International_Critical type:error sensor:$1 srcip:$2

NEXT

id=30810
name=Microsoft Windows NET Runtime profiler was loaded successfully.
match=NET Runtime
match=Info
match=The profiler was loaded successfully
match=pr
match=wa
match=lo
match=su
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Net_Runtime_Profiler_Loaded type:application sensor:$1 srcip:$2

NEXT

id=30811
name=Microsoft Windows Security Audit Configuration Client List of applicable GPOs.
match=Microsoft-Windows-Security-Audit-Configuration-Client
match=Info
match=Mi
match=Wi
match=Se
match=Au
match=Co
match=Cl
match=List of applicable GPOs
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-List_Of_GPOs type:application sensor:$1 srcip:$2

NEXT

id=30812
name=Microsoft Windows Plugin DSScheduler reports exception. Cannot open message.
match=App
match=MAR8Core2
match=Warn
match=Plugin DSScheduler reports exception.
match=Wa
match=MA
match=DSS
match=Pl
match=ex
match=ce
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Plugin_DSScheduler_Exception type:application sensor:$1 srcip:$2

NEXT

id=30813
name=Microsoft Windows GroupPolicy Software Installation Extension completed or deferred.
match=Microsoft-Windows-GroupPolicy
match=Warn
match=Software Installation Extension
match=rocessing
match=Mi
match=Wi
match=Gr
match=Po
match=So
match=In
match=Ex
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-GroupPolicy_Deferred_Or_Completed type:application sensor:$1 srcip:$2

NEXT

id=30814
name=Microsoft Windows System.Servicemodel message logging has been turned on. Sensitive information may be logged in the clear, even if it was encrypted on the wire.
match=App
match=System.ServiceModel
match=Message Logging has been turned on.
match=Sy
match=Se
match=Mo
match=Me
match=Lo
match=tu
match=on
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ServiceModel_Messaging_Turned_On type:application sensor:$1 srcip:$2

NEXT

id=30815
name=Microsoft Windows RemoteDesktopServices-RdpCoreTS messages
match=Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
match=Mi
match=ft
match=Wi
match=ws
match=Re
match=De
match=Se
match=Rdp
match=!onnect
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-RemoteDesktopServices_RdpCoreTS type:application sensor:$1 srcip:$2

NEXT

id=30816
name=Microsoft Windows Shell Core messages
match=Microsoft-Windows-Shell-Core
match=Mi
match=ft
match=Wi
match=ws
match=Sh
match=ll
match=Co
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Shell_Core type:application sensor:$1 srcip:$2

NEXT

id=30817
name=Microsoft Windows WinINet config.
match=Microsoft-Windows-WinINet-Config
match=Mi
match=ft
match=Wi
match=ws
match=INe
match=Co
match=ig
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinINet_Config type:application sensor:$1 srcip:$2

NEXT

id=30818
name=Microsoft Windows Immersive-Shell messages.
match=Microsoft-Windows-Immersive-Shell
match=Mi
match=ft
match=Wi
match=ws
match=Im
match=Sh
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Immersive_Shell type:application sensor:$1 srcip:$2

NEXT

id=30819
name=Microsoft Windows TerminalServices RemoteConnectionManager service has taken too long to load the user configuration from the server.
match=Microsoft-Windows-TerminalServices-RemoteConnectionManager
match=Mi
match=ft
match=Wi
match=ws
match=Te
match=Re
match=Co
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Remote_Desktop_Config_Time type:application sensor:$1 srcip:$2

NEXT

id=30820
name=Microsoft Windows Kernel PnPConfig new device interface.
match=Microsoft-Windows-Kernel-PnPConfig
match=Mi
match=ft
match=Wi
match=ws
match=Ke
match=PnP
match=New device interface
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-PnP_New_Device_Interface type:application sensor:$1 srcip:$2

NEXT

id=30821
name=Microsoft Windows Kernel PnP device was configured.
match=Microsoft-Windows-Kernel-PnP
match=Mi
match=ft
match=Wi
match=ws
match=Ke
match=PnP
match=Device
match=was configured
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-PnP_Device_Was_Configured type:application sensor:$1 srcip:$2

NEXT

id=30822
name=Microsoft Windows Kernel PnPConfig device is unconfigured.
match=Microsoft-Windows-Kernel-PnPConfig
match=Mi
match=ft
match=Wi
match=ws
match=Ke
match=PnP
match=Device container
match=is unconfigured
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-PnP_Device_Unconfigured type:application sensor:$1 srcip:$2

NEXT

id=30823
name=Microsoft Windows device setup manager service shutting down.
match=Microsoft-Windows-DeviceSetupManager
match=Mi
match=ft
match=Wi
match=ws
match=De
match=Se
match=Ma
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Device_Setup_Manager_Stopping type:application sensor:$1 srcip:$2

NEXT

id=30824
name=Microsoft Windows ASP.NET configuration error has occurred.
match=ASP.NET
match=A configuration error has occurred
match=Application
match=Co
match=error
match=or
match=occ
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Web_Event_Configuration_Error type:error sensor:$1 srcip:$2

NEXT

id=30825
name=Microsoft Windows AppReadiness service has completed tasks.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=service has completed tasks
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Completed_Tasks type:application sensor:$1 srcip:$2

NEXT

id=30826
name=Microsoft Windows Wcmsvc terminal services session change was processed.
match=Microsoft-Windows-Wcmsvc
match=Mi
match=ft
match=Wi
match=ws
match=Wc
match=svc
match=Services session change
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Services_Session_Changed type:application sensor:$1 srcip:$2

NEXT

id=30827
name=Microsoft Windows ServerManager MultiMachine Response Time, Server manager initialization task.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=initialization task
match=in
match=ta
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Initialization_Task type:application sensor:$1 srcip:$2

NEXT

id=30828
name=Microsoft Windows ServerManager MultiMachine Server manager startup task.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Server manager startup task
match=st
match=Se
match=ma
match=ta
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Startup_Task type:application sensor:$1 srcip:$2

NEXT

id=30829
name=Microsoft Windows ServerManager MultiMachine role plugin Registration information load task.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=nfo
match=plugin Registration information load task
match=pl
match=Re
match=lo
match=ta
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Plugin_Registration type:application sensor:$1 srcip:$2

NEXT

id=30830
name=Microsoft Windows ServerManager MultiMachine Server manager refresh task started.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=nfo
match=Server manager refresh task
match=Se
match=ma
match=re
match=ta
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Refresh_Task type:application sensor:$1 srcip:$2

NEXT

id=30831
name=Microsoft Windows ServerManager MultiMachine role plugin load task started.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=nfo
match=plugin load task
match=pl
match=lo
match=in
match=ta
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Plugin_Load_Task type:application sensor:$1 srcip:$2

NEXT

id=30832
name=Microsoft Windows DPAPI created Master key.
match=Microsoft-Windows-Crypto-DPAPI
match=ft
match=Mi
match=cro
match=dow
match=Win
match=nfo
match=DPAPI created Master key
match=DP
match=cr
match=Ma
match=ke
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Crypto_Master_Key_Created type:application sensor:$1 srcip:$2

NEXT

id=30833
name=Windows detected your regular local profile location.
match=Microsoft-Windows-User Profiles Service
match=cr
match=fi
match=er
match=Regular Local profile
match=Re
match=pr
match=ar
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Regular_Profile type:system sensor:$1 srcip:$2 

NEXT

id=30834
name=Windows TerminalServices-LocalSessionManager begin or end session arbitration.
match=Microsoft-Windows-TerminalServices-LocalSessionManager
match=cr
match=er
match=session arbitration
match=ss
match=se
match=ar
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Begin_End_Session_Arbitration type:application sensor:$1 srcip:$2

NEXT

id=30835
name=Windows TerminalServices-LocalSessionManager session has been disconnected.
match=Microsoft-Windows-TerminalServices-LocalSessionManager
match=cr
match=er
match=Session
match=has been disconnected
match=Se
match=ee
match=di
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Session_Disconnected type:application sensor:$1 srcip:$2

NEXT

id=30836
name=Microsoft Windows Kernel PnP device was started.
match=Microsoft-Windows-Kernel-PnP
match=Mi
match=ft
match=Wi
match=ws
match=Ke
match=PnP
match=Device
match=was started
match=De
match=st
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-PnP_Device_Started type:application sensor:$1 srcip:$2

NEXT

id=30837
name=Microsoft Windows AppXDeployment Server: the following packages will be installed or removed.
match=Microsoft-Windows-AppXDeployment-Server
match=Mi
match=ft
match=Wi
match=ws
match=ppX
match=Se
match=De
match=will be installed
match=be removed
match=wi
match=in
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Packages_Will_Be_Installed_Removed type:application sensor:$1 srcip:$2

NEXT

id=30838
name=Microsoft Windows AppXDeployment Server determining packages to be installed.
match=Microsoft-Windows-AppXDeployment-Server
match=Mi
match=ft
match=Wi
match=ws
match=ppX
match=Se
match=De
match=Determining packages to be installed
match=pa
match=to
match=in
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Determining_Packages_To_Be_Installed type:application sensor:$1 srcip:$2

NEXT

id=30839
name=Microsoft Windows AppReadiness service status has changed.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=status changed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Status_Changed type:application sensor:$1 srcip:$2

NEXT

id=30840
name=Microsoft Windows AppReadiness service started processing tasks.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=Started processing tasks
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Started_Processing_Tasks type:application sensor:$1 srcip:$2

NEXT

id=30841
name=Microsoft Windows AppReadiness service 'SystemUpgradeCleanup' started, finished or selected.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match='SystemUpgradeCleanup
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_System_Upgrade_Cleanup type:application sensor:$1 srcip:$2

NEXT

id=30842
name=Microsoft Windows AppReadiness service finished processing tasks.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=Finished processing tasks
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Finished_Processing_Tasks type:application sensor:$1 srcip:$2

NEXT

id=30843
name=Microsoft Windows Application Program Telemetry compatibility fix applied.
match=Microsoft-Windows-Application-Experience
match=Compatibility fix applied
match=Mi
match=ro
match=oft
match=Win
match=ows
match=do
match=Ex
match=Compatibility fix applied
match=Co
match=fix
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Compatibility_Fix_Applied type:application sensor:$1 srcip:$2

NEXT

id=30844
name=Microsoft Windows AppReadiness service has started.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=App Readiness service has started
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Service_Started type:application sensor:$1 srcip:$2

NEXT

id=30845
name=Microsoft Windows AppReadiness service user login has started.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=UserLogon
match=started for
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.* started for ([-A-Za-z0-9$_@#]+)
log=event:Windows-AppReadiness_User_Login_Started type:login sensor:$1 srcip:$2  user:$3

NEXT

id=30846
name=Microsoft Windows AppReadiness service user logon has succeeded.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=UserLogon
match=succeeded for
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.* succeeded for ([-A-Za-z0-9$_@#]+)
log=event:Windows-AppReadiness_User_Login_Succeeded type:login sensor:$1 srcip:$2  user:$3

NEXT

id=30847
name=Microsoft Windows AppReadiness service has changed mode.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=has changed mode
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Mode_Changed type:application sensor:$1 srcip:$2

NEXT

id=30848
name=Microsoft Windows AppReadiness service has started a group.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=Started group
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Started_Group type:application sensor:$1 srcip:$2

NEXT

id=30849
name=Microsoft Windows AppReadiness service has finished a group.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=Finished group
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Finished_Group type:application sensor:$1 srcip:$2

NEXT

id=30850
name=Microsoft Windows AppReadiness service has selected the next task.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=was selected as the next task
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Next_Task_Selected type:application sensor:$1 srcip:$2

NEXT

id=30851
name=Microsoft Windows AppReadiness service has finished the task.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match='ART:UserLogon' finished for
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Task_Finished type:application sensor:$1 srcip:$2

# id=30852 moved to threat_ms_emet.prm

NEXT

id=30853
name=Microsoft Windows MUI resource cache builder has been called.
match=,Microsoft-Windows-MUI,3003,
match=MUI resource cache builder has been called
match=Microsoft
match=Windows
match=MU
match=of
match=with
match=ing
match=cache
match=been
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MUI_Resource_Cache_Builder_Invoked sensor:$1 srcip:$2 type:application

NEXT

id=30854
name=Microsoft Windows new MUI resource cache was built and installed on this system.
match=,Microsoft-Windows-MUI,3007,
match=Microsoft
match=Windows
match=MU
match=of
match=system
match=config
match=install
match=cache
match=New
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MUI_Resource_Cache_Built sensor:$1 srcip:$2 type:application

NEXT

id=30855
name=Microsoft Windows Update failed to check for updates due to an error.
match=,Microsoft-Windows-WindowsUpdateClient,25,
match=Microsoft
match=Windows
match=WindowsUpdateClient
match=fail
match=updates
match=error
match=for
match=with
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Update_Client_Check_Failed sensor:$1 srcip:$2 type:error

NEXT

id=30856
name=Microsoft Windows Update established connectivity.
match=,Microsoft-Windows-WindowsUpdateClient,30,
match=Microsoft
match=Windows
match=WindowsUpdateClient
match=established
match=connect
match=Update
match=vi
match=iv
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Update_Client_Connectivity_Established sensor:$1 srcip:$2 type:application

NEXT

id=30857
name=Microsoft Windows Update received a service stop request.
match=,Microsoft-Windows-WindowsUpdateClient,38,
match=Microsoft
match=Windows
match=WindowsUpdateClient
match=Update
match=service
match=received
match=request
match=stop
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Update_Client_Service_Stop_Request sensor:$1 srcip:$2 type:application

NEXT

id=30858
name=Microsoft Windows update was downloaded.
match=,Microsoft-Windows-WindowsUpdateClient,41,
match=Microsoft
match=Windows
match=WindowsUpdateClient
match=Update
match=update was downloaded
match=download
match=date
match=load
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Update_Client_Downloaded sensor:$1 srcip:$2 type:application

NEXT

id=30859
name=Microsoft Windows initiated a state change for an installation package.
match=,Microsoft-Windows-Servicing,1,
match=Microsoft
match=Windows
match=package
match=state
match=Client
match=Current
match=change
match=id
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Package_Change_Initiated sensor:$1 srcip:$2 type:application

NEXT

# Microsoft-Windows-Servicing event 2: a package changed state successfully
# (the message must contain "successful" and "changed"). Typed application, so a
# successful package change on a host where no change was scheduled will not
# surface as an error -- search on the event name instead.
id=30860
name=Microsoft Windows had an installation package change state.
match=,Microsoft-Windows-Servicing,2,
match=Microsoft
match=Windows
match=ack
match=successful
match=changed
match=Pa
match=age
match=lly
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Package_Changed sensor:$1 srcip:$2 type:application

NEXT

# Microsoft-Windows-Servicing event 3: a package failed to change state
# (message contains "failed" and "changed"). Typed error, unlike the two
# sibling Servicing rules, so it surfaces in error views; repeated failures on
# one sensor usually mean the host is not applying updates.
id=30861
name=Microsoft Windows had an installation package fail to change state.
match=,Microsoft-Windows-Servicing,3,
match=Microsoft
match=Windows
match=ack
match=failed
match=changed
match=Pa
match=age
match=state
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Package_Change_Failed sensor:$1 srcip:$2 type:error

NEXT

# Microsoft-Windows-CAPI2 event 4097 with "Success": a third-party root
# certificate was added/updated automatically. This is a change to the machine's
# trust anchors, so review unexpected roots (the subject is in the raw message,
# not captured here). Only the success path is matched -- a failed root update
# does not fire this rule.
id=30862
name=Microsoft Windows successfully auto updated a third party root certificate.
match=,Microsoft-Windows-CAPI2,4097,
match=Microsoft
match=Windows
match=certificate
match=auto
match=update
match=Success
match=Sub
match=ir
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Third_Party_Root_Certificate_Update sensor:$1 srcip:$2 type:application

NEXT

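# Any Application-log entry at Error level whose text contains "SiteMinder".
# No provider or event id is pinned, so this is a catch-all for the SiteMinder
# agent; the specific failure is only in the raw message. The name was reworded
# to match the descriptive style used elsewhere in this file.
id=30863
name=This Windows application log event contains a SiteMinder error message.
match=ion
match=Application
match=pp
match=SiteMinder
match=or
match=rr
match=,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SiteMinder_Messages_Error type:error sensor:$1 srcip:$2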

NEXT

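# Any Application-log entry at Warning level whose text contains "SiteMinder".
# NOTE(review): the emitted event is typed error even though the source entry
# is a Warning -- kept as-is because existing filters may rely on it, but confirm
# that is intended. The name was reworded to match the rest of the file.
id=30864
name=This Windows application log event contains a SiteMinder warning message.
match=ion
match=Application
match=pp
match=SiteMinder
match=in
match=ing
match=,Warning,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SiteMinder_Messages_Warning type:error sensor:$1 srcip:$2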

NEXT

# MSWinEventLog-format entry: a worker process was shut down for inactivity.
# This rule and the following MSWinEventLog rules carry no regex, so sensor and
# srcip are not filled from the message text (presumably the collector's syslog
# source is used instead -- confirm in LCE).
id=30865
name=A Windows worker process was shutdown due to inactivity. A new worker process will be started when needed.
match=MSWinEventLog
match=worker process
match=Info
match=was shutdown due to inactivity
match=wa
match=do
match=sh
match=in
match=ac
match=ty
log=event:Windows-Worker_Process_Shutdown type:system 

NEXT

# MSWinEventLog-format Application/Error entry: "an error during job agent
# execution". No provider is pinned, only the message text.
id=30866
name=Windows had an error during job agent execution.
match=MSWinEventLog
match=Application
match=Error
match=an error during job agent execution
match=MS
match=rr
match=pp
match=on
match=ag
match=ex
log=event:Windows-Job_Agent_Execution_Error type:error

NEXT

# Service Control Manager, System log: "service entered the running state".
# Every service collapses into the one event name; the service that started is
# only in the raw text, so hunting for an unexpected service (e.g. a newly
# installed one) needs a raw-log search rather than an event filter.
id=30867
name=Windows service entered the running state.
match=MSWinEventLog
match=System
match=Service Control Manager
match=service entered the running state
match=MS
match=Sy
match=Se
match=en
match=nn
match=st
log=event:Windows-Service_Entered_Running_State  type:system

NEXT

# Service Control Manager, System log: "service entered the stopped state".
# As with the running-state rule, the service name is not captured; a stop of a
# security-relevant service (AV, EDR, event forwarding) is only visible by
# searching the raw message. Typed system, not error.
id=30868
name=Windows service entered the stopped state.
match=MSWinEventLog
match=System
match=Service Control Manager
match=service entered the stopped state
match=MS
match=Sy
match=en
match=pp
match=st
match=Se
log=event:Windows-Service_Entered_Stopped_State type:system

NEXT

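# MSWinEventLog-format Application/Information entry that also contains the
# token "ofxnt" (appears to be an application-specific tag -- confirm what it
# identifies before widening or narrowing this rule). The name typo
# ("MSWintEventLog") is corrected here; the emitted event name keeps its
# existing "MSWinEventLOg" spelling because downstream filters may key on it.
id=30869
name=Windows MSWinEventLog information message.
match=MSWinEventLog
match=Application
match=Information
match=ofxnt
match=MS
match=pp
match=In
match=of
match=nt
match=on
log=event:Windows-MSWinEventLOg_Information_Message type:application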

NEXT

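# System-log "service was successfully sent a start control" for the WinHTTP
# Web Proxy Auto-Discovery Service. The original match set required only the
# generic control text and so fired for a start control sent to ANY service,
# mislabelling them all as the WinHTTP proxy service; the service name from the
# rule's own description is now required as well.
id=30870
name=Windows WinHTTP Web Proxy Auto-Discovery Service was successfully sent a start control.
match=MSWinEventLog
match=System
match=WinHTTP Web Proxy Auto-Discovery
match=service was successfully sent a start control
match=MS
match=Sy
match=ss
match=ll
match=cc
match=ce
log=event:Windows-WinHTTP_Web_Proxy_Sent_Start_Control type:system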

NEXT

# Microsoft-Windows-Kernel-General, System log: "The system time has changed".
# Clock changes break timestamp ordering across logs and are a classic way to
# muddy an investigation, so unexpected ones deserve attention; the old and new
# times are only in the raw message.
# NOTE(review): the provider match ends in a space. If the collector separates
# fields with a tab rather than a space this rule will never fire -- verify
# against a real sample before relying on it.
id=30871
name=Windows system time has changed.
match=MSWinEventLog
match=System
match=Microsoft-Windows-Kernel-General 
match=The system time has changed
match=MS
match=Sy
match=Ke
match=Ge
match=ch
match=ti
log=event:Windows-System_Time_Changed type:system

NEXT

# System-log service message containing "it will be shut down". Only the phrase
# and the word "Service" are pinned; which service, and why it is being shut
# down, are in the raw text only.
id=30873
name=Windows service will be shut down.
match=MSWinEventLog
match=System
match=Service
match=it will be shut down
match=MS
match=Sy
match=se
match=ll
match=sh
match=wn
log=event:Windows-Service_Will_Be_Shutdown type:system

NEXT

# MSWinEventLog entry containing "Service suspended operation". No log channel
# is pinned beyond the "Sy" fragment.
id=30874
name=Windows service suspended operation.
match=MSWinEventLog
match=Service suspended operation
match=MS
match=Sy
match=Se
match=su
match=op
match=ed
log=event:Windows-Service_Suspended_Operation type:system

NEXT

# MSWinEventLog entry "Network link is disconnected." Typed network; pairs with
# the link-established rule below for flap detection.
id=30875
name=A Windows network link is disconnected.
match=MSWinEventLog
match=Network link is disconnected.
match=MS
match=Sy
match=Ne
match=li
match=nn
match=ed
log=event:Windows-Network_Link_Disconnected type:network

NEXT

# MSWinEventLog entry "Network link has been established". Counterpart of the
# link-disconnected rule above.
id=30876
name=A Windows network link is established.
match=MSWinEventLog
match=Network link has been established
match=MS
match=Sy
match=Ne
match=li
match=nn
match=ed
log=event:Windows-Network_Link_Established type:network

NEXT

# Group Policy Registry extension failed with "not enough space on the disk".
# A full disk can also stop security logging on the host, so treat this as more
# than a housekeeping item. NOTE(review): the source entry is an Error but the
# event is typed application, unlike the other Error rules here -- confirm.
id=30877
name=Windows Group Policy Registry error, there is not enough space on the disk.
match=MSWinEventLog
match=Error
match=Group Policy Registry
match=not enough space on the disk
match=MS
match=ry
match=Er
match=Gr
match=Po
match=Re
log=event:Windows-Group_Policy_Registry_Space_On_Disk type:application

NEXT

# MSWinEventLog Error entry "connection unexpectedly closed by peer". The peer
# is not captured into a field.
# NOTE(review): the phrase match carries a trailing space, so the message must
# continue after "peer" with a space; verify that against a real sample.
id=30878
name=A Windows network problem, connection unexpectedly closed by peer.
match=MSWinEventLog
match=connection unexpectedly closed by peer 
match=Error
match=MS
match=Ne
match=nn
match=cl
match=pe
match=rr
log=event:Windows-Network_Connection_Closed_By_Peer type:error

NEXT

# WindowsUpdateClient: "unable to connect to the automatic updates" service.
# A host that keeps emitting this is not receiving patches; typed application
# rather than error, so it will not appear in error views on its own.
id=30879
name=Windows is unable to connect to the automatic updates service and therefore cannot download and install updates. Windows will continue to try to establish a connection.
match=MSWinEventLog
match=WindowsUpdateClient
match=unable to connect to the automatic updates
match=Wi
match=Up
match=Cl
match=nn
match=au
match=up
match=te
log=event:Windows-Unable_To_Connect_To_Automatic_Updates type:application

NEXT

# Schannel, System log: the server's trusted certificate-authority list sent
# for client authentication has grown too long and was truncated. Clients whose
# issuing CA falls past the cut may fail client-certificate authentication
# (inference from the event text -- confirm). Pruning the server's trusted root
# store is the usual remedy.
id=30880
name=Windows has so many certificate authorities that the list has grown too long. This list has thus been truncated.
match=MSWinEventLog
match=System
match=Schannel
match=sends a list of trusted
match=certificate authorities
match=Wi
match=ds
match=li
match=st
match=ce
match=au
match=ed
log=event:Windows-Trusted_Certificate_Authorities_Truncated type:application

NEXT

# Failed Request Tracing (Application log, Warning): the module could not
# delete at least one log file from its directory. Typed error although the
# source entry is a Warning.
id=30881
name=Windows Failed Request Tracing module failed to delete at least one log file from the directory.
match=MSWinEventLog
match=Application
match=Warning
match=error
match=Module failed to delete at least one log
match=Wi
match=Wa
match=pp
match=rr
match=Mo
match=de
match=og
log=event:Windows-Module_Failed_To_Delete_Log type:error

NEXT

# Failed Request Tracing (Application log, Warning): buffered events could not
# be written to the log file. Per the message, no further traces are produced
# until fixed, so this is a loss-of-visibility condition for the affected site.
id=30882
name=Windows Failed Request Tracing module failed to write buffered events to log file for the request that matched failure definition. No logs will be generated until this condition is corrected.
match=MSWinEventLog
match=Application
match=Warning
match=error
match=failed to write buffered events to log file
match=Wi
match=Wa
match=pp
match=rr
match=fa
match=ff
match=og
log=event:Windows-Module_Failed_To_Write_Events_To_Log type:error

NEXT

# Microsoft-Windows-Ntfs Information entry "Summary of disk space usage".
# Returns to the "<host>,IP:<a.b.c.d>" regex style, so sensor/srcip are set
# from the message.
id=30883
name=Windows Ntfs summary of disk space usage.
match=Microsoft-Windows-Ntfs
match=Information
match=Summary of disk space usage
match=In
match=Mi
match=Nt
match=Wi
match=sk
match=ge
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Summary_Of_Disk_Space type:application sensor:$1 srcip:$2

NEXT

# Microsoft-Windows-TaskScheduler Warning: a maintenance task "is behind
# deadline". The task name is in the raw message only.
# NOTE(review): the "Maintenance task " match carries a trailing space; verify
# against a real sample that a space (not a tab) follows the phrase.
id=30884
name=Windows TaskScheduler is behind deadline.
match=Microsoft-Windows-TaskScheduler
match=Warning
match=Maintenance task 
match=is behind deadline
match=Mi
match=Wi
match=Ta
match=Ma
match=ea
match=hi
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-TaskScheduler_Behind_Deadline type:application sensor:$1 srcip:$2

NEXT

# Microsoft-Windows-TaskScheduler Information: "Maintenance state has changed".
# Typed detected-change, so it lands with the other change-tracking events
# rather than with application noise.
id=30885
name=Windows TaskScheduler state has changed.
match=Microsoft-Windows-TaskScheduler
match=Information
match=Maintenance state has changed
match=Mi
match=Wi
match=Ta
match=Ma
match=In
match=st
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-TaskScheduler_State_Changed type:detected-change sensor:$1 srcip:$2

NEXT

# Microsoft-Windows-TZSync Information entry (time-zone sync task). Beyond the
# provider and level, only the fragment "TZ" is required, so any Information
# message from this provider is covered.
id=30886
name=Windows TZSync.
match=Microsoft-Windows-TZSync
match=Information
match=TZ
match=Mi
match=Wi
match=Sy
match=In
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Time_Zone_Sync_Task type:application sensor:$1 srcip:$2

NEXT

id=30887
name=Windows TZSync error.
match=Microsoft-Windows-TZSync
match=Error
match=TZ
match=Mi
match=Wi
match=Sy
match=rr
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Time_Zone_Sync_Task_Error type:error sensor:$1 srcip:$2