# Copyright 2004-2014 Tenable Network Security # # This library may only be used with the LCE server and may not # be used with other products or open source projects # # NAME: # Windows Application Event log parser # # DESCRIPTION: # This library is used to process logs from Windows systems. Windows # XP or W2K servers can be configured with a LCE Client for Windows # or can forward their events via netbios to another Windows server # which runs the LCE Client. In both cases, the Windows LCE # Client will attempt to conduct a reverse netbios or DNS lookup of # the hostname to convert it to an API address for the LCE server. # # LAST UPDATE: $Date$ ################ # APPLICATIONS # ################ id=3000 name=This Windows application log event indicates that an application is hung. match=ion match=Application match=pp match=rr match=,Error, match=,Application Hang, match=,Application Hang,1001,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Application_Hung type:process sensor:$1 dstip:$2 event2:WindowsEvent-1001 NEXT id=3001 name=This Windows application log event indicates that an application is hung. match=ion match=Application match=pp match=rr match=,Error, match=,Application Hang, match=,Application Hang,1002,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Application_Hung type:process sensor:$1 dstip:$2 event2:WindowsEvent-1002 NEXT id=3002 name=This Windows application log event indicates that an application has been failing. match=ion match=Application match=pp match=rr match=,Error, match=,Application Error,1000,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Application_Fault type:process sensor:$1 dstip:$2 event2:WindowsEvent-1000 NEXT id=3003 name=This Windows application log event indicates that software was removed. 
match=ion match=Application match=pp match=sta match=le match=,MsiInstaller, match=nstall match=,Product: match=ce match=ed match=ss match= -- Removal completed successfully. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Application_Removed type:system sensor:$1 dstip:$2 event2:WindowsEvent-11724 NEXT id=3004 name=This Windows application log event indicates that software failed to install. match=ion match=Application match=pp match=sta match=le match=,MsiInstaller, match=,Product: match=ail match=ed match= -- Installation failed match=nstall regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Application_Failed_Install type:error sensor:$1 dstip:$2 event2:WindowsEvent-11708 NEXT id=3005 name=This Windows application log event indicates that a software installation completed. match=ion match=Application match=pp match=sta match=le match=,MsiInstaller, match=nstall match=,Information, match=,Product: match=ce match=ed match=ss match= -- Installation completed successfully. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Application_Installed type:system sensor:$1 dstip:$2 event2:WindowsEvent-11728 NEXT id=3007 name=This Windows application log event indicates that a WinVNC login has failed. match=ion match=Application match=pp match=,Information, match=lo match=ed match=,Connections: closed: match=ect match=onnect match=onnection match=ail match=ailure match=ent match= (Authentication failure) match=,WinVNC4, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*Connections: closed: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:\:([0-9]+) log=event:VNC-Logon_Failure type:login-failure sensor:$1 srcip:$3 dstip:$2 srcport:$4 proto:6 event2:WindowsEvent-1 NEXT id=3008 name=This Windows application log event indicates that the Group policy objects have been applied successfully. 
match=ion match=Application match=pp match=ce match=,SceCli, match=,Information, match=ecu match=ol match=ar match=ed match=ty match=ss match=,Security policy in the Group policy objects are applied successfully. match=ect log=event:Windows-System_Security_Policy_Applied type:system NEXT # IDs 3009 through 3018 are now part of the sql_mssql.prm library id=3019 name=This Windows application log event indicates that a VNC login session has started. A user may or may not have logged in, but a connection was established. match=ion match=Application match=pp match=,Information, match=,WinVNC4, match=ce match=ed match=pt match=,Connections: accepted: match=ect match=onnect match=onnection regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*Connections: accepted: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:\:([0-9]+) log=event:VNC-Logon type:login sensor:$1 srcip:$3 dstip:$2 srcport:$4 proto:6 event2:WindowsEvent-1 NEXT id=3020 name=This Windows application log event indicates that vnc logoff has occurred. match=ion match=Application match=pp match=,WinVNC4, match=,Information, match=lo match=ed match=,Connections: closed: match=ect match=onnect match=onnection match=! (Authentication failure) regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*Connections: closed: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:\:([0-9]+) log=event:VNC-Logoff type:logout sensor:$1 srcip:$3 dstip:$2 srcport:$4 proto:6 event2:WindowsEvent-1 NEXT id=3021 name=This Windows application log event indicates that a software installation completed normally. match=ion match=Application match=pp match=sta match=le match=,MsiInstaller, match=nstall match=,Information, match=,Product: match=ce match=ed match=ss match=-- Configuration completed successfully. 
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Application_Installed type:system sensor:$1 dstip:$2 event2:WindowsEvent-11728 NEXT id=3022 name=This Windows application log event indicates that VNC connection has been blacklisted. match=ion match=Application match=pp match=,WinVNC4, match=ack match=ed match=,Connections: blacklisted: match=ect match=onnect match=onnection regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),Connections: blacklisted: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:VNC-Blacklisted type:login-failure sensor:$1 srcip:$3 dstip:$2 proto:6 event2:WindowsEvent-1 NEXT id=3023 name=This Windows application log event indicates that a critical process failed, and the system must be restarted due to an LSASS crash. match=ion match=Application match=pp match=tem match=ce match=ss match=,A critical system process, match=cal match=ass match=lsass.exe match=sta match=ail match=le match=ed match=, failed with status code match=status match=ailed match=,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-LSASS_Process_Failure_With_System_Restart type:error sensor:$1 srcip:$2 dstip:$2 proto:6 NEXT id=3024 name=This Windows application log event indicates that a critical process has failed and the system must be restarted (generically, not due to LSASS). match=ion match=Application match=pp match=tem match=ce match=ss match=,A critical system process, match=cal match=!lsass.exe, match=sta match=ail match=le match=ed match=, failed with status code match=ailed match=status match=,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Process_Failure_With_System_Restart type:error sensor:$1 srcip:$2 dstip:$2 proto:6 NEXT id=3034 name=This Windows application log event indicates Group Policy errors. 
match=ion match=Application match=pp match=ol match=Err match=Error match=Userenv match=ed match=Group Policy match=,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Group_Policy_Failed type:error sensor:$1 srcip:$2 proto:6 NEXT id=3035 name=This Windows application log event indicates windows cannot bind to domain, Invalid Credentials. match=ion match=Application match=pp match=indo match=Windows match=,Windows cannot bind to match=ent match=ed match= (Invalid Credentials). match=,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Cannot_Bind_To_Domain type:error sensor:$1 srcip:$2 proto:6 NEXT id=3036 name=This Windows application has terminated a thread due to it taking too long to complete a request. match=ion match=Application match=pp match=Log match=Lo match=Ev match=Event match=,McLogEvent, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-McLogEvent type:process sensor:$1 srcip:$2 NEXT id=3037 name=This Windows application SharePoint could not open database due to a login failure. match=ion match=Application match=pp match=ar match=SharePoint Ser match= Cannot open database match=ail match=le match=ed match=ailed match=lo match=log match=ser match=est match=Lo match=requested by the login. The login failed. Login failed for user match=,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SharePoint_Login_Failed type:login-failure sensor:$1 srcip:$2 event2:WindowsEvent-6398 NEXT id=3038 name=This Windows application SharePoint has timed out or the server is not responding. match=ion match=Application match=pp match=ar match=SharePoint Ser match=ser match=ing match=le match=ed match=The timeout period elapsed prior to completion of the operation or the server is not responding. 
match=,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SharePoint_Server_Not_Responding type:error sensor:$1 srcip:$2 event2:WindowsEvent-7888 NEXT id=3039 name=This Windows application log event indicates that the Group policy objects have not been propagated. match=ion match=Application match=pp match=ce match=,SceCli, match=rr match=,Error, match=ecu match=ol match=ate match=ed match=ty match=,Security policy cannot be propagated. match=,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Security_Policy_Not_Propagated sensor:$1 srcip:$2 type:error NEXT id=3040 name=This Windows application log event indicates that the Group policy objects have been propagated but with a warning. match=ion match=Application match=pp match=ce match=,SceCli, match=ar match=arn match=ing match=,Warning, match=ecu match=ol match=ate match=ed match=ty match=,Security policies were propagated with warning. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Security_Policy_Propagated_Warning sensor:$1 srcip:$2 type:system NEXT id=3041 name=This Windows application log event indicates that an automatic certificate enrollment for a local system was received and was sucessfull. match=ion match=Application match=pp match=ent match=ol match=,AutoEnrollment, match=tem match=ystem match=rom match=lo match=ate match=ce match=ed match=ty match=ss match=Automatic certificate enrollment for local system successfully received one Computer certificate from certificate authority match=cal match=,Unknown, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Security_Successful_Certificate_Enrollment sensor:$1 srcip:$2 type:system event2:WindowsEvent-19 NEXT id=3042 name=This Windows application log event indicates that an automatic certificate enrollment for a local system failed to contact the directory. 
match=ion match=Application match=pp match=ent match=ol match=,AutoEnrollment, match=ail match=le match=ed match=ailed match=tem match=ire match=ont match=lo match=ate match=ce match=Automatic certificate enrollment for local system failed to contact the active directory match=ect match=,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Security_Failed_Certificate_Enrollment sensor:$1 srcip:$2 type:error NEXT id=3043 name=This Windows application log event indicates the Windows license was validated. match=ion match=Application, match=pp match=ate match=indo match=ce match=ed match=Windows license validated. match=date regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-License_Validated sensor:$1 srcip:$2 type:system NEXT id=3044 name=This Windows application log event indicates that the system has created a restore point. match=ion match=Application match=pp match=tem match=est match=,System Restore, match=ate match=ce match=ed match=ss match=Successfully created match=restore point regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Created_Restore_Point type:system sensor:$1 srcip:$2 event2:WindowsEvent-8194 NEXT id=3045 name=This Windows application log event has recorded some Outlook messages. match=ion match=Application match=pp match=tion match=Outlook match=lo regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Outlook_Messages type:system sensor:$1 srcip:$2 NEXT id=3046 name=This Windows application log event has detected a security policy has been updated. match=ion match=Application match=pp match=ecu match=ty match=Security match=Secur match=ol match=ce match=ed match=ss match=Security policy in the Group policy objects has been applied successfully. 
match=ect regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Policy_Updated type:system sensor:$1 srcip:$2 NEXT id=3047 name=This Windows application log event Microsoft Group Policy Management Console with SP1 could not be installed because its not compatible. match=ion match=Application match=pp match=indo match=Windows match=ent match=sta match=ol match=le match=ed match=The application 'Microsoft Group Policy Management Console with SP1' cannot be installed because it is not compatible with this version of Windows. match=nstall regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Not_Compatible type:error sensor:$1 srcip:$2 event2:WindowsEvent-1018 NEXT id=3048 name=This Windows application UltraVnc logged invalid attempt from the client. match=ion match=Application match=pp match=UltraVnc match=ent match=client match=tem match=rom match=pt match=Invalid attempt from client regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-UltraVnc_Invalid_Attempt type:login-failure sensor:$1 dstip:$2 srcip:$3 NEXT id=3049 name=This Windows server has had a searching error. match=ion match=Application match=pp match=indo match=Windows match=ar match=ce match=Windows Search Service match=tem match=ed match=rr match=Error regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Search_Error type:error sensor:$1 srcip:$2 NEXT id=3050 name=This Windows server has found that the LCE client has failed to install. match=ion match=Application match=pp match=-- match=ail match=le match=ed match=ailed match=sta match=,MsiInstaller match=nstall match=ent match=Tenable_LCE_Client -- Installation operation failed. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-LCE_Client_Installation_Failed type:error sensor:$1 srcip:$2 NEXT # need to jump to 30500 id=30500 name=This Windows server encountered an unhandled exception. 
match=ion match=Application match=pp match=ar match=arn match=ing match=,Warning match=rr match=ce match=le match=ed match=pt match=An unhandled exception has occurred. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Unhandled_Exception type:error sensor:$1 srcip:$2 event2:WindowsEvent-50727 NEXT id=30501 name=This Windows server has recorded an application termination failure event. match=ion match=Application match=pp match=indo match=Windows match=rr match=ing match=Windows Error Reporting,1001, match=Fault bucket match=ent match=ail regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Application_Failure_Event type:process sensor:$1 srcip:$2 event2:WindowsEvent-1001 NEXT id=30502 name=This Windows server has recorded a database engine event, these could include backups, database activity or a new instance starting. match=ion match=Application match=pp match=EN match=ESENT match=SE match=Information, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Database_Engine_Event type:system sensor:$1 srcip:$2 NEXT id=30503 name=This Windows server has recorded an activation error that occurred in the manifest or policy file. match=ion match=Application match=pp match=ail match=le match=ed match=ailed match=ont match=Activation context generation failed match=rr match=Ac match=ion match=xt match=ge regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Application_Activation_Error type:error sensor:$1 srcip:$2 NEXT id=30504 name=This Windows server has recorded an error, it ran out of time while expanding the file specifications. match=ion match=Application match=pp match=ing match=le match=,Ran out of time while expanding file specification match=This was being done for the WUA subscriber. 
match=ent match=Operation: OnPostSnapshot event regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Application_Error_Expanding_File type:error sensor:$1 srcip:$2 event2:WindowsEvent-8219 NEXT # consolidated with 30501 #id=30505 #name=A Windows fault has occured. #example=Application,07/11/2011,03:00:51 AM,Windows Error Reporting,1001,Information,Classic,None,N/A,RJsComputer,IP:192.168.1.6,1001,Fault bucket , type 0 Event Name: WindowsUpdateFailure Response: Not available Cab Id: 0 Problem signature: P1: 7.3.7600.16385 P2: 80246007 P3: CC74BC46-3001-4DB6-A714-B26660C0DFDB P4: Install P5: 101 P6: Unmanaged P7: P8: P9: P10: Attached files: These files may be available here: Analysis symbol: Rechecking for solution: 0 Report Id: 82be7d25-ab8b-11e0-aa54-90e6baa594e0 Report Status: 0 #match=ion #match=Application #match=pp #match=indo #match=Windows #match=rr #match=ing #match=Windows Error Reporting #match=Windows Error Reporting,1001, #regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) #log=event:Windows-Fault_Bucket type:error sensor:$1 srcip:$2 event2:WindowsEvent-1001 # #NEXT id=30506 name=A Windows MSExchange has issued a non-delivery report, possibly message was too large or users mailbox is disabled. match=ion match=Application match=at match=pp match=MSExchangeTransport match=SE match=sta match=A non-delivery report with a status code of match=ent match=ate match=ed match=was generated for recipient regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Msexchange_Non_Delivery type:error sensor:$1 srcip:$2 NEXT id=30507 name=A Windows MSExchange has reported a message delivery is being attempted. 
match=ion match=Application match=at match=pp match=MSExchangeIS match=SE match=ail match=St match=MSExchangeIS Mailbox Store match=tem match=ing match=ed match=pt match=ss match=Message delivery is being attempted regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Msexchange_Delivery_Attempt type:application sensor:$1 srcip:$2 NEXT id=30508 name=A Windows MSExchange has reported a message was delivered. match=ion match=Application match=at match=pp match=MSExchangeIS match=SE match=ail match=St match=MSExchangeIS Mailbox Store match=ce match=ed match=ss match=Message was successfully delivered regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Msexchange_Message_Delivered type:application sensor:$1 srcip:$2 NEXT id=30509 name=A Windows MSExchange has reported a message was sent. match=ion match=Application match=at match=pp match=MSExchangeIS match=SE match=ail match=St match=MSExchangeIS Mailbox Store match=ent match=ss match=sent a message as regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Msexchange_Message_Sent type:application sensor:$1 srcip:$2 NEXT id=30510 name=A Windows MSExchange has reported a duplicate message has arrived on database. match=ion match=Application match=at match=pp match=MSExchangeIS match=SE match=ail match=St match=MSExchangeIS Mailbox Store match=rr match=ate match=ar match=ed match=ss match=A duplicate message arrived on database regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Msexchange_Duplicate_Message type:application sensor:$1 srcip:$2 NEXT id=30511 name=A Windows xsLogging LogTest application has recorded a System.IO.IOEception. 
match=System match=xsLogging.LogText match=pp match=ing match=Lo match=ystem match=Application match=at match=ion match=tem match=IP match=System.IO.IOException: match=ce regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Xslogging_System_IO_IOException type:application sensor:$1 srcip:$2 event2:WindowsEvent-0 NEXT id=30512 name=A Windows xsLogging LogTest application has recorded an event. match=System match=xsLogging.LogText match=pp match=ing match=Lo match=ystem match=Application match=at match=ion match=tem match=IP match=ce match=!System.IO.IOException: regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Xslogging_System_Event type:application sensor:$1 srcip:$2 event2:WindowsEvent-0 NEXT id=30513 name=A Windows pcanywhere remote has logged off ending session. match=pp match=pcAnywhere match=Application match=Host End Session match=Description: Remote logged off match=ion match=IP match=ss match=at regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Pcanywhere_Remote_Logoff type:logout sensor:$1 srcip:$2 event2:WindowsEvent-123 NEXT id=30514 name=A Windows pcanywhere host has started. match=onnect match=Connection Object: match=St match=IP match=Host Started match=onnection match=pp match=pcAnywhere match=ect match=ed match=Application match=at match=ar regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Pcanywhere_Host_Started type:application sensor:$1 srcip:$2 event2:WindowsEvent-122 NEXT id=30515 name=A Windows shell user authentication was successful. 
match=ent match=IRIS match=Shell: Authentication Successful for match=IP match=pp match=ss match=Application match=at match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Shell: Authentication Successful for \[([-A-Za-z0-9$._ ]{1,25})\] log=event:Windows-IRIS_Authentication_Successful type:login sensor:$1 srcip:$2 user:$3 event2:WindowsEvent-4100 NEXT id=30516 name=A Windows shell user signon was successful. match=le match=Shell Signon successful. match=IRIS match=IP match=ail match=pp match=ss match=ed match=ce match=Application match=at match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*SignOn completed for \[([-A-Za-z0-9$._ ]{1,25})\] log=event:Windows-IRIS_Signon_Successful type:login sensor:$1 srcip:$2 user:$3 event2:WindowsEvent-4101 NEXT id=30517 name=A Windows shell user signon failed. match=le match=IRIS match=ailure match=IP match=lo match=ailed match=ail match=pp match=ed match=Application match=at match=Shell Signon failed. match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*[Ee]mployee '([-A-Za-z0-9$._ ]{1,25})' log=event:Windows-IRIS_Signon_Failed type:login-failure sensor:$1 srcip:$2 event2:WindowsEvent-4102 NEXT id=30518 name=A Windows shell user has signed off. match=le match=Shell Signoff successful. match=IRIS match=IP match=ail match=pp match=ss match=ed match=ce match=Application match=at match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*SignOff completed for \[([-A-Za-z0-9$._ ]{1,25})\] log=event:Windows-IRIS_Signoff_Completed type:logout sensor:$1 srcip:$2 user:$3 event2:WindowsEvent-4103 NEXT id=30519 name=A Windows shell misc messages, system maint and purge vbs example. 
match=,WSH, match=,IRIS match=IP match=pp match=Application match=at match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-IRIS_Misc_Messages type:system sensor:$1 srcip:$2 NEXT id=30520 name=A Windows network login occurred via a terminal service session and the remote user ID and source was logged. match=pp match=Information match=rom match=,Information, match=nformation match=from match=ic match=Information, match= from match=at match=Lo match=IP match= on match=og match=for match=ogged match=ed match=ion match=Application match=Logged on from match=,WSH, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),4,.*:(\S+) Logged on log=event:Windows-Remote_User_Login_Record event2:WindowsEvent-4 type:login sensor:$1 srcip:$2 user:$3 NEXT id=30521 name=The Windows installer has installed new software. match=pp match=,Windows match=in match=Information match=nstall match=indo match=,Information, match=nformation match=ic match=Information, match=at match=Windows match=IP match=P match=le match=MsiInstaller match=for match=install match=er match=sta match=ed match=st match=ion match=al match=Application match=,1033, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Software_Installed event2:WindowsEvent-1033 type:system sensor:$1 srcip:$2 NEXT id=30522 name=A Windows LoadPerf service was loaded successfully. The Record Data in the data section contains the new index values assigned to this service. match=nformation match=IP match=1000 match=lo match=Information match=al match=service were loaded successfully. 
match=ser match=P match=pp match=ont match=,Information, match=ss match=Information, match=er match=for match=Lo match=ed match=The Record Data match=ce match=Application match=at match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-LoadPerf_Service_Loaded event2:WindowsEvent-1000 type:system sensor:$1 srcip:$2 NEXT id=30523 name=A Windows LoadPerf service was removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries. match=ent match=st match=nformation match=in match=ic match=service were removed successfully. match=tem match=IP match=LoadPerf match=Information match=al match=1001 match=ser match=P match=pp match=ont match=,Information, match=ss match=Information, match=for match= The Record Data contains the new values of the system Last Counter and Last Help registry entries. match=Lo match=ed match=ystem match=ce match=Application match=at match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-LoadPerf_Service_Removed event2:WindowsEvent-1001 type:system sensor:$1 srcip:$2 NEXT id=30524 name=A Windows LoadPerf service service are already in the registry, service is already in the registry, no need to reinstall. match=install match=st match=sta match=service are already in match=in match=ic match=IP match=LoadPerf match=nstall match=Information match=ser match=P match=pp match=1002 match=,Information, match=Information, match=for match=Lo match=ed match=Application match=at match=ion match=se match=ea match=ice match=re match=al match=erv match=ar match=ce match=er match=service match=rv regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-LoadPerf_Service_Already_In_Registry event2:WindowsEvent-1002 type:system sensor:$1 srcip:$2 #NEXT #id=30525 #name=Windows cannot obtain the domain controller name for your computer network. 
#example=Application,02/15/2012,06:19:04 AM,Userenv,3221226526,Error,None,N/A,NEIM1715MI25P,IP:156.40.58.119,1054,Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host. ). Group Policy processing aborted. #match=le #match=rr #match=,Windows #match=,Error, #match=st #match=Windows #match=pt #match=in #match=ic #match=tem #match=IP #match=,Windows cannot obtain the domain controller name for your computer network #match=indo #match=omain #match=Userenv #match=Error #match=ol #match=ser #match=P #match=pp #match=ont #match=ss #match=Windows cannot obtain the domain controller name for your computer network. #match=er #match=for #match=ing #match=ed #match=ce #match=Application #match=at #match=ion #regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) #log=event:Windows-Cannot_Obtain_Domain_Controller event2:WindowsEvent-1054 type:error sensor:$1 srcip:$2 NEXT id=30526 name=Windows ASP.NET has started registering. match=st match=nformation match=Start registering match=in match=ic match=St match=IP match=Information match=ASP.NET match=al match=P match=pp match=,Information, match=Information, match=er match=for match=ing match=Application match=at match=ar match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-ASPNET_Start_Registering event2:WindowsEvent-1017 type:system sensor:$1 srcip:$2 NEXT id=30527 name=Windows ASP.NET has finisheded regisering. 
match=le match=st match=nformation match=og match=in match=ic match=IP match=ailed match=Information match=ASP.NET match=ail match=P match=pp match=,Information, match=Information, match=er match=for match=ing match=ed match=Application match=at match=log match=Finish registering match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-ASPNET_Finish_Registering event2:WindowsEvent-1019 type:system sensor:$1 srcip:$2 NEXT id=30528 name=Windows ASP.NET has failed while creating files and directories. match=le match=ent match=rr match=arn match=,Warning match=in match=ic match=IP match=client match=,Warning, match=ailed match=ASP.NET match=Error match=ail match=P match=pp match=ass match=ire match=ss match=ect match=ing match=ed match=Failed while creating files and directories match=Application match=at match=ar match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-ASPNET_Failed event2:WindowsEvent-1064 type:error sensor:$1 srcip:$2 NEXT id=30529 name=Windows MsiInstaller, beginning a Windows Installer transaction. match=1040 match=le match=ent match=st match=sta match=nformation match=MsiInstaller match=Windows match=in match=ic match=,MsiInstaller match=IP match=indo match=nstall match=Information match=al match=P match=pp match=Beginning a Windows Installer transaction match=,Information, match=,MsiInstaller, match=ss match=Information, match=er match=for match=ing match=ce match=Application match=at match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Beginning_Installer_Transaction event2:WindowsEvent-1040 type:system sensor:$1 srcip:$2 NEXT id=30530 name=Windows MsiInstaller, product update installed successfully. 
match=date match=le match=install match=st match=sta match=nformation match=ate match=MsiInstaller match=in match=ic match=,MsiInstaller match=IP match=nstall match=Information match=al match=P match=pp match=,Information, match=,MsiInstaller, match=ss match=Product match=Information, match=er match=for match=ed match=ce match=Application match=at match=ion match=success regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Update_Installed type:system sensor:$1 srcip:$2 NEXT id=30531 name=Windows MsiInstaller, reconfigured the product. match=le match=rr match=,Windows match=st match=sta match=nformation match=MsiInstaller match=Windows match=in match=ic match=,MsiInstaller match=IP match=status match=indo match=nstall match=Information match=al match=P match=pp match=Installer reconfigured the product match=,Information, match=,MsiInstaller, match=ss match=Product match=Information, match=er match=for match=ed match=ce match=Application match=at match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Installer_Reconfigured_Product event2:WindowsEvent-1035 type:system sensor:$1 srcip:$2 NEXT id=30532 name=Windows MsiInstaller, installed an update. 
match=date match=le match=rr match=,Windows match=install match=st match=sta match=nformation match=ate match=MsiInstaller match=Windows match=in match=ic match=,MsiInstaller match=IP match=status match=Installer installed an update match=indo match=nstall match=Information match=al match=P match=pp match=,Information, match=,MsiInstaller, match=ss match=Product match=Information, match=er match=for match=ed match=ce match=Application match=at match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Update_Installed event2:WindowsEvent-1036 type:system sensor:$1 srcip:$2 NEXT id=30533 name=Windows MsiInstaller, ended an installer transaction match=le match=ent match=st match=sta match=nformation match=MsiInstaller match=Windows match=in match=ic match=,MsiInstaller match=IP match=indo match=nstall match=Information match=al match=P match=pp match=,Information, match=,MsiInstaller, match=ss match=Ending a Windows Installer transaction match=Information, match=er match=for match=ing match=ce match=Application match=at match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Ended_Installer_Transaction event2:WindowsEvent-1042 type:system sensor:$1 srcip:$2 NEXT id=30534 name=Windows vmStatsProvider successfully initialized for this Virtual Machine. match=pp match=Application match=Stats match=Provider match=vmStatsProvider match=Info match=Information match=cc match=ss match=successfully match=init match=Virtual match=is successfully initialized for this Virtual Machine regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Initialized_Virtual_Machine event2:WindowsEvent-256_258 type:application sensor:$1 srcip:$2 NEXT id=30535 name=Windows Active Directory Web Services encountered an error while reading the settings for the specified Active Directory Lightweight Directory Services instance. Active Directory Web Services will retry this operation periodically. 
match=Active match=Act match=Directory match=Dir match=Web match=Services match=vi match=Active Directory Web Services match=ADWS match=rr match=error match=encountered match=count match=Active Directory Web Services encountered an error regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-ADWS_Error event2:WindowsEvent-1209 type:error sensor:$1 srcip:$2 NEXT id=30536 name=Windows ERAS user has performed a 'Refresh Computer' operation. match=pp match=Application match=ERAS match=User match=has match=performed match=for match=Refresh match=fre match=Computer match=Comp match=pu match=User has performed 'Refresh Computer' operation regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-ERAS_Refresh_Computer event2:WindowsEvent-2102 type:system sensor:$1 srcip:$2 NEXT id=30537 name=Windows ERAS user has submitted a 'Refresh Computer' operation. match=pp match=Application match=ERAS match=has match=tt match=submitted match=Refresh match=fre match=Computer match=Comp match=pu match=has submitted 'Refresh Computer' operation regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-ERAS_Refresh_Computer_Submitted type:system sensor:$1 srcip:$2 NEXT id=30538 name=Windows ERAS a Refresh Computer, was executed successfully match=pp match=Application match=ERAS match=en match=in match=ng match=ing match=Refresh match=fre match=Computer match=Comp match=pu match=ss match=cc match=Refresh Computer, was executed successfully regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-ERAS_Refresh_Computer_Successful type:system sensor:$1 srcip:$2 NEXT id=30539 name=Windows ERAS user has performed 'Add User' operation. 
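match=pp
match=Application
match=ERAS
match=Information
match=Info
match=has
match=User
match=se
match=performed
match=for
match=Add
match=oper
match=User has performed 'Add User' operation
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ERAS_Add_User type:system sensor:$1 srcip:$2 event2:WindowsEvent-2122
NEXT
id=30540
name=Windows ERAS user has performed 'Get Challenge Response Recovery Password' operation.
match=pp
match=Application
match=ERAS
match=Information
match=Info
match=has
match=User
match=se
match=performed
match=for
match=oper
match=User has performed 'Get Challenge Response Recovery Password' operation
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ERAS_Recover_Password type:system sensor:$1 srcip:$2 event2:WindowsEvent-2180
NEXT
id=30541
name=Windows ERAS GetSuper2Response.
match=pp
match=Application
match=ERAS
match=Information
match=Info
match=se
match=Get
match=Response
match=GetSuper2Response
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ERAS_Get_Super_Response type:system sensor:$1 srcip:$2 event2:WindowsEvent-3100
NEXT
# NOTE(review): the only message-content matches in this rule are the severity
# words ("Error"/"ERROR"), so every SMVI error line is normalized as
# type:login-failure. That inflates failed-logon analytics with unrelated SMVI
# faults; compare id=30592, which keys on "Incorrect password" for the same
# event. Tighten the match once a sample of the real auth-failure text is on hand.
id=30542
name=Windows SMVI failed to authenticate.
match=pp
match=Application
match=SMVI
match=Error
match=rr
match=ERROR
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SMVI_Failed type:login-failure sensor:$1 srcip:$2 event2:WindowsEvent-4096
NEXT
id=30543
name=Windows ERAS Client Management WMI request failed.
match=pp
match=Application
match=ERAS
match=The
match=WMI
match=request
match=que
match=fail
match=The WMI request failed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ERAS_WMI_Request_Failed type:error sensor:$1 srcip:$2 event2:WindowsEvent-5004
NEXT
id=30544
name=Windows cannot send email alert due to no email address specified.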
match=pp match=Application match=Error match=Can match=sen match=al match=add match=ss match=Can't send email alert match=no email address specified regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Cannot_Send_Email_Alert type:error sensor:$1 srcip:$2 event2:WindowsEvent-3999 NEXT id=30545 name=Windows had a storage warning. match=pp match=Application match=WARN match=Persistence file match=Storage match=does not exist match=ile match=doe match=no regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Storage_Does_Not_Exist type:system sensor:$1 srcip:$2 NEXT id=30546 name=Windows had a MSSQL CREATE DATABASE or ALTER DATABASE fail because the resulting cumulative database size would exceed your licensed limit. match=MSSQL match=pp match=Application match=rr match=IP match=1827 match=AT match=ai match=su match=iz match=,CREATE DATABASE or ALTER DATABASE failed match=exceed your licensed limit regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-MSSQL_License_Limit_Exceeded type:error sensor:$1 srcip:$2 event2:WindowsEvent-1827 NEXT id=30547 name=Windows MSSQL could not allocate space because the 'PRIMARY' filegroup is full. match=MSSQL match=pp match=Application match=rr match=IP match=1105 match='PRIMARY' match=PRI match=fi match=le match=ou match=full match='PRIMARY' filegroup is full. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-MSSQL_Primary_File_Group_Full type:error sensor:$1 srcip:$2 event2:WindowsEvent-1105 NEXT id=30548 name=Windows ERAS service started. match=pp match=Application match=ERAS match=Information match=Info match=Se match=ar match=Eras Service Started regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-ERAS_Service_Started type:system sensor:$1 srcip:$2 NEXT id=30549 name=Windows ERAS could not find PCA or CCA URL from Active Directory. Set WSKS to disabled. 
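match=pp
match=Application
match=ERAS
match=Information
match=Info
match=PCA
match=CCA
match=WSKS
match=bl
match=Set WSKS to disabled.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ERAS_WSKS_Disabled type:system sensor:$1 srcip:$2 event2:WindowsEvent-3100
NEXT
id=30550
name=Windows detected your registry file is still in use by other applications or services.
match=pp
match=Application
match=Microsoft-Windows-User Profiles Service
match=cr
match=fi
match=er
match=registry file is still in use
match=gi
match=ll
match=se
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Profile_Registry_In_Use type:system sensor:$1 srcip:$2 event2:WindowsEvent-1530
NEXT
# NOTE(review): event2:WindowsEvent-1530 below is the same value as the User
# Profile Service rule id=30550 directly above, which suggests a copy-paste;
# confirm the crypt32 event ID against a real record before relying on event2
# for correlation of this rule.
id=30551
name=Windows had a successful auto update retrieval of third-party root list.
match=pp
match=Application
match=yp
match=crypt32
match=Info
match=Information
match=cc
match=ss
match=ut
match=da
match=Successful auto update retrieval
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Update_Retrieval type:system sensor:$1 srcip:$2 event2:WindowsEvent-1530
NEXT
id=30552
name=Windows has recorded a WMI error message. Events cannot be delivered through this filter until the problem is corrected.
match=pp
match=Application
match=WMI
match=rr
match=Error
match=,Microsoft-Windows-WMI,
match=ve
match=nn
match=be
match=Events cannot be delivered
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WMI_Events_Not_Delivered type:error sensor:$1 srcip:$2
NEXT
id=30553
name=Windows has recorded that the SQLServerAgent has started
match=pp
match=Application
match=Info
match=Information
match=vi
match=ss
match=ll
match=ar
match=SQLServerAgent service successfully started
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SQLServerAgent_Started type:system sensor:$1 srcip:$2
NEXT
id=30554
name=Windows has recorded a Powerware NetWatch: Netwatch Error:.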
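match=pp
match=Application
match=Info
match=Information
match=pw_netwatch
match=pw
match=net
match=Powerware
match=rr
match=Error
match=Net
match=Powerware NetWatch: Netwatch Error:
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Netwatch_Error type:error sensor:$1 srcip:$2
NEXT
# NOTE(review): the name of this rule previously duplicated id=30554; it now
# describes what the match text and log event actually cover. If the
# communication-loss message also carries the "Netwatch Error:" prefix and the
# engine stops at the first matching rule, id=30554 above claims it first and the
# dstip capture here and in id=30556 never fires — verify ordering with a sample.
id=30555
name=Windows has recorded Powerware NetWatch is experiencing a loss of communication with a server.
match=pp
match=Application
match=Info
match=Information
match=pw_netwatch
match=pw
match=net
match=Powerware
match=Net
match=NetWatch is experiencing a loss of communication
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Server ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Netwatch_Communication_Loss type:error sensor:$1 srcip:$2 dstip:$3
NEXT
id=30556
name=Windows has recorded a Powerware NetWatch is no longer monitoring a server
match=pp
match=Application
match=Info
match=Information
match=pw_netwatch
match=pw
match=net
match=Powerware
match=Net
match=NetWatch is no longer monitoring
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Server ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Netwatch_Not_Monitoring_Server type:error sensor:$1 srcip:$2 dstip:$3
NEXT
id=30557
name=Windows has recorded Complus is suppressing duplicate event log entries.
match=pp
match=Application
match=Info
match=Information
match=Co
match=Complus
match=sub system is suppressing duplicate event log entries
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Complus_Suppressing_Log_Entries type:system sensor:$1 srcip:$2
NEXT
id=30558
name=Windows has recorded the Software Protection service is starting, started or stopped.
match=pp
match=Application
match=Info
match=Information
match=ser
match=The Software Protection service
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SPP_Messages type:system sensor:$1 srcip:$2
NEXT
id=30559
name=Windows has recorded the Software Protection service has re-started.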
match=pp match=Application match=SPP match=Info match=Information match=ser match=Successfully scheduled Software Protection service for re-start regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SPP_Re_Started type:system sensor:$1 srcip:$2 NEXT id=30560 name=Windows has recorded the Software Protection service has issued an initialization status for service objects. match=pp match=Application match=SPP match=Info match=Information match=ser match=Initialization status for service objects regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SPP_Init_Status type:system sensor:$1 srcip:$2 NEXT id=30561 name=Windows has recorded the Software Protection service has issued a list of policies excluded due to being defined with the override-only attribute. match=pp match=Application match=SPP match=Info match=Information match=ing match=These policies are being excluded regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SPP_Excluded_Policies type:system sensor:$1 srcip:$2 NEXT id=30562 name=Windows has recorded the Software Protection service has completed licensing status check. match=pp match=Application match=SPP match=Info match=Information match=ing match=ser match=completed licensing status check regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SPP_License_Status type:system sensor:$1 srcip:$2 NEXT id=30563 name=Windows had a MSSQL$VM_DBS Message. match=pp match=Application match=MSSQL$VM_DBS regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-MSSQL_VM_DBS_Messages type:system sensor:$1 srcip:$2 NEXT id=30564 name=Windows had a MSSQL$ERAS Message. match=pp match=Application match=MSSQL$ERAS regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-MSSQL_ERAS_Messages type:system sensor:$1 srcip:$2 NEXT id=30565 name=Windows had a MSSQL$SOLARWINDS Message.
match=pp match=Application match=MSSQL$SOLARWINDS regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-MSSQL_SOLARWINDS_Messages type:system sensor:$1 srcip:$2 NEXT id=30566 name=Windows Desktop Window Manager messages. match=pp match=Application match=Desk match=an match=er match=The Desktop Window Manager regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Desktop_Window_Manager_Messages type:system sensor:$1 srcip:$2 NEXT id=30567 name=Windows MSDTC Started. match=pp match=ion match=Application match=MSDTC match=MSDTC started match=er regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-MSDTC_Started type:system sensor:$1 srcip:$2 NEXT id=30568 name=Windows VSS service is shutting down. match=pp match=Application match=VSS match=is shutting down regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-VSS_Shutting_Down type:system sensor:$1 srcip:$2 NEXT id=30569 name=Windows VMware vSphere Update Manager -- Installation operation failed. match=pp match=Application match=vSphere match=Update match=Installation operation failed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-vSphere_Installation_Failed type:error sensor:$1 srcip:$2 NEXT id=30570 name=Windows Goverlan failed to open the Group Policy Registry Key, and was denied access. match=pp match=Application match=Fail match=op match=to match=Group match=Group Policy match=is match=Failed to open the Group Policy Registry Key regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Goverlan_Access_Denied type:error sensor:$1 srcip:$2 NEXT id=30571 name=Windows firewall INFO-EVENTS-LOST. match=IN match=FO match=EVENT match=LO match=ST match=INFO-EVENTS-LOST - - - - log=event:Windows-Firewall_Events_Lost type:firewall NEXT id=30572 name=Windows Security Licensing SLC posted the result of Windows Right consumption. 
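match=pp
match=Application
match=Info
match=Information
match=Windows
match=Microsoft
match=Security
match=Microsoft-Windows-Security-Licensing-SLC
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Security_Licensing_SLC type:system sensor:$1 srcip:$2
NEXT
id=30573
name=Windows SkypeUpdate messages, ie SkypeUpdate is shutting down.
match=pp
match=Application
match=Info
match=Information
match=SkypeUpdate
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SkypeUpdate_Messages type:system sensor:$1 srcip:$2
NEXT
id=30574
name=Windows WMI has started or initialized.
match=pp
match=Application
match=WMI
match=Service
match=Info
match=Information
match=,Microsoft-Windows-WMI,
match=full
match=ss
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WMI_Started_Initialized type:system sensor:$1 srcip:$2
# NOTE(review): id=30575 below is disabled with no reason recorded, and its own
# NEXT is commented out as well, so id=30574 is only terminated by the NEXT that
# follows the disabled block. Record why it is disabled (or remove it); its
# #example line also embeds a host name and address that should be reviewed
# before the rule is ever re-enabled or the file is shared.
#NEXT
#id=30575
#name=This Windows application log event indicates there are currently no logon servers available to service the logon request.
#example=Application,09/28/2011,22:53:15 PM,Userenv,3221226479,Error,None,N/A,NEIM1715MI25P,IP:192.168.1.2,1007,Windows cannot determine the associated site for this computer. (There are currently no logon servers available to service the logon request. ). Group Policy processing aborted.
#match=ion
#match=Application
#match=pp
#match=rr
#match=Error
#match=lo
#match=log
#match=server
#match=no
#match=to
#match=service
#match=There are currently no logon servers available to service the logon request
#regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
#log=event:Windows-No_Logon_Servers type:error sensor:$1 srcip:$2 proto:6
NEXT
id=30576
name=This Windows application log event indicates Windows cannot find the machine account, No authority could be contacted for authentication.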
match=ion match=Application match=pp match=rr match=Error match=Window match=indo match=Windows cannot find the machine account regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Machine_Account_Not_Found type:error sensor:$1 srcip:$2 proto:6 NEXT id=30577 name=This Windows application log event indicates Windows failed extract of third-party root list from auto update cab. A required certificate is not within its validity period when verifying against the current system clock match=ion match=Application match=pp match=rr match=Error match=Window match=indo match=req match=certificate match=is match=with match=A required certificate is not within its validity period regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Cert_Not_In_validity_Period type:error sensor:$1 srcip:$2 proto:6 NEXT id=30578 name=This Windows application log event indicates that the installer has encountered an unexpected error installing this package. match=ion match=Application match=pp match=sta match=le match=,MsiInstaller, match=nstall match=,Product: match=ed match=rr match=Error match=ing match=pac regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Installer_Error type:error sensor:$1 dstip:$2 NEXT id=30579 name=This Windows application log event indicates that the installer has encountered a file being used. match=ion match=Application match=pp match=sta match=le match=,MsiInstaller, match=nstall match=,Product: match=is match=use match=ing match=ss match=he match=by match=is being match=The file match=by the following process regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Installer_File_Inuse type:system sensor:$1 dstip:$2 NEXT id=30580 name=This Windows application log event indicates that system requires a restart. 
match=ion match=Application match=pp match=sta match=le match=,MsiInstaller, match=nstall match=Product match=Windows match=indo match=req match=system match=start match=Windows Installer requires a system restart regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Restart_Required type:system sensor:$1 dstip:$2 NEXT id=30581 name=Windows Goverlan failed to register a login event for the user because the user has not logged on to the network. match=pp match=Application match=Warn match=ing match=Fail match=Error match=rr match=the user has not logged on to the network match=he match=user match=net match=logged match=on match=to regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Goverlan_User_Not_Logged_On type:system sensor:$1 srcip:$2 NEXT id=30582 name=Windows UPHClean handles in user profile hive have been remapped because they were preventing the profile from unloading successfully. match=pp match=Application match=Info match=Information match=have been remapped because they were preventing the profile from unloading successfully match=he match=success match=ing match=ve match=be match=re regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-UPHClean_Handles_Remapped type:system sensor:$1 srcip:$2 NEXT id=30583 name=Windows ERAS Client Management noticed the client host computer cannot be reached. match=pp match=Application match=ERAS match=be match=ed match=he match=client match=host match=comp match=nn match=The client host computer cannot be reached regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-ERAS_Client_Not_Reached type:system sensor:$1 srcip:$2 NEXT id=30584 name=Windows ASP.NET has determined IIS is either not installed or is disabled on this machine. 
match=le match=st match=Warning match=in match=ic match=IP match=ASP.NET match=al match=P match=pp match=er match=ing match=ed match=Application match=at match=ion match=install match=on match=disable match=or match=is match=IIS is either not installed or is disabled on this machine regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-ASPNET_IIS_Not_Installed event2:WindowsEvent-1020 type:system sensor:$1 srcip:$2 NEXT id=30585 name=Windows has recorded a SQLWRITER error. match=pp match=Application match=Error match=Err match=SQLWRITER match=ss match=ll match=ed match=Server match=er match=ing regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SQLWRITER_Error type:error sensor:$1 srcip:$2 NEXT id=30586 name=Windows has recorded a SQLVDI error. match=pp match=Application match=Error match=Err match=SQLVDI match=Inst match=Lo match=in regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SQLVDI_Error type:error sensor:$1 srcip:$2 NEXT id=30587 name=Windows has recorded a CertificateServicesClient message. match=pp match=Application match=Micro match=Microsoft match=Windows match=Service match=Microsoft-Windows-CertificateServices regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Certificate_Services_Messages type:application sensor:$1 srcip:$2 NEXT id=30588 name=Windows has recorded a Microsoft-Windows-ActiveDirectory_DomainService message. match=Micro match=Microsoft match=Windows match=Service match=Microsoft-Windows-ActiveDirectory_DomainService regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows_Active_Directory_Domain_Service_Message type:application sensor:$1 srcip:$2 NEXT id=30589 name=Windows has recorded a Microsoft-Windows-CEIP (Customer Experience Improvement Program) message. 
match=pp match=Application match=Micro match=Microsoft match=Windows match=Microsoft-Windows-CEIP regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows_CEIP_Message type:application sensor:$1 srcip:$2 event2:WindowsEvent-1005 NEXT id=30590 name=Windows has recorded a Microsoft-Windows-Security-Licensing-SLC activation scheduler failed. match=pp match=Application match=Error match=Micro match=Microsoft match=Windows match=failed match=ed match=Microsoft-Windows-Security-Licensing-SLC match=License Activation Scheduler regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows_Security_License_Failed type:application sensor:$1 srcip:$2 event2:WindowsEvent-8193 NEXT id=30591 name=Windows has recorded that the SQLServerAgent has scheduled a job for download and the status showed failed. match=pp match=Application match=Warn match=Warning match=ing match=,SQLSERVERAGENT, match=- Status: Failed - regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SQLServerAgent_Status_Failed type:error sensor:$1 srcip:$2 NEXT id=30592 name=Windows SMVI failed to authenticate. match=pp match=Application match=SMVI match=Warn match=Warning match=ing match=Incorrect password regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SMVI_Failed type:login-failure sensor:$1 srcip:$2 event2:WindowsEvent-4096 NEXT id=30593 name=Windows Networker messages. match=pp match=Application match=Networker regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Networker_Messages type:application sensor:$1 srcip:$2 NEXT id=30594 name=Windows MSExchange has had a user logon. 
match=ion match=Application match=at match=pp match=MSExchangeIS match=SE match=ail match=St match=MSExchangeIS Mailbox Store match=ed match=ss match=logged on as regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* logged on as /o=([-A-Za-z0-9$._]+)/ log=event:Windows-Msexchange_Logon type:login sensor:$1 srcip:$2 user:$3 NEXT id=30595 name=Windows MSExchange has had a user logon. match=ion match=Application match=at match=pp match=MSExchangeIS match=SE match=ail match=St match=MSExchangeIS Mailbox Store match=ed match=ss match=logged on to regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* logged on to ([-A-Za-z0-9$._]+)@ log=event:Windows-Msexchange_Logon type:login sensor:$1 srcip:$2 user:$3 NEXT id=30596 name=Windows ASP.NET has determined the forms authentication failed for the request. match=le match=st match=Information match=Info match=ic match=IP match=ASP.NET match=al match=P match=pp match=er match=ed match=Application match=at match=ion match=on match=or match=Forms authentication failed for the request. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-ASPNET_Forms_Authentication_Failed type:error sensor:$1 srcip:$2 NEXT id=30597 name=Windows BlackBerry Collaboration Service has had an error. match=Error match=rr match=Application match=pp match=ion match=on match=,BlackBerry Collaboration Service regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-BlackBerry_Collaboration_Service type:error sensor:$1 srcip:$2 NEXT id=30598 name=Windows Folder Redirection warning. match=Warning match=ing match=Application match=pp match=ion match=on match=,Microsoft-Windows-Folder Redirection regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Folder_Redirection type:application sensor:$1 srcip:$2 NEXT id=30599 name=A Windows network login occurred via a terminal service session and the user ID and source was logged. 
match=pp match=ic match=at match=Lo match=IP match=P match=og match=og match=ion match=Application match=,WSH, match=No Smart Card -- regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*User: (\S*) Computer log=event:Windows-User_Login_Record type:login sensor:$1 srcip:$2 user:$3 NEXT id=30600 name=A Windows smart card error occurred. match=pp match=Error match=ed match=rr match=IP match=P match=error match=cc match=occurred match=ion match=Application match=ss match=using match=ing match=error occurred while signing a message using the inserted smart card regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Smart_Card_Error type:error sensor:$1 srcip:$2 NEXT id=30601 name=A Windows Mandiant Tools message. match=pp match=Application match=ion match=Mandiant_Tools match=oo match=and regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Mandiant_Tools type:application sensor:$1 srcip:$2 NEXT id=30602 name=This Windows application outlook has loaded add-in(s). match=ion match=Application match=Information match=ion match=pp match=oo match=Outlook match=ed match=loaded match=Outlook loaded the following add-in regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Outlook_Add_Ins type:application sensor:$1 srcip:$2 NEXT id=30603 name=A Windows DrWatson has reported an application error. match=pp match=Information match=ed match=Info match=IP match=P match=error match=rr match=cc match=occurred match=ion match=Application match=ss match=generated an application error regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-DrWatson_Message type:error sensor:$1 srcip:$2 NEXT id=30604 name=This Windows application log event indicates Windows cannot unload your classes registry file - it is still in use by other applications or services. 
match=ion match=Application match=pp match=ing match=Warning match=Window match=indo match=Windows cannot unload your classes registry file regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Cannot_Unload_Registry_File type:application sensor:$1 srcip:$2 NEXT id=30605 name=This Windows application log event indicates Windows saved a user registry while an application or service was still using the registry during log off. match=ion match=Application match=pp match=ing match=Warning match=Window match=indo match=registry while an application or service regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Saved_User_Registry type:application sensor:$1 srcip:$2 NEXT id=30606 name=This Windows application log event indicates Windows unloaded the user registry when it received a notification that no other applications or services were using the profile. match=ion match=Application match=pp match=ed match=Information match=Info match=Window match=indo match=user match=registry when it received a notification regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Unloaded_User_Registry type:application sensor:$1 srcip:$2 NEXT id=30607 name=This Windows application log event indicates the description for an Event ID cannot be found. match=EAPOL match=ion match=Application match=pp match=Information match=Info match=nn match=cannot match=description match=The description for Event ID regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Description_For_Event_ID_Not_Found type:application sensor:$1 srcip:$2 NEXT id=30608 name=This Windows application log event indicates the Software Protection service has completed licensing status check. 
match=Office match=ion match=Application match=pp match=Information match=Info match=ice match=service match=Software match=Protection service has completed licensing status check regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-License_Status_Check_Complete type:application sensor:$1 srcip:$2 NEXT id=30609 name=This Windows application log event indicates Group Policy failed with an error code match=ion match=Application match=pp match=Warning match=ing match=failed match=ed match=rr match=error match=Group Policy match= failed with error code regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Group_Policy_Failed type:error sensor:$1 srcip:$2 NEXT id=30610 name=This Windows application FileMaker has put out a message. match=ion match=Application match=pp match=tion match=,FileMaker Server regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-FileMaker_Messages type:application sensor:$1 srcip:$2 NEXT id=30611 name=This Windows application log event contains a PHP message. match=ion match=Application match=pp match=PHP-5 match=IP regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-PHP_Messages type:application sensor:$1 srcip:$2 NEXT id=30612 name=A Windows disk defragmenter has reported its statistics. match=pp match=ic match=at match=IP match=P match=ion match=Application match=,WSH, match=Disk Defragmenter regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Disk_Defragmenter_Stats type:application sensor:$1 srcip:$2 NEXT id=30613 name=Windows has recorded the Software Protection service has failed to restart. match=pp match=Application match=SPP match=ser match=Software Protection service match=Failed match=ed match=re-start match=Error match=rr regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SPP_Failed_Restart type:error sensor:$1 srcip:$2 NEXT id=30614 name=Windows has recorded LiveUpdate has issued a message.
match=pp match=Application match=LiveUpdate match=Info match=tion match=Information match=Automatic LiveUpdate Scheduler match=er regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-LiveUpdate_Messages type:system sensor:$1 srcip:$2 NEXT id=30615 name=Windows has recorded a Brother BrLog error. match=pp match=Application match=Brother match=BrLog match=tion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Brother_BrLog_Error type:error sensor:$1 srcip:$2 NEXT id=30616 name=Windows has recorded a CAPI2 error. match=pp match=Application match=CAPI2 match=Error match=rr match=tion match=Microsoft-Windows-CAPI2 regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-CAPI2_Error type:error sensor:$1 srcip:$2 NEXT id=30617 name=Windows has recorded ATI EEU maximum number of session has been surpassed. match=pp match=Application match=ATIeRecord match=Error match=rr match=tion match=ATI EEU maximum number of session has been surpassed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-ATIe_Maximum_Sessions type:error sensor:$1 srcip:$2 NEXT id=30618 name=Windows has recorded BACKUP failed to complete the command BACKUP. match=pp match=Application match=MSSQL match=Error match=rr match=tion match=BACKUP failed to complete match=ed match=failed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Backup_Database_Failed type:error sensor:$1 srcip:$2 NEXT id=30619 name=Windows has recorded a device or program has requested attention. match=pp match=Application match=Interactive Services detection match=Info match=Information match=tion match=device or program has requested attention. 
match=ed match=device match=or regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Device_Or_Program_Attention type:application sensor:$1 srcip:$2 NEXT id=30620 name=Windows has recorded the winlogon notification subscriber was unavailable to handle a notification event. match=pp match=Application match=Winlogon match=Info match=Information match=tion match=was unavailable to handle a notification event match=event match=unavailable match=to regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Winlogon_Subscriber_Unavailable type:error sensor:$1 srcip:$2 NEXT id=30621 name=Windows has recorded the User Notification Service has started. match=pp match=Application match=Info match=Information match=tion match=UNS match=User match=start match=User Notification Service started regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-User_Notification_Service_Started type:application sensor:$1 srcip:$2 NEXT id=30622 name=Windows has recorded LMS has started. match=pp match=Application match=Info match=Information match=tion match=LMS match=LMS started match=start regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-LMS_Started type:application sensor:$1 srcip:$2 NEXT id=30623 name=Windows has recorded the Event System has timed out. match=pp match=Application match=Warning match=ing match=tion match=Event System timed out match=ed match=timed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Event_System_Timeout type:application sensor:$1 srcip:$2 NEXT id=30624 name=Windows has recorded a Smart Card login. 
match=pp match=Application match=tion match=cc match=ss match=Success Audit match=Login match=Smart Card Login regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* User: ([a-zA-Z0-9._-]+) log=event:Windows-Smart_Card_Login type:login sensor:$1 srcip:$2 user:$3 NEXT id=30625 name=Windows has recorded the Windows Security Center Service has started. match=pp match=Application match=Info match=Information match=tion match=Windows Security Center Service has started match=ed match=Service match=has regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SecurityCenter_Started type:application sensor:$1 srcip:$2 NEXT id=30626 name=Windows has recorded ActivClient messages. match=pp match=Application match=Warning match=ing match=tion match=ActivClient regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-ActivClient_Messages type:application sensor:$1 srcip:$2 NEXT id=30627 name=Windows has recorded MSSQL$BKUPEXEC server resumed execution after being idle. match=pp match=Application match=Info match=Information match=tion match=MSSQL$BKUPEXEC match=Server match=resumed match=ed match=Server resumed execution regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Server_Resumed_Execution type:application sensor:$1 srcip:$2 NEXT id=30628 name=Windows has recorded NET Runtime has deleted an obsolete native image. match=pp match=Application match=Warning match=ing match=tion match=NET Runtime match=deleted obsolete native image match=deleted match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-NET_Runtime_Deleted_Image type:application sensor:$1 srcip:$2 NEXT id=30629 name=Windows has recorded the STAgent service is running. 
match=pp match=Application match=Info match=Information match=tion match=STAgent match=The service is running match=is match=ing regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Stagent_Service_Running type:application sensor:$1 srcip:$2 NEXT id=30630 name=Windows has recorded a task scheduling error. match=pp match=Application match=Error match=rr match=tion match=Bonjour match=Task Scheduling Error match=Task match=ing regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Bonjour_Scheduling_Error type:error sensor:$1 srcip:$2 NEXT id=30631 name=Windows has recorded the disk defragmenter has successfully completed. match=pp match=Application match=Defrag match=Info match=Information match=tion match=ll match=ss match=ed match=cc match=disk defragmenter successfully completed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Defrag_Completed type:system sensor:$1 srcip:$2 NEXT id=30632 name=Windows has recorded a Smart Card login error occurred while retrieving a digital certificate from the inserted smart card. match=pp match=Application match=tion match=Error match=rr match=Logon match=cc match=ed match=in match=Smart Card Logon regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Smart_Card_Logon type:login-failure sensor:$1 srcip:$2 NEXT id=30633 name=Windows has recorded a search message. match=pp match=Application match=tion match=Microsoft-Windows-Search match=Micro match=Win match=Search regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Search_Messages type:application sensor:$1 srcip:$2 NEXT id=30634 name=Windows has recorded a RoxWatch message. This could come from the Roxio application or could be malware. 
match=pp match=Application match=tion match=RoxWatch regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-RoxWatch_Possible_Malware type:intrusion sensor:$1 srcip:$2 NEXT id=30635 name=Windows has recorded an ExtremeZ-IP message. match=pp match=Application match=tion match=ExtremeZ-IP match=Info match=tion match=Information regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-ExtremeZ-IP_Messages type:application sensor:$1 srcip:$2 NEXT id=30636 name=Windows has recorded a Microsoft Office alert. match=Alerts match=Microsoft match=Micro match=ff match=ice match=Office match=Information match=Info match=tion regex=Microsoft Office ([0-9+]+) Alerts.*,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Microsoft_Office_Alert type:application sensor:$2 srcip:$3 NEXT id=30637 name=This Windows application log event indicates that software was removed. match=Information match=nstall match=nfo match=,Information, match=nformation match=io match=,MsiInstaller, match=,MsiInstaller,1034, match=sta match=App match= remove match=re match=,Windows match=,Windows match=in match=Win match=indo match=Information, match=,MsiInstaller match=IP match=ti match=MsiInstaller match=removed match=er match=Info match=ve match=ion match=rm match=Application regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Application_Removed type:system sensor:$1 dstip:$2 event2:WindowsEvent-1034 NEXT id=30638 name=A Windows process was terminated due to an unhandled exception. 
match=,1026, match=The process was terminated due to an unhandled exception match=: match=an match=,Error, match=io match=Err match=at match=,10 match=le match=on match=tion match=rror match=App match=ed match=led match=ca match=na match=Error match=pp match=and match=or match=ated match=IP match=li match=dl match=ex match=handle match=ion match=rm match=Application regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Process_Terminated type:process sensor:$1 dstip:$2 event2:WindowsEvent-1026 NEXT id=30639 name=This Windows application MsiInstaller failed to connect to the server. match=ion match=Application match=pp match=sta match=le match=,MsiInstaller, match=nstall match=Warning match=ing match=ed match=Failed match=ed match=rr match=Error match=nn match=Failed to connect to server regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Applicaiton_MsiInstaller_Error type:error sensor:$1 dstip:$2 event2:WindowsEvent-1015 NEXT id=30640 name=This Windows application SharePoint has issued a warning. match=ion match=Application match=pp match=ar match=SharePoint match=ing match=Warning match=Microsoft-SharePoint Products-SharePoint Foundation match=Micro match=tion match=so match=int match=,Warning, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SharePoint_Warning type:application sensor:$1 srcip:$2 NEXT id=30641 name=Windows WMI has stopped. match=pp match=Application match=Warn match=ing match=WMI match=pp match=ed match=Windows Management Instrumentation has stopped regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WMI_Has_Stopped type:application sensor:$1 srcip:$2 event2:WindowsEvent-5612 NEXT id=30642 name=Windows has recorded the Windows logon process has failed to terminate the currently logged on user's processes. 
match=pp match=Application match=Winlogon match=Info match=Information match=tion match=logon process has failed to terminate the currently logged on user match=logon match=on match=to match=ed match=rr match=gg match=ss match=user match=4004 regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Winlogon_Failed_Termination_Of_Proceses type:application sensor:$1 srcip:$2 event2:WindowsEvent-4004 NEXT id=30643 name=Windows has recorded a BCAAA error. match=pp match=Application match=BCAAA match=rr match=Error match=IP match=1306 regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),1306 log=event:Windows-BCAAA_Error type:error sensor:$1 srcip:$2 event2:WindowsEvent-1306 NEXT id=30644 name=Windows had a crypt32 failed extract. match=pp match=Application match=yp match=crypt32 match=Failed match=ed match=rr match=or match=Error match=Failed extract regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Crypt32_Failed_Extract type:error sensor:$1 srcip:$2 event2:WindowsEvent-11 NEXT id=30645 name=Windows had a crypt32 threshold reached. match=pp match=Application match=yp match=crypt32 match=ing match=Warn match=Warning match=threshold of match=events regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Crypt32_Threshold type:application sensor:$1 srcip:$2 event2:WindowsEvent-6 NEXT id=30646 name=Windows had a crypt32 failed auto update retrieval message. match=pp match=Application match=yp match=crypt32 match=or match=rr match=Error match=Failed auto update retrieval match=ed match=Failed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Crypt32_Failed_Auto_Update type:error sensor:$1 srcip:$2 event2:WindowsEvent-8 NEXT id=30647 name=A Windows shell has issued a backup of IRIS. match=WSH match=IRIS match=pp match=Application match=at match=ion match=ing match=up match=to match=ed match=cc match=ed match=ll match=Backing up files to match=completed successfully. 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-IRIS_Backup type:system srcip:$1 NEXT id=30648 name=A Windows shell has successfully updated the registry. match=WSH match=IRIS match=cc match=ed match=ll match=ss match=update match=Successfully applied update log=event:Windows-IRIS_Updated_Registry type:system NEXT # id=30649 moved to threat_ms_emet.prm # id=30650 moved to threat_ms_emet.prm # id=30651 moved to threat_ms_emet.prm id=30652 name=This Windows application SharePoint has issued an error. match=ion match=Application match=pp match=ar match=SharePoint match=rr match=Error match=Microsoft-SharePoint Products-SharePoint Foundation match=Micro match=tion match=so match=int match=,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SharePoint_Error type:error sensor:$1 srcip:$2 NEXT id=30653 name=This Windows application SiteMinder has issued a message. match=ion match=Application match=pp match=SiteMinder match=Info match=Information match=,Information, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SiteMinder_Messages type:application sensor:$1 srcip:$2 NEXT id=30654 name=This Windows application SharePoint has issued a critical message. match=ion match=Application match=pp match=ar match=SharePoint match=Critical match=Microsoft-SharePoint Products-SharePoint Foundation match=Micro match=tion match=so match=int match=,Critical, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SharePoint_Critical_Message type:application sensor:$1 srcip:$2 NEXT id=30655 name=This Windows application LANrev has issued an error message. match=ion match=Application match=pp match=LANrev match=er match=Error match=tion match=,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-LANrev_Error type:error sensor:$1 srcip:$2 NEXT id=30656 name=This Windows application IIS has issued an error message. 
match=Application match=ion match=pp match=IIS match=er match=Error match=gg match=ing match=ed match=IIS Advanced Logging Module match=,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-IIS_Error type:error sensor:$1 srcip:$2 NEXT id=30657 name=This Windows server has recorded an unexpected VSS error. match=ion match=Application match=pp match=rr match=Error match=VSS match=Volume Shadow Copy Service error match=ice regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-VSS_Unexpected_Error type:error sensor:$1 srcip:$2 NEXT id=30658 name=Windows has recorded the Software Protection service has processed an activation response from the key management service machine. match=pp match=Application match=SPP match=Info match=Information match=ser match=ion match=ed match=client match=The client has processed an activation response regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SPP_Activation_Response_Processed type:system sensor:$1 srcip:$2 NEXT id=30659 name=Windows has recorded the Software Protection service has sent an activation request to the key management service machine. match=pp match=Application match=SPP match=Info match=Information match=ser match=ion match=sent match=client match=The client has sent an activation request regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SPP_Activation_Request_Sent type:system sensor:$1 srcip:$2 NEXT id=30660 name=Windows has recorded the VSS has run out of time while deleting files. match=pp match=Application match=VSS match=Info match=Information match=ing match=ion match=files match=Ran out of time while deleting files regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-VSS_Timed_Out_Deleting_Files type:system sensor:$1 srcip:$2 NEXT id=30661 name=Windows has an application attempted to veto the shutdown. 
match=pp match=Application match=Winsrv match=Info match=Information match=ing match=ion match=app match=ed match=The following application attempted to veto the shutdown regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Attempted_To_Stop_Shutdown type:application sensor:$1 srcip:$2 NEXT id=30662 name=This Windows server has had a Windows Search Service error. match=ion match=Application match=pp match=indo match=Windows match=ar match=ce match=Windows Search Service match=tem match=ed match=ing match=Warning match=rr match=Unspecified error regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Search_Error type:error sensor:$1 srcip:$2 NEXT id=30663 name=This Windows Listener Adapter protocol successfully connected to Windows Process Activation Service. match=ion match=Application match=pp match=indo match=Windows match=WAS match=Info match=Information match=ion match=,Microsoft-Windows-WAS match=successfully connected to Windows Process match=cc match=ss match=ll match=nn match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Listener_Adapter_Connected type:application sensor:$1 srcip:$2 NEXT id=30664 name=This Windows server had an error: a script had not responded within the configured timeout period. match=ion match=Application match=rr match=Error match=W3SVC-WP match=ed match=con match=period match=configured timeout period regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Script_Timeout type:error sensor:$1 srcip:$2 NEXT # id=30665 moved to threat_ms_emet.prm # id=30666 moved to threat_ms_emet.prm # id=30667 moved to threat_ms_emet.prm # id=30668 moved to threat_ms_emet.prm id=30669 name=This Windows system is in the notification period and needs to be registered. 
match=ion match=Application match=in Notification period match=Winlogon match=Win match=ows match=in match=Not match=fi match=ca match=od match=per regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-In_Notification_Period type:application sensor:$1 srcip:$2 NEXT id=30670 name=This Windows system requires a machine restart. match=ion match=Application match=Info match=Machine restart is required match=ine match=re match=art match=is match=ed match=re match=qui regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Restart_Required type:application sensor:$1 srcip:$2 NEXT id=30671 name=This Windows system is starting or ending its first session. match=RestartManager match=ion match=Application match=Info match=ing session 1 match=ing match=ss match=ses regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Starting_Ending_First_Session type:application sensor:$1 srcip:$2 NEXT id=30672 name=This Windows restart was deferred to a later time. match=ion match=Application match=Info match=restart was deferred to a later time match=art match=rr match=ed match=de match=to match=a match=er match=me regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Restart_Deffered type:application sensor:$1 srcip:$2 NEXT id=30673 name=This Windows MS DTC service is stopping. match=ion match=Application match=Info match=MS DTC service is stopping match=MS match=DTC match=ice match=is match=pp match=ing match=stop regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-MS_DTC_Service_Stopping type:application sensor:$1 srcip:$2 NEXT id=30674 name=This Windows system had a license acquisition failure. 
match=ion match=Application match=rr match=Error match=Security-SPP match=Sec match=PP match=License acquisition failure match=Li match=se match=acq match=fail regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-License_Acquisition_Failure type:error sensor:$1 srcip:$2 NEXT id=30675 name=This Windows had a license activation failure. match=ion match=Application match=rr match=Error match=License Activation match=Act match=va match=failed with the following error code match=ing match=ll match=code match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-License_Activation_Failure type:error sensor:$1 srcip:$2 NEXT id=30676 name=This Windows had the acquisition of an end User license fail. match=ion match=Application match=rr match=Error match=Security-SPP match=Sec match=SPP match=Acquisition of End User License failed match=ed match=Acq match=of match=User regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-License_Acquisition_Failure type:error sensor:$1 srcip:$2 NEXT id=30677 name=This Windows had an error while attempting to establish a secure connection with a system. match=ion match=Application match=ing match=Warn match=MSDTC match=Client match=ent match=MSDTC encountered an error match=rr match=error match=ed match=en match=nn regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-MSDTC_Error_Attempting_Connection type:error sensor:$1 srcip:$2 NEXT id=30678 name=This Windows had an error while attempting to remove an object. match=ion match=Application match=rr match=Error match=Event System match=Event match=Event System could not remove match=not match=re match=ve match=ld regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Event_System_Unable_To_Remove_Object type:error sensor:$1 srcip:$2 NEXT id=30679 name=A Windows MSExchange has reported a configuration update for Microsoft.Exchange Transport has successfully completed. 
match=ion match=Application match=at match=pp match=MSExchangeTransport match=SE match=ort match=Info match=configuration update match=has successfully completed match=date match=con match=ed match=ss match=cc match=ll regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-MsexchangeTransport_Configuration_Updated type:application sensor:$1 srcip:$2 NEXT id=30680 name=A Windows MSExchange has reported the server is unavailable. match=ion match=Application match=at match=pp match=MSExchange ADAccess match=ADA match=cc match=ss match=Error match=was match=as match=er match=ser match=erver regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Msexchange_ADAprocess_Server_Unavailable type:application sensor:$1 srcip:$2 NEXT id=30681 name=A Windows MSExchange has reported the Configuration Domain Controller has been changed. match=ion match=Application match=at match=pp match=MSExchange ADAccess match=ADA match=cc match=ss match=Info match=Configuration Domain Controller has been changed match=Conf match=ll match=er match=ed match=ee regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Msexchange_ADAprocess_Controller_Changed type:application sensor:$1 srcip:$2 NEXT id=30682 name=A Windows Extensible Authentication Protocol method DLL path validation failed. match=ion match=Application match=at match=pp match=EapHost match=st match=rr match=Error match=validation failed match=ed match=val match=da match=fa match=fail match=id regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-EapHost_Validation_Failed type:error sensor:$1 srcip:$2 NEXT id=30683 name=A Windows ACECLIENT Authentication Manager is not responding. 
match=ion match=Application match=at match=pp match=ACECLIENT match=rr match=Error match=Authentication Manager is not responding match=Auth match=ger match=is match=not match=ing match=res regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Aceclient_Authentication_Manager_Not_Responding type:error sensor:$1 srcip:$2 NEXT id=30684 name=A Windows Ipswitch Alert Center notification 'Email Network' of the policy 'Email Network' has succeeded. match=ion match=Application match=at match=pp match=Ipswitch Alert Center match=Ip match=ch match=Alert match=er match=Cen match=Email Network' match=has succeeded match=cc match=ee match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Ipswitch_Email_Network_Succeeded type:application sensor:$1 srcip:$2 NEXT id=30685 name=A Windows filtering message. match=ion match=Application match=at match=pp match=Microsoft-Filtering-FIPFS match=FS match=FI match=Mic match=sof match=ing match=Fil match=ter regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Filtering_FIPFS type:application sensor:$1 srcip:$2 NEXT id=30686 name=Microsoft Windows remote management activity transfer. match=Client match=Cli match=nt match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=Act match=ty match=Tr match=fer match=Activity Transfer regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_ACtivity_Transfer type:application sensor:$1 srcip:$2 NEXT id=30687 name=Microsoft Windows WinRM setting WSMan session option. 
match=Client match=Cli match=nt match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=Setting WSMan Session Option match=com match=ed match=cc match=ss match=ll match=tt match=tt match=WSMan match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WSMan_Session_Option_Set type:application sensor:$1 srcip:$2 NEXT id=30688 name=Microsoft Windows WinRM client cannot connect to the destination specified in the request. match=lient match=li match=nt match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=rr match=Error match=client cannot connect to the destination specified match=nn match=ot match=ect match=des match=ion match=ed match=spe regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Client_Cannot_Connect type:error sensor:$1 srcip:$2 NEXT id=30689 name=Microsoft Windows WinRM client WSMan create session operation completed successfully. match=lient match=li match=nt match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=WSMan match=Creat match=Session match=WSMan match=eat match=ss match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WSMan_Created_Session type:application sensor:$1 srcip:$2 NEXT id=30690 name=Microsoft-Windows-IIS-W3SVC-WP worker process for application pool encountered an error. match=Application match=ion match=Windows-IIS-W3SVC-WP match=IIS match=W3SVC match=WP match=rr match=rror match=worker process for application pool match=er match=ss match=app match=oo regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-IIS_W3SVC_WP_Worker_Process_Error type:error sensor:$1 srcip:$2 NEXT id=30691 name=Microsoft Windows WinRM WSMan API call. 
match=lient match=li match=nt match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=WSMan API call match=WS match=Ma match=API match=all regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_WSMan_API_Call type:application sensor:$1 srcip:$2 NEXT id=30692 name=Microsoft Windows PowerShell messages match=Windows match=PowerShell match=dow match=Win match=Po match=er match=ll match=Sh match=ll match=wer match=ell regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-PowerShell_Messages type:application sensor:$1 srcip:$2 NEXT id=30693 name=Microsoft Windows WinRM client WSMan Session deinitialize and closing. match=li match=lient match=li match=nt match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=WSMan Session deinitialize match=ss match=ion match=de match=WSMan match=ze match=ial match=ini regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WSMan_Session_Closed type:application sensor:$1 srcip:$2 NEXT id=30694 name=Microsoft Windows WinRM WSMan operation CreateShell failed. match=Microsoft-Windows-WinRM match=ient match=nt match=Error match=rr match=or match=dow match=Win match=WSMan operation CreateShell failed match=WSMan match=ion match=ed match=ate match=Cr match=fa regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WSMan_CreateShell_Failed type:error sensor:$1 srcip:$2 NEXT id=30695 name=Microsoft Windows Application infrastructure error. match=Microsoft-Windows-Application match=Infrastructure match=Server match=Error match=rr match=or match=dow match=Win match=ion match=App match=pp match=ure match=In match=ast match=er match=Ser regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Infrastructure_Error type:error sensor:$1 srcip:$2 NEXT id=30696 name=Microsoft Windows-GroupPolicy messages. 
match=Microsoft-Windows-GroupPolicy match=Operational match=Info match=ion match=nal match=Oper match=dow match=Win match=nal match=oup match=Gr match=Po match=icy regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-GroupPolicy_Messages type:application sensor:$1 srcip:$2 NEXT id=30697 name=Microsoft Windows WMI Activity messages. match=Microsoft-Windows-WMI-Activity match=Operational match=WMI match=ity match=Act match=Info match=ion match=nal match=Oper match=dow match=Win match=nal regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WMI_Activity_Messages type:application sensor:$1 srcip:$2 NEXT id=30698 name=Microsoft Windows WinRM got a timeout. match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=Response handling match=Re match=se match=ha match=ng match=timeout match=ti match=me match=out regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Timeout type:error sensor:$1 srcip:$2 NEXT id=30699 name=Microsoft Windows RPC Proxy successfully loaded in Internet Information Services (IIS). match=Application match=pp match=ion match=Info match=RPC Proxy successfully loaded in Internet Information Services (IIS) match=RPC match=Pr match=xy match=ed match=lo match=Int match=net match=ice match=Ser match=IIS regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-RPC_Proxy_Loaded_In_IIS type:application sensor:$1 srcip:$2 NEXT id=30700 name=This Windows security database appears to be corrupt. Specifically some JET database is corrupt. match=ion match=Application match=pp match=ce match=,SceCli, match=rr match=,Error, match=So match=JET match=da match=se match=pt match=Some JET database is corrupt regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-JET_Database_Corrupt sensor:$1 srcip:$2 type:error NEXT id=30701 name=Windows has recorded a WMI unknown error. 
match=WMI match=rr match=Error match=,Microsoft-Windows-WMI match=PossibleCause match=Unknown match=Po match=ss match=le match=Ca match=se match=Un match=own match=PossibleCause = Unknown regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WMI_Unknown_Error type:error sensor:$1 srcip:$2 NEXT id=30702 name=Windows has recorded a GroupPolicy error. Completed Security Extension Processing. match=rr match=Error match=,Microsoft-Windows-GroupPolicy match=Gr match=Po match=Win match=Mi match=ft match=cy match=ws match=li regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Group_Policy_Error type:error sensor:$1 srcip:$2 NEXT id=30703 name=Windows KnownFolders has recorded an error match=ing match=War match=Microsoft-Windows-KnownFolders match=rror match=rr match=Kno match=wn match=ers match=Fo match=cc match=rr match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Known_Folders_Error type:error sensor:$1 srcip:$2 NEXT id=30704 name=Microsoft Windows remote management activity Initializing or initialized WSMan API. match=Client match=Cli match=nt match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=WSMan match=Initial match= WSMan API match=In match=Man match=API regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_WSMan_Initializing type:application sensor:$1 srcip:$2 NEXT id=30705 name=Microsoft Windows remote management activity WSMan operation Identify completed successfully. 
match=Client match=Cli match=nt match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=WSMan match=operation match=completed successfully match=ion match=ed match=com regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_WSMan_Operation_Completed type:application sensor:$1 srcip:$2 NEXT id=30706 name=Microsoft Windows remote management activity is sending a response for the operation. match=Server match=er match=Se match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=Info match=ion match=Sending response for operation match=ing match=re match=se match=op regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Response_For_Operation type:application sensor:$1 srcip:$2 NEXT id=30707 name=Microsoft Windows remote management activity is processing a client request for an operation. match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=Info match=ion match=Processing client request for operation match=ing match=re match=st match=op match=cl match=nt regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Client_Request_For_Operation type:application sensor:$1 srcip:$2 NEXT id=30708 name=Microsoft Windows remote management activity is entering or leaving the plugin for an operation. match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=Info match=ion match=the plugin for operation match=plu match=in match=op match=er match=at regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Entering_Leaving_For_Operation type:application sensor:$1 srcip:$2 NEXT id=30709 name=Microsoft Windows remote management activity is sending a request for the operation. 
match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=Info match=ion match=Sending the request for operation match=Se match=ing match=re match=st match=oper regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Sending_Request_For_Operation type:application sensor:$1 srcip:$2 NEXT id=30710 name=Windows diagnosis. match=Microsoft-Windows-Diagnosis match=Win match=ows match=Dia match=Mi match=cro match=nos regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Diagnosis sensor:$1 srcip:$2 type:application NEXT id=30711 name=Windows resource exhaustion. match=Microsoft-Windows-Resource-Exhaustion-Detector match=Win match=ows match=Det match=or match=cro match=Mi match=Re match=ion match=Exh regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Resource_Exhaustion sensor:$1 srcip:$2 type:application NEXT id=30712 name=Microsoft Windows remote procedure call in data. match=RPC_IN_DATA match=RP match=C_ match=IN match=IN_ match=_D match=AT match=DA match=TA log=event:Windows-RPC_IN_DATA type:application NEXT id=30713 name=Microsoft Windows remote procedure call out data. match=RPC_OUT_DATA match=RP match=C_ match=OUT match=UT_ match=_D match=AT match=DA match=TA log=event:Windows-RPC_OUT_DATA type:application NEXT id=30714 name=Microsoft Windows PowerShell messages match=powershell match=/p match=ow match=er match=ll match=sh match=el match=T /powershell log=event:Windows-PowerShell_Messages type:application NEXT id=30715 name=Microsoft Windows PowerShell messages match=PowerShell match=/P match=ow match=er match=ll match=Sh match=el match=T /PowerShell log=event:Windows-PowerShell_Messages type:application NEXT id=30716 name=Microsoft Windows remote management activity. 
match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=WinRM,91,Information regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_ACtivity type:application sensor:$1 srcip:$2 NEXT id=30717 name=Microsoft Windows remote management activity. match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=User authentication match=Us match=er match=auth match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_User_Authentication type:login sensor:$1 srcip:$2 NEXT id=30718 name=Microsoft Windows remote management error HTTP_STATUS_DENIED. match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=HTTP_STATUS_DENIED match=HT match=TT match=STA match=US match=DEN match=ED regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_HTTP_Status_Denied type:web-error sensor:$1 srcip:$2 NEXT id=30719 name=Microsoft Windows remote management HTTP_STATUS_OK. match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=HTTP_STATUS_OK match=HT match=TT match=STA match=US match=OK regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_HTTP_Status_OK type:web-access sensor:$1 srcip:$2 NEXT id=30720 name=Microsoft Windows remote management error shell output failed. match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=operation ReceiveShellOutput failed match=rr match=error match=op match=ion match=ed match=Re match=put regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Shell_Output_Failed type:error sensor:$1 srcip:$2 NEXT id=30721 name=Microsoft Windows remote management error signal shell failed. 
match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=operation SignalShell failed match=rr match=error match=op match=ion match=ed match=Si match=ll regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Signal_Shell_Failed type:error sensor:$1 srcip:$2 NEXT id=30722 name=Microsoft Windows remote management error WINHTTP CANNOT CONNECT. match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=ERROR_WINHTTP_CANNOT_CONNECT match=RR match=ERR match=WIN match=NN match=OT match=CO match=CT regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Win_HTTP_Cannot_Connect type:error sensor:$1 srcip:$2 NEXT id=30723 name=Microsoft Windows remote management error delete shell failed. match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=operation DeleteShell failed match=rr match=err match=ion match=op match=ll match=De match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Delete_Shell_Failed type:error sensor:$1 srcip:$2 NEXT id=30724 name=Microsoft Windows remote management HTTP_STATUS_SERVICE_UNAVAIL. match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=HTTP_STATUS_SERVICE_UNAVAIL match=HT match=TT match=STA match=US match=ICE match=UN match=AVA regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_HTTP_Status_Service_Unavailable type:error sensor:$1 srcip:$2 NEXT id=30725 name=Microsoft Windows remote management deinitializing WSMan API. 
match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=Deinitial match=WSMan API match=De match=al match=WS match=Man match=API regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Deinitialize_WSMan_API type:application sensor:$1 srcip:$2 NEXT id=30726 name=Microsoft Windows remote management service starting or has started. match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=Winrm service match=start match=Winrm match=se match=ice match=st match=rt regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Service_Start type:application sensor:$1 srcip:$2 NEXT id=30727 name=Microsoft Windows Forefront protection messages. match=Forefront Protection match=Forefront match=Protection match=Fore match=fro match=Pro match=tec match=ion match=nt regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Forefront_Protection_Messages type:application sensor:$1 srcip:$2 NEXT id=30728 name=Microsoft Windows Bits messages. match=Microsoft-Windows-Bits match=Mi match=ro match=oft match=Win match=ows match=do match=Bi match=ts match=it regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Bits_Messages type:application sensor:$1 srcip:$2 NEXT id=30729 name=Microsoft Windows Application Impact Telemetry (AIT) Agent is not running because AIT is disabled. match=Microsoft-Windows-Application-Experience match=Agent is not running because AIT is disabled match=Mi match=ro match=oft match=Win match=ows match=do match=App match=ion match=Ex match=Ag match=nn match=ing match=dis regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Impact_Telemetry_Not_Running type:error sensor:$1 srcip:$2 NEXT id=30730 name=Microsoft Windows Update Client has changed. 
match=Microsoft-Windows-WindowsUpdateClient match=a change in the health of Windows Update match=Mi match=ro match=oft match=Win match=ows match=do match=Up match=te match=Cl match=nt match=ch match=ge match=he match=th regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Update_Client_Change type:application sensor:$1 srcip:$2 NEXT id=30731 name=Microsoft Windows Restart Manager messages. match=Microsoft-Windows-RestartManager match=Mi match=ro match=oft match=Win match=ows match=do match=Re match=st match=art match=Ma match=na match=ger regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Restart_Manager_Messages type:application sensor:$1 srcip:$2 NEXT id=30732 name=Microsoft Windows FSCRealtimeScanner is disabled match=FSCRealtimeScanner match=Realtime scan disabled match=FSC match=Real match=time match=nn match=Scan match=dis match=abl match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-FSCRealtimeScanner_Disabled type:application sensor:$1 srcip:$2 NEXT id=30733 name=Microsoft Windows FSCTransportScanner is disabled or enabled. 
match=FSCTransportScanner match=Transport scan match=abled match=FSC match=Tran match=port match=nn match=Scan match=abl match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-FSCTransportScanner_Disabled_Enabled type:application sensor:$1 srcip:$2 NEXT id=30734 name=Microsoft Windows FSCRealtimeScanner is enabled match=FSCRealtimeScanner match=Realtime scan enabled match=FSC match=Real match=time match=nn match=Scan match=en match=abl match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-FSCRealtimeScanner_Enabled type:application sensor:$1 srcip:$2 NEXT id=30735 name=Microsoft Windows FSCScheduledScanner is enabled match=FSCScheduledScanner match=Scheduled scan enabled match=FSC match=Sch match=led match=nn match=Scan match=en match=abl match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-FSCScheduledScanner_Enabled type:application sensor:$1 srcip:$2 NEXT id=30736 name=Microsoft Windows FSCScheduledScanner is disabled match=FSCScheduledScanner match=Scheduled scan disabled match=FSC match=Sch match=led match=nn match=Scan match=dis match=abl match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-FSCScheduledScanner_Disabled type:application sensor:$1 srcip:$2 NEXT id=30737 name=Microsoft Windows FSCController messages. match=Application match=pp match=ion match=FSCController match=FSC match=Con match=tr match=ol match=ll match=er regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-FSCController_Messages type:application sensor:$1 srcip:$2 NEXT id=30738 name=Microsoft Windows FSEIMC started or stopped. match=Application match=pp match=ion match=FSEIMC match=FS match=EI match=MC match=st match=ser match=ice regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-FSEIMC_Started_Stopped type:application sensor:$1 srcip:$2 NEXT id=30739 name=Microsoft Windows program inventory. 
match=Application match=pp match=ion match=Info match=Microsoft-Windows-Application-Experience match=A program was installed on the system match=Mi match=Win match=Ex match=ed match=pro match=sys match=on match=as regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Program_Inventory type:application sensor:$1 srcip:$2 NEXT id=30740 name=Microsoft Windows Language Pack cleanup functionality. match=ion match=Microsoft-Windows-LanguagePackSetup match=Language Pack cleanup functionality match=Mi match=Win match=Lan match=Pa match=Se match=cl match=up match=fu match=ty regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Language_Pack_Cleanup type:application sensor:$1 srcip:$2 NEXT id=30741 name=Microsoft Windows ASP.NET request has been aborted. match=Application match=pp match=ion match=ASP.NET match=request has been aborted match=ASP match=NET match=AS match=re match=qu match=st match=ee match=ab match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-ASP_NET_Request_Aborted type:error sensor:$1 srcip:$2 NEXT id=30742 name=Microsoft Windows program data updater statistics. match=Application match=pp match=ion match=Info match=Microsoft-Windows-Application-Experience match=An instance of Program Data Updater match=Mi match=Win match=Ex match=er match=Pro match=in match=ran match=Da regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Program_Updater_Statistics type:application sensor:$1 srcip:$2 NEXT id=30743 name=Microsoft Windows DB2 event monitor has reached its file capacity. Delete the files in the target directory or move them to another directory. 
match=Application match=pp match=ion match=ing match=Instance:DB2 match=Event Monitor match=has reached its file capacity match=In match=DB2 match=ca match=ty match=fi match=le match=re match=ed match=ha regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-DB2_Monitor_Capacity_Reached type:application sensor:$1 srcip:$2 NEXT id=30744 name=Microsoft Windows Security Client successfully applied security policy. match=Application match=pp match=ion match=Sec match=ty match=Microsoft Security Client successfully applied security policy match=Mi match=Cl match=cc match=ss match=ll match=pp match=cy match=ft match=nt match=ur match=su match=Info regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Successfully_Applied_Security_Policy type:application sensor:$1 srcip:$2 NEXT id=30745 name=Microsoft Windows SMS Server message, the Site Component Manager could not access site system. The network path was not found. match=Application match=pp match=ion match=SMS Server match=SM match=Error match=rr match=Se match=The network path was not found. match=Th match=ne match=rk match=pa match=not match=fo match=nd match=wa match=as match=he regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SMS_Network_Path_Not_Found type:error sensor:$1 srcip:$2 NEXT id=30746 name=This Windows application SharePoint has issued an information message. match=ion match=Application match=pp match=ar match=SharePoint match=Info match=To match=Microsoft-SharePoint Products-SharePoint Foundation match=Micro match=tion match=so match=int match=Information match=,Information, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SharePoint_Information type:application sensor:$1 srcip:$2 NEXT id=30747 name=This Windows application SharePoint Managed Metadata Service has connected successfully. 
match=ion match=Application match=pp match=ar match=SharePoint match=Info match=Ta match=Microsoft-SharePoint Products-SharePoint Server match=Micro match=tion match=so match=int match=Information match=er match=Managed Metadata Service match=has connected successfully match=Ma match=Ser match=nn match=cc match=ss match=ll match=,Information, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SharePoint_Metadata_Service_Connected type:application sensor:$1 srcip:$2 NEXT id=30748 name=This Windows application SharePoint Server database error occurred. match=ion match=Application match=pp match=ar match=SharePoint match=ing match=Wa match=Microsoft-SharePoint Products-SharePoint Server match=Micro match=so match=int match=er match=A database error occurred match=da match=ba match=rr match=rr match=ed match=,Warning, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SharePoint_Database_Error type:error sensor:$1 srcip:$2 NEXT id=30749 name=Windows has recorded MSSQL$BKUPEXEC server had some database maintenance or reconfigure operations. match=pp match=Application match=Info match=Information match=tion match=MSSQL$BKUPEXEC match=Server match=database maintenance or reconfigure operations match=da match=se match=ma match=ce match=or match=re match=op match=con regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Server_Database_Maint_Or_Reconfig type:application sensor:$1 srcip:$2 NEXT id=30750 name=Windows has recorded MSSQL$SKOPUSSQLSERVER AppDomain unloaded. 
match=pp match=Application match=Info match=Information match=tion match=MSSQL$SKOPUSSQLSERVER match=Server match=AppDomain match=unloaded match=MS match=QL match=PU match=SS match=App match=Do match=un match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Server_AppDomain_Unloaded type:application sensor:$1 srcip:$2 NEXT id=30751 name=This Windows server has recorded an attempt to create a file which failed with a system error. match=ion match=Application match=pp match=EN match=ESENT match=SE match=Error regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Database_Engine_Event_Error type:system sensor:$1 srcip:$2 NEXT id=30752 name=This Windows server has recorded an error, unable to create a shadow copy. match=ion match=Application match=pp match=Error match=rr match=VSS match=Unable to create a shadow copy match=Un match=le match=to match=cr match=sh match=ow match=co match=py regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Unable_Create_Shadow_Copy type:error sensor:$1 srcip:$2 NEXT id=30753 name=This Windows Report server has recorded an error, it has not been granted access to the catalog content. match=ion match=Application match=pp match=Error match=rr match=Report Server Windows Service match=Re match=rt match=Se match=er match=Wi match=do match=ce match=ws match=po regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Report_Server_Error type:error sensor:$1 srcip:$2 NEXT id=30754 name=This Windows Server Update Services is working correctly. match=ion match=Application match=pp match=Info match=ion match=Windows Server Update Services match=WSUS is working correctly match=WS match=US match=ing match=rr match=co match=Up match=Se match=ce regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WSUS_Working_Correctly type:system sensor:$1 srcip:$2 NEXT id=30755 name=A Windows Forescout HTTP upload was started. 
match=Info match=,WSH, match=Forescout: HTTP upload was started match=IP match=pp match=Application match=at match=ion match=Fo match=ut match=HTTP match=up match=st match=ed match=was regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Forescout_HTTP_Upload_Started type:application sensor:$1 srcip:$2 NEXT id=30756 name=A Windows Forescout system cannot locate the resource specified. match=Error match=,WSH, match=Forescout: match=system cannot locate the resource specified match=IP match=pp match=Application match=at match=ion match=Fo match=ut match=em match=nn match=lo match=re match=ed match=sp regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Forescout_Cannot_Locate_Resource type:error sensor:$1 srcip:$2 NEXT id=30757 name=A Windows Forescout system vulnerabilities inspection was started. match=Info match=,WSH, match=Forescout: match=Vulnerabilities inspection was started match=IP match=pp match=Application match=at match=ion match=Fo match=ut match=Vu match=es match=in match=ion match=was match=st match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Forescout_Vulnerabilities_Inspection_Started type:application sensor:$1 srcip:$2 NEXT id=30758 name=A Windows Forescout system vulnerabilities inspection, HPS doesn't find any updates to download. match=Info match=,WSH, match=Forescout: match=HPS don't find updates to download match=IP match=pp match=Application match=at match=ion match=Fo match=ut match=Vu match=es match=HPS match=do match=fi match=up match=es match=do match=ad regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Forescout_HPS_No_Updates type:application sensor:$1 srcip:$2 NEXT id=30759 name=A Windows Forescout system vulnerabilities inspection, search finished. 
match=Info match=,WSH, match=Forescout: match=Search finished match=IP match=pp match=Application match=at match=ion match=Fo match=ut match=Vu match=es match=Se match=ch match=fi match=ed match=ies match=ea match=ni regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Forescout_Search_Finished type:application sensor:$1 srcip:$2 NEXT id=30760 name=A Windows System Restore failed to create restore point. match=Error match=rr match=IP match=pp match=Application match=at match=ion match=System Restore match=Failed to create restore point match=Fa match=ed match=to match=cr match=te match=re match=po match=nt match=Sy match=Re regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Failed_Restore_Point_Creation type:error sensor:$1 srcip:$2 NEXT id=30761 name=Windows has recorded a WMI warning message. The namespace is marked with the RequiresEncryption flag. Change the authentication level to Pkt_Privacy and run the script or application again. match=pp match=Application match=WMI match=Wa match=ing match=,Microsoft-Windows-WMI, match=marked with the RequiresEncryption flag match=ma match=ed match=Re match=ion match=En match=fl match=ag regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WMI_RequiresEncryption_Flag type:application sensor:$1 srcip:$2 NEXT id=30762 name=Microsoft Windows SMS Server has recorded an information message. match=Application match=pp match=ion match=SMS Server match=SM match=Information match=In match=Se match=er match=rv regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SMS_Information_Messages type:application sensor:$1 srcip:$2 NEXT id=30763 name=Microsoft Windows FailoverClustering messages. 
match=Microsoft-Windows-FailoverClustering match=Mi match=ft match=Wi match=ws match=Fa match=er match=Cl match=ing regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-FailoverClustering_Messages type:application sensor:$1 srcip:$2 NEXT id=30764 name=Microsoft Windows Server-ActiveSync. match=Microsoft-Server-ActiveSync match=Mi match=ft match=Se match=er match=Ac match=Sy match=nc match=rv regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Server_ActiveSync type:application srcip:$1 NEXT id=30765 name=Microsoft Windows ServerManager Deployment Provider messages. match=Microsoft-Windows-ServerManager-DeploymentProvider match=Mi match=ft match=Wi match=ws match=Se match=Ma match=er match=De match=Pr regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Deployment_Provider type:application sensor:$1 srcip:$2 NEXT id=30766 name=Microsoft Windows SMBClient has timed out. match=Microsoft-Windows-SMBClient match=Mi match=ft match=Wi match=ws match=SMB match=Cl match=nt match=Error match=rr match=timed out regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SMBClient_Timed_Out type:error sensor:$1 srcip:$2 NEXT id=30767 name=Windows Security SPP activation request has been processed. match=Microsoft-Windows-Security-SPP match=SPP match=Info match=Information match=activation request has been processed match=Mi match=ft match=Wi match=ws match=Se match=ac match=ion match=re match=ss match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SPP_Activation_Processed type:system sensor:$1 srcip:$2 NEXT id=30768 name=Windows has recorded that the SQLServerAgent has issued a CheckServiceAlive and it was successful. 
match=pp match=Application match=Info match=Information match=ion match=In match=,SQLSERVERAGENT, match=success match=CheckServiceAlive match=SQ match=AG match=cc match=ss match=Ch match=Al match=Se regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SQLServerAgent_Check_Service_Successful type:application sensor:$1 srcip:$2 NEXT id=30769 name=Windows has recorded that SQLAgent$SKOPUSSQLSERVER has issued an IsAlive request. match=pp match=Application match=Info match=Information match=Failover match=Is match=Al match=ve match=ion match=SQLAgent$SKOPUSSQLSERVER match=SQL match=Ag match=SK match=ER regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SQLAgent_SKOPUSSQLSERVER_IsAlive_Request type:application sensor:$1 srcip:$2 NEXT id=30770 name=Windows has recorded that SQLAgent$SKOPUSSQLSERVER has issued a CheckServiceAlive, which was successful. match=pp match=Application match=Info match=Information match=Failover match=CheckServiceAlive match=success match=cc match=ss match=Ch match=Se match=Al match=Fa match=ion match=SQLAgent$SKOPUSSQLSERVER match=SQL match=Ag match=SK match=ER regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SQLAgent_SKOPUSSQLSERVER_Check_Service_Successful type:application sensor:$1 srcip:$2 NEXT id=30771 name=Windows has recorded that the SQLServerAgent has issued an IsAlive request. match=pp match=Application match=Info match=Information match=ion match=In match=,SQLSERVERAGENT, match=IsAlive request match=Is match=SQ match=AG match=ve match=re match=qu match=Al match=st regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SQLServerAgent_IsAlive_Request type:application sensor:$1 srcip:$2 NEXT id=30772 name=Microsoft Windows SMS Server has recorded an error message. 
match=Application match=pp match=ion match=SMS Server match=SM match=Error match=Er match=Se match=er match=rv match=rr regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SMS_Error_Messages type:error sensor:$1 srcip:$2 NEXT id=30773 name=Microsoft Windows SMS Server has recorded a warning message. match=Application match=pp match=ion match=SMS Server match=SM match=Warning match=ing match=Se match=er match=rv match=Wa regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SMS_Warning_Messages type:application sensor:$1 srcip:$2 NEXT id=30774 name=Microsoft Windows CCFFilter Error. match=Microsoft-Windows-CCFFilter match=Error match=Mi match=ft match=Wi match=ow match=CCF match=Fi regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-CFFFilter_Error type:error sensor:$1 srcip:$2 NEXT id=30775 name=Microsoft Windows SMBW Witness Service has received an information message. match=Microsoft-Windows-SMBWitnessService match=Info match=Mi match=ft match=Wi match=ow match=SMBW match=Wit match=Information regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SMBWWitness_Information_Message type:application sensor:$1 srcip:$2 NEXT id=30776 name=Microsoft Windows SMBW Witness Client has received an error message. match=Microsoft-Windows-SMBWitnessClient match=Error match=Mi match=ft match=Wi match=ow match=SMBW match=Wit match=rr regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SMBWWitnessClient_Error_Message type:error sensor:$1 srcip:$2 NEXT id=30777 name=Microsoft Windows Application System.ServiceModel error. 
match=System.ServiceModel match=Error match=Ser match=Sys match=rr match=or match=Application match=WebHost match=ion match=App match=pp regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-ServiceModel_Error type:error sensor:$1 srcip:$2 NEXT id=30778 name=Microsoft Windows WinRM client protocol handler started to create a session. match=lient match=li match=nt match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=Info match=started to create a session regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Started_Create_Session type:application sensor:$1 srcip:$2 NEXT id=30779 name=Microsoft Windows WinRM client protocol session began an operation. match=lient match=li match=nt match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=ws match=RM match=Info match=began an operation regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Began_An_Operation type:application sensor:$1 srcip:$2 NEXT id=30780 name=Microsoft Windows WinRM got an access denied error. match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match= error: Access is denied match=error match=Ac match=de regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Access_Error type:error sensor:$1 srcip:$2 NEXT id=30781 name=Microsoft Windows WinRM get failed. match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=Error match=Get failed match=fa match=Ge regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Get_Failed type:error sensor:$1 srcip:$2 NEXT id=30782 name=Microsoft Windows WinRM protocol handler closed the session. 
match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=Info match=protocol handler closed the session match=pro match=ha regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Handler_Closed_Session type:application sensor:$1 srcip:$2 NEXT id=30783 name=Microsoft Windows WinRM protocol session successfully completed the operation. match=Microsoft-Windows-WinRM match=ft match=Mi match=cro match=dow match=Win match=Info match=session successfully completed the operation match=se match=co match=op regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinRM_Session_Completed_Successfully type:application sensor:$1 srcip:$2 NEXT id=30784 name=Microsoft Windows ServerManager MultiMachine enumerate instances error. match=Microsoft-Windows-ServerManager-MultiMachine match=ft match=Mi match=cro match=dow match=Win match=Info match=Enumerate instances error match=rror match=En match=ra regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-MultiMachine_Enumerate_Error type:error sensor:$1 srcip:$2 NEXT id=30785 name=Microsoft Windows ServerManager MultiMachine exception reported to data collection. match=Microsoft-Windows-ServerManager-MultiMachine match=ft match=Mi match=cro match=dow match=Win match=Info match=Exception reported to data collection match=Ex match=re match=col regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-MultiMachine_Data_Collection_Exception type:application sensor:$1 srcip:$2 NEXT id=30786 name=Microsoft Windows SMBW Witness Service has received an error message. match=Microsoft-Windows-SMBWitnessService match=Error match=Mi match=ft match=Wi match=ow match=SMBW match=Wit match=rr regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SMBWWitnessService_Error_Message type:error sensor:$1 srcip:$2 NEXT id=30787 name=Microsoft Windows SMBW Witness Client has received an unregister request message. 
match=Microsoft-Windows-SMBWitnessClient match=Information match=Mi match=ft match=Wi match=ow match=SMBW match=Wit match=un match=received unregister request regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SMBWWitnessClient_Unregister_Request type:application sensor:$1 srcip:$2 NEXT id=30788 name=Microsoft Windows ServerManager-MgmtProvider messages. match=Microsoft-Windows-ServerManager-MgmtProvider match=Mi match=ft match=Wi match=ow match=Mgmt match=Se match=Ma match=er regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Management_Provider_Messages type:application sensor:$1 srcip:$2 NEXT id=30789 name=Microsoft Windows ServerManager MultiMachine Invoke method started. match=Microsoft-Windows-ServerManager-MultiMachine match=ft match=Mi match=cro match=dow match=Win match=Info match=Invoke method started match=In match=me match=st regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-MultiMachine_Invoke_Method_Started type:application sensor:$1 srcip:$2 NEXT id=30790 name=Microsoft Windows ServerManager MultiMachine refresh session started. match=Microsoft-Windows-ServerManager-MultiMachine match=ft match=Mi match=cro match=dow match=Win match=Info match=Refresh session started match=Re match=se match=st regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-MultiMachine_Refresh_Method_Started type:application sensor:$1 srcip:$2 NEXT id=30791 name=Microsoft Windows ServerManager MultiMachine creating new session. match=Microsoft-Windows-ServerManager-MultiMachine match=ft match=Mi match=cro match=dow match=Win match=Info match=Creating new session match=Cr match=se match=new regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-MultiMachine_Creating_New_Session type:application sensor:$1 srcip:$2 NEXT id=30792 name=Microsoft Windows ServerManager MultiMachine enumerate instances started. 
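# Layout note: this stretch of the file had been collapsed onto a handful of
# very long lines. It is restored here to the one-directive-per-line form the
# rest of the file uses (id= / name= / match= / regex= / log= / NEXT). Only
# comments and a few name= description strings were changed; no match=, regex=
# or log= token was altered, so emitted event names and captured fields are
# unchanged.
#
# Conventions visible in this section (hedged where the PRM semantics are not
# shown here):
#   - Every match= line appears to be a required substring pre-filter; the
#     short two/three-letter fragments (match=Mi, match=ft, ...) look like
#     index hints for the matcher rather than meaningful text. match=!... is
#     presumably a negated match (see id=30815).
#   - regex=([a-zA-Z0-9._-]+),IP:(...) captures the reporting host name ($1)
#     and the reporting host's IP ($2); in this section $2 is always logged
#     as srcip, whereas older rules at the top of the file log it as dstip.
#   - Rules 30865-30882 match the MSWinEventLog format and carry no regex=,
#     so they emit no sensor:/srcip: fields; the originating host presumably
#     comes from LCE client metadata instead - confirm before relying on it.

# Continuation of the rule whose id= and name= lines precede this point in the
# file (not visible here); match/regex/log lines are reproduced unchanged.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Enumerate instances started
match=En
match=ra
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Enumerate_Started type:application sensor:$1 srcip:$2
NEXT

id=30793
name=Microsoft Windows ServerManager MultiMachine Invoke method error.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=error
match=Invoke method error
match=In
match=me
match=rr
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Invoke_Method_Error type:error sensor:$1 srcip:$2
NEXT

id=30794
name=Microsoft Windows ServerManager MultiMachine properties refresh started.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=properties refresh started
match=pr
match=re
match=st
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Properties_Refresh_Started type:application sensor:$1 srcip:$2
NEXT

# Server Manager polls remote hosts over WinRM; 30795/30798 bracket that
# status check and are operational noise unless WinRM itself is of interest.
id=30795
name=Microsoft Windows ServerManager MultiMachine Completed WinRM service status check.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Completed WinRM service status check
match=Co
match=RM
match=st
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_WinRM_Check_Completed type:application sensor:$1 srcip:$2
NEXT

id=30796
name=Microsoft Windows ServerManager MultiMachine metadata failed to be retrieved.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=metadata failed to be retrieved
match=me
match=fa
match=re
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Metadata_Failed_Retrieval type:application sensor:$1 srcip:$2
NEXT

id=30797
name=Microsoft Windows ServerManager MultiMachine properties refresh completed.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=properties refresh completed
match=pr
match=re
match=co
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Properties_Refresh_Completed type:application sensor:$1 srcip:$2
NEXT

id=30798
name=Microsoft Windows ServerManager MultiMachine starting WinRM service status check.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Starting WinRM service status check
match=St
match=RM
match=ch
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_WinRM_Check_Started type:application sensor:$1 srcip:$2
NEXT

id=30799
name=Microsoft Windows ServerManager MultiMachine refresh item completed.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Refresh item completed
match=it
match=Re
match=co
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Refresh_Item_Completed type:application sensor:$1 srcip:$2
NEXT

id=30800
name=Microsoft Windows ServerManager MultiMachine Invoke method data received.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Invoke method data received
match=In
match=me
match=re
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Invoke_Method_Data_Received type:application sensor:$1 srcip:$2
NEXT

id=30801
name=Microsoft Windows ServerManager MultiMachine cluster query item message.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Cluster query item
match=Cl
match=qu
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Cluster_Query_Message type:application sensor:$1 srcip:$2
NEXT

id=30802
name=Microsoft Windows ServerManager MultiMachine invoke method completed.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Invoke method completed
match=In
match=me
match=co
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Invoke_Method_Completed type:application sensor:$1 srcip:$2
NEXT

# Event name keeps its lower-case "_completed" suffix (unlike its siblings)
# because renaming an emitted event would break saved queries keyed on it.
id=30803
name=Microsoft Windows ServerManager MultiMachine refresh session completed.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Refresh session completed
match=se
match=Re
match=co
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Refresh_Session_completed type:application sensor:$1 srcip:$2
NEXT

# Catch-all for the SMBWitnessClient source: no message text is matched.
id=30804
name=Microsoft Windows SMB Witness Client messages.
match=Microsoft-Windows-SMBWitnessClient
match=Info
match=Mi
match=ft
match=Wi
match=ow
match=SMBW
match=Wit
match=Clien
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SMBWWitnessClient_Messages type:application sensor:$1 srcip:$2
NEXT

# Only rule in this section that also captures a peer address: the cluster
# address and port from the message body become dstip/dstport.
id=30805
name=Microsoft Windows SMBClient Witness registration has completed.
match=Microsoft-Windows-SMBClient
match=Mi
match=ft
match=Wi
match=ws
match=SMB
match=Cl
match=nt
match=Info
match=Witness registration has completed
match=Wi
match=reg
match=com
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* cluster address: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=event:Windows-SMBClient_Registration_Completed type:application sensor:$1 srcip:$2 dstip:$3 dstport:$4
NEXT

id=30806
name=Microsoft Windows MSMQ Message Queuing could not resolve the name.
match=Microsoft-Windows-MSMQ
match=Mi
match=ft
match=Wi
match=ws
match=MSMQ
match=Warn
match=Message Queuing could not resolve the name
match=Me
match=Qu
match=re
match=name
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MSMQ_Could_Not_Resolve_Name type:application sensor:$1 srcip:$2
NEXT

id=30807
name=Microsoft Windows SMBClient Witness deregistration has completed.
match=Microsoft-Windows-SMBClient
match=Mi
match=ft
match=Wi
match=ws
match=SMB
match=Cl
match=nt
match=Info
match=deregistration has completed
match=de
match=reg
match=com
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SMBClient_Deregistration_Completed type:application sensor:$1 srcip:$2
NEXT

# 30808 and 30815 split the RdpCoreTS source on the substring "onnect":
# records containing it are typed as connection events here, everything else
# falls through to 30815 (match=!onnect). Both emit the same event name, so
# only the type distinguishes them downstream. RDP connection records are a
# primary lateral-movement data source; keep this pairing intact.
id=30808
name=Microsoft Windows RemoteDesktopServices-RdpCoreTS connection messages
match=Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
match=Mi
match=ft
match=Wi
match=ws
match=Re
match=De
match=Se
match=Rdp
match=onnect
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-RemoteDesktopServices_RdpCoreTS type:connection sensor:$1 srcip:$2
NEXT

id=30809
name=Microsoft Windows International: The NLS operation failed because the registry key Control Panel User Profile cannot be opened.
match=Microsoft-Windows-International
match=Mi
match=ft
match=Wi
match=ws
match=In
match=registry key Control Panel
match=cannot be opened
match=rror
match=Critical
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-International_Critical type:error sensor:$1 srcip:$2
NEXT

# NOTE(review): a CLR profiler is loaded into the target .NET process, so on
# production hosts this event is worth reviewing rather than treating as pure
# diagnostics noise; consider whether type:application is the right
# classification for your alerting policy. The rule matches only "NET Runtime"
# plus the message text, so it is not tied to a specific event source name.
id=30810
name=Microsoft Windows NET Runtime profiler was loaded successfully.
match=NET Runtime
match=Info
match=The profiler was loaded successfully
match=pr
match=wa
match=lo
match=su
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Net_Runtime_Profiler_Loaded type:application sensor:$1 srcip:$2
NEXT

# Records which GPOs the audit-policy client applied; useful as a baseline
# for detecting unexpected changes to audit policy scope.
id=30811
name=Microsoft Windows Security Audit Configuration Client List of applicable GPOs.
match=Microsoft-Windows-Security-Audit-Configuration-Client
match=Info
match=Mi
match=Wi
match=Se
match=Au
match=Co
match=Cl
match=List of applicable GPOs
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-List_Of_GPOs type:application sensor:$1 srcip:$2
NEXT

# "MAR8Core2" is matched as an opaque source token; its origin is not
# documented here - presumably a third-party application source name.
id=30812
name=Microsoft Windows Plugin DSScheduler reports exception. Cannot open message.
match=App
match=MAR8Core2
match=Warn
match=Plugin DSScheduler reports exception.
match=Wa
match=MA
match=DSS
match=Pl
match=ex
match=ce
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Plugin_DSScheduler_Exception type:application sensor:$1 srcip:$2
NEXT

id=30813
name=Microsoft Windows GroupPolicy Software Installation Extension completed or deferred.
match=Microsoft-Windows-GroupPolicy
match=Warn
match=Software Installation Extension
match=rocessing
match=Mi
match=Wi
match=Gr
match=Po
match=So
match=In
match=Ex
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-GroupPolicy_Deferred_Or_Completed type:application sensor:$1 srcip:$2
NEXT

# NOTE(review): as the description says, WCF message logging writes message
# contents in the clear. This is a data-exposure signal on any host handling
# credentials or regulated data; consider whether it deserves a more visible
# type than application.
id=30814
name=Microsoft Windows System.Servicemodel message logging has been turned on. Sensitive information may be logged in the clear, even if it was encrypted on the wire.
match=App
match=System.ServiceModel
match=Message Logging has been turned on.
match=Sy
match=Se
match=Mo
match=Me
match=Lo
match=tu
match=on
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-ServiceModel_Messaging_Turned_On type:application sensor:$1 srcip:$2
NEXT

# Complement of 30808: match=!onnect excludes the records 30808 already took.
id=30815
name=Microsoft Windows RemoteDesktopServices-RdpCoreTS messages
match=Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
match=Mi
match=ft
match=Wi
match=ws
match=Re
match=De
match=Se
match=Rdp
match=!onnect
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-RemoteDesktopServices_RdpCoreTS type:application sensor:$1 srcip:$2
NEXT

# 30816-30818: per-source catch-alls with no message-text match.
id=30816
name=Microsoft Windows Shell Core messages
match=Microsoft-Windows-Shell-Core
match=Mi
match=ft
match=Wi
match=ws
match=Sh
match=ll
match=Co
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Shell_Core type:application sensor:$1 srcip:$2
NEXT

id=30817
name=Microsoft Windows WinINet config.
match=Microsoft-Windows-WinINet-Config
match=Mi
match=ft
match=Wi
match=ws
match=INe
match=Co
match=ig
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinINet_Config type:application sensor:$1 srcip:$2
NEXT

id=30818
name=Microsoft Windows Immersive-Shell messages.
match=Microsoft-Windows-Immersive-Shell
match=Mi
match=ft
match=Wi
match=ws
match=Im
match=Sh
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Remote_Desktop_Config_Time type:application sensor:$1 srcip:$2
NEXT

# NOTE(review): this rule has no message-text match, so it fires for every
# record from the RemoteConnectionManager source, not only the "took too long
# to load the user configuration" message the original description and the
# event name (Windows-Remote_Desktop_Config_Time) suggest. The description is
# corrected; the event name is kept to avoid breaking existing queries. Add a
# message match= here once the exact event text has been confirmed.
id=30819
name=Microsoft Windows TerminalServices RemoteConnectionManager message (for example, loading the user configuration from the server took too long).
match=Microsoft-Windows-TerminalServices-RemoteConnectionManager
match=Mi
match=ft
match=Wi
match=ws
match=Te
match=Re
match=Co
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Immersive_Shell type:application sensor:$1 srcip:$2
NEXT

# 30820-30822 and 30836: Plug and Play device lifecycle. New-device-interface
# and device-configured events are the natural hook for removable-media
# monitoring; they are typed application here, so build any USB-policy alert
# on the event name rather than the type.
id=30820
name=Microsoft Windows Kernel PnPConfig new device interface.
match=Microsoft-Windows-Kernel-PnPConfig
match=Mi
match=ft
match=Wi
match=ws
match=Ke
match=PnP
match=New device interface
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-PnP_New_Device_Interface type:application sensor:$1 srcip:$2
NEXT

id=30821
name=Microsoft Windows Kernel PnP device was configured.
match=Microsoft-Windows-Kernel-PnP
match=Mi
match=ft
match=Wi
match=ws
match=Ke
match=PnP
match=Device
match=was configured
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-PnP_Device_Was_Configured type:application sensor:$1 srcip:$2
NEXT

id=30822
name=Microsoft Windows Kernel PnPConfig device is unconfigured.
match=Microsoft-Windows-Kernel-PnPConfig
match=Mi
match=ft
match=Wi
match=ws
match=Ke
match=PnP
match=Device container
match=is unconfigured
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-PnP_Device_Unconfigured type:application sensor:$1 srcip:$2
NEXT

# NOTE(review): no message text is matched, so every DeviceSetupManager record
# is reported under the "Stopping" event name, not only shutdown messages.
# Description corrected; event name kept for query compatibility.
id=30823
name=Microsoft Windows Device Setup Manager message (for example, the service shutting down).
match=Microsoft-Windows-DeviceSetupManager
match=Mi
match=ft
match=Wi
match=ws
match=De
match=Se
match=Ma
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Device_Setup_Manager_Stopping type:application sensor:$1 srcip:$2
NEXT

id=30824
name=Microsoft Windows ASP.NET configuration error has occurred.
match=ASP.NET
match=A configuration error has occurred
match=Application
match=Co
match=error
match=or
match=occ
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Web_Event_Configuration_Error type:error sensor:$1 srcip:$2
NEXT

id=30825
name=Microsoft Windows AppReadiness service has completed tasks.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=service has completed tasks
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Completed_Tasks type:application sensor:$1 srcip:$2
NEXT

id=30826
name=Microsoft Windows Wcmsvc terminal services session change was processed.
match=Microsoft-Windows-Wcmsvc
match=Mi
match=ft
match=Wi
match=ws
match=Wc
match=svc
match=Services session change
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Services_Session_Changed type:application sensor:$1 srcip:$2
NEXT

id=30827
name=Microsoft Windows ServerManager MultiMachine Response Time, Server manager initialization task.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=initialization task
match=in
match=ta
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Initialization_Task type:application sensor:$1 srcip:$2
NEXT

id=30828
name=Microsoft Windows ServerManager MultiMachine Server manager startup task.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=Info
match=Server manager startup task
match=st
match=Se
match=ma
match=ta
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Startup_Task type:application sensor:$1 srcip:$2
NEXT

id=30829
name=Microsoft Windows ServerManager MultiMachine role plugin Registration information load task.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=nfo
match=plugin Registration information load task
match=pl
match=Re
match=lo
match=ta
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Plugin_Registration type:application sensor:$1 srcip:$2
NEXT

id=30830
name=Microsoft Windows ServerManager MultiMachine Server manager refresh task started.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=nfo
match=Server manager refresh task
match=Se
match=ma
match=re
match=ta
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Refresh_Task type:application sensor:$1 srcip:$2
NEXT

id=30831
name=Microsoft Windows ServerManager MultiMachine role plugin load task started.
match=Microsoft-Windows-ServerManager-MultiMachine
match=ft
match=Mi
match=cro
match=dow
match=Win
match=nfo
match=plugin load task
match=pl
match=lo
match=in
match=ta
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MultiMachine_Plugin_Load_Task type:application sensor:$1 srcip:$2
NEXT

# NOTE(review): DPAPI master keys protect stored credentials (browser, Wi-Fi,
# certificate private keys, ...). Creation is routine at first logon or after
# a password change, but it is a useful pivot in credential-access
# investigations; correlate with logon events for the same host.
id=30832
name=Microsoft Windows DPAPI created Master key.
match=Microsoft-Windows-Crypto-DPAPI
match=ft
match=Mi
match=cro
match=dow
match=Win
match=nfo
match=DPAPI created Master key
match=DP
match=cr
match=Ma
match=ke
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Crypto_Master_Key_Created type:application sensor:$1 srcip:$2
NEXT

id=30833
name=Windows detected your regular local profile location.
match=Microsoft-Windows-User Profiles Service
match=cr
match=fi
match=er
match=Regular Local profile
match=Re
match=pr
match=ar
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Regular_Profile type:system sensor:$1 srcip:$2
NEXT

# 30834/30835: LocalSessionManager session arbitration and disconnect records
# help build interactive/RDP session timelines on a host; note they are typed
# application rather than login/logout here.
id=30834
name=Windows TerminalServices-LocalSessionManager begin or end session arbitration.
match=Microsoft-Windows-TerminalServices-LocalSessionManager
match=cr
match=er
match=session arbitration
match=ss
match=se
match=ar
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Begin_End_Session_Arbitration type:application sensor:$1 srcip:$2
NEXT

id=30835
name=Windows TerminalServices-LocalSessionManager session has been disconnected.
match=Microsoft-Windows-TerminalServices-LocalSessionManager
match=cr
match=er
match=Session
match=has been disconnected
match=Se
match=ee
match=di
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Session_Disconnected type:application sensor:$1 srcip:$2
NEXT

# Source is Kernel-PnP (not PnPConfig); description corrected to match.
id=30836
name=Microsoft Windows Kernel PnP device was started.
match=Microsoft-Windows-Kernel-PnP
match=Mi
match=ft
match=Wi
match=ws
match=Ke
match=PnP
match=Device
match=was started
match=De
match=st
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-PnP_Device_Started type:application sensor:$1 srcip:$2
NEXT

# 30837/30838: AppX (Store / sideloaded) package deployment. Package
# install/remove lists are a software-inventory change source.
id=30837
name=Microsoft Windows AppXDeployment Server following packages will be installed or removed.
match=Microsoft-Windows-AppXDeployment-Server
match=Mi
match=ft
match=Wi
match=ws
match=ppX
match=Se
match=De
match=will be installed
match=be removed
match=wi
match=in
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Packages_Will_Be_Installed_Removed type:application sensor:$1 srcip:$2
NEXT

id=30838
name=Microsoft Windows AppXDeployment Server determining packages to be installed.
match=Microsoft-Windows-AppXDeployment-Server
match=Mi
match=ft
match=Wi
match=ws
match=ppX
match=Se
match=De
match=Determining packages to be installed
match=pa
match=to
match=in
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Determining_Packages_To_Be_Installed type:application sensor:$1 srcip:$2
NEXT

id=30839
name=Microsoft Windows AppReadiness service status has changed.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=status changed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Status_Changed type:application sensor:$1 srcip:$2
NEXT

id=30840
name=Microsoft Windows AppReadiness service started processing tasks.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=Started processing tasks
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Started_Processing_Tasks type:application sensor:$1 srcip:$2
NEXT

# match='SystemUpgradeCleanup plus match=ed covers "started", "finished" and
# "selected" variants of the message with a single rule.
id=30841
name=Microsoft Windows AppReadiness service 'SystemUpgradeCleanup' task started, finished or selected.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match='SystemUpgradeCleanup
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_System_Upgrade_Cleanup type:application sensor:$1 srcip:$2
NEXT

id=30842
name=Microsoft Windows AppReadiness service finished processing tasks.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=Finished processing tasks
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Finished_Processing_Tasks type:application sensor:$1 srcip:$2
NEXT

# "match=Compatibility fix applied" appears twice in the original rule; the
# duplicate is kept as-is (redundant, not harmful).
id=30843
name=Microsoft Windows Application Program Telemetry compatibility fix applied.
match=Microsoft-Windows-Application-Experience
match=Compatibility fix applied
match=Mi
match=ro
match=oft
match=Win
match=ows
match=do
match=Ex
match=Compatibility fix applied
match=Co
match=fix
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Compatibility_Fix_Applied type:application sensor:$1 srcip:$2
NEXT

id=30844
name=Microsoft Windows AppReadiness service has started.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=App Readiness service has started
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Service_Started type:application sensor:$1 srcip:$2
NEXT

# 30845/30846 are the only rules here that attribute an event to a user
# (type:login, user:$3). NOTE(review): the user capture class
# [-A-Za-z0-9$_@#] contains no '\', '.' or space, so a DOMAIN\user value
# would be cut at "DOMAIN" and a UPN such as user@corp.example.com would be
# cut at "user@corp". Confirm the real format of the "started for" / "succeeded
# for" text before widening the class.
id=30845
name=Microsoft Windows AppReadiness service user login has started.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=UserLogon
match=started for
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.* started for ([-A-Za-z0-9$_@#]+)
log=event:Windows-AppReadiness_User_Login_Started type:login sensor:$1 srcip:$2 user:$3
NEXT

id=30846
name=Microsoft Windows AppReadiness service user logon has succeeded.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=UserLogon
match=succeeded for
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.* succeeded for ([-A-Za-z0-9$_@#]+)
log=event:Windows-AppReadiness_User_Login_Succeeded type:login sensor:$1 srcip:$2 user:$3
NEXT

id=30847
name=Microsoft Windows AppReadiness service has changed mode.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=has changed mode
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Mode_Changed type:application sensor:$1 srcip:$2
NEXT

id=30848
name=Microsoft Windows AppReadiness service has started a group.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=Started group
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Started_Group type:application sensor:$1 srcip:$2
NEXT

id=30849
name=Microsoft Windows AppReadiness service has finished a group.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=Finished group
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Finished_Group type:application sensor:$1 srcip:$2
NEXT

id=30850
name=Microsoft Windows AppReadiness service has selected the next task.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match=was selected as the next task
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Next_Task_Selected type:application sensor:$1 srcip:$2
NEXT

id=30851
name=Microsoft Windows AppReadiness service has finished the task.
match=Microsoft-Windows-AppReadiness
match=Mi
match=ft
match=Wi
match=ws
match=App
match=Re
match='ART:UserLogon' finished for
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-AppReadiness_Task_Finished type:application sensor:$1 srcip:$2
# id=30852 moved to threat_ms_emet.prm
NEXT

# 30853/30854 pin the MUI source and event id via the ",Source,EventID,"
# token, which is a tighter match than the free-text rules above.
id=30853
name=Microsoft Windows MUI resource cache builder has been called.
match=,Microsoft-Windows-MUI,3003,
match=MUI resource cache builder has been called
match=Microsoft
match=Windows
match=MU
match=of
match=with
match=ing
match=cache
match=been
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MUI_Resource_Cache_Builder_Invoked sensor:$1 srcip:$2 type:application
NEXT

id=30854
name=Microsoft Windows new MUI resource cache was built and installed on this system.
match=,Microsoft-Windows-MUI,3007,
match=Microsoft
match=Windows
match=MU
match=of
match=system
match=config
match=install
match=cache
match=New
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-MUI_Resource_Cache_Built sensor:$1 srcip:$2 type:application
NEXT

# 30855-30858: Windows Update client (event ids 25/30/38/41 pinned via the
# ",Source,EventID," token). Repeated check failures (30855) or stop requests
# (30857) on a host that should be patching are worth a patch-compliance
# alert; 30856/30858 are normal operation.
id=30855
name=Microsoft Windows Update failed to check for updates due to an error.
match=,Microsoft-Windows-WindowsUpdateClient,25,
match=Microsoft
match=Windows
match=WindowsUpdateClient
match=fail
match=updates
match=error
match=for
match=with
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Update_Client_Check_Failed sensor:$1 srcip:$2 type:error
NEXT

id=30856
name=Microsoft Windows Update established connectivity.
match=,Microsoft-Windows-WindowsUpdateClient,30,
match=Microsoft
match=Windows
match=WindowsUpdateClient
match=established
match=connect
match=Update
match=vi
match=iv
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Update_Client_Connectivity_Established sensor:$1 srcip:$2 type:application
NEXT

id=30857
name=Microsoft Windows Update received a service stop request.
match=,Microsoft-Windows-WindowsUpdateClient,38,
match=Microsoft
match=Windows
match=WindowsUpdateClient
match=Update
match=service
match=received
match=request
match=stop
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Update_Client_Service_Stop_Request sensor:$1 srcip:$2 type:application
NEXT

id=30858
name=Microsoft Windows update was downloaded.
match=,Microsoft-Windows-WindowsUpdateClient,41,
match=Microsoft
match=Windows
match=WindowsUpdateClient
match=Update
match=update was downloaded
match=download
match=date
match=load
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Update_Client_Downloaded sensor:$1 srcip:$2 type:application
NEXT

# 30859-30861: component servicing (package state changes, event ids 1/2/3).
id=30859
name=Microsoft Windows initiated a state change for an installation package.
match=,Microsoft-Windows-Servicing,1,
match=Microsoft
match=Windows
match=package
match=state
match=Client
match=Current
match=change
match=id
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Package_Change_Initiated sensor:$1 srcip:$2 type:application
NEXT

id=30860
name=Microsoft Windows had an installation package change state.
match=,Microsoft-Windows-Servicing,2,
match=Microsoft
match=Windows
match=ack
match=successful
match=changed
match=Pa
match=age
match=lly
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Package_Changed sensor:$1 srcip:$2 type:application
NEXT

id=30861
name=Microsoft Windows had an installation package fail to change state.
match=,Microsoft-Windows-Servicing,3,
match=Microsoft
match=Windows
match=ack
match=failed
match=changed
match=Pa
match=age
match=state
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Package_Change_Failed sensor:$1 srcip:$2 type:error
NEXT

# NOTE(review): this records a change to the machine's trusted root store (a
# third-party root added through automatic root update). Normal on Internet-
# connected hosts, but root-store changes are exactly what TLS interception
# or malicious code signing needs, so unexpected subjects deserve review;
# consider a more visible type than application for hosts that should not
# receive automatic root updates.
id=30862
name=Microsoft Windows successfully auto updated a third party root certificate.
match=,Microsoft-Windows-CAPI2,4097,
match=Microsoft
match=Windows
match=certificate
match=auto
match=update
match=Success
match=Sub
match=ir
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Third_Party_Root_Certificate_Update sensor:$1 srcip:$2 type:application
NEXT

# 30863/30864: CA SiteMinder (web access management) messages from the
# Application log, split by Windows severity. Both are typed error even
# though 30864 only matches ,Warning, records - presumably intentional so
# that SSO problems are not lost among application noise; confirm.
id=30863
name=This Windows application log event is a SiteMinder error message.
match=ion
match=Application
match=pp
match=SiteMinder
match=or
match=rr
match=,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SiteMinder_Messages_Error type:error sensor:$1 srcip:$2
NEXT

id=30864
name=This Windows application log event is a SiteMinder warning message.
match=ion
match=Application
match=pp
match=SiteMinder
match=in
match=ing
match=,Warning,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-SiteMinder_Messages_Warning type:error sensor:$1 srcip:$2
NEXT

# 30865-30882: MSWinEventLog-format rules. No regex= line, hence no
# sensor:/srcip: fields in the emitted event (see section header).
id=30865
name=A Windows worker process was shutdown due to inactivity. A new worker process will be started when needed.
match=MSWinEventLog
match=worker process
match=Info
match=was shutdown due to inactivity
match=wa
match=do
match=sh
match=in
match=ac
match=ty
log=event:Windows-Worker_Process_Shutdown type:system
NEXT

id=30866
name=Windows had an error during job agent execution.
match=MSWinEventLog
match=Application
match=Error
match=an error during job agent execution
match=MS
match=rr
match=pp
match=on
match=ag
match=ex
log=event:Windows-Job_Agent_Execution_Error type:error
NEXT

# 30867/30868: Service Control Manager state transitions. Stopped-state
# events for security services (AV, EDR, audit) are a classic defence-evasion
# signal; the service name is not extracted here, so filter on the raw text.
id=30867
name=Windows service entered the running state.
match=MSWinEventLog
match=System
match=Service Control Manager
match=service entered the running state
match=MS
match=Sy
match=Se
match=en
match=nn
match=st
log=event:Windows-Service_Entered_Running_State type:system
NEXT

id=30868
name=Windows service entered the stopped state.
match=MSWinEventLog
match=System
match=Service Control Manager
match=service entered the stopped state
match=MS
match=Sy
match=en
match=pp
match=st
match=Se
log=event:Windows-Service_Entered_Stopped_State type:system
NEXT

# Event name keeps its "LOg" capitalisation typo on purpose: renaming an
# emitted event breaks existing queries and dashboards. "ofxnt" is matched as
# an opaque token whose meaning is not documented here.
id=30869
name=Windows MSWinEventLog information message.
match=MSWinEventLog
match=Application
match=Information
match=ofxnt
match=MS
match=pp
match=In
match=of
match=nt
match=on
log=event:Windows-MSWinEventLOg_Information_Message type:application
NEXT

# NOTE(review): nothing in this rule matches the WinHTTP service name; it
# fires for any "service was successfully sent a start control" record, so
# the event name over-promises. Description corrected; event name kept for
# query compatibility. Add a match= on the service display name if only the
# WinHTTP auto-proxy service is wanted.
id=30870
name=A Windows service (for example the WinHTTP Web Proxy Auto-Discovery Service) was successfully sent a start control.
match=MSWinEventLog
match=System
match=service was successfully sent a start control
match=MS
match=Sy
match=ss
match=ll
match=cc
match=ce
log=event:Windows-WinHTTP_Web_Proxy_Sent_Start_Control type:system
NEXT

# NOTE(review): a system clock change outside NTP drift skews every later
# timestamp from this host and can break Kerberos; unexpected occurrences are
# a common anti-forensics indicator and may deserve more than type:system.
id=30871
name=Windows system time has changed.
match=MSWinEventLog
match=System
match=Microsoft-Windows-Kernel-General
match=The system time has changed
match=MS
match=Sy
match=Ke
match=Ge
match=ch
match=ti
log=event:Windows-System_Time_Changed type:system
NEXT

id=30873
name=Windows service will be shut down.
match=MSWinEventLog
match=System
match=Service
match=it will be shut down
match=MS
match=Sy
match=se
match=ll
match=sh
match=wn
log=event:Windows-Service_Will_Be_Shutdown type:system
NEXT

id=30874
name=Windows service suspended operation.
match=MSWinEventLog
match=Service suspended operation
match=MS
match=Sy
match=Se
match=su
match=op
match=ed
log=event:Windows-Service_Suspended_Operation type:system
NEXT

id=30875
name=A Windows network link is disconnected.
match=MSWinEventLog
match=Network link is disconnected.
match=MS
match=Sy
match=Ne
match=li
match=nn
match=ed
log=event:Windows-Network_Link_Disconnected type:network
NEXT

id=30876
name=A Windows network link is established.
match=MSWinEventLog
match=Network link has been established
match=MS
match=Sy
match=Ne
match=li
match=nn
match=ed
log=event:Windows-Network_Link_Established type:network
NEXT

# Typed application although it matches an Error record; the sibling
# MSWinEventLog error rules (30866, 30878) use type:error. Left unchanged
# because the classification may be deliberate - confirm.
id=30877
name=Windows Group Policy Registry error, there is not enough space on the disk.
match=MSWinEventLog
match=Error
match=Group Policy Registry
match=not enough space on the disk
match=MS
match=ry
match=Er
match=Gr
match=Po
match=Re
log=event:Windows-Group_Policy_Registry_Space_On_Disk type:application
NEXT

id=30878
name=A Windows network problem, connection unexpectedly closed by peer.
match=MSWinEventLog
match=connection unexpectedly closed by peer
match=Error
match=MS
match=Ne
match=nn
match=cl
match=pe
match=rr
log=event:Windows-Network_Connection_Closed_By_Peer type:error
NEXT

id=30879
name=Windows is unable to connect to the automatic updates service and therefore cannot download and install updates. Windows will continue to try to establish a connection.
match=MSWinEventLog
match=WindowsUpdateClient
match=unable to connect to the automatic updates
match=Wi
match=Up
match=Cl
match=nn
match=au
match=up
match=te
log=event:Windows-Unable_To_Connect_To_Automatic_Updates type:application
NEXT

# NOTE(review): Schannel truncating the trusted-CA list it sends to clients is
# usually a symptom of an oversized Trusted Root store; it can break client-
# certificate authentication and is worth correlating with 30862.
id=30880
name=Windows has so many certificate authorities that the list has grown too long. This list has thus been truncated.
match=MSWinEventLog
match=System
match=Schannel
match=sends a list of trusted
match=certificate authorities
match=Wi
match=ds
match=li
match=st
match=ce
match=au
match=ed
log=event:Windows-Trusted_Certificate_Authorities_Truncated type:application
NEXT

# 30881/30882: IIS Failed Request Tracing. 30882 means request-failure
# traces are being silently dropped, which matters if FRT logs feed an
# investigation or compliance process.
id=30881
name=Windows Failed Request Tracing module failed to delete at least one log file from the directory.
match=MSWinEventLog
match=Application
match=Warning
match=error
match=Module failed to delete at least one log
match=Wi
match=Wa
match=pp
match=rr
match=Mo
match=de
match=og
log=event:Windows-Module_Failed_To_Delete_Log type:error
NEXT

id=30882
name=Windows Failed Request Tracing module failed to write buffered events to log file for the request that matched failure definition. No logs will be generated until this condition is corrected.
match=MSWinEventLog
match=Application
match=Warning
match=error
match=failed to write buffered events to log file
match=Wi
match=Wa
match=pp
match=rr
match=fa
match=ff
match=og
log=event:Windows-Module_Failed_To_Write_Events_To_Log type:error
NEXT

id=30883
name=Windows Ntfs summary of disk space usage.
match=Microsoft-Windows-Ntfs
match=Information
match=Summary of disk space usage
match=In
match=Mi
match=Nt
match=Wi
match=sk
match=ge
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Summary_Of_Disk_Space type:application sensor:$1 srcip:$2
NEXT

id=30884
name=Windows TaskScheduler is behind deadline.
match=Microsoft-Windows-TaskScheduler
match=Warning
match=Maintenance task
match=is behind deadline
match=Mi
match=Wi
match=Ta
match=Ma
match=ea
match=hi
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-TaskScheduler_Behind_Deadline type:application sensor:$1 srcip:$2
NEXT

# Typed detected-change (unlike the rest of this section); this is the
# automatic-maintenance state, not a scheduled-task create/modify event.
id=30885
name=Windows TaskScheduler state has changed.
match=Microsoft-Windows-TaskScheduler
match=Information
match=Maintenance state has changed
match=Mi
match=Wi
match=Ta
match=Ma
match=In
match=st
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-TaskScheduler_State_Changed type:detected-change sensor:$1 srcip:$2
NEXT

# 30886/30887: time-zone sync task, split by severity only (no message text).
id=30886
name=Windows TZSync.
match=Microsoft-Windows-TZSync
match=Information
match=TZ
match=Mi
match=Wi
match=Sy
match=In
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Time_Zone_Sync_Task type:application sensor:$1 srcip:$2
NEXT

id=30887
name=Windows TZSync error.
match=Microsoft-Windows-TZSync
match=Error
match=TZ
match=Mi
match=Wi
match=Sy
match=rr
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Time_Zone_Sync_Task_Error type:error sensor:$1 srcip:$2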