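# This library may only be used with the LCE server and may not
# be used with other products or open source projects
#
# NAME:
# Windows System Event log parser
#
# DESCRIPTION:
# This library is used to process logs from Windows systems. Windows
# XP or W2K servers can be configured with a LCE Client for Windows
# or can forward their events via netbios to another Windows server
# which runs the LCE Client. In both cases, the Windows LCE
# Client will attempt to conduct a reverse netbios or DNS lookup of
# the hostname to convert it to an IP address for the LCE server.
#
# LAST UPDATE: $Date$
#
# RULE FORMAT (as used throughout this file):
#   id=       numeric rule id, unique within the library
#   name=     description attached to the generated event
#   match=    literal text the raw line must contain; a rule lists several of them
#             (the short fragments such as "tem"/"ion" appear to be cheap prefilters
#             that must all hit before regex= is tried); a leading "!" (ids 3117,
#             3118, 3143) appears to exclude lines containing the text
#   regex=    pattern whose capture groups are referenced as $1.. by log=
#   log=      event name, captured fields and event type written on a match
#   NEXT      closes the rule
#   example=  a sample raw log line (only present in the disabled rules below)
# Lines beginning with # are comments; a rule can be disabled by commenting every line.
#
# NOTE(review): $1 is always the reporting host name and $2 its address, but ids
# 3103-3108 and 3121 write that address as dstip while every later rule writes it as
# srcip. Correlation on these fields has to accept both; left as-is to avoid changing
# the output of rules that downstream content may already depend on.
#
# NOTE(review): in the newer client log format the field after IP:x.x.x.x is the
# Windows event ID (see the example= lines in the disabled rules and the regex of
# id 31534, which anchors on ",1074,"). Ids 31510-31514 capture that field and
# write it as srcport:$3, so those events carry an event ID in the port field.
# No sibling rule shows where such a value belongs, so the labelling is flagged
# rather than changed.

################
# LIVE UPDATES #
################

# FIX: sensor:$1 and dstip:$2 were missing from log= although the regex captures
# them; this was the only rule in the file that dropped the reporting host.
id=3103
name=This Windows system event log indicates that "Live" Windows updates are ready for installation.
match=tem
match=System,
match=ion
match=,Information,
match=ent
match=ate
match=indo
match=Ready
match=updates
match=,17,Information,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Live_Updates_Ready sensor:$1 dstip:$2 type:system event2:WindowsEvent-17
NEXT

id=3104
name=This Windows system event log indicates that a Service Pack hotfix was installed.
match=tem
match=System,
match=ion
match=,Information,
match=indo
match=,Windows
match= Hotfix
match=sta
match=le
match=ed
match= was installed.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Hotfix_Installed type:system sensor:$1 dstip:$2
NEXT

id=3105
name=This Windows system event log indicates that the browser service was unable to retrieve the backup list.
match=tem
match=System,
match=rr
match=,Error,
match=,BROWSER,
match=SE
match=ER
match=,BROWSER,3221233504,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Browser_Failed_To_Retrieve type:error sensor:$1 dstip:$2
NEXT

id=3106
name=This Windows system event log indicates that the browser was unable to retrieve a list of servers from the browser master.
match=tem
match=System,
match=,BROWSER,
match=ER
match=SE
match=ar
match=arn
match=ing
match=,Warning,
match=,BROWSER,2147491669,Warning,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Browser_Unable_To_Retrieve type:error sensor:$1 dstip:$2
NEXT

id=3107
name=This Windows system event indicates that a print job was started, stopped or purged.
match=tem
match=System,
match=,Print,
match=ion
match=,Printer
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Print_Information type:system sensor:$1 dstip:$2
NEXT

id=3108
name=This Windows system event indicates that there is a printing problem.
match=tem
match=System,
match=,Print,
match=ar
match=arn
match=ing
match=,Warning,
match=,Print,2147483650,Warning,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Print_Warning type:error sensor:$1 dstip:$2
NEXT

# FIX: both port groups were written as [0-5]+, which cannot match any port
# containing a digit 6-9 (for example most ephemeral source ports); [0-9]+ accepts
# everything the old pattern accepted plus those ports.
id=3109
name=This Windows system event log indicates there has been a Windows time sync.
match=tem
match=System,
match=ion
match=,Information,
match=,W32Time,
match=,W32Time,1113194531,Information,
regex=([a-zA-Z0-9._-]+),IP.*ntp\.d\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)->([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=event:Windows-Time_Sync sensor:$1 srcip:$2 dstip:$4 srcport:$3 dstport:$5 type:system
NEXT

id=3110
name=This Windows system event log indicates that a USB drive has been removed.
match=tem
match=System,
match=ar
match=arn
match=ing
match=,Warning,
match=,2147745843,Warning,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Drive_Removed sensor:$1 srcip:$2 type:system
NEXT

id=3111
name=This Windows system event indicates that system time has not been synchronized correctly.
match=tem
match=System,
match=ar
match=arn
match=ing
match=,Warning,
match=,W32Time,
match=,W32Time,2186936356,Warning,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Timesync_Error sensor:$1 srcip:$2 type:error
NEXT

id=3112
name=This Windows system event log indicated a successful system update.
match=tem
match=System,
match=ent
match=ate
match=indo
match=,Windows Update Agent,
match=ion
match=,19,Information,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Update_Successful sensor:$1 srcip:$2 type:system event2:WindowsEvent-19
NEXT

id=3113
name=This Windows system event log indicates a user was unable to login.
match=tem
match=System,
match=ar
match=arn
match=ing
match=,Warning,
match=,MSFTPSVC,
match=Logon
match=failure
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Bad_Logon sensor:$1 srcip:$2 type:login-failure
NEXT

id=3114
name=This Windows system eventlog indicates there was a protocol error with the terminal service.
match=tem
match=System,
match=rr
match=,Error,
match=,TermDD,
match=an error in the protocol stream
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Protocol_Error sensor:$1 srcip:$2 type:error
NEXT

id=3115
name=This Windows system event log indicates that an authentication warning has been issued.
match=tem
match=System,
match=ar
match=arn
match=ing
match=,Warning,
match=,LSASRV,
match=authentication
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-LSASRV_Authentication_Warning sensor:$1 srcip:$2 type:system
NEXT

id=3116
name=This Windows system event log indicates the system was restarted.
match=tem
match=System,
match=ion
match=,Information,
match=,USER32,2147484722,Information,
match=ER
match=SE
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-System_Restart sensor:$1 srcip:$2 type:restart
NEXT

# Generic SCM error; lines containing "terminated" are excluded here and handled by id 3118.
id=3117
name=This Windows system event log indicated a Service Control Manager error.
match=!terminated
match=System,
match=rr
match=,Error,
match=ont
match=ol
match=ce
match=,Service Control Manager,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Service_Control_Manager_Error sensor:$1 srcip:$2 type:error
NEXT

id=3118
name=This Windows system event log indicated a service has terminated.
match=!specific
match=terminated
match=System,
match=rr
match=,Error,
match=ont
match=ol
match=ce
match=,Service Control Manager,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Service_Terminated sensor:$1 srcip:$2 type:error
NEXT

id=3119
name=This Windows system event log indicates that the maximum number of TCP sessions has been reached for this server.
match=tem
match=System,
match=ar
match=arn
match=ing
match=,Warning,
match=cp
match=,Tcpip,
match=,Tcpip,2147487874,Warning,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Max_Concurrent_TCP_Sessions sensor:$1 srcip:$2 type:error
NEXT

id=3120
name=This Windows system event log indicates there has been a print failure.
match=tem
match=System,
match=rr
match=,Error,
match=,Print,
match=,Print,3221231633,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Print_Failure sensor:$1 srcip:$2 type:error
NEXT

# $2 is the reporting IAS server (dstip); $3 is the address named in the message (srcip).
id=3121
name=This Windows system event log indicates that an illegal radius client attempted to authenticate.
match=tem
match=System,
match=rr
match=,Error,
match=,IAS,
match=,IAS,3221225485,Error,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.
log=event:Windows-Illegal_Radius_Client sensor:$1 dstip:$2 srcip:$3 type:access-denied
NEXT

id=3122
name=This Windows system event indicates that new printer drivers have been added.
match=tem
match=System,
match=ar
match=arn
match=ing
match=,Warning,
match=,Print,
match=,Print,2147483668,Warning,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Print_Drivers_Added sensor:$1 srcip:$2 type:system
NEXT

id=3123
name=This Windows system event indicates that a printer was deleted.
match=tem
match=System,
match=ar
match=arn
match=ing
match=,Warning,
match=,Print,
match=,Print,2147483651,Warning,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Printer_Removed sensor:$1 srcip:$2 type:system
NEXT

# NOTE(review): log= below reuses the event name of id 3123 (Windows-Printer_Removed),
# so an LPD request for a printer that does not exist - which the description says may
# be a scan or probe - is indistinguishable from a printer deletion in the event stream.
# Left unchanged because downstream content may reference the name; it should get its
# own event name (for example Windows-LPD_Nonexistent_Printer_Request) in a coordinated change.
id=3124
name=This Windows system event indicates that a request for a printer that does not exist was received. This could indicate that a local system is configured for a non-existent printer, or that a network scan or probe has made an illegitimate request to gain information.
match=tem
match=System,
match=ar
match=arn
match=ing
match=,Warning,
match=,LPDSVC,
match=,LPDSVC,2147487656,Warning,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Printer_Removed sensor:$1 srcip:$2 type:system
NEXT

id=3125
name=This Windows systen event indicates that the reason for the last shutdown was unplanned.
match=tem
match=System,
match=ar
match=arn
match=ing
match=,Warning,
match=ed
match=the last unexpected shutdown of this computer is: Other (Unplanned)
match=ect
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Unplanned_Shutdown sensor:$1 srcip:$2 type:restart
NEXT

id=3126
name=This Windows system event indicates that a remote host has sent a very large data payload in a WINS session. This type of event is common during vulnerability scanning and worm probes.
match=tem
match=System,
match=rr
match=,Error,
match=ent
match=ate
match=le
match=ss
match=,The length of the message sent by another WINS indicates a
match=IN
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WINS_Corruption sensor:$1 srcip:$2 type:system
NEXT

id=3127
name=The Windows system has updates which are ready to be installed.
match=tem
match=System,
match=ent
match=ate
match=indo
match=,Windows Update Agent,
match=ion
match=,Information,
match=,18,
match=sta
match=,Installation Ready:
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Updates_Ready sensor:$1 srcip:$2 type:system event2:WindowsEvent-18
NEXT

id=3128
name=The Windows system has installed one or more updates, but the system must be restarted to complete installation.
match=tem
match=System,
match=ent
match=ate
match=indo
match=,Windows Update Agent,2
match=ion
match=,Information,
match=sta
match=ire
match=est
match=ar
match=ed
match=,Restart Required:
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Restart_Required sensor:$1 srcip:$2 type:restart event2:WindowsEvent-22
NEXT

id=3129
name=The Windows system has detected a space problem on a hard drive.
match=tem
match=System,
match=ar
match=arn
match=ing
match=,Warning,
match=le
match=ed
match=ty
match= disk is at or near capacity. You may need to delete some files.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Disk_Full sensor:$1 srcip:$2 type:error
NEXT

id=3130
name=The Windows system had an access request and was discarded.
match=tem
match=System,
match=rr
match=,Error,
match=ce
match=ss
match=,Access
match=ser
match=user
match=est
match=request for user
match=ar
match=ed
match= was discarded
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Access_Request_Discarded sensor:$1 srcip:$2 type:system
NEXT

id=3131
name=The Windows system has no domain controller available.
match=tem
match=System,
match=rr
match=,Error,
match=ail
match=ont
match=ol
match=le
match=,There is no domain controller available for domain
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Domain_Controller_Not_Available sensor:$1 srcip:$2 type:error
NEXT

id=3132
name=The Windows system DCOM got error "%1327" and was unable to logon.
match=tem
match=System,
match=rr
match=,Error,
match=lo
match=log
match=le
match=DCOM got error "%1327" and was unable to logon
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-DCOM_Unable_To_Logon sensor:$1 srcip:$2 type:error
NEXT

id=3133
name=The Windows system DCOM got en error because the configured identity is incorrect.
match=tem
match=System,
match=ar
match=arn
match=ing
match=,Warning,
match=ss
match=ass
match=pass
match=ser
match=ail
match=lo
match=ion
match=le
match=ed
match=,The server failed to load application
match=pp
match=ent
match=sta
match=rr
match=ce
match=ty
match=The server process could not be started because the configured identity is incorrect. Check the username and password.
match=ect
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Server_Failed_To_Load_Application sensor:$1 srcip:$2 type:error
NEXT

id=3134
name=The Windows system could not establish a secured connection with the server.
match=tem
match=System,
match=ar
match=arn
match=ing
match=,Warning,
match=sta
match=ser
match=est
match=ecu
match=ion
match=ed
match=ty
match=The Security System could not establish a secured connection with the server
match=ect
match=ent
match=ail
match=ol
match=le
match=No authentication protocol was available.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Authentication_Protocol_Unavailable sensor:$1 srcip:$2 type:error
NEXT

id=3135
name=The Windows system detected an attempted downgrade attack for a server.
match=tem
match=System,
match=ar
match=arn
match=ing
match=,Warning,
match=ecu
match=ack
match=ed
match=ty
match=pt
match=The Security System detected an attempted downgrade attack for
match=ect
match=ent
match=lo
match=log
match=ser
match=ail
match=rr
match=ce
match=le
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Attempted_Downgrade_Attack sensor:$1 srcip:$2 type:intrusion
NEXT

id=3136
name=The Windows system detected that no domain controller was available or was not able to set up a secure session with a domain controller.
match=tem
match=System,
match=rr
match=,Error,
match=ail
match=ont
match=ol
match=le
match=ed
match=computer is connected to the network
match=ect
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Domain_Controller_Error sensor:$1 srcip:$2 type:error event2:WindowsEvent-5719
NEXT

id=3137
name=The Windows system kerberos subsystem encountered an error.
match=tem
match=System,
match=rr
match=,Error,
match=ed
match=Kerberos
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Kerberos_Error sensor:$1 srcip:$2 type:error
NEXT

id=3138
name=The Windows system has failed to register the host within a domain.
match=tem
match=System,
match=ar
match=arn
match=ing
match=,Warning,
match=ail
match=le
match=ed
match=The system failed to register host
match=est
match=ate
match=update request was because of a system problem.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Failed_To_Register_Host sensor:$1 srcip:$2 type:error
NEXT

id=3139
name=The Windows system could not acquire the time, none of the time sources are accessible.
match=tem
match=System,
match=rr
match=,Error,
match=ire
match=rom
match=ce
match=ed
match= is configured to acquire time from one or more time sources,
match=ate
match= has no source of accurate time.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Failed_To_Accquire_Time sensor:$1 srcip:$2 type:error
NEXT

id=3140
name=The Windows system has detected a driver controller error.
match=tem
match=System,
match=rr
match=,Error,
match=ont
match=ol
match=le
match=ed
match=The driver detected a controller error on
match=ect
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Detected_Controller_Error sensor:$1 srcip:$2 type:error
NEXT

id=3141
name=The Windows system is participating in an election to be the master browser on a domain.
match=tem
match=System,
match=rr
match=,Error,
match=,MRxSmb,
match=ent
match=ser
match=ce
match=ed
match=The master browser has received a server announcement
match=ion
match=ing
match=le
match=The master browser is stopping or an election is being forced
match=ect
match=pp
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Master_Browser_Election sensor:$1 srcip:$2 type:system
NEXT

id=3142
name=The Windows system has encountered an unknown generic system error.
match=tem
match=System,
match=rr
match=,System Error,
match=,Error,
match=,Error code
match=ar
match=, parameter
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Generic_System_Error sensor:$1 srcip:$2 type:error event2:WindowsEvent-1003
NEXT

# Hotfix lines are excluded here; they are handled by id 3104.
id=3143
name=The Windows system encountered a service pack event log.
match=tem
match=System,
match=ack
match=ce
match=,NtServicePack,
match=!Hotfix
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-ServicePack_Log_Event sensor:$1 srcip:$2 type:system
NEXT

# FIX: the regex captures the address the anonymous session came from ($3), but log=
# wrote only the reporting host (srcip:$2), so the remote peer of a rejected anonymous
# LSA connection was never recorded. Fields now follow id 3121: reporting host is
# dstip, the remote address in the message is srcip.
# The NEXT that closes this rule is the one after the disabled block below.
id=3144
name=The Windows system encountered an attempt to access an LSA policy handle.
match=tem
match=System,
match=,LsaSrv,
match=An a
match=ect
match=rom
match=ion
match=ed
match=ss
match=An anonymous session connected from
match=ent
match=AT
match=ecu
match=ing
match=EN
match=le
match=ty
match=pt
match=The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information
match=ST
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*An anonymous session connected from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) has
log=event:Windows-LSA_Access_Attempt sensor:$1 dstip:$2 srcip:$3 type:access-denied
# Ids 3145 and 3146 are disabled (every line commented); both would have produced the
# same Kerberos error events that id 3137 already covers.
# NOTE(review): their example= lines carry host names and addresses that look like they
# were taken from real environments; sample data in a distributed rule file should be
# anonymized.
#NEXT
#id=3145
#name=The Windows system indicates that kerveros had an error, possible bad password.
#example=System,08/13/2008,06:59:38 AM,Kerberos,1073741828,Error,None,N/A,LAP6607,IP:172.20.101.164,The kerberos client received a KRB_AP_ERR_MODIFIED error from the server thor$. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (CORP.TENABLESECURITY.COM), and the client realm. Please contact your system administrator.
#example=System,06/18/2012,18:00:36 PM,Microsoft-Windows-Security-Kerberos,4,Error,Classic,None,N/A,NEIGGAC1Z.nei.nih.gov,IP:192.168.1.2,4,The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server neia341ll91n$. The target name used was RPCSS/neim1300rw75n.nei.nih.gov. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (NIH.GOV) is different from the client domain (NIH.GOV), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
#match=tem
#match=System,
#match=Kerberos,
#match=ent
#match=ce
#match=ed
#match=erberos client received a
#match=ss
#match=ass
#match=pass
#match=ate
#match=pt
#match=indicates that the
#regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
#log=event:Windows-Kerberos_Error sensor:$1 srcip:$2 type:error
#NEXT
#id=3146
#name=The Windows system indicates that the target server failed to decrypt the ticket provided by the client.
#example=System,08/13/2008,06:40:13 AM,Kerberos,1073741828,Error,None,N/A,thor.corp.tenablesecurity.com,IP:172.20.100.20,The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server thor$. The target name used was TENABLE\METATRON$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (CORP.TENABLESECURITY.COM) is different from the client domain (CORP.TENABLESECURworkstation
#match=tem
#match=System,
#match=,Kerberos,
#match=ent
#match=ce
#match=ed
#match=The Kerberos client received a
#match=ser
#match=rr
#match=rom
#match=error from the server
#match=ail
#match=ate
#match=ar
#match=le
#match=pt
#match=This indicates that the target server failed to decrypt the ticket
#regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
#log=event:Windows-Kerberos_Failed_To_Decrypt sensor:$1 srcip:$2 type:error
NEXT

id=3147
name=The Windows system indicates that a network adapter has been disconnected from the network
match=tem
match=System,
match=cp
match=,Tcpip,
match=ect
match=ed
match=pt
match=The system detected that network adapter
match=rom
match=was disconnected from the network
match=ion
match=le
match=network configuration has been released.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Network_Adapter_Disconnected sensor:$1 srcip:$2 type:system
NEXT

id=3148
name=The Windows system time service is now synchronizing the system time.
match=tem
match=System,
match=ser
match=now
match=ing
match=ce
match=The time service is now synchronizing the system time
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Time_Synchronizing sensor:$1 srcip:$2 type:system
NEXT

id=3149
name=The Windows system has logged a hardware failure.
match=tem
match=System,
match=rr
match=,Error,
match=ail
match=ar
match=ed
match=Hardware failure detected
match=ect
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Hardware_Failure sensor:$1 srcip:$2 type:error
NEXT

# NOTE(review): ids 31510-31514 capture the number that follows the IP field and write
# it as srcport:$3; per the header note that position holds the Windows event ID in the
# newer log format, so the port field of these events is not a port. Unchanged here.
id=31510
name=The Windows system has logged that a device has out-of-date firmware, and that it may reduce performance.
match=tem
match=System,
match=ce
match=ed
match=The driver has detected that device
match=ect
match=ol
match=ate
match=ar
match= has old or out-of-date firmware
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+)
log=event:Windows-Out-Of-Date_Firmware sensor:$1 srcip:$2 srcport:$3 type:error
NEXT

id=31511
name=The Windows system has logged an authentication request that could not be decoded. The request has failed.
match=tem
match=System,
match=ent
match=ail
match=est
match=ecu
match=ion
match=ce
match=le
match=ed
match=ty
match=The Security System has received an authentication request that could not be decoded. The request has failed.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+)
log=event:Windows-Request_Not_Decoded sensor:$1 srcip:$2 srcport:$3 type:access-denied
NEXT

id=31512
name=The Windows system has logged that a Smart Card Reader rejected a card.
match=tem
match=System,
match=ar
match=ed
match=art
match=ard
match=Reader
match=Error
match=rr
match=ed
match=ed
match=er
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+)
log=event:Windows-Smart_Card_Reader_Error sensor:$1 srcip:$2 srcport:$3 type:error
NEXT

id=31513
name=The Windows system has logged that the system failed to flush data to the transaction log. Corruption may occur.
match=tem
match=System,
match=lo
match=log
match=ail
match=ion
match=le
match=ed
match=The system failed to flush data to the transaction log
match=rr
match=pt
match=Corruption may occur
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+)
log=event:Windows-Failed_To_Flush_Data sensor:$1 srcip:$2 srcport:$3 type:error
NEXT

id=31514
name=The Windows system has logged that the system failed to register a pointer resource record.
match=tem
match=System,
match=ail
match=le
match=ed
match=ailed
match=The system failed to register pointer (PTR)
match=ing
match=ce
match=pt
match=resource records (RRs) for network adapter with settings
match=TR
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+)
log=event:Windows-Failed_To_Register_Pointer sensor:$1 srcip:$2 srcport:$3 type:error
NEXT

id=31515
name=The Windows system could not authenticate locally by using the target name.
match=tem
match=System,
match=ar
match=arn
match=ing
match=,Warning,
match=ent
match=lo
match=ate
match= could not authenticate locally by using the target name
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Could_Not_Authenticate_Target_Name sensor:$1 srcip:$2 type:error
NEXT

id=31516
name=The Windows system shutdown unexpectedly.
match=tem
match=System,
match=rr
match=,Error,
match=The previous system shutdown
match=ed
match=was unexpected
match=ect
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Unexpected_Shutdown sensor:$1 srcip:$2 type:restart
NEXT

# NOTE(review): nothing here requires corruption text; any Ntfs Error line whose message
# starts with "The" produces Windows-File_System_Corrupt, so the event is broader than its name.
id=31517
name=The Windows file system is corrupt and unusable, time to run chkdsk.
match=tem
match=System,
match=rr
match=,Error,
match=Ntfs
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*,The
log=event:Windows-File_System_Corrupt sensor:$1 srcip:$2 type:error
NEXT

id=31518
name=The Windows system has awoke from sleep mode.
match=tem
match=System,
match=indo
match=le
match=Microsoft-Windows-Power-Troubleshooter
match=rom
match=ed
match=The system has resumed from sleep.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Resumed_From_Sleep_Mode sensor:$1 srcip:$2 type:restart event2:WindowsEvent-1
NEXT

id=31519
name=The Windows system has entered sleep mode due to the system being idle.
match=tem
match=System,
match=indo
match=,Microsoft-Windows-Kernel-Power
match=ent
match=ing
match=le
match=The system is entering sleep.
match=Sleep Reason: System Idle
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Entering_Sleep_Mode sensor:$1 srcip:$2 type:restart event2:WindowsEvent-42
NEXT

id=31520
name=The Windows system has printed a document.
match=tem
match=System,
match=Print
match=ion
match=Information
match=ent
match=Document
match=Do
match=ed
match=was printed on
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Printed_Document sensor:$1 srcip:$2 type:system
NEXT

id=31521
name=The Windows system has recorded a Schannel error.
match=tem
match=System,
match=Schannel
match=rr
match=Error
match=fa
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Schannel_Error sensor:$1 srcip:$2 type:error
NEXT

id=31522
name=The Windows system has recorded a user logon notification for the customer experience improvement program.
match=tem
match=System,
match=lo
match=log
match=ion
match=indo
match=Microsoft-Windows-Winlogon,7001,Information
match=ent
match=ser
match=Lo
match=ce
match=User Logon Notification for Customer Experience Improvement Program
match=User
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Logon_Notification_Improvement_Program sensor:$1 srcip:$2 type:system event2:WindowsEvent-7001
NEXT

id=31523
name=The Windows system has recorded that the Group Policy settings for the user were processed.
match=tem
match=System,
match=ol
match=indo
match=Microsoft-Windows-GroupPolicy
match=ion
match=Information
match=ing
match=ce
match=ed
match=ss
match=The Group Policy settings for the
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Group_Policy_Settings_Processed sensor:$1 srcip:$2 type:system
NEXT

id=31524
name=The Windows system has recorded a Microsoft Windows Printer error.
match=tem
match=System,
match=ce
match=rr
match=1111,Error
match=1111,Driver
match=Driver
match=Error
match=install
match=log
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Printer_Driver_Error sensor:$1 srcip:$2 type:error event2:WindowsEvent-1111
NEXT

id=31525
name=The Windows system has recorded a timeout attemping name resolution, none of the configured DNS servers responded.
match=tem
match=System,
match=ent
match=indo
match=,Microsoft-Windows-DNS-Client
match=ol
match=ion
match=Name resolution for the name
match=ser
match=ed
match=timed out after none of the configured DNS servers responded.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-DNS_Servers_Timeout sensor:$1 srcip:$2 type:error event2:WindowsEvent-1014
NEXT

id=31526
name=The Windows system has recorded a bad block for a device.
match=tem
match=System,
match=rr
match=Error
match=lo
match=dev
match=has a bad block.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Bad_Block_Detected sensor:$1 srcip:$2 type:error
NEXT

# FIX: log= assigned srcip twice (srcip:$2 for the reporting IAS server and srcip:$4 for
# Client-IP-Address), so one of the two addresses was lost depending on which assignment
# the engine keeps. As in id 3121 the reporting server is now dstip and the RADIUS
# client named in the message stays srcip.
id=31527
name=The Windows system has recorded a user was granted access.
match=tem
match=System,
match=IAS
match=ce
match=ed
match=ss
match=was granted access
match=ent
match=Client-IP-Address
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*,User (?:[^\ ]+\\)?([^ ]+) was granted access.* Client-IP-Address = ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-IAS_User_Granted_Access sensor:$1 dstip:$2 user:$3 srcip:$4 type:login
NEXT

id=31528
name=The Windows system attempted to launch a program without permission to do so.
match=tem
match=System,
match=,DCOM,
match=Lo
match=ion
match=ing
match=ss
match=,The application-specific permission settings do not grant Local
match=pp
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-DCOM_CLSID_Unable_To_Launch sensor:$1 srcip:$2 type:access-denied
NEXT

id=31529
name=The Windows Update Client failed to install an update.
match=tem
match=System,
match=System
match=ent
match=ate
match=indo
match=Windows Update Agent
match=,Windows
match=sta
match=ail
match=ailure
match=ion
match=ed
match=IP
match=,Installation Failure:
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-UpdateClient_Installation_Failure sensor:$1 srcip:$2 type:error event2:WindowsEvent-20
NEXT

id=31530
name=The Windows Update Client has an update that is ready to install.
match=tem
match=System,
match=ent
match=ate
match=indo
match=,Microsoft-Windows-WindowsUpdateClient,
match=sta
match=ion
match=,Installation Ready:
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-UpdateClient_Installation_Ready sensor:$1 srcip:$2 type:system event2:WindowsEvent-18
NEXT

id=31531
name=The Windows system successfully applied the forefront client security state assessment service policy.
match=ent
match=ecu
match=ate
match=IP
match=Forefront Client Security State Assessment Service policy applied successfully.
match=System
match=ty
match=ont
match=ss
match=ce
match=FcsSas
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Forefront_Assessment_Applied sensor:$1 srcip:$2 type:system
NEXT

id=31532
name=The Windows system forefront signature version has been updated.
match=ate
match=IP
match=signature version has been updated.
match=System,
match=ed
match=FCSAM
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Forefront_Signatures_Updated sensor:$1 srcip:$2 type:system event2:WindowsEvent-2000
NEXT

id=31533
name=The Windows system forefront real-time protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks.
match=ent
match=System
match=tem
match=IP
match=,Warning,
match=System,
match=ect
match=ing
match=Real-Time Protection agent has detected changes.
match=ed
match=FCSAM
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Windows-Forefront_Detected_Changes sensor:$1 srcip:$2 type:system event2:WindowsEvent-3004
NEXT

# $3 is the account named in the 1074 message, with an optional DOMAIN\ prefix stripped.
id=31534
name=The Windows system has detected a restart or shutdown.
match=System
match=tem
match=IP
match=,Information,
match=System,
match=1074
match=lo
match=ol
match=ser
match=user
match=ing
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),1074,The process .*user (?:[^\ ]+\\)?([^ ]+) for the following reason
log=event:Windows-Restart_Shutdown sensor:$1 srcip:$2 user:$3 type:restart event2:WindowsEvent-1074
NEXT

id=31535
name=The Windows system has reported no suitable default server credential exists on this system.
match=System
match=tem
match=IP
match=,Warning,
match=System,
match=3688
match=No
match=ing
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),3688
log=event:Windows-No_Credential sensor:$1 srcip:$2 type:system
NEXT

id=31536
name=The Windows system RemoteAccess user does not have Remote Access privilege.
match=le
match=user
match=System
match=tem
match=IP
match=,Warning,
match=System,
match=ser
match=ss
match=ect
match=ing
match=ed
match=ce
match=20258
match=does not have Remote Access privilege
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),20258
log=event:Windows-User_Does_Not_Have_Remote_Access sensor:$1 srcip:$2 type:login-failure event2:WindowsEvent-20258
NEXT

id=31537
name=The Windows system RemoteAccess user failed an authentication attempt due to the following reason: The account does not have permission to dial in.
match=le
match=ent
match=failed an authentication attempt
match=user
match=rom
match=System
match=tem
match=IP
match=20271
match=,Warning,
match=lo
match=ailed
match=System,
match=ser
match=ail
match=ect
match=ing
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),20271
log=event:Windows-User_Does_Not_Have_Permission_For_Dial_In sensor:$1 srcip:$2 type:login-failure event2:WindowsEvent-20271
NEXT

# The NEXT that closes this rule is the one after the disabled block below.
id=31538
name=This Windows system event log indicated a successful system update.
match=tem
match=System,
match=ent
match=ate
match=indo
match=WindowsUpdateClient,
match=ion
match=,Information,
match=restart
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Update_Successful_Needs_Restart sensor:$1 srcip:$2 type:system event2:WindowsEvent-21
# Id 31539 is disabled (every line commented); id 31523 already covers Group Policy
# processing events with the same event name.
#NEXT
#id=31539
#name=The Windows system has recorded that the Group Policy settings for the user were processed successfully.
#example=System,10/04/2011,19:11:29 PM,Microsoft-Windows-GroupPolicy,1502,Information,N/A,None,N/A,MasterC.pahouse.net,IP:10.10.100.12,1502,The Group Policy settings for the computer were processed successfully. New settings from 5 Group Policy objects were detected and applied.
#match=The Group Policy settings for the computer were processed successfully.
#match=Micro
#match=System
#match=tem
#match=in
#match=1502,Information
#match=Information
#match=succ
#match=indo
#match=,Information,
#match=nformation
#match=ystem
#match=ic
#match=Information,
#match=ce
#match=at
#match=Windows
#match=IP
#match=ol
#match=successfully
#match=P
#match=for
#match=System,
#match=er
#match=502
#match=Microsoft-Windows-GroupPolicy
#match=put
#match=ing
#match=ed
#match=st
#match=ess
#match=ion
#match=ss
#match=150
#match=successful
#match=Group
#match=su
#match=success
#regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
#log=event:Windows-Group_Policy_Settings_Processed sensor:$1 srcip:$2 type:system event2:WindowsEvent-1502
NEXT

# NOTE(review): event 7040 (a service start type switched between demand and auto) is a
# common persistence indicator; consider whether type:system gives it enough visibility.
id=31540
name=This Windows system event log indicated a service was changed.
match=st
match=sta
match=nformation
match=Service Control Manager
match=art
match=IP
match=service was changed
match=System
match=Information,
match=demand
match=auto
match=start
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Service_Changed sensor:$1 srcip:$2 type:system event2:WindowsEvent-7040
NEXT

id=31541
name=This Windows system event log indicated the a service entered the running state.
match=ent
match=st
match=sta
match=nformation
match=ate
match=Service Control Manager
match=,Service Control Manager,
match=in
match=ic
match=System
match=tem
match=IP
match=Information
match=System,
match=ol
match=ser
match=P
match=ont
match=,Information,
match=Information,
match=er
match=for
match=ing
match=ed
match=ystem
match=ce
match=at
match=ion
match=entered the running state.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Service_Entered_Running_State sensor:$1 srcip:$2 type:system
NEXT

# NOTE(review): nothing in match= restricts this rule to VeeamVssSupport; it fires on any
# SCM "successfully sent a start control" line, which is what the event name reflects.
# The name= text is narrower than the rule.
id=31542
name=This Windows system event log indicated the VeeamVssSupport message.
match=ent
match=successfully
match=st
match=sta
match=nformation
match=Service Control Manager
match=art
match=,Service Control Manager,
match=ic
match=System
match=tem
match=IP
match=su
match=Information
match=System,
match=ol
match=ser
match=P
match=ont
match=,Information,
match=ess
match=ss
match=success
match=Information,
match=er
match=for
match=ystem
match=ce
match=at
match=successful
match=succ
match=ar
match=ion
match=successfully sent a start control.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Service_Start_Control sensor:$1 srcip:$2 type:system
NEXT

id=31543
name=This Windows system event log indicated that RSM(Removeable Storage Module) was stopped.
match=le
match=RSM was stopped
match=st
match=nformation
match=ic
match=System
match=tem
match=IP
match=Information
match=System,
match=P
match=Removable Storage Service
match=pp
match=,Information,
match=Information,
match=er
match=for
match=ed
match=ystem
match=ce
match=at
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-RSM_Stopped sensor:$1 srcip:$2 type:system event2:WindowsEvent-98
NEXT

id=31544
name=This Windows system event log indicated that the WinHTTP Web Proxy Auto-Discovery Service is idle, and will be shut down.
match=st
match=nformation
match=ut
match=ic
match=System
match=tem
match=IP
match=WinHttpAutoProxySvc
match=Information
match=System,
match=P
match=,Information,
match=will be shut down
match=Information,
match=er
match=for
match=ystem
match=ce
match=TP
match=at
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinHttpAutoProxySvc_Shutting_Down sensor:$1 srcip:$2 type:system event2:WindowsEvent-12503
NEXT

id=31545
name=This Windows system event log indicated that the WinHTTP Web Proxy Auto-Discovery Service suspended operation.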
match=st match=suspended operation match=nformation match=ut match=in match=ic match=System match=tem match=IP match=WinHttpAutoProxySvc match=su match=Information match=System, match=P match=,Information, match=Information, match=er match=for match=ed match=ystem match=ce match=TP match=at match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WinHttpAutoProxySvc_Suspended sensor:$1 srcip:$2 type:system event2:WindowsEvent-12517 NEXT id=31546 name=This Windows system event has reported the system uptime. match=st match=nformation match=System match=tem match=IP match=Information match=System, match=P match=,Information, match=Information, match=for match=ystem match=The system uptime regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-System_Uptime sensor:$1 srcip:$2 type:system event2:WindowsEvent-6013 NEXT id=31547 name=This Windows system event has reported the browser service has failed to retrieve the backup list too many times on transport. match=st match=System match=tem match=IP match=System, match=P match=Error match=ystem match=rr match=The browser service has failed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Browser_Service_Failed sensor:$1 srcip:$2 type:error event2:WindowsEvent-8032 NEXT id=31548 name=This Windows service entered the stopped state. match=Service match=Control match=Manager match=Service Control Manager match=st match=nformation match=System match=tem match=IP match=System, match=P match=ystem match=entered the stopped state. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Service_Entered_Stopped_State sensor:$1 srcip:$2 type:system NEXT id=31549 name=This Windows TermService had a terminal server receive a large number of incomplete connections. The system may be under attack. 
match=rm match=vi match=TermService match=Error match=rr match=System match=tem match=IP match=System, match=P match=ystem match=incomplete match=comp match=connections match=nn match=The system may be under attack. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-TermService_Error sensor:$1 srcip:$2 type:error event2:WindowsEvent-1006 NEXT id=31550 name=This Windows Srv server received an incorrectly formatted request. match=rr match=Error match=server match=rv match=received match=ei match=in match=formatted match=tt match=The server received an incorrectly formatted request from regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*\\([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Srv_Error sensor:$1 srcip:$2 dstip:$3 type:error event2:WindowsEvent-2006 NEXT id=31551 name=This Windows Service Control Manager service is waiting for a transaction response. match=System match=Service Control Manager match=Service match=vi match=ontrol match=ol match=Manager match=Error match=ag match=Timeout regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Timeout log=event:Windows-Service_Timeout sensor:$1 srcip:$2 type:system NEXT id=31552 name=This Windows Service Control Manager service was sent a stop control. match=System match=Service Control Manager match=Service match=vi match=ontrol match=ol match=Manager match=ag match=sent a stop control. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Service_Sent_Stop_Control sensor:$1 srcip:$2 type:system NEXT id=31553 name=This Windows system event log indicates a service was installed in the system. match=st match=sta match=nformation match=Service Control Manager match=,Service Control Manager, match=System match=tem match=IP match=Information match=System, match=,Information, match=Information, match=ystem match=A service was installed in the system. 
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Service_Installed sensor:$1 srcip:$2 type:system NEXT id=31554 name=This Windows system event log indicates the application has shutdown due to timeout limit reached. match=st match=nformation match=System match=Microsoft-Windows-WAS match=tem match=IP match=Information match=System, match=,Information, match=Information, match=ystem match=was shutdown due to inactivity regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Application_Timeout_Limit_Reached sensor:$1 srcip:$2 type:system event2:WindowsEvent-5186 NEXT id=31555 name=This Windows system event log indicates a PowerPoint document was deleted. match=ent match=st match=nformation match=System match=tem match=IP match=Information match=System, match=,Information, match=Information, match=ystem match=PowerPoint match=was deleted on regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-PowerPoint_Document_Deleted sensor:$1 srcip:$2 type:system NEXT id=31556 name=This Windows system event log indicates that the browser service was unable to retrieve a list of servers from the browser master. This event may be caused by a temporary loss of network connectivity. If this message appears again, verify that the server is still connected to the network. match=tem match=System, match=,Warning, match=,BROWSER, match=SE match=ER match=un match=ret match=lis match=as match=server match=ser match=,The browser service was unable to retrieve a list of servers from the browser master regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Browser_Failed_To_Retrieve_Servers type:system sensor:$1 dstip:$2 NEXT id=31557 name=This Windows system event log indicates a Popup message. 
match=up match=System, match=Popup match=ed match=tion match=Application regex=Application Popup.*,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Popup_Messages type:system sensor:$1 dstip:$2 NEXT id=31558 name=This Windows system event log indicates the Microsoft Windows DistributedCOM had errors. match=System, match=ys match=rr match=Err match=Error match=ed match=Windows match=Microsoft match=COM match=Microsoft-Windows-DistributedCOM regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-DistributedCOM_Errors type:error sensor:$1 dstip:$2 NEXT id=31559 name=This Windows system event log indicates a document was deleted. match=System, match=ys match=Info match=Doc match=own match=ed match=by match=was match=deleted regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Document_Deleted type:system sensor:$1 dstip:$2 NEXT id=31560 name=This Windows system event log indicates a user Logoff notification for customer Experience Improvement Program. match=System, match=ys match=Info match=Win match=log match=on match=Use match=er match=Noti match=cat match=User Logoff Notification for Customer Experience Improvement Program regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Logoff_Notification type:system sensor:$1 dstip:$2 event2:WindowsEvent-7002 #NEXT #id=31561 #name=This Windows system event log indicates the Microsoft Software Shadow Copy Provider service was successfully sent a start control. #example=System,04/13/2012,11:42:01 AM,Service Control Manager,7035,Information,None,N/A,NEIMAI7Z,IP:192.168.1.2,7035,The Microsoft Software Shadow Copy Provider service was successfully sent a start control. 
#match=System, #match=ys #match=Info #match=Sha #match=dow #match=Co #match=ser #match=vi #match=ss #match=en #match=ar #match=co #match=Shadow Copy Provider service was successfully sent a start control #regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) #log=event:Windows-Shadow_Copy_Start type:system sensor:$1 dstip:$2 event2:WindowsEvent-7035 NEXT id=31562 name=This Windows system event log indicates an authentication request failed. match=System, match=ys match=LSASRV match=Wa match=rn match=ing match=Sec match=ur match=ty match=has match=re match=ei match=ve match=authentication request that could not be match=uth match=req match=decoded regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Authentication_Request_Failed type:system sensor:$1 dstip:$2 event2:WindowsEvent-40968 NEXT id=31563 name=This Windows system event log indicates it detected a network adapter was connected to the network and has initiated normal operation. match=System, match=Information, match=Info match=ys match=tem match=cp match=Tcpip match=,Tcpip, match=has match=init match=oper match=net match=work match=ter match= has initiated normal operation regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Tcpip_Network_Adapter_Normal type:system sensor:$1 dstip:$2 NEXT id=31564 name=This Windows systen event indicates that a printer could not be restored. match=tem match=System, match=ar match=arn match=ing match=,Warning, match=er match=printer could not be restored regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Printer_Not_Restored sensor:$1 srcip:$2 type:system NEXT id=31565 name=This Windows systen event indicates that a device name list is invalid. 
match=tem match=System, match=Info match=Information match=list match=invalid match=is match=name match=This device name list is invalid regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Device_Name_List_Invalid sensor:$1 srcip:$2 type:system NEXT id=31566 name=The Windows system attempted to start a DCOM Server but had an error starting the command. match=tem match=System, match=,DCOM, match=ing match=Happened while starting this command: match=pp regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-DCOM_Error_Starting_Command sensor:$1 srcip:$2 type:access-denied NEXT id=31567 name=The Windows system Server Administrator noticed a power supply detected failure. match=tem match=System, match=Server match=Admin match=Power supply detected a failure match=failure regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Power_Supply_Failure sensor:$1 srcip:$2 type:system NEXT id=31568 name=The Windows system Server Administrator noticed a fan sensor detected a failure. match=tem match=System, match=Server match=Admin match=Fan sensor detected a failure match=failure regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Fan_Failure sensor:$1 srcip:$2 type:error NEXT id=31569 name=The Windows system TerminalServices Licensing issued a warning notice. match=tem match=System, match=TerminalService match=Warn match=ing match=Microsoft-Windows-TerminalServices-Licensing match=server match=is match=Windows regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-License_Warning sensor:$1 srcip:$2 type:system NEXT id=31570 name=The Windows system TerminalServices Licensing noticed a certificate has expired. match=tem match=System, match=TerminalService match=Warn match=ing match=Licensing certificates has expired. 
match=certificate match=Windows match=has regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-License_Certificate_Expired sensor:$1 srcip:$2 type:system NEXT id=31571 name=The Windows system Service Control Manager Remote Scheduler Service failed to start. match=tem match=System, match=Error match=rr match=in match=Service Control Manager match=failed match=to match=start match=service match=ser match=ed match=Remote Scheduler Service service failed to start regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Remote_Scheduler_Failed sensor:$1 srcip:$2 type:error NEXT id=31572 name=The Windows system has noticed that reedundancy is lost. match=tem match=System, match=Warning match=ing match=in match=Server match=Admin match=to match=ed match=st match=it match=,Redundancy lost Redundancy unit: regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Redundancy_Lost sensor:$1 srcip:$2 type:system #NEXT #id=31573 #name=The Windows system has generated a Schannel fatal alert. #example=System,05/21/2012,11:17:16 AM,Schannel,36888,Error,N/A,None,N/A,NEIMAI8Z.nei.nih.gov,IP:192.168.1.2,36888,The following fatal alert was generated: 10. The internal error state is 1203. #match=tem #match=System, #match=Error #match=Err #match=ed #match=error #match=fatal #match=alert #match=was #match=gen #match=ing #match=Schannel #match=The following fatal alert was generated #regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), #log=event:Windows-Schannel_Fatal_Alert sensor:$1 srcip:$2 type:error NEXT id=31574 name=The Windows forefront client completed a security state assessment scan. 
match=sess match=FcsSas match=System match=tem match=ul match=Information match=an match=succ match=as match=,Information, match=nformation match=io match=sca match=In match=comp match=se match=at match=form match=le match=ecu match=on match=cc match=ent match=tion match=A security state assessment scan completed successfully regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Forefront_Assessment_Completed sensor:$1 srcip:$2 type:system NEXT id=31575 name=The Windows forefront client completed a malware signature update. match=FcsMs match=wa match=System match=tem match=Information match=an match=,Information, match=nformation match=io match=In match=at match=form match=on match=ersion match=tion match=fo match=te match=de match=ver match=re match=al match=nt match=ew match=or match=ar match=in regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Forefront_Signatures_Reloaded sensor:$1 srcip:$2 type:system NEXT id=31576 name=The Windows computer failed to authenticate, access denied. match=System match=tem match=Error match=rr match=fail match=ed match=authenticate match=auth match=The session setup match=failed to authenticate. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Sesssion_Failed_To_Authenticate sensor:$1 srcip:$2 type:access-denied NEXT id=31577 name=The Windows computer had numerous connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. match=System match=tem match=Warning match=ing match=NETLOGON match=client match=IP match=address match=IP addresses don't map to any of the existing sites regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),5807 log=event:Windows-IP_Addresses_Dont_Map sensor:$1 srcip:$2 type:system NEXT id=31578 name=The Windows computer session failed because the security database does not contain a trust account. 
match=System match=tem match=Error match=rr match=NETLOGON match=fail match=ed match=IP match=account match=he match=doe match=no match=failed because the security database does not contain a trust account regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),5723 log=event:Windows-No_Trust_Account sensor:$1 srcip:$2 type:error NEXT id=31579 name=The Windows computer session has recorded a print spooler message. match=System match=tem match=Microsoft match=Print match=Windows match=oo match=er match=Spooler match=Microsoft-Windows-PrintSpooler regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-PrintSpooler sensor:$1 srcip:$2 type:system NEXT id=31580 name=The Windows computer has reported that a service has terminated with an error. match=System match=tem match=Error match=Service Control Manager match=Service match=terminated match=rv match=service-specific regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Service_Terminated_Specific sensor:$1 srcip:$2 type:error event2:WindowsEvent-7024 NEXT id=31581 name=The Windows computer session has recorded that DCOM has started a service. match=System match=tem match=Info match=Information match=DCOM started the service match=ed match=service match=start regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-DCOM_Started_Service sensor:$1 srcip:$2 type:system NEXT id=31582 name=The Windows computer session has recorded that the windows DHCP client service has stopped. match=System match=tem match=Info match=Information match=DHCP match=Client match=Microsoft-Windows-Dhcp-Client match=service match=stopped regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-DHCP_Client_Service_Stopped sensor:$1 srcip:$2 type:system NEXT id=31583 name=The Windows computer session has recorded that the windows event log service has stopped. 
match=System match=tem match=Info match=Information match=Event match=log match=service match=stopped match=The Event log service was stopped regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Event_log_Stopped sensor:$1 srcip:$2 type:system NEXT id=31584 name=The Windows Server encountered a network error. match=System match=tem match=Warn match=ing match=,srv, match=the server encountered a network error. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Network_Error sensor:$1 srcip:$2 type:system NEXT id=31585 name=The Windows system has indicated the system time has changed. match=tem match=System, match=indo match=Time match=,Microsoft-Windows-Kernel-General match=Info match=Information match=The system time has changed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Time_Changed sensor:$1 srcip:$2 type:system NEXT id=31586 name=The Windows system has noticed that the service table is full. match=tem match=System, match=in match=Info match=Information match=Server match=Admin match=to match=st match=The service table is full. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Service_Table_Full sensor:$1 srcip:$2 type:system NEXT id=31587 name=The Windows system has noticed that the service database is locked. match=tem match=System, match=in match=Info match=Information match=Server match=Admin match=to match=st match=ed match=The service database is locked. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Service_Database_Locked sensor:$1 srcip:$2 type:system NEXT id=31588 name=The Windows system has noticed that the password has expired or someone attempted to change it. 
match=tem match=System, match=in match=Info match=Information match=Server match=Admin match=to match=st match=The password of this user regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Password_Expired_Attempted_Change sensor:$1 srcip:$2 type:system NEXT id=31589 name=The Windows system failed to apply the settings. match=tem match=System, match=ol match=indo match=Microsoft-Windows-GroupPolicy match=ion match=ing match=ed match=failed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Failed_To_Apply_Settings sensor:$1 srcip:$2 type:error NEXT id=31590 name=The Windows system has deleted a shadow copy to keep disk storage below defined user limit. match=tem match=System, match=volsnap match=Info match=Information match=ion match=ed match=was deleted to keep disk space usage for shadow copies regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Shadow_Copy_Deleted sensor:$1 srcip:$2 type:system NEXT id=31591 name=The Windows system has requested a worker process recycle. match=tem match=System, match=Info match=Information match=has requested a recycle because regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Worker_Process_Requested_Recycle sensor:$1 srcip:$2 type:system NEXT id=31592 name=The Windows system WinRM failed to create Service Principle Names. match=tem match=System, match=Warn match=ing match=Warning match=WinRM match=SPNs match=ed match=failed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-WinRM_Failed_To_Create_SPNs sensor:$1 srcip:$2 type:system NEXT id=31593 name=This Windows service VMware VirtualCenter Server service failed to start due to logon error. match=Service match=Control match=Manager match=Service Control Manager match=System match=tem match=IP match=System, match=P match=ystem match=Error match=rr match=The service did not start due to a logon failure. 
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-VirtualCenter_Server_Logon_Failure sensor:$1 srcip:$2 type:login-failure NEXT id=31594 name=Windows iScsiPrt error. match=System match=tem match=IP match=System, match=P match=ystem match=Error match=rr match=iScsiPrt regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-iScsiPrt_Error sensor:$1 srcip:$2 type:error NEXT id=31595 name=Windows mfehidk warning issued. match=System match=tem match=IP match=System, match=P match=ystem match=Warning match=ing match=mfehidk regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Mfehidk_Warning sensor:$1 srcip:$2 type:application NEXT id=31596 name=The Windows system RemoteAccess user connection statistics. match=ent match=user match=System match=tem match=IP match=20272 match=Info match=Information match=System, match=ser match=ect match=ed match=The user was active for regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),20272,.* The user (?:[^\ ]+\\)?([^ ]+) connected on port log=event:Windows-User_Connection_Stats sensor:$1 srcip:$2 user:$3 type:connection event2:WindowsEvent-20272 NEXT id=31597 name=The Windows system RemoteAccess user has connected and has been successfully authenticated. match=ent match=user match=System match=tem match=IP match=20266 match=Info match=Information match=System, match=ser match=ect match=ed match=has connected and has been successfully authenticated regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),20266,.* The user (?:[^\ ]+\\)?([^ ]+) has connected log=event:Windows-User_Authenticated sensor:$1 srcip:$2 user:$3 type:login event2:WindowsEvent-20266 NEXT id=31598 name=The Windows system RemoteAccess user has connected and has been assigned an address. 
match=user match=System match=tem match=IP match=20274 match=Info match=Information match=System, match=ser match=ect match=ed match=has been assigned address regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),20274,.* The user (?:[^\ ]+\\)?([^ ]+) connected on.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-User_Assigned_Address sensor:$1 srcip:$2 user:$3 dstip:$4 type:login event2:WindowsEvent-20274 NEXT id=31599 name=The Windows system Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. match=System match=tem match=IP match=7001 match=Error match=rr match=System, match=ed match=Telephony service which failed to start regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),7001 log=event:Windows-Telephony_Failed sensor:$1 srcip:$2 type:error event2:WindowsEvent-7001 NEXT id=31600 name=The Windows system WINS pulled records from a WINS while doing Pull replication or verification. match=System match=tem match=IP match=4141 match=Information match=Info match=System, match=ed match=WINS pulled records from a WINS while doing regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),4141 log=event:Windows-Pull_Replication_Verification sensor:$1 srcip:$2 type:system event2:WindowsEvent-4141 NEXT id=31601 name=The Windows system WINS Pull thread encountered an error during the process of sending a push notification to another WINS. match=System match=tem match=IP match=4243 match=Error match=rr match=System, match=ed match=WINS Pull thread encountered an error during the process of sending a push regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),4243 log=event:Windows-Wins_Pull_Error sensor:$1 srcip:$2 type:error event2:WindowsEvent-4243 NEXT id=31602 name=The Windows system WINS performed a consistency check on the records. 
match=System match=tem match=IP match=,41 match=Info match=Information match=System, match=ed match=WINS match=consistency check on the records regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),41 log=event:Windows-Wins_Consistency_Check sensor:$1 srcip:$2 type:system NEXT id=31603 name=The Windows system connection was aborted by the remote WINS. Remote WINS may not be configured to replicate with the server. match=System match=tem match=IP match=4102 match=Error match=rr match=System, match=ed match=WINS match=The connection was aborted by the remote WINS. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),4102 log=event:Windows-Wins_Connection_Aborted sensor:$1 srcip:$2 type:error event2:WindowsEvent-4102 NEXT id=31604 name=The Windows system WINS encountered an error while processing a push trigger or update notification. match=System match=tem match=IP match=4283 match=Error match=rr match=System, match=ed match=WINS match=WINS encountered an error while processing a push trigger or update regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),4283 log=event:Windows-Wins_Push_Error sensor:$1 srcip:$2 type:error event2:WindowsEvent-4283 NEXT id=31605 name=The Windows system WINS server has started a consistency check operation. match=System match=tem match=IP match=,433 match=Info match=Information match=System, match=ed match=WINS match=consistency check regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),433 log=event:Windows-Wins_Consistency_Started_Completed sensor:$1 srcip:$2 type:system NEXT id=31606 name=The Windows system had a process serving an application pool terminate unexpectedly or exceeded time limits. 
match=System match=tem match=IP match=,10 match=Warn match=ing match=Warning match=System, match=ed match=SVC match=A process serving application pool regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),10 log=event:Windows-Process_Terminated_Exceeded_Time sensor:$1 srcip:$2 type:system NEXT id=31607 name=This Windows system event log indicates a user was unable to login. match=tem match=System, match=ar match=arn match=ing match=,Warning, match=,MSFTPSVC, match=has timed-out regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User ([^\ ]{1,25}).*host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Logon_Timeout sensor:$1 srcip:$2 dstip:$4 type:login-failure NEXT id=31608 name=This Windows TermService had a remote session exceed the maximum allowed failed logon attempts. The session was forcibly terminated. match=rm match=vi match=TermService match=Info match=Information match=System match=tem match=IP match=System, match=P match=ystem match=ss match=Remote match=from match=client match=Remote session from client match=exceeded the maximum allowed failed logon attempts regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-TermService_Exceeded_Logon_Attempts sensor:$1 srcip:$2 type:login-failure NEXT id=31609 name=This Windows Virtual Disk Service had an unexpected failure. match=Virtual Disk Service match=Sys match=System match=Service match=IP match=System, match=P match=ystem match=Error match=rr match=Unexpected failure. match=fail match=failure regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Virtual_Disk_Service_Failure sensor:$1 srcip:$2 type:error NEXT # This is describing the rotation of a log that may contain Antimalware information, not a logging of detected malware id=31610 name=This Windows Antimalware has removed history of malware and other potentially unwanted software. 
match=Sys match=System match=IP match=System, match=P match=ystem match=Info match=Information match=Antimalware match=has removed history of malware and other potentially unwanted software match=ed match=removed match=and regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Removed_Malware sensor:$1 srcip:$2 type:system NEXT id=31611 name=The Windows Update Client failed to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection. match=tem match=System, match=System match=ent match=ate match=indo match=WindowsUpdateClient match=Windows match=Warning match=ing match=Windows is unable to connect to the automatic updates service match=is match=unable match=IP match=to match=nn match=connect regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-UpdateClient_Cannot_Connect_To_Service sensor:$1 srcip:$2 type:system event2:WindowsEvent-16 NEXT id=31612 name=The Windows system has reported a USB driver error. match=tem match=System, match=System match=er match=Driver match=rr match=Error match=Usb match=IP match=WudfUsbccidDriver regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-USB_Driver_Error sensor:$1 srcip:$2 type:error NEXT id=31613 name=The Windows system has reported driver management has concluded the process to add or install a service. match=tem match=System, match=System match=er match=Driver match=Info match=Information match=IP match=ed match=ss match=process match=concluded the process to regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Driver_Service sensor:$1 srcip:$2 type:system NEXT id=31614 name=The Windows system has reported driver management concluded the process to install a driver file. 
match=tem match=System, match=System match=er match=Driver match=Info match=Information match=usb match=IP match=ed match=ss match=process match=install match=Driver Management concluded the process to install driver File regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Install_Driver_File sensor:$1 srcip:$2 type:system NEXT id=31615 name=The Windows system has reported none of the sources are currently accessible to update the system time. match=tem match=System, match=System match=W32Time match=rr match=Error match=of match=the match=ss match=none of the sources are currently accessible regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Time_Error sensor:$1 srcip:$2 type:error NEXT id=31616 name=The Windows system has reported no valid response has been received from the domain controller. match=tem match=System, match=System match=W32Time match=Warn match=ing match=has match=been match=ed match=received match=No valid response has been received regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Time_No_Valid_Response_Received sensor:$1 srcip:$2 type:system NEXT id=31617 name=The Windows system has reported a logon cache entry for user. match=tem match=System, match=System match=LsaSrv match=Info match=Information match=Logon match=Cache match=A logon cache entry for user match=user match=for regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Logon_Cache_Entry sensor:$1 srcip:$2 type:login NEXT id=31618 name=The Windows system has reported an error was detected on device. match=tem match=System, match=System match=Disk match=Warning match=ing match=rr match=error match=ed match=on match=device match=An error was detected on device regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Disk_Error sensor:$1 srcip:$2 type:error NEXT id=31619 name=The Windows system has reported the TPM Base Services service which failed to start. 
match=tem match=System, match=System match=Control match=Manager match=rr match=Error match=ed match=failed match=start match=TPM Base Services service which failed to start regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-TPM_Failed sensor:$1 srcip:$2 type:error NEXT id=31620 name=The Windows system has reported the TPM Security Device cannot be found on this computer. match=tem match=System, match=System match=TBS match=Device match=Info match=Information match=nn match=cannot match=Security Device cannot be found on this computer match=computer regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-TPM_Security_Device_Not_Found sensor:$1 srcip:$2 type:system NEXT id=31621 name=The Windows system has reported a smartcard reader message. match=tem match=System, match=System match=Info match=Information match=Smartcard match=reader match=Smartcard reader reported the following match=ed match=reported regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Smartcard_Reader_Message sensor:$1 srcip:$2 type:system NEXT id=31622 name=The Windows system has reported the File System Filter has successfully loaded and registered with Filter Manager. match=tem match=System, match=System match=Info match=Information match=FilterManager match=has successfully loaded and registered with Filter Manager. match=has match=cc match=ss match=ll match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-System_Filter_Loaded_Registered sensor:$1 srcip:$2 type:system NEXT id=31623 name=The Windows system has reported the Program Compatibility Assistant service successfully started or initialized. 
match=tem match=System, match=System match=Info match=Information match=successfully match=The Program Compatibility Assistant service match=cc match=ss match=ll match=Assistant regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Compatibility_Assistant_Service sensor:$1 srcip:$2 type:system NEXT id=31624 name=The Windows system has indicated there was a windows kernel error. match=tem match=System, match=indo match=Error match=,Microsoft-Windows-Kernel-General match=rr match=Windows match=Kernel regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Kernel_Error sensor:$1 srcip:$2 type:error NEXT id=31625 name=The Windows system has indicated there was a Network Connection Link established. match=tem match=System, match=e1yexpress match=Info match=Information match=tion match=Network Connection Link has been established match=ed match=nn regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Connection_Link_Established sensor:$1 srcip:$2 type:connection NEXT id=31626 name=The Windows system has indicated there was a Network Connection Link disconnected. match=tem match=System, match=e1yexpress match=Warning match=ing match=tion match=Network Connection Link has been disconnected match=ed match=nn regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Connection_Link_Disconnected sensor:$1 srcip:$2 type:connection NEXT id=31627 name=The Windows system time service has not synchronized the system time. match=tem match=System, match=Warning match=Time-Service match=ing match=ce match=time service has not synchronized regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Time_Not_Synchronizing sensor:$1 srcip:$2 type:system NEXT id=31628 name=The Windows system time service NtpClient was unable to set a domain peer. 
match=tem match=System, match=Warning match=Time-Service match=ing match=ce match=NtpClient was unable to set a domain peer regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Time_Unable_To_Set_Domain_Peer sensor:$1 srcip:$2 type:system NEXT id=31629 name=This Windows Antimalware service is running and in a healthy state. match=Micro match=Microsoft match=System match=Sys match=tem match=A match=Information match=nfo match=,Information, match=nformation match=In match=of match=at match=form match=cr match=tion match=Anti match=fo match=150 match=al match=Antimalware match=ystem match=Information, match=Microsoft Antimalware,1150, match=for match=ma match=System, match=st match=ys match=Info match=ion match=rm regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-AntiMalware_Running sensor:$1 srcip:$2 type:system NEXT id=31630 name=The Windows Defender signature set was updated. match=Micro match=Window match=Microsoft match=la match=No match=System match=Sys match=tem match=Information match=nfo match=None match=as match=,Information, match=nformation match=pda match=io match=In match=of match=at match=form match=Windows match=has match= signature version has been updated. match=,Windows match=ate match=en match=na match=,Windows match=ystem match=Information, match=IP match=P match=updated match=been match=,2000,Information, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Defender_Running sensor:$1 srcip:$2 type:system NEXT id=31631 name=Windows has installed or updateed some of the of device drivers. 
match=Micro match=Window match=Microsoft match=la match=System match=Sys match=tem match=Information match=nfo match=,Information, match=nformation match=pda match=io match=In match=of match=at match=form match=Windows match=Installation or update of device drivers match=ate match=en match=na match=ystem match=Information, match=IP match=P match=update match=device match=ll match=tion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Drivers_Installed_Or_Upgraded sensor:$1 srcip:$2 type:system NEXT id=31632 name=Windows has recorded a users failed attempt to restart or shutdown a computer. match=USER32 match=Warning match=ing match=Warn match=tt match=attempt match=Sys match=tem match=ystem match=IP match=P match=by match=user match=ed match=failed match=The attempt by user match=to restart/shutdown computer match=ter match=comp match=own match=shut match=start regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* by user (?:[^\ ]+\\)?([^ ]+) log=event:Windows-User_Attempted_Restart_Shutdown sensor:$1 srcip:$2 type:system NEXT id=31633 name=This Windows Antimalware has updated its signatures. match=Micro match=Microsoft match=System match=Sys match=tem match=A match=Information match=nfo match=,Information, match=nformation match=In match=of match=at match=form match=cr match=tion match=Anti match=fo match=al match=Antimalware match=ystem match=Information, match=Microsoft Antimalware,2000, match=for match=ma match=System, match=st match=ys match=Info match=ion match=rm regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-AntiMalware_Signature_Update sensor:$1 srcip:$2 type:system NEXT id=31634 name=This Windows Virtual Disk Service has either started or stopped. 
match=Virtual Disk Service match=Sys match=System match=Service match=IP match=System, match=P match=ystem match=st match=ed match=Info match=tion match=Information regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*,Service log=event:Windows-Virtual_Disk_Service_Start_Stop sensor:$1 srcip:$2 type:application NEXT id=31635 name=This Windows Server Administrator storage service. match=,Server Administrator match=Sys match=System match=Service match=IP match=System, match=P match=ystem match=Storage Service match=,Storage Service, match=ice match=Stor match=isk regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Server_Administrator_Storage_Service sensor:$1 srcip:$2 type:system NEXT id=31636 name=This Windows iScsiPrt initiator successfully reconnected to the target, after a connection was lost. match=cc match=ll match=Sys match=System match=iScsiPrt match=IP match=System, match=P match=ystem match=Scsi match=nn match=ed match=nitiator successfully reconnected match=,iScsiPrt, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-iScsiPrt_Reconnected sensor:$1 srcip:$2 type:system NEXT id=31637 name=This Windows iScsiPrt initiator received an asynchronous logout message. match=Sys match=System match=iScsiPrt match=IP match=System, match=P match=ystem match=sync match=logout match=ed match=ss match=,iScsiPrt, match=Initiator received an asynchronous logout message regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-iScsiPrt_Logout_Message sensor:$1 srcip:$2 type:logout NEXT id=31638 name=The Windows system has locked an account due too many invalid logon attempts or password change attempts have been requested. 
match=tem match=System, match=ent match=ail match=est match=ecu match=ion match=too match=ll match=ed match=ty match=The user account has been automatically locked because too many invalid logon attempts or password regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+) log=event:Windows-User_Account_Locked sensor:$1 srcip:$2 srcport:$3 type:login-failure NEXT id=31639 name=The Windows system has brought up an adapter. match=tem match=System, match=Info match=tion match=Information match=Iphlpsvc match=ion match=has match=ee match=up match=has been brought up regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+) log=event:Windows-Adapter_Brought_Up sensor:$1 srcip:$2 srcport:$3 type:system NEXT id=31640 name=The Windows system WinRM is listening for WS-Management requests. match=tem match=System, match=Info match=tion match=Information match=WinRM match=ing match=is match=service match=The WinRM service is listening regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-WinRM_Is_Listening sensor:$1 srcip:$2 type:system NEXT id=31641 name=This Windows system has reported Tcpip failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint. match=tem match=System, match=ar match=arn match=ing match=,Warning, match=cp match=,Tcpip, match=TCP/IP failed to establish an outgoing connection regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Tcpip_Failed_Outgoing_Connection sensor:$1 srcip:$2 type:system NEXT id=31642 name=This Windows system has reported the Patrol Read has started or stopped. 
match=tem match=System, match=er match=Server match=Admin match=Administrator match=Storage match=Service match=ice match=The Patrol Read has s regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Patrol_Read_Started_Stopped sensor:$1 srcip:$2 type:system NEXT id=31643 name=This Windows system has reported the CommVault Client Event Manger service has changed. match=tem match=System, match=Service match=ice match=Control match=Manager match=er match=Info match=tion match=CommVault match=ed match=changed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-CommVault_Service_Changed sensor:$1 srcip:$2 type:system NEXT id=31644 name=This Windows system has reported that valid time data is currently being received. match=tem match=System, match=Service match=ice match=Windows match=Time match=Service match=NtpClient match=ing match=valid match=time match=data regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Currently_Receiving_Valid_Time_Data sensor:$1 srcip:$2 type:system NEXT id=31645 name=This Windows system has reported a SideBySide error. match=tem match=System, match=SideBySide match=rr match=or match=Error regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SideBySide_Error sensor:$1 srcip:$2 type:error NEXT id=31646 name=This Windows system has reported DnsApi warning of a system which failed to register the host. match=tem match=System, match=Warn match=ing match=DnsApi match=ed match=to match=system match=The system failed to register host regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-DnsApi_Failed_To_Register_Host sensor:$1 srcip:$2 type:system NEXT id=31647 name=This Windows system has reported on Windows servicing. 
match=tem match=System, match=Microsoft-Windows-Servicing,43 match=ing match=Micro match=soft match=Windows match=Ser match=43 match=Servicing regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Servicing_Messages sensor:$1 srcip:$2 type:system NEXT id=31648 name=This Windows system has reported it is unable to write to a log. match=tem match=System, match=Microsoft-Windows-HttpEvent match=Unable match=Micro match=soft match=Windows match=to match=log match=Unable to write to the log file regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-HttpEvent_Unable_To_Write_To_Log sensor:$1 srcip:$2 type:system NEXT id=31649 name=This Windows system has reported a power supply returned to normal. match=tem match=System, match=Info match=Information match=Server Administrator match=Power supply returned to normal match=pp match=ly match=ed match=to regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Power_Supply_Returned_To_Normal sensor:$1 srcip:$2 type:system NEXT id=31650 name=This Windows system has reported redundancy regained redundancy unit. match=tem match=System, match=Info match=Information match=Server Administrator match=Redundancy regained Redundancy unit match=ed match=re match=unit match=cy regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Redundancy_Regained sensor:$1 srcip:$2 type:system NEXT id=31651 name=This Windows system has reported this computer was not able to set up a secure session with a domain controller. match=tem match=System, match=rr match=Error match=NETLOGON match=computer was not able to set up a secure session match=er match=able match=ss match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-NETLOGON_Unable_To_Connect_Domain sensor:$1 srcip:$2 type:error NEXT id=31652 name=This Windows system has reported this computer was not able to connect to the automatic updates service. 
match=tem match=System, match=rr match=Error match=Windows Update Agent match=unable to connect to the automatic updates service match=ice match=nn match=to match=un match=the regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Update_Agent_Unable_To_Connect sensor:$1 srcip:$2 type:error NEXT id=31653 name=This Windows system has reported this computer Antimalware configuration has changed. match=tem match=System, match=Info match=Information match=Microsoft Antimalware match=Configuration has changed match=tion match=ed match=Config match=changed match=Anti match=soft regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Antimalware_Configuration_Change sensor:$1 srcip:$2 type:system NEXT id=31654 name=This Windows system has reported this computer Antimalware scan has started. match=tem match=System, match=Info match=Information match=Microsoft Antimalware match=scan has started match=scan match=ed match=has match=started match=Anti match=soft regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Antimalware_Scan_Started sensor:$1 srcip:$2 type:application NEXT id=31655 name=This Windows system has reported this computer Antimalware scan has finished. match=tem match=System, match=Info match=Information match=Microsoft Antimalware match=scan has finished match=scan match=ed match=has match=finished match=Anti match=soft regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Antimalware_Scan_Finished sensor:$1 srcip:$2 type:application NEXT id=31656 name=This Windows system has reported this computer Antimalware engine version has been updated. 
match=tem match=System, match=Info match=Information match=Microsoft Antimalware match=engine version has been updated match=ine match=ed match=has match=ee match=ion match=updated regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Antimalware_Version_Updated sensor:$1 srcip:$2 type:application NEXT id=31657 name=This Windows system has reported that events originating from this service is publishing to the network. match=tem match=System, match=Info match=Information match=ResourcePublication match=service is publishing to the network match=ce match=ser match=is match=ing match=net match=rk match=pub match=to regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Service_Publishing_To_Network sensor:$1 srcip:$2 type:application NEXT id=31658 name=This Windows system has reported the IO operation at logical block address for a disk was retried. match=tem match=System, match=Warn match=ing match=IO operation at logical block match=ed match=retried match=re match=ck match=ion match=log match=cal match=op regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Possible_Bad_Block sensor:$1 srcip:$2 type:error NEXT id=31659 name=This Windows system has reported a crash dump initialization has failed. match=tem match=System, match=rr match=or match=Error match=Crash dump initialization failed match=ed match=ion match=init match=mp match=dump match=sh match=Crash regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Crash_Dump_Failed sensor:$1 srcip:$2 type:error NEXT id=31660 name=This Windows system has reported this system has rebooted without cleanly having shutdown first. 
match=tem match=System, match=Cri match=al match=rr match=Critical match=system has rebooted without cleanly match=system match=oo match=ed match=re match=ly regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Rebooted_Cleanly sensor:$1 srcip:$2 type:restart NEXT id=31661 name=This Windows system has reported this systems NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error. match=tem match=System, match=ing match=Warn match=Time-Service match=Time match=ice match=NtpClient was unable to set a manual peer match=Ntp match=un match=able match=ee regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-NtpCLient_Unable_To_Set_Peer sensor:$1 srcip:$2 type:system NEXT id=31662 name=This Windows system has reported this system could not be registered on the interface with current IP address. match=tem match=System, match=rr match=Error match=could not be registered on the interface match=ed match=int match=face match=be match=not match=reg match=is regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*IP address ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Unable_To_Register_Address sensor:$1 srcip:$2 dstip:$3 type:error NEXT id=31663 name=This Windows system has reported this system server could not bind to the transpor. match=tem match=System, match=rr match=Error match=The server could not bind to the transport match=er match=ser match=nd match=bin match=to match=he match=port regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Could_Not_Bind sensor:$1 srcip:$2 type:error NEXT id=31664 name=This Windows system has reported this system shadow copy was aborted because the shadow copy storage could not grow due to a user imposed limit. 
match=tem match=System, match=rr match=Error match=shadow copies of volume match=were aborted match=es match=ed match=me match=vol match=ow match=dow match=shadow regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Shadow_Copy_Aborted sensor:$1 srcip:$2 type:error NEXT id=31665 name=This Windows system has reported it cannot find a suitable certificate to use. match=tem match=System, match=ing match=Warning match=Kerberos-Key-Distribution-Center match=cannot find a suitable certificate to use match=nn match=os match=ion match=er match=Dist match=ate match=ot regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Unable_To_Find_Suitable_Certificate sensor:$1 srcip:$2 type:system NEXT id=31666 name=This Windows system Defender has detected changes. match=tem match=System, match=ing match=Warning match=Defender match=agent has detected changes match=er match=es match=ed match=has match=det match=cha match=Def regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Defender_Detected_Changes sensor:$1 srcip:$2 type:system NEXT id=31667 name=This Windows system Defender agent has taken action to protect this machine from spyware or other potentially unwanted software. match=tem match=System, match=Info match=ion match=Defender match=agent has taken action to protect this machine from spyware match=en match=ion match=tect match=agent match=spy match=are match=ine regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Defender_Action_Taken sensor:$1 srcip:$2 type:intrusion NEXT id=31668 name=This Windows system has no suitable default server credential on this system. 
match=tem match=System, match=ing match=Warn match=Schannel match=No suitable default server credential exists on this system match=No match=able match=ial match=cred match=er match=ser match=ist regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-No_Server_Credential sensor:$1 srcip:$2 type:system NEXT id=31669 name=This Windows system has been successfully joined the domain. match=tem match=System, match=ion match=Info match=This computer has been successfully joined to domain match=cc match=ss match=ll match=lly match=ed match=joi match=ain match=comp regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Joined_Domain sensor:$1 srcip:$2 type:system NEXT id=31670 name=This Windows system has reported some ATI driver information. match=tem match=System, match=ion match=Info match=amdkmdag match=DVD match=OV match=UVD regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-ATI_Driver_Message sensor:$1 srcip:$2 type:system NEXT id=31671 name=This Windows system event log indicates a process serving application exceeded time limits during shut down. match=st match=Warn match=ing match=System match=Microsoft-Windows-WAS match=tem match=IP match=System, match=ystem match=ed match=ee match=shut match=down match=exceeded time limits during shut down regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Application_Exceeded_Time_Limit_During_Shutdown sensor:$1 srcip:$2 type:system event2:WindowsEvent-5013 NEXT id=31672 name=The Windows system has reported one or more of the Plug and Play service's subsystems has changed state. 
match=tem match=System, match=System match=er match=UserPnp match=Info match=Information match=IP match=ed match=subsystems has changed state match=state match=sub match=as regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-UserPnp_Changed_State sensor:$1 srcip:$2 type:system NEXT id=31673 name=The Windows computer attempt to update the Active Directory failed. match=System match=tem match=Error match=rr match=fail match=ed match=Active Directory match=no more endpoints match=no match=end match=nts regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Update_Of_Active_Directory_Failed sensor:$1 srcip:$2 type:error NEXT id=31674 name=The Windows computer attempt a session setup to the Windows NT or Windows 2000 Domain Controller is not responsive. match=System match=tem match=Error match=rr match=is not responsive match=domain match=setup match=up match=ss match=ion match= has been cancelled match=ed match=ll regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Session_Setup_Not_Responsive sensor:$1 srcip:$2 type:error NEXT id=31675 name=The Windows computer DFS messages. match=System match=tem match=Info match=ion match=DfsSvc match=has match=DFS match=ed match=sh match=Svc regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-DFS_Messages sensor:$1 srcip:$2 type:system NEXT id=31676 name=The Windows computer time service has started advertising as a time source. match=System match=tem match=Info match=ion match=Time-Service match=started advertising match=time source match=ed match=ing match=time match=advert match=me match=rce match=start regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Time_Service_Advertising sensor:$1 srcip:$2 type:system NEXT id=31677 name=The Windows WINS Server could not initialize security to allow the read-only operations. 
match=System match=tem match=Error match=rr match=Wins match=WINS Server could not initialize security match=WINS match=not match=init match=ize match=ty match=sec match=ur match=er regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Wins_Could_Not_Initialize_Security sensor:$1 srcip:$2 type:error NEXT id=31678 name=The Windows WINS Server has initialized and is now fully operational. match=System match=tem match=Info match=ion match=Wins match=WINS initialized properly and is now fully operational match=WINS match=ed match=init match=ize match=ly match=ll match=oper match=al regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Wins_Now_Operational sensor:$1 srcip:$2 type:system NEXT id=31679 name=The Windows SNMP Service has started successfully. match=System match=tem match=Info match=ion match=SNMP match=SNMP Service has started successfully match=ice match=ed match=ss match=cc match=ll match=successfully regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-SNMP_Started sensor:$1 srcip:$2 type:system NEXT id=31680 name=The Windows Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. match=System match=tem match=Warn match=ing match=GroupPolicy match=cy match=Gro match=ings match=app match=ly match=un match=able match=Ext match=er match=Extension Folder Redirection was unable to apply one or more settings regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-GroupPoliy_Unable_To_Apply_Settings sensor:$1 srcip:$2 type:system NEXT id=31681 name=Windows was unable to write to the error log file. Disk may be full. 
match=System match=tem match=rror match=rr match=HttpEvent match=Unable to write to the error log file match=Un match=le match=wr match=log match=fi match=le regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-HttpEvent_Disk_Full sensor:$1 srcip:$2 type:system NEXT id=31682 name=Windows detected an IP address conflict. match=System match=wa match=wo match=ddr match=lt match=op match=vi match=Tcpip match=detected an address conflict regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Tcpip_Address_Conflict sensor:$1 srcip:$2 type:error event2:WindowsEvent-4199 NEXT id=31683 name=Windows interface isatap is no longer active. match=System match=Microsoft-Windows-Iphlpsvc match=,4201, match=Info match=ion match=Ip match=hl match=svc match=isa match=tap match=in match=act regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Isatap_No_Longer_Active sensor:$1 srcip:$2 type:system event2:WindowsEvent-4210 NEXT id=31684 name=Windows start type of the Windows Management Instrumentation service was changed. match=System match=Service Control Manager match=,7040, match=service was changed match=Info match=ion match=Ser match=ion match=ice match=Con match=Man match=ch match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Service_Changed sensor:$1 srcip:$2 type:system event2:WindowsEvent-7040 NEXT id=31685 name=This Windows system event log indicates that an update was downloaded. match=WindowsUpdateClient match=Info match=ion match=,Information, match=update was downloaded match=ate match=indo match=,Windows Update Agent, match=WindowsUpdateClient,41, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Update_Downloaded type:system sensor:$1 srcip:$2 event2:WindowsEvent-41 NEXT id=31686 name=The Windows system RemoteAccess user has connected and has been successfully authenticated. 
match=ent match=user match=System match=tem match=IP match=20142 match=Info match=Information match=System, match=ser match=ect match=ed match=has connected and has been successfully authenticated regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),20142,The user (?:[^\ ]+\\)?([^ ]+) has connected log=event:Windows-User_Authenticated sensor:$1 srcip:$2 user:$3 type:login event2:WindowsEvent-20142 NEXT id=31687 name=The Windows system RemoteAccess user has connected and has been assigned an address. match=user match=System match=tem match=IP match=20200 match=Info match=Information match=System, match=ser match=ect match=ed match=has been assigned address regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),20200,The user (?:[^\ ]+\\)?([^ ]+) connected on.* address ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-User_Assigned_Address sensor:$1 srcip:$2 user:$3 dstip:$4 type:login event2:WindowsEvent-20200 NEXT id=31688 name=The Windows system RemoteAccess user connection statistics. match=ent match=user match=System match=tem match=IP match=20194 match=Info match=Information match=System, match=ser match=ect match=ed match=The user was active for regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),20194,The user (?:[^\ ]+\\)?([^ ]+) connected on port log=event:Windows-User_Connection_Stats sensor:$1 srcip:$2 user:$3 type:connection event2:WindowsEvent-20194 NEXT id=31689 name=The Windows system RemoteAccess user disconnected. match=user match=System match=tem match=IP match=20201 match=Info match=Information match=System, match=ser match=ect match=ed match=has disconnected regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),20201,The user with ip address ([.\d]+) log=event:Windows-User_Disconnected sensor:$1 srcip:$2 dstip:$3 type:logout event2:WindowsEvent-20201 NEXT id=31690 name=This Windows system event has reported the browser has forced an election on the network because a master browser was stopped. 
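match=st
match=System
match=tem
match=IP
match=System,
match=P
match=Info
match=ystem
match=ion
match=master browser was stopped.
match=ma
match=ed
match=pp
match=br
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Master_Browser_Stopped sensor:$1 srcip:$2 type:system event2:WindowsEvent-8033
NEXT
# dstip:$3 is the parenthesised IPv4 address in the message body - presumably
# the directory server the NLA service tried to bind to; confirm on a sample.
id=31691
name=This Windows system event has reported LDAP authentication on interface failed with error.
match=Microsoft-Windows-NlaSvc,
match=Mi
match=ft
match=IP
match=Win
match=Error
match=rr
match=failed with error
match=fa
match=ed
match=th
match=or
match=LDAP
match=LD
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*\(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\)
log=event:Windows-LDAP_Authentication_Failed sensor:$1 srcip:$2 dstip:$3 type:error
NEXT
# Typed detected-change: a Router Advertisement settings change on a host that
# is not expected to see an IPv6 router can indicate a rogue RA on the segment,
# so keep this rule out of the noise filters.
id=31692
name=This Windows system event has reported the Router Advertisement settings have been changed.
match=Microsoft-Windows-DHCPv6-Client
match=Mi
match=ft
match=IP
match=Win
match=Info
match=ion
match=Cl
match=DH
match=Router Advertisement settings have been changed
match=Ro
match=Ad
match=tt
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Router_Advertisement_Settings_Changed sensor:$1 srcip:$2 type:detected-change
NEXT
# NLB rules: the bracketed IPv4 address "[a.b.c.d]" in the message body is
# reported as dstip:$3.
id=31693
name=This Windows system event has reported the NLB cluster will start load balancing traffic as the default host.
match=Microsoft-Windows-NLB
match=Mi
match=ft
match=IP
match=Win
match=Info
match=ion
match=NLB
match=NLB cluster and will start load balancing traffic
match=cl
match=nd
match=ll
match=st
match=ing
match=ff
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=event:Windows-NLB_Cluster_Load_Balancing_Traffic sensor:$1 srcip:$2 dstip:$3 type:detected-change
NEXT
# FIX: description read "a Windows updated has been detected".
id=31694
name=This Windows system event log indicates a Windows update has been detected.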
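match=Microsoft-Windows-WindowsUpdateClient
match=An update was detected
match=Mi
match=Win
match=Up
match=Cl
match=ion
match=,Information,
match=up
match=indo
match=An
match=ed
match=was
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Update_Detected sensor:$1 srcip:$2 type:system
NEXT
# FIX: description read "initiating convergence a host".
id=31695
name=This Windows system event log indicates NLB is initiating convergence on a host that is joining the cluster.
match=Microsoft-Windows-NLB
match=NLB is initiating convergence on host
match=Mi
match=Win
match=NLB
match=is
match=ion
match=,Information,
match=co
match=ce
match=ho
match=st
match=ing
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=event:Windows-NLB_Initiating_Convergence sensor:$1 srcip:$2 dstip:$3 type:system
NEXT
# NOTE(review): only the RDP server (srcip) is captured; no client address is
# extracted here, so use rules 31716/31719 to attribute a connection to a
# remote address or an account.
id=31696
name=This Windows system event log indicates Listener RDP-Tcp received a connection.
match=Microsoft-Windows-TerminalServices-RemoteConnectionManager
match=Listener RDP-Tcp received a connection
match=Mi
match=Win
match=Te
match=Se
match=Re
match=nn
match=Ma
match=ion
match=,Information,
match=RDP
match=Tcp
match=re
match=ed
match=co
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-RDP_TCP_Received_Connection sensor:$1 srcip:$2 type:connection
NEXT
id=31697
name=This Windows system event log indicates NLB update completed successfully.
match=Microsoft-Windows-NLB
match=Update completed successfully
match=Mi
match=Win
match=NLB
match=Up
match=te
match=co
match=ed
match=ion
match=,Information,
match=su
match=cc
match=ss
match=ll
match=ly
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-NLB_Updated_Successfully sensor:$1 srcip:$2 type:system
NEXT
id=31698
name=This Windows system event log indicates a configuration update was started by NLB Manager.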
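match=Microsoft-Windows-NLB
match=Configuration update
match=started by NLB Manager
match=Mi
match=Win
match=NLB
match=up
match=te
match=Con
match=ed
match=ion
match=,Information,
match=st
match=Ma
match=er
match=fi
match=ur
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-NLB_Configuration_Update_Started sensor:$1 srcip:$2 type:system
NEXT
id=31699
name=This Windows system event log indicates a NLB driver has successfully attached to the adapter.
match=Microsoft-Windows-NLB
match=The NLB driver successfully attached
match=Mi
match=Win
match=NLB
match=dr
match=er
match=su
match=cc
match=ion
match=,Information,
match=cc
match=ss
match=ll
match=tt
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-NLB_Driver_Successfully_Attached sensor:$1 srcip:$2 type:system
NEXT
# NOTE(review): the event name says "Stats" although the matched message is
# about host STATE; kept as-is because downstream filters key on the event name.
id=31700
name=This Windows system event log indicates the NLB host state was successfully updated in the registry. Current state will persist after the system restarts, if NLB has been configured to do so.
match=Microsoft-Windows-NLB
match=NLB host state was successfully updated
match=Mi
match=Win
match=NLB
match=ho
match=st
match=st
match=ts
match=ion
match=,Information,
match=cc
match=ss
match=ll
match=up
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=event:Windows-NLB_Host_Stats_Updated sensor:$1 srcip:$2 dstip:$3 type:system
NEXT
id=31701
name=This Windows system event log indicates the NLB driver successfully detached (unbound) from adapter.
match=Microsoft-Windows-NLB
match=NLB driver successfully detached
match=Mi
match=Win
match=NLB
match=dr
match=iv
match=er
match=de
match=ion
match=,Information,
match=cc
match=ss
match=ll
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-NLB_Driver_Detached sensor:$1 srcip:$2 type:system
NEXT
id=31702
name=This Windows system event log indicates this host is an active member of the NLB cluster. This host will start load balancing traffic as soon as it converges with the rest of the cluster hosts.
match=Microsoft-Windows-NLB
match=This host is an active member of the NLB cluster
match=Mi
match=Win
match=NLB
match=ho
match=st
match=ac
match=ve
match=ion
match=,Information,
match=me
match=er
match=cl
match=us
match=ter
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=event:Windows-NLB_Host_Active_Member sensor:$1 srcip:$2 dstip:$3 type:system
NEXT
id=31703
name=This Windows system event log indicates this host is no longer an active member of the NLB cluster.
match=Microsoft-Windows-NLB
match=This host is no longer an active member of the NLB cluster
match=Mi
match=Win
match=NLB
match=ho
match=st
match=ac
match=ve
match=ion
match=,Information,
match=me
match=er
match=cl
match=us
match=ter
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=event:Windows-NLB_Host_No_Longer_Active_Member sensor:$1 srcip:$2 dstip:$3 type:system
NEXT
id=31704
name=This Windows system event log indicates NLB has successfully reloaded registry parameters.
match=Microsoft-Windows-NLB
match=Registry parameters successfully reloaded
match=Mi
match=Win
match=NLB
match=Re
match=ry
match=pa
match=rs
match=ion
match=,Information,
match=cc
match=ss
match=ll
match=re
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=event:Windows-NLB_Registry_Parameters_Reloaded sensor:$1 srcip:$2 dstip:$3 type:system
NEXT
# FIX: description read "transitinsg state".
id=31705
name=This Windows system event log indicates NetworkProfile has put out a message referencing response time, transitioning state and Network Interface.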
# NOTE(review): catch-all - only the provider name and the Information level
# are pinned, so this fires for every NetworkProfile informational event;
# expect volume on hosts that change networks often.
match=Microsoft-Windows-NetworkProfile
match=Mi
match=Win
match=Ne
match=rk
match=Pr
match=le
match=ion
match=,Information,
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Network_Profile_Message sensor:$1 srcip:$2 type:system
NEXT
id=31706
name=This Windows system event log indicates that disabling background user hive upload task succeeded.
match=Microsoft-Windows-User Profiles Service
match=Disable background user hive
match=Mi
match=Win
match=Us
match=er
match=Pr
match=le
match=ion
match=,Information,
match=Se
match=Di
match=ba
match=hi
match=ve
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Disable_Background_Hive_Success sensor:$1 srcip:$2 type:system
NEXT
# NOTE(review): a subscription-policy change alters where this host forwards
# its events; an unexpected one can quietly stop events reaching the collector,
# which is consistent with its detected-change type - do not filter it out.
id=31707
name=This Windows system event log indicates the subscription policy has changed. Forwarder is adjusting its subscriptions according to the subscription manager(s) in the updated policy.
match=Microsoft-Windows-Forwarding
match=Subscription policy has changed
match=Mi
match=Win
match=Fo
match=ing
match=Su
match=po
match=ion
match=,Information,
match=cy
match=ha
match=ch
match=ed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Forwarder_Policy_Changed sensor:$1 srcip:$2 type:detected-change
# Rule 31708 is disabled (commented out, including its leading NEXT). No
# reason is recorded; the retained sample is a "Completed ... Processing in
# N milliseconds" message logged at Error level, which the rule would have
# raised as type:error. The sample's hostname has been replaced with a
# placeholder - do not ship customer identifiers in example= lines.
#NEXT
#id=31708
#name=This Windows system event log indicates the GroupPolicy had an error.
#example=Microsoft-Windows-GroupPolicy/Operational,04/22/2014,18:14:13 PM,Microsoft-Windows-GroupPolicy,7016,Error,N/A,None,N/A,host.example.com,IP:192.168.1.2,7016,Completed Internet Explorer Branding Extension Processing in 171 milliseconds."
#match=Microsoft-Windows-GroupPolicy
#match=Mi
#match=Win
#match=Gr
#match=up
#match=Po
#match=cy
#match=Error
#match=rr
#match=Er
#match=or
#regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
#log=event:Windows-GroupPolicy_Error sensor:$1 srcip:$2 type:error
NEXT
id=31709
name=This Windows system event log indicates an IPsec main mode failure.
# NOTE(review): only the reporting host is captured; no IKE peer address is
# extracted, so repeated failures cannot be grouped by peer from these fields.
match=Microsoft-Windows-WFP
match=Mi
match=Win
match=WFP
match=IPsec: Main Mode Failure
match=IP
match=sec
match=Ma
match=in
match=Mo
match=Fa
match=Info
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-IPsec_Main_Mode_Failure sensor:$1 srcip:$2 type:error
NEXT
# Rules 31710-31713 (IISReset): the matched text ends in "received from user",
# so the message presumably names the account that issued the command, but no
# capture extracts it - attribution needs the raw message. A kill/stop issued
# from an unexpected account is the case worth alerting on.
id=31710
name=This Windows system event log indicates an IIS kill command was received from user
match=Microsoft-Windows-IIS-IISReset
match=IIS kill command received from user
match=Mi
match=Win
match=IIS
match=Re
match=se
match=ki
match=ll
match=mm
match=re
match=ed
match=us
match=Info
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-IIS_Kill_Command_Received sensor:$1 srcip:$2 type:system
NEXT
id=31711
name=This Windows system event log indicates an IIS Reset encountered an error while stopping services.
match=Microsoft-Windows-IIS-IISReset
match=IIS Reset encountered an error while stopping services
match=Mi
match=Win
match=IIS
match=Re
match=se
match=en
match=ed
match=rr
match=pp
match=se
match=ce
match=Info
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-IIS_Reset_Error sensor:$1 srcip:$2 type:error
NEXT
id=31712
name=This Windows system event log indicates an IIS stop command received from user.
match=Microsoft-Windows-IIS-IISReset
match=IIS stop command received from user
match=Mi
match=Win
match=IIS
match=Re
match=se
match=st
match=op
match=mm
match=re
match=ed
match=us
match=Info
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-IIS_Stop_Command_Issued sensor:$1 srcip:$2 type:system
NEXT
id=31713
name=This Windows system event log indicates an IIS start command received from user.
match=Microsoft-Windows-IIS-IISReset
match=IIS start command received from user
match=Mi
match=Win
match=IIS
match=Re
match=se
match=st
match=rt
match=mm
match=re
match=ed
match=us
match=Info
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-IIS_Start_Command_Issued sensor:$1 srcip:$2 type:system
NEXT
# NOTE(review): "match=sucessfully found" is misspelled. If the emitted text
# reads "successfully found" this rule never fires; verify against a live
# Windows Update Client event before correcting, because changing a match=
# fragment changes what the rule catches.
id=31714
name=This Windows system event log indicates Windows Update found updates.
match=Microsoft-Windows-WindowsUpdateClient
match=sucessfully found
match=Mi
match=Win
match=Up
match=te
match=Cl
match=nt
match=nd
match=ss
match=ll
match=ly
match=fo
match=Info
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Update_Found_Updates sensor:$1 srcip:$2 type:system
NEXT
# Automatic updates being paused on a server is worth a look when nobody
# scheduled it.
id=31715
name=This Windows system event log indicates Windows automatic updates is now paused.
match=Microsoft-Windows-WindowsUpdateClient
match=Automatic Updates is now paused
match=Mi
match=Win
match=Up
match=te
match=Cl
match=nt
match=Au
match=ic
match=no
match=pa
match=ed
match=Info
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Automatic_Updates_Paused sensor:$1 srcip:$2 type:system
NEXT
# NOTE(review): field mapping follows this file's convention - srcip:$2 is the
# RDP server (reporting host) and dstip:$3 is the connecting client, taken from
# "Source Network Address". No account name is captured. It is typed system,
# not login: on its own this RemoteConnectionManager message should not be
# read as a completed logon; pair it with rule 31719 ("Session logon
# succeeded", type:login) or a Security-log logon event before treating it
# as one.
id=31716
name=This Windows system event log indicates Windows Terminal Services-RemoteConnectionManager user authentication succeeded.
match=Microsoft-Windows-TerminalServices-RemoteConnectionManager
match=User authentication succeeded
match=Mi
match=Win
match=Te
match=Se
match=Re
match=Co
match=nn
match=cc
match=ee
match=Us
match=au
match=Info
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Source Network Address: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Remote_connect_Authentication_Success sensor:$1 srcip:$2 dstip:$3 type:system
NEXT
id=31717
name=This Windows system event log indicates Windows Terminal ServicesLocalSessionManager Remote Desktop Session has been disconnected.
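match=Microsoft-Windows-TerminalServices-LocalSessionManager
match=Session has been disconnected
match=Mi
match=Win
match=Te
match=Se
match=Lo
match=Se
match=ss
match=Ma
match=di
match=nn
match=ed
match=Info
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Remote_Desktop_Disconnected sensor:$1 srcip:$2 type:system
NEXT
# FIX (31718 and 31719): the user character class was "[A-Za-z0-9.-_#$]",
# where ".-_" is a RANGE (0x2E-0x5F: digits, ":;<=>?@", A-Z, "[\]^_") and the
# hyphen itself is NOT included, so "DOMAIN\jane-doe" was reported as user
# "jane" while "@" and "\" were accepted. The hyphen is now a literal at the
# end of the class and "_" is allowed in the domain part, matching the
# hostname class used by every regex= in this file. user:$4 is the bare
# account name; the domain ($3) is matched but not reported.
id=31718
name=This Windows system event log indicates Windows Terminal ServicesLocalSessionManager Remote Desktop Session logoff succeeded.
match=Microsoft-Windows-TerminalServices-LocalSessionManager
match=Session logoff succeeded
match=Mi
match=Win
match=Te
match=Se
match=Lo
match=Se
match=ss
match=Ma
match=lo
match=ff
match=ee
match=Info
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User: ([A-Za-z0-9._-]+)\\([A-Za-z0-9._#$-]+)
log=event:Windows-Remote_Desktop_Logout sensor:$1 srcip:$2 user:$4 type:logout
NEXT
id=31719
name=This Windows system event log indicates Windows Terminal ServicesLocalSessionManager Remote Desktop Session logon succeeded.
match=Microsoft-Windows-TerminalServices-LocalSessionManager
match=Session logon succeeded
match=Mi
match=Win
match=Te
match=Se
match=Lo
match=Se
match=ss
match=Ma
match=lo
match=on
match=ee
match=Info
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User: ([A-Za-z0-9._-]+)\\([A-Za-z0-9._#$-]+)
log=event:Windows-Remote_Desktop_Login sensor:$1 srcip:$2 user:$4 type:login
NEXT
id=31720
name=This Windows system event log indicates Windows Terminal ServicesLocalSessionManager Remote Desktop Session Shell start notification received.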
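# FIX: the user class was "[A-Za-z0-9.-_#$]", in which ".-_" is a range that
# excludes the hyphen (so "jane-doe" was reported as "jane") and lets "@" and
# "\" through; the hyphen is now a literal at the end and "_" is allowed in
# the domain part, as in the hostname class used elsewhere in this file.
match=Microsoft-Windows-TerminalServices-LocalSessionManager
match=Shell start notification received
match=Mi
match=Win
match=Te
match=Se
match=Lo
match=Se
match=ss
match=Ma
match=Sh
match=ll
match=st
match=no
match=ed
match=Info
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User: ([A-Za-z0-9._-]+)\\([A-Za-z0-9._#$-]+)
log=event:Windows-Remote_Desktop_Shell_Start sensor:$1 srcip:$2 user:$4 type:system
NEXT
# Rules 31721-31723 (User Profiles Service) report only the host; no account
# is extracted.
id=31721
name=This Windows system event log indicates Windows User Profiles Service finished processing user logon notification.
match=Microsoft-Windows-User Profiles Service
match=user logon notification
match=Mi
match=Win
match=Us
match=Pr
match=es
match=Se
match=ce
match=us
match=log
match=no
match=Info
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Profile_Login_Notification sensor:$1 srcip:$2 type:system
NEXT
id=31722
name=This Windows system event log indicates Windows User Profiles Service finished processing user logoff notification.
match=Microsoft-Windows-User Profiles Service
match=user logoff notification
match=Mi
match=Win
match=Us
match=Pr
match=es
match=Se
match=ce
match=us
match=log
match=ff
match=no
match=Info
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Profile_Logout_Notification sensor:$1 srcip:$2 type:system
NEXT
id=31723
name=This Windows system event log indicates Windows User Profiles Service registry file loaded.
match=Microsoft-Windows-User Profiles Service
match=Registry file
match=loaded
match=Mi
match=Win
match=Us
match=Pr
match=es
match=Se
match=ce
match=Re
match=ry
match=fi
match=le
match=lo
match=ed
match=Info
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Profile_Registry_Loaded sensor:$1 srcip:$2 type:system
NEXT
# FIX: description read "Iphlpsvcv".
id=31724
name=This Windows system event log indicates Windows Iphlpsvc is unable to update the IP address on Isatap interface.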
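match=Microsoft-Windows-Iphlpsvc
match=Unable to update the IP address on Isatap interface
match=Iphl
match=Mi
match=Win
match=Un
match=le
match=up
match=te
match=IP
match=dd
match=ss
match=Isa
match=in
match=ce
match=Error
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Iphlpsvc_Unable_To_Update_IP sensor:$1 srcip:$2 type:error
NEXT
# FIX: description read "indicates s corrected hardware error".
id=31725
name=This Windows WHEA Logger system event log indicates a corrected hardware error has occurred. Corrected Machine Check; the details view of this entry contains further information.
match=Microsoft-Windows-WHEA-Logger
match=corrected hardware error has occurred
match=Warn
match=Mi
match=Win
match=WHEA
match=gg
match=er
match=rr
match=ed
match=ha
match=re
match=rr
match=cc
match=oc
match=error
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WHEA_Logger_Warning sensor:$1 srcip:$2 type:system
NEXT
# NOTE(review): despite the event name, this Kernel-General message is about a
# registry hive's access history, not an event log; it reads as routine hive
# maintenance rather than log tampering - confirm before using it as
# anti-forensics evidence.
id=31726
name=This Windows Kernel access history in hive was cleared updating keys and creating modified pages.
match=Microsoft-Windows-Kernel-General
match=access history in hive
match=was cleared
match=Info
match=Mi
match=Win
match=Ke
match=el
match=Ge
match=al
match=cc
match=ss
match=hi
match=ve
match=cl
match=ed
match=wa
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Hive_History_Cleared sensor:$1 srcip:$2 type:system
NEXT
# dstip:$3 is the address that follows " scope " in the message (the scope
# identifier), not a host. A scope filling up is usually capacity, but a sudden
# jump to full can also be address-pool exhaustion caused by a rogue client.
id=31727
name=This Windows DHCP Server percent full message with the number of addresses available.
match=Microsoft-Windows-DHCP-Server
match=IP address range of scope
match=percent full with only
match=IP
match=dd
match=ss
match=DHCP
match=Se
match=er
match=ra
match=sc
match=pe
match=nt
match=ll
match=on
match=ly
match=wi
match=th
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* scope ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-DHCP_Server_Percent_Full_Message sensor:$1 srcip:$2 dstip:$3 type:system
NEXT
id=31728
name=This Windows system event log indicates NLB has issued a timer starvation message.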
match=Microsoft-Windows-NLB
match=Mi
match=Win
match=NLB
match=Timer starvation
match=Ti
match=er
match=st
match=on
match=rv
match=ion
match=im
match=me
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-NLB_Timer_Starvation_Messages sensor:$1 srcip:$2 type:system
NEXT
id=31729
name=The Windows Server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.
match=System
match=tem
match=Error
match=rr
match=,srv,
match=all
match=limit
match=pool
match=con
match=non
match=server reached the configured limit for nonpaged pool allocations
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Server_Nonpaged_Pool_Limit sensor:$1 srcip:$2 type:error
NEXT
# NOTE(review): this rule is hard-wired to one application ("PresentationFonts")
# and one GPO ("Default Domain Policy"); the same failure for any other package
# or policy will not match.
id=31730
name=The Windows assignment or removal of application PresentationFonts from policy Default Domain Policy failed.
match=System
match=tem
match=rror
match=rr
match=Application Management Group Policy
match=Ap
match=Ma
match=Gr
match=Po
match=PresentationFonts from policy Default Domain Policy failed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Group_Policy_PresentationFonts_Failed sensor:$1 srcip:$2 type:error
NEXT
# NOTE(review): the event name misspells "Software" (also in 31732). Left as-is
# because consumers filter on the event name; rename only in a coordinated
# change.
id=31731
name=Windows failed to apply changes to software installation settings. The installation of software deployed through Group Policy for this user has been delayed until the next logon.
match=System
match=tem
match=rror
match=rr
match=Application Management Group Policy
match=Ap
match=Ma
match=Gr
match=Po
match=Failed to apply changes to software installation settings
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Group_Policy_Sofware_Install_Failed sensor:$1 srcip:$2 type:error
NEXT
id=31732
name=Windows Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon.
match=System
match=tem
match=Warn
match=Mi
match=Microsoft-Windows-GroupPolicy
match=Wi
match=Gr
match=Po
match=Installation was unable to apply one or more settings
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Group_Policy_Sofware_Install_Delayed sensor:$1 srcip:$2 type:system
NEXT
# NOTE(review): the event name misspells "Registry"; kept for compatibility
# with existing filters. The rule keys on a "Foundation Agents" source string,
# so it only applies to hosts that run that agent.
id=31733
name=Windows Could not read from the registry sub-key. Cause: This error can be caused by a corrupt registry or a low memory condition. Rebooting the server may correct this error.
match=System
match=tem
match=Warn
match=Foundation Agents
match=corrupt registry or a low memory
match=Fo
match=Ag
match=co
match=low
match=mem
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Registery_Corrupt_Or_Low_Memory sensor:$1 srcip:$2 type:error
NEXT
id=31734
name=Windows none of the IP addresses of this Domain Controller map to the configured site.
match=System
match=tem
match=Warn
match=NETLOGON
match=None of the IP addresses
match=Domain Controller map to the configured site
match=No
match=IP
match=ad
match=Do
match=Con
match=map
match=si
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Controller_Addresses_Dont_Map sensor:$1 srcip:$2 type:system
NEXT
# NOTE(review): HttpEvent SSL binding removed. srcport:$3 is the port taken
# from "Port : <ip>:<port>" in the message; nothing beyond the port is
# captured. Removing a TLS binding takes the certificate off whatever HTTP.sys
# listener used that port, so an unscheduled one deserves the same attention
# as the detected-change rules above (31692, 31707); it is left typed system
# so existing filters keep working.
id=31735
name=Windows deleted SSL Certificate settings for a particular port on the host.
match=System
match=tem
match=Warn
match=SSL Certificate Settings deleted for Port
match=HttpEvent
match=Settings
match=SSL
match=delete
match=Certificate
match=for
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Port : [.\d]+:(\d+)
log=event:Windows-SSL_Certificate_Settings_Deleted sensor:$1 srcip:$2 srcport:$3 type:system
NEXT
id=31736
name=Windows created SSL Certificate settings for a particular port on the host.
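# Counterpart of 31735: a new HttpEvent SSL binding created by an admin
# process; only the bound port is captured (srcport:$3).
match=System
match=tem
match=Warn
match=SSL Certificate Settings created by an admin process for Port
match=HttpEvent
match=Settings
match=SSL
match=created
match=Certificate
match=for
match=process
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Port : [.\d]+:(\d+)
log=event:Windows-SSL_Certificate_Settings_Created sensor:$1 srcip:$2 srcport:$3 type:system
NEXT
# Routine machine-account password rotation (event 5823, Information level).
id=31737
name=Windows system successfully changed its password for the computer account on the domain controller.
match=System
match=tem
match=Information
match=The system successfully changed its password on the domain controller
match=ed
match=ss
match=IP
match=er
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),5823
log=event:Windows-Computer_Account_Password_Changed_By_System sensor:$1 srcip:$2 type:system event2:WindowsEvent-5823
NEXT
# FIX: this rule emitted event:Windows-Computer_Account_Password_Changed_By_System,
# copied from 31737, so a SAM lockout failure (event 12294) was reported under
# the same event name as a routine password change and could not be told apart
# from it. It now has its own event name and, like 31737, tags event2 with the
# ID it matches on. A lockout that cannot be applied is commonly seen when an
# account that cannot be locked out (typically the built-in Administrator)
# keeps failing authentication, i.e. a possible password-guessing signal -
# check the account named in the raw message.
id=31738
name=Windows system SAM database was unable to lockout an account due to an error.
match=System
match=error
match=Error
match=Services
match=database
match=AM
match=The SAM database was unable to lockout the account
match=IP
match=failure
match=was unable to
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),12294
log=event:Windows-SAM_Account_Lockout_Failed sensor:$1 srcip:$2 type:error event2:WindowsEvent-12294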