# Copyright 2005 Tenable Network Security # This library may only be used with the Thunder server and may not # be used with other products or open source projects # # NAME: # Windows System Event log parser # # DESCRIPTION: # This library is used to process logs from Windows systems. Windows # XP or W2K servers can be configured with a Thunder Client for Windows # or can forward their events via netbios to another Windows server # which runs the Thunder Client. In both cases, the Windows Thunder # Client will attempt to conduct a reverse netbios or DNS lookup of # the hostname to convert it to an IP address for the Thunder server. # # LAST UPDATE: $Date: 2012/05/07 12:25:12 $ ################ # LIVE UPDATES # ################ id=3103 name=This Windows system event log indicates that "Live" Windows updates are ready for installation. match=tem match=System, match=ion match=,Information, match=ent match=ate match=indo match=,Windows Update Agent, match=,Windows Update Agent,17,Information, log=event:Windows-Live_Updates_Ready type:system event2:WindowsEvent-17 NEXT id=3104 name=This Windows system event log indicates that a Service Pack hotfix was installed. match=tem match=System, match=ion match=,Information, match=,1074663705,Information, match=indo match=,Windows match= Hotfix match=sta match=le match=ed match= was installed. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Hotfix_Installed type:system sensor:$1 dstip:$2 NEXT id=3105 name=This Windows system event log indicates that the browser service was unable to retrieve the backup list. match=tem match=System, match=rr match=,Error, match=,BROWSER, match=SE match=ER match=,BROWSER,3221233504,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Browser_Failed_To_Retrieve type:error sensor:$1 dstip:$2 NEXT id=3106 name=This Windows system event log indicates that the browser was unable to retrieve a list of servers from the browser master.
match=tem match=System, match=,BROWSER, match=ER match=SE match=ar match=arn match=ing match=,Warning, match=,BROWSER,2147491669,Warning, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Browser_Unable_To_Retrieve type:error sensor:$1 dstip:$2 NEXT id=3107 name=This Windows system event indicates that a print job was started. match=tem match=System, match=,Print, match=ion match=,Information, match=,Print,2147483657,Information, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Print_Information type:system sensor:$1 dstip:$2 NEXT id=3108 name=This Windows system event indicates that there is a printing problem. match=tem match=System, match=,Print, match=ar match=arn match=ing match=,Warning, match=,Print,2147483650,Warning, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Print_Warning type:error sensor:$1 dstip:$2 NEXT id=3109 name=This Windows system event log indicates there has been a Windows time sync. match=tem match=System, match=ion match=,Information, match=,W32Time, match=,W32Time,1113194531,Information, regex=System.*W32Time,.*,([a-zA-Z0-9._-]+),.*ntp.d\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)->([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+) log=event:Windows-Time_Sync sensor:$1 srcip:$2 dstip:$4 srcport:$3 dstport:$5 type:system NEXT id=3110 name=This Windows system event log indicates that a USB drive has been removed. match=tem match=System, match=ar match=arn match=ing match=,Warning, match=,2147745843,Warning, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Drive_Removed sensor:$1 srcip:$2 type:system NEXT id=3111 name=This Windows system event indicates that system time has not been synchronized correctly.
match=tem match=System, match=ar match=arn match=ing match=,Warning, match=,W32Time, match=,W32Time,2186936356,Warning, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Timesync_Error sensor:$1 srcip:$2 type:error NEXT id=3112 name=This Windows system event log indicates a successful system update. match=tem match=System, match=ent match=ate match=indo match=,Windows Update Agent, match=ion match=,Information, match=,Windows Update Agent,19,Information, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Update_Successful sensor:$1 srcip:$2 type:system event2:WindowsEvent-19 NEXT id=3113 name=This Windows system event log indicates that an FTP (MSFTPSVC) user was unable to log in. match=tem match=System, match=ar match=arn match=ing match=,Warning, match=TP match=,MSFTPSVC,2147483748,Warning, match=FTP regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Bad_Logon sensor:$1 srcip:$2 type:login-failure NEXT id=3114 name=This Windows system event log indicates there was a protocol error with the terminal service (TermDD). match=tem match=System, match=rr match=,Error, match=,TermDD, match=,TermDD,3221880882,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Protocol_Error sensor:$1 srcip:$2 type:error NEXT id=3115 name=This Windows system event log indicates that an authentication request was received that could not be decoded (LSASRV). match=tem match=System, match=ar match=arn match=ing match=,Warning, match=,LSASRV, match=,LSASRV,2147524616,Warning, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Authentication_Request_Not_Decoded sensor:$1 srcip:$2 type:system NEXT id=3116 name=This Windows system event log indicates the system was restarted.
match=tem match=System, match=ion match=,Information, match=,USER32,2147484722,Information, match=ER match=SE regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-System_Restart sensor:$1 srcip:$2 type:restart NEXT id=3117 name=This Windows system event log indicates that a service terminated unexpectedly (Service Control Manager). match=tem match=System, match=rr match=,Error, match=ont match=ol match=ce match=,Service Control Manager, match=,Service Control Manager,3221232506,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Unexpected_Service_Termination sensor:$1 srcip:$2 type:process NEXT id=3119 name=This Windows system event log indicates that the maximum number of TCP sessions has been reached for this server. match=tem match=System, match=ar match=arn match=ing match=,Warning, match=cp match=,Tcpip, match=,Tcpip,2147487874,Warning, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Max_Concurrent_TCP_Sessions sensor:$1 srcip:$2 type:error NEXT id=3120 name=This Windows system event log indicates there has been a print failure. match=tem match=System, match=rr match=,Error, match=,Print, match=,Print,3221231633,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Print_Failure sensor:$1 srcip:$2 type:error NEXT id=3121 name=This Windows system event log indicates that an unauthorized (illegal) RADIUS client attempted to authenticate to IAS; the rejected client's address is reported as the source IP. match=tem match=System, match=rr match=,Error, match=,IAS, match=,IAS,3221225485,Error, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\. log=event:Windows-Illegal_Radius_Client sensor:$1 dstip:$2 srcip:$3 type:access-denied NEXT id=3122 name=This Windows system event indicates that new printer drivers have been added.
match=tem match=System, match=ar match=arn match=ing match=,Warning, match=,Print, match=,Print,2147483668,Warning, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Print_Drivers_Added sensor:$1 srcip:$2 type:system NEXT id=3123 name=This Windows system event indicates that a printer was deleted. match=tem match=System, match=ar match=arn match=ing match=,Warning, match=,Print, match=,Print,2147483651,Warning, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Printer_Removed sensor:$1 srcip:$2 type:system NEXT id=3124 name=This Windows system event indicates that the LPD service (LPDSVC) received a request for a printer that does not exist. This could indicate that a local system is configured for a non-existent printer, or that a network scan or probe has made an illegitimate request to gain information. match=tem match=System, match=ar match=arn match=ing match=,Warning, match=,LPDSVC, match=,LPDSVC,2147487656,Warning, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Nonexistent_Printer_Request sensor:$1 srcip:$2 type:system NEXT id=3125 name=This Windows system event indicates that the reason for the last shutdown was unplanned. match=tem match=System, match=ar match=arn match=ing match=,Warning, match=ed match=the last unexpected shutdown of this computer is: Other (Unplanned) match=ect regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Unplanned_Shutdown sensor:$1 srcip:$2 type:restart NEXT id=3126 name=This Windows system event indicates that a remote host has sent a very large data payload in a WINS session. This type of event is common during vulnerability scanning and worm probes.
match=tem match=System, match=rr match=,Error, match=ent match=ate match=le match=ss match=,The length of the message sent by another WINS indicates a match=IN regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-WINS_Corruption sensor:$1 srcip:$2 type:system NEXT id=3127 name=The Windows system has updates which are ready to be installed. match=tem match=System, match=ent match=ate match=indo match=,Windows Update Agent, match=ion match=,Information, match=,18, match=sta match=,Installation Ready: regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Updates_Ready sensor:$1 srcip:$2 type:system event2:WindowsEvent-18 NEXT id=3128 name=The Windows system has installed one or more updates, but the system must be restarted to complete installation. match=tem match=System, match=ent match=ate match=indo match=,Windows Update Agent,2 match=ion match=,Information, match=sta match=ire match=est match=ar match=ed match=,Restart Required: regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Restart_Required sensor:$1 srcip:$2 type:restart event2:WindowsEvent-22 NEXT id=3129 name=The Windows system has detected a space problem on a hard drive. match=tem match=System, match=ar match=arn match=ing match=,Warning, match=le match=ed match=ty match= disk is at or near capacity. You may need to delete some files. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Disk_Full sensor:$1 srcip:$2 type:error NEXT id=3130 name=The Windows system received an access request for a user that was discarded. match=tem match=System, match=rr match=,Error, match=ce match=ss match=,Access match=ser match=user match=est match=request for user match=ar match=ed match= was discarded regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Access_Request_Discarded sensor:$1 srcip:$2 type:system NEXT id=3131 name=The Windows system has no domain controller available.
match=tem match=System, match=rr match=,Error, match=ail match=ont match=ol match=le match=,There is no domain controller available for domain regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Domain_Controller_Not_Available sensor:$1 srcip:$2 type:error NEXT id=3132 name=The Windows system DCOM got error "%1327" and was unable to logon. match=tem match=System, match=rr match=,Error, match=lo match=log match=le match=DCOM got error "%1327" and was unable to logon regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-DCOM_Unable_To_Logon sensor:$1 srcip:$2 type:error NEXT id=3133 name=The Windows system server failed to load an application because the server process could not be started with the configured identity; the configured username or password is incorrect. match=tem match=System, match=ar match=arn match=ing match=,Warning, match=ss match=ass match=pass match=ser match=ail match=lo match=ion match=le match=ed match=,The server failed to load application match=pp match=ent match=sta match=rr match=ce match=ty match=The server process could not be started because the configured identity is incorrect. Check the username and password. match=ect regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Server_Failed_To_Load_Application sensor:$1 srcip:$2 type:error NEXT id=3134 name=The Windows system could not establish a secured connection with the server because no authentication protocol was available. match=tem match=System, match=ar match=arn match=ing match=,Warning, match=sta match=ser match=est match=ecu match=ion match=ed match=ty match=The Security System could not establish a secured connection with the server match=ect match=ent match=ail match=ol match=le match=No authentication protocol was available. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Authentication_Protocol_Unavailable sensor:$1 srcip:$2 type:error NEXT id=3135 name=The Windows system detected an attempted downgrade attack for a server.
match=tem match=System, match=ar match=arn match=ing match=,Warning, match=ecu match=ack match=ed match=ty match=pt match=The Security System detected an attempted downgrade attack for match=ect match=ent match=lo match=log match=ser match=ail match=rr match=ce match=le regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Attempted_Downgrade_Attack sensor:$1 srcip:$2 type:intrusion NEXT id=3136 name=The Windows system detected that no domain controller was available. match=tem match=System, match=rr match=,Error, match=ail match=ont match=ol match=le match=,No Domain Controller is available for domain match=Do match=ed match=Make sure that the computer is connected to the network and try match=ect regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Domain_Controller_Not_Available sensor:$1 srcip:$2 type:error event2:WindowsEvent-5719 NEXT id=3137 name=The Windows system kerberos subsystem encountered a Privilege Attribute Certificate verification error. match=tem match=System, match=rr match=,Error, match=ail match=ion match=ed match=The kerberos subsystem encountered a PAC verification failure match=le match=had a PAC which failed to verify or was modified regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-PAC_Verification_Error sensor:$1 srcip:$2 type:error NEXT id=3138 name=The Windows system has failed to register the host within a domain. match=tem match=System, match=ar match=arn match=ing match=,Warning, match=ail match=le match=ed match=The system failed to register host match=est match=ate match=update request was because of a system problem. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Failed_To_Register_Host sensor:$1 srcip:$2 type:error NEXT id=3139 name=The Windows system could not acquire the time, none of the time sources are accessible. 
match=tem match=System, match=rr match=,Error, match=ire match=rom match=ce match=ed match= is configured to acquire time from one or more time sources, match=ate match= has no source of accurate time. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Failed_To_Accquire_Time sensor:$1 srcip:$2 type:error NEXT id=3140 name=The Windows system has detected a driver controller error. match=tem match=System, match=rr match=,Error, match=ont match=ol match=le match=ed match=The driver detected a controller error on match=ect regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Detected_Controller_Error sensor:$1 srcip:$2 type:error NEXT id=3141 name=The Windows system is participating in an election to be the master browser on a domain. match=tem match=System, match=rr match=,Error, match=,MRxSmb, match=ent match=ser match=ce match=ed match=The master browser has received a server announcement match=ion match=ing match=le match=The master browser is stopping or an election is being forced match=ect match=pp regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Master_Browser_Election sensor:$1 srcip:$2 type:system NEXT id=3142 name=The Windows system has encountered an unknown generic system error. match=tem match=System, match=rr match=,System Error, match=,Error, match=,Error code match=ar match=, parameter regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Generic_System_Error sensor:$1 srcip:$2 type:error event2:WindowsEvent-1003 NEXT id=3143 name=The Windows system logged an NtServicePack event that is not a hotfix installation (hotfix installs are handled separately). match=tem match=System, match=ack match=ce match=,NtServicePack, match=!Hotfix regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-ServicePack_Log_Event sensor:$1 srcip:$2 type:system NEXT id=3144 name=The Windows system rejected an anonymous session's attempt to access an LSA policy handle with STATUS_ACCESS_DENIED; the remote address of the anonymous session is reported as the source IP.
match=tem match=System, match=,LsaSrv, match=An a match=ect match=rom match=ion match=ed match=ss match=An anonymous session connected from match=ent match=AT match=ecu match=ing match=EN match=le match=ty match=pt match=The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information match=ST regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*An anonymous session connected from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) has log=event:Windows-LSA_Access_Attempt sensor:$1 dstip:$2 srcip:$3 type:access-denied NEXT id=3145 name=The Windows system indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. match=tem match=System, match=,Kerberos, match=ent match=ce match=ed match=The kerberos client received a match=ss match=ass match=pass match=ate match=pt match=indicates that the password used to encrypt regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Kerberos_Encrypt_Key_Different sensor:$1 srcip:$2 type:error NEXT id=3146 name=The Windows system indicates that the target server failed to decrypt the ticket provided by the client. match=tem match=System, match=,Kerberos, match=ent match=ce match=ed match=The Kerberos client received a match=ser match=rr match=rom match=error from the server match=ail match=ate match=ar match=le match=pt match=This indicates that the target server failed to decrypt the ticket regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Kerberos_Failed_To_Decrypt sensor:$1 srcip:$2 type:error NEXT id=3147 name=The Windows system indicates that a network adapter has been disconnected from the network match=tem match=System, match=cp match=,Tcpip, match=ect match=ed match=pt match=The system detected that network adapter match=rom match=was disconnected from the network match=ion match=le match=network configuration has been released.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Network_Adapter_Disconnected sensor:$1 srcip:$2 type:system NEXT id=3148 name=The Windows system time service is now synchronizing the system time. match=tem match=System, match=,W32Time, match=ser match=now match=ing match=ce match=The time service is now synchronizing the system time regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Time_Synchronizing sensor:$1 srcip:$2 type:system NEXT id=3149 name=The Windows system has logged a hardware failure. match=tem match=System, match=rr match=,Error, match=ail match=ar match=ed match=Hardware failure detected match=ect regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Hardware_Failure sensor:$1 srcip:$2 type:error NEXT id=31510 name=The Windows system has logged that a device has out-of-date firmware, and that it may reduce performance. match=tem match=System, match=ce match=ed match=The driver has detected that device match=ect match=ol match=ate match=ar match= has old or out-of-date firmware regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+) log=event:Windows-Out-Of-Date_Firmware sensor:$1 srcip:$2 type:error NEXT id=31511 name=The Windows system has logged an authentication request that could not be decoded. The request has failed. match=tem match=System, match=ent match=ail match=est match=ecu match=ion match=ce match=le match=ed match=ty match=The Security System has received an authentication request that could not be decoded. The request has failed. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+) log=event:Windows-Request_Not_Decoded sensor:$1 srcip:$2 type:access-denied NEXT id=31512 name=The Windows system has logged that a Smart Card Reader rejected an IOCTL GET_STATE request and has been removed.
match=tem match=System, match=ont match=ar match=ed match=Smart Card Reader 'Broadcom Corp Contacted SmartCard 0' match=AT match=ce match=rejected IOCTL GET_STATE: The device has been removed. match=ect match=ST match=rem match=GET regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+) log=event:Windows-Smart_Card_Reader_Removed sensor:$1 srcip:$2 type:error event2:WindowsEvent-610 NEXT id=31513 name=The Windows system has logged that the system failed to flush data to the transaction log. Corruption may occur. match=tem match=System, match=lo match=log match=ail match=ion match=le match=ed match=The system failed to flush data to the transaction log match=rr match=pt match=Corruption may occur regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+) log=event:Windows-Failed_To_Flush_Data sensor:$1 srcip:$2 type:error NEXT id=31514 name=The Windows system has logged that the system failed to register a pointer (PTR) resource record. match=tem match=System, match=ail match=le match=ed match=ailed match=The system failed to register pointer (PTR) match=ing match=ce match=pt match=resource records (RRs) for network adapter with settings match=TR regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+) log=event:Windows-Failed_To_Register_Pointer sensor:$1 srcip:$2 type:error NEXT id=31515 name=The Windows system could not authenticate locally by using the target name. match=tem match=System, match=ar match=arn match=ing match=,Warning, match=ent match=lo match=ate match= could not authenticate locally by using the target name regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Could_Not_Authenticate_Target_Name sensor:$1 srcip:$2 type:error NEXT id=31516 name=The Windows system shut down unexpectedly.
match=tem match=System, match=rr match=,Error, match=The previous system shutdown match=ed match=was unexpected match=ect regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Unexpected_Shutdown sensor:$1 srcip:$2 type:restart NEXT id=31517 name=The Windows file system structure on the disk is corrupt and unusable; run chkdsk. match=tem match=System, match=rr match=,Error, match=le match=pt match=The file system structure on the disk is corrupt and unusable regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-File_System_Corrupt sensor:$1 srcip:$2 type:error NEXT id=31518 name=The Windows system has resumed from sleep mode. match=tem match=System, match=indo match=le match=Microsoft-Windows-Power-Troubleshooter match=rom match=ed match=The system has resumed from sleep. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Resumed_From_Sleep_Mode sensor:$1 srcip:$2 type:restart event2:WindowsEvent-1 NEXT id=31519 name=The Windows system has entered sleep mode due to the system being idle. match=tem match=System, match=indo match=,Microsoft-Windows-Kernel-Power match=ent match=ing match=le match=The system is entering sleep. match=Sleep Reason: System Idle regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Entering_Sleep_Mode sensor:$1 srcip:$2 type:restart event2:WindowsEvent-42 NEXT id=31520 name=The Windows system has printed a document. match=tem match=System, match=Print match=ion match=Information match=ent match=Document match=Do match=ed match=was printed on regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Printed_Document sensor:$1 srcip:$2 type:system NEXT id=31521 name=The Windows system has recorded a fatal error when attempting to access the SSL server credential private key.
match=tem match=System, match=Schannel match=36870 match=rr match=Error match=ent match=ser match=ate match=ing match=ce match=ed match=pt match=ss match=A fatal error occurred when attempting to access the SSL server credential private key. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Private_Key_Error sensor:$1 srcip:$2 type:error event2:WindowsEvent-36870 NEXT id=31522 name=The Windows system has recorded a user logon notification for the customer experience improvement program. match=tem match=System, match=lo match=log match=ion match=indo match=Microsoft-Windows-Winlogon,7001,Information match=ent match=ser match=Lo match=ce match=User Logon Notification for Customer Experience Improvement Program match=User regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Logon_Notification_Improvement_Program sensor:$1 srcip:$2 type:system event2:WindowsEvent-7001 NEXT id=31523 name=The Windows system has recorded that the Group Policy settings for the user were processed successfully. match=tem match=System, match=ol match=indo match=Microsoft-Windows-GroupPolicy match=ion match=1501,Information match=ser match=ing match=ce match=ed match=ss match=The Group Policy settings for the user were processed successfully. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Group_Policy_Settings_Processed sensor:$1 srcip:$2 type:system event2:WindowsEvent-1501 NEXT id=31524 name=The Windows system has recorded a Microsoft-Windows-TerminalServices-Printers driver error (event 1111). match=tem match=System, match=indo match=ce match=Microsoft-Windows-TerminalServices-Printers match=rr match=1111,Error match=1111,Driver regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Printer_Driver_Error sensor:$1 srcip:$2 type:error event2:WindowsEvent-1111 NEXT id=31525 name=The Windows system has recorded a timeout attempting name resolution; none of the configured DNS servers responded.
match=tem match=System, match=ent match=indo match=,Microsoft-Windows-DNS-Client match=ol match=ion match=Name resolution for the name match=ser match=ed match=timed out after none of the configured DNS servers responded. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-DNS_Servers_Timeout sensor:$1 srcip:$2 type:error event2:WindowsEvent-1014 NEXT id=31526 name=The Windows system has recorded a bad block for a device. match=tem match=System, match=Disk match=rr match=Error match=lo match=has a bad block. regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Bad_Block_Detected sensor:$1 srcip:$2 type:error NEXT id=31527 name=The Windows system (IAS) has recorded that a user was granted access; the RADIUS Client-IP-Address is reported as the source IP. match=tem match=System, match=IAS match=ce match=ed match=ss match=was granted access match=ent match=Client-IP-Address regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*,User ([A-Za-z0-9\$\-\_]{1,25}) was granted access.* Client-IP-Address \= ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-IAS_User_Granted_Access sensor:$1 dstip:$2 user:$3 srcip:$4 type:login NEXT id=31528 name=The Windows system denied a DCOM request because the application-specific permission settings do not grant the requested Local permission. match=tem match=System, match=,DCOM, match=Lo match=ion match=ing match=ss match=,The application-specific permission settings do not grant Local match=pp regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-DCOM_CLSID_Unable_To_Launch sensor:$1 srcip:$2 type:access-denied NEXT id=31529 name=The Windows Update Client failed to install an update.
match=tem match=System, match=System match=ent match=ate match=indo match=Windows Update Agent match=,Windows match=sta match=ail match=ailure match=ion match=ed match=IP match=,Installation Failure: regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-UpdateClient_Installation_Failure sensor:$1 srcip:$2 type:error event2:WindowsEvent-20 NEXT id=31530 name=The Windows Update Client has an update that is ready to install. match=tem match=System, match=ent match=ate match=indo match=,Microsoft-Windows-WindowsUpdateClient, match=sta match=ion match=,Installation Ready: regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-UpdateClient_Installation_Ready sensor:$1 srcip:$2 type:system event2:WindowsEvent-18 NEXT id=31531 name=The Windows system successfully applied the forefront client security state assessment service policy. match=ent match=ecu match=ate match=IP match=Forefront Client Security State Assessment Service policy applied successfully. match=System match=ty match=ont match=ss match=ce match=FcsSas regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Forefront_Assessment_Applied sensor:$1 srcip:$2 type:system NEXT id=31532 name=The Windows system forefront signature version has been updated. match=ate match=IP match=signature version has been updated. match=System, match=ed match=FCSAM match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Forefront_Signatures_Updated sensor:$1 srcip:$2 type:system event2:WindowsEvent-2000 NEXT id=31533 name=The Windows system forefront real-time protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. match=ent match=System match=tem match=IP match=,Warning, match=System, match=ect match=ing match=Real-Time Protection agent has detected changes. 
match=ed match=FCSAM match=ion regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Windows-Forefront_Detected_Changes sensor:$1 srcip:$2 type:system event2:WindowsEvent-3004 NEXT id=31534 name=The Windows system has detected a restart or shutdown. match=System match=tem match=IP match=,Information, match=System, match=,1074, match=lo match=ol match=ser match=user match=ing regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),1074,The process .*user .*\\([A-Za-z0-9\$\-\_]+) for the following reason log=event:Windows-Restart_Shutdown sensor:$1 srcip:$2 user:$3 type:restart event2:WindowsEvent-1074 NEXT id=31535 name=The Windows system has reported no suitable default server credential exists on this system. match=System match=tem match=IP match=,Warning, match=System, match=,36886, match=No match=ial match=ing regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),36886 log=event:Windows-No_Credential sensor:$1 srcip:$2 type:system event2:WindowsEvent-36886 NEXT id=31536 name=The Windows system RemoteAccess user does not have Remote Access privilege. match=le match=user match=System match=tem match=IP match=,Warning, match=System, match=ser match=ss match=ect match=ing match=ed match=ce match=,20258, match=does not have Remote Access privilege regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),20258 log=event:Windows-User_Does_Not_Have_Remote_Access sensor:$1 srcip:$2 type:login-failure event2:WindowsEvent-20258 NEXT id=31537 name=The Windows system RemoteAccess user failed an authentication attempt due to the following reason: The account does not have permission to dial in. 
match=le match=ent match=failed an authentication attempt match=user match=rom match=System match=tem match=IP match=,20271, match=,Warning, match=lo match=ailed match=System, match=ser match=ail match=ect match=ing match=ed regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),20271 log=event:Windows-User_Does_Not_Have_Permission_For_Dial_In sensor:$1 srcip:$2 type:login-failure event2:WindowsEvent-20271 NEXT id=31538 name=This Windows system event log indicates a successful system update (WindowsUpdateClient). match=tem match=System, match=ent match=ate match=indo match=WindowsUpdateClient, match=ion match=,Information, match=WindowsUpdateClient,19,Information, regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Update_Successful sensor:$1 srcip:$2 type:system event2:WindowsEvent-19 NEXT id=31539 name=The Windows system has recorded that the Group Policy settings for the computer were processed successfully. match=The Group Policy settings for the computer were processed successfully. match=Micro match=System match=tem match=in match=1502,Information match=Information match=succ match=indo match=,Information, match=nformation match=ystem match=ic match=Information, match=ce match=at match=Windows match=IP match=ol match=successfully match=P match=for match=System, match=er match=502 match=Microsoft-Windows-GroupPolicy match=put match=ing match=ed match=st match=ess match=ion match=ss match=150 match=successful match=Group match=su match=success regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Windows-Group_Policy_Settings_Processed sensor:$1 srcip:$2 type:system event2:WindowsEvent-1502 NEXT id=31540 name=This Windows system event log indicates that a service's start type was changed between auto start and demand start (Service Control Manager).
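match=st
match=sta
match=nformation
match=Service Control Manager
match=art
match=IP
match=service was changed
match=System
match=Information,
match=demand
match=auto
match=start
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Service_Changed sensor:$1 srcip:$2 type:system event2:WindowsEvent-7040
NEXT
# SCM event 7036, Information: the Volume Shadow Copy service entered the
# running state. Benign on its own. NOTE(review): VSS tampering (stopping
# the service, deleting shadow copies) is a common pre-ransomware step; this
# file only records the service starting, so a separate rule would be needed
# to catch a stop or a shadow-copy deletion.
id=31541
name=This Windows system event log indicated the Shadow Copy service entered the running state.
match=ent
match=st
match=sta
match=nformation
match=ate
match=Service Control Manager
match=,Service Control Manager,
match=lum
match=in
match=ic
match=System
match=tem
match=IP
match=Information
match=System,
match=ol
match=ser
match=P
match=ont
match=,Information,
match=Information,
match=er
match=for
match=ing
match=ed
match=ystem
match=ce
match=Shadow Copy service entered the running state
match=at
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Service_Shadow_Copy_Running sensor:$1 srcip:$2 type:system event2:WindowsEvent-7036
NEXT
# SCM event 7035, Information: the VeeamVssSupport service (presumably the
# Veeam backup agent's VSS helper) was successfully sent a start control.
id=31542
name=This Windows system event log indicated the VeeamVssSupport message.
match=ent
match=successfully
match=st
match=sta
match=nformation
match=Service Control Manager
match=art
match=,Service Control Manager,
match=ic
match=System
match=tem
match=IP
match=su
match=Information
match=System,
match=ol
match=ser
match=P
match=pp
match=Sup
match=VeeamVssSupport
match=ont
match=,Information,
match=ess
match=ss
match=Vss
match=success
match=Information,
match=er
match=for
match=ystem
match=ce
match=at
match=successful
match=succ
match=ar
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Service_VeeamVssSupport sensor:$1 srcip:$2 type:system event2:WindowsEvent-7035
NEXT
# Event 98, Information: the Removable Storage service (RSM) was stopped.
# name= fixed: "Removeable" -> "Removable", and the expansion now matches the
# "Removable Storage Service" text the rule keys on. (match= lines follow.)
id=31543
name=This Windows system event log indicated that RSM (Removable Storage Service) was stopped.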
match=le
match=RSM was stopped
match=st
match=nformation
match=ic
match=System
match=tem
match=IP
match=Information
match=System,
match=P
match=Removable Storage Service
match=pp
match=,Information,
match=Information,
match=er
match=for
match=ed
match=ystem
match=ce
match=at
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-RSM_Stopped sensor:$1 srcip:$2 type:system event2:WindowsEvent-98
NEXT
# WinHttpAutoProxySvc event 12503, Information: the Web Proxy Auto-Discovery
# (WPAD) service is idle and will shut down. Routine lifecycle noise on its
# own. NOTE(review): WPAD state is relevant when investigating proxy
# hijacking or unexpected outbound proxying, but these rules only record the
# service's own lifecycle, not the proxy configuration it discovered.
id=31544
name=This Windows system event log indicated that the WinHTTP Web Proxy Auto-Discovery Service is idle, and will be shut down.
match=st
match=nformation
match=ut
match=ic
match=System
match=tem
match=IP
match=WinHttpAutoProxySvc
match=Information
match=System,
match=P
match=,Information,
match=will be shut down
match=Information,
match=er
match=for
match=ystem
match=ce
match=TP
match=at
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinHttpAutoProxySvc_Shutting_Down sensor:$1 srcip:$2 type:system event2:WindowsEvent-12503
NEXT
# WinHttpAutoProxySvc event 12517, Information: the WPAD service suspended
# operation. Same caveat as 31544.
id=31545
name=This Windows system event log indicated that the WinHTTP Web Proxy Auto-Discovery Service suspended operation.
match=st
match=suspended operation
match=nformation
match=ut
match=in
match=ic
match=System
match=tem
match=IP
match=WinHttpAutoProxySvc
match=su
match=Information
match=System,
match=P
match=,Information,
match=Information,
match=er
match=for
match=ed
match=ystem
match=ce
match=TP
match=at
match=ion
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinHttpAutoProxySvc_Suspended sensor:$1 srcip:$2 type:system event2:WindowsEvent-12517
NEXT
# Event 6013, Information: the system uptime report. (match= lines follow.)
id=31546
name=This Windows system event has reported the system uptime.
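match=st
match=nformation
match=System
match=tem
match=IP
match=Information
match=System,
match=P
match=,Information,
match=Information,
match=for
match=ystem
match=The system uptime
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-System_Uptime sensor:$1 srcip:$2 type:system event2:WindowsEvent-6013
NEXT
# Event 8032, Error: the browser service failed to retrieve the backup list
# too many times. Typed error, consistent with the other BROWSER failure
# rules in this file.
id=31547
name=This Windows system event has reported the browser service has failed to retrieve the backup list too many times on transport.
match=st
match=System
match=tem
match=IP
match=System,
match=P
match=Error
match=ystem
match=rr
match=The browser service has failed
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Browser_Service_Failed sensor:$1 srcip:$2 type:error event2:WindowsEvent-8032
NEXT
# SCM event 7036: the Windows Modules Installer service entered the stopped
# state. name= reworded so it reads as a description, like the neighbouring
# rules, instead of a fragment of the event text.
id=31548
name=This Windows system event log indicates the Windows Modules Installer service entered the stopped state.
match=st
match=nformation
match=System
match=tem
match=IP
match=System,
match=P
match=ystem
match=The Windows Modules Installer service entered the stopped state
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Modules_Installer_Service_Stopped sensor:$1 srcip:$2 type:system event2:WindowsEvent-7036
NEXT
# TermService event 1006, Error: the terminal server received a large number
# of incomplete connections and Windows itself says "The system may be under
# attack" (RDP connection flooding / scanning). NOTE(review): this is only
# typed error; if alerting keys on type, consider whether an intrusion-style
# type is more appropriate. The remote address is not captured - srcip:$2 is
# the IP: field of the reporting sensor record.
id=31549
name=This Windows TermService had a terminal server receive a large number of incomplete connections. The system may be under attack.
match=rm
match=vi
match=TermService
match=Error
match=rr
match=System
match=tem
match=IP
match=System,
match=P
match=ystem
match=incomplete
match=comp
match=connections
match=nn
match=The system may be under attack.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-TermService_Error sensor:$1 srcip:$2 type:error event2:WindowsEvent-1006
NEXT
# Srv event 2006, Error: the server (Srv is presumably the SMB server) received
# an incorrectly formatted request from a remote host. The regex's greedy .*
# makes $3 the LAST "\\a.b.c.d" in the message, i.e. presumably the host after
# "request from \\". NOTE(review): that remote host is the SENDER of the
# malformed request yet is logged as dstip, while the reporting host is
# srcip - confirm the intended direction before correlating on it. Malformed
# SMB requests can accompany scanning or exploit attempts. (match= lines follow.)
id=31550
name=This Windows Srv server received an incorrectly formatted request.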
match=Srv
match=rr
match=Error
match=server
match=rv
match=received
match=ei
match=incorrectly
match=ly
match=in
match=formatted
match=tt
match=The server received an incorrectly formatted request from
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*\\([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Srv_Error sensor:$1 srcip:$2 dstip:$3 type:error event2:WindowsEvent-2006
NEXT
# SCM event 7035: the WPAD service was successfully sent a start control.
# No level/source match= here, only the message text. The log event name
# says "WinHttp" while 31544/31545 say "WinHttpAutoProxySvc" for the same
# service; left as-is because downstream correlation may key on the name.
id=31551
name=This Windows Service Control Manager WinHTTP Web Proxy Auto-Discovery service was successfully sent a start control.
match=Service
match=vi
match=ontrol
match=ol
match=Manager
match=ag
match=Web
match=Proxy
match=ss
match=start
match=successfully
match=sent
match=The WinHTTP Web Proxy Auto-Discovery Service service was successfully sent a start control.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinHttp_Start_Control_Sent sensor:$1 srcip:$2 type:system event2:WindowsEvent-7035
NEXT
# SCM event 7036: the WPAD service entered the running state. Same naming
# caveat as 31551.
id=31552
name=This Windows Service Control Manager WinHTTP Web Proxy Auto-Discovery service entered the running state.
match=Service
match=vi
match=ontrol
match=ol
match=Manager
match=ag
match=Web
match=Proxy
match=enter
match=entered
match=nn
match=running
match=state
match=at
match=The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-WinHttp_Enter_Running_State sensor:$1 srcip:$2 type:system event2:WindowsEvent-7036
NEXT
# SCM event 7036, Information: the Application Experience service entered
# the stopped state. (regex=/log= for this rule follow.)
id=31553
name=This Windows system event log indicates the Application Experience service entered the stopped state.
match=ent
match=st
match=sta
match=nformation
match=ate
match=Service Control Manager
match=,Service Control Manager,
match=System
match=tem
match=IP
match=Information
match=System,
match=,Information,
match=Information,
match=ystem
match=The Application Experience service entered the stopped state.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Application_Experience_Stopped sensor:$1 srcip:$2 type:system event2:WindowsEvent-7036
NEXT
# SCM event 7036, Information: the Application Experience service entered
# the running state.
id=31554
name=This Windows system event log indicates the Application Experience service entered the running state.
match=ent
match=sta
match=ate
match=st
match=nformation
match=System
match=Service Control Manager
match=,Service Control Manager,
match=tem
match=IP
match=Information
match=System,
match=,Information,
match=Information,
match=ystem
match=The Application Experience service entered the running state.
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Application_Experience_Started sensor:$1 srcip:$2 type:system event2:WindowsEvent-7036
NEXT
# "PowerPoint" plus "was deleted on" in a System-log Information message.
# No event2 is assigned and no event source is matched. NOTE(review): the
# wording looks like the print spooler's "Document ..., owned by ..., was
# deleted on <printer>" message (a cancelled print job), not a file
# deletion - confirm before treating this as file-integrity evidence. It
# overlaps with the generic 31559 rule further down; which one fires
# presumably depends on rule order.
id=31555
name=This Windows system event log indicates a PowerPoint document was deleted.
match=ent
match=st
match=nformation
match=System
match=tem
match=IP
match=Information
match=System,
match=,Information,
match=Information,
match=ystem
match=PowerPoint
match=was deleted on
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-PowerPoint_Document_Deleted sensor:$1 srcip:$2 type:system
NEXT
# BROWSER Warning: unable to retrieve a list of servers from the browser
# master. NOTE(review): an earlier rule in this file keys on the same
# BROWSER warning text with a different event name and type; which one wins
# presumably depends on rule order - confirm, or consolidate. Also, from
# this rule on the reporting host's IP is logged as dstip:$2 rather than
# srcip:$2 as in 31534-31555, so correlation on srcip will miss these events.
id=31556
name=This Windows system event log indicates that the browser service was unable to retrieve a list of servers from the browser master. This event may be caused by a temporary loss of network connectivity. If this message appears again, verify that the server is still connected to the network.
match=tem
match=System,
match=,Warning,
match=,BROWSER,
match=SE
match=ER
match=ser
match=un
match=ret
match=lis
match=ser
match=brow
match=mas
match=,The browser service was unable to retrieve a list of servers from the browser master
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Browser_Failed_To_Retrieve_Servers type:system sensor:$1 dstip:$2
NEXT
# Popup source: the idle timer expired. (match= lines follow.)
id=31557
name=This Windows system event log indicates the idle timer expired.
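match=up
match=System,
match=Pop
match=Popup
match=dl
match=me
match=ex
match=ed
match=Idle timer expired
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Popup_Timer_Expired type:system sensor:$1 dstip:$2
NEXT
# Event 10010, Error: a server did not register with DCOM within the
# required timeout. NOTE(review): the log event name Windows-Time_Expired is
# misleading (this is a DCOM registration timeout, not a clock/time event);
# it is left unchanged because downstream correlation may key on it. No
# event2 is set. The leading space in the long match= value is deliberate.
id=31558
name=This Windows system event log indicates the server did not register with DCOM within the required timeout.
match=10010
match=System,
match=ys
match=rr
match=Err
match=did
match=no
match=st
match= did not register with DCOM within the required timeout
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Time_Expired type:error sensor:$1 dstip:$2
NEXT
# Generic "Document ... owned by ... was deleted" Information message. The
# match= fragments are short and no event source is pinned, so this rule is
# broad. NOTE(review): as with 31555 this reads like a print spooler job
# deletion rather than a file deletion - confirm.
id=31559
name=This Windows system event log indicates a document was deleted.
match=System,
match=ys
match=Info
match=Doc
match=own
match=ed
match=by
match=was
match=del
match=deleted
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Document_Deleted type:system sensor:$1 dstip:$2
NEXT
# Event 7002, Information: user logoff notification for the Customer
# Experience Improvement Program. name= capitalisation fixed. No account
# name is captured (only sensor and IP), so this is not usable as an audit
# logoff record for a specific user.
id=31560
name=This Windows system event log indicates a user logoff notification for the Customer Experience Improvement Program.
match=System,
match=ys
match=Info
match=Win
match=log
match=on
match=Use
match=er
match=Noti
match=cat
match=User Logoff Notification for Customer Experience Improvement Program
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Logoff_Notification type:system sensor:$1 dstip:$2 event2:WindowsEvent-7002
NEXT
# SCM event 7035, Information: the Microsoft Software Shadow Copy Provider
# service was successfully sent a start control. Pairs with 31541 (shadow
# copy service running); neither rule covers a VSS stop or shadow deletion.
id=31561
name=This Windows system event log indicates the Microsoft Software Shadow Copy Provider service was successfully sent a start control.
match=System,
match=ys
match=Info
match=Sha
match=dow
match=Co
match=py
match=ser
match=vi
match=ss
match=en
match=ar
match=co
match=Shadow Copy Provider service was successfully sent a start control
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Shadow_Copy_Start type:system sensor:$1 dstip:$2 event2:WindowsEvent-7035
NEXT
# LSASRV event 40968, Warning: the Security System received an
# authentication request it could not decode. NOTE(review): typed system
# rather than login-failure, so it does not feed failed-authentication
# correlation. An undecodable request can be a client/protocol mismatch but
# can also be malformed or tampered authentication traffic; the requesting
# host is not captured (dstip:$2 is the reporting sensor's IP), so the raw
# event must be consulted to attribute it.
id=31562
name=This Windows system event log indicates an authentication request failed.
match=System,
match=ys
match=LSASRV
match=Wa
match=rn
match=ing
match=Sec
match=ur
match=ty
match=has
match=re
match=ei
match=ve
match=authentication request that could not be
match=uth
match=req
match=decoded
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Authentication_Request_Failed type:system sensor:$1 dstip:$2 event2:WindowsEvent-40968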