BluSapphire
Search…
Introduction
Product Videos
Unified Cyber Defense Platform
The Stack
Features and capabilities
Operations
Architecture
Integration
Cisco pxGrid Integration
MITRE ATT&CK
MITRE ATT&CK Coverage by Tactic
MITRE ATT&CK Coverage by Technique
BluArmour Endpoint Protection
BluArmour For ICS / AirGapped Networks
BluArmour Pre-Deployment Checklist & Roll out Process
Deploy BluArmour via SCCM
BluGenie
SIGMA Rules
Use cases
Threat Intel Sources
Windows Logging Recommendations
Lateral Movement Logging Recommendations
Windows Advanced Auditing Recommendations
GPO for Service Account, WinRM and WMI
Log Forwarding - How To
Mirror / SPAN port configuration
Cloud Log Forwarding
Deploy Micro-Agent/Sysmon via GPO
Threat Hunt
Appendix A
Powered By
GitBook
Windows Logging Recommendations
Windows Event Log Recommendations By Log Source
Category
Name
ID
Level
Event Log
Event Source
1
Boot Events
Shutdown Initiate Failed
1074
Warning
User32
User32
2
Application Crashes
BSOD
1001
Error
System
Microsoft-Windows-WER-SystemErrorReporting
3
Boot Events
Windows Shutdown
13
Information
System
Microsoft-Windows-Kernel-General
4
Boot Events
Windows Startup
12
Information
System
Microsoft-Windows-Kernel-General
5
Clearing Event Logs
Event Log was Cleared
104
Information
System
Microsoft-Windows-Eventlog
6
Group Policy Errors
Generic Internal Error
1126
Error
System
Microsoft-Windows-GroupPolicy
7
Group Policy Errors
Group Policy Application Failed due to Connectivity
1129
Error
System
Microsoft-Windows-GroupPolicy
8
Group Policy Errors
Internal Error
1125
Error
System
Microsoft-Windows-GroupPolicy
9
Kernel Driver Signing
Failed Kernel Driver Loading
219
Warning
System
Microsoft-Windows-Kernel-PnP
10
Software and Service Installation
New Kernel Filter Driver
6
Information
System
Microsoft-Windows-FilterManager
11
Software and Service Installation
New Windows Service
7045
Information
System
Microsoft-Windows-FilterManager
12
Software and Service Installation
Service Start Failure
7000
Error
System
Service Control Manager
13
Software and Service Installation
Windows Update Installed
19
Information
System
Microsoft-Windows-WindowsUpdateClient
14
System Integrity
System Time Changed
1
Information
System
Microsoft-Windows-Kernel-General
15
System or Service Failures
Windows Service Fails or Crashes
7022, 7023, 7024, 7026, 7031, 7032, 7034
Error
System
Service Control Manager
16
Software and Service Installation
Update Packages Installed
2
Information
Setup
Microsoft-Windows-Servicing
17
Windows Update Errors
Hotpatching Failed
1009
Information
Setup
Microsoft-Windows-Servicing
18
Account Usage
Account Lockouts
4740
Information
Security
Microsoft-Windows-Security-Auditing
19
Account Usage
Account Login with Explicit Credentials
4648
Information
Security
Microsoft-Windows-Security-Auditing
20
Account Usage
Account Name Changed
4781
Information
Security
Microsoft-Windows-Security-Auditing
21
Account Usage
Account removed from Local Sec. Grp.
4733
Information
Security
Microsoft-Windows-Security-Auditing
22
Account Usage
Credential Authentication
4776
Information
Security
Microsoft-Windows-Security-Auditing
23
Account Usage
Credentials backed up
5376
Information
Security
Microsoft-Windows-Security-Auditing
24
Account Usage
Credentials restored
5377
Information
Security
Microsoft-Windows-Security-Auditing
25
Account Usage
Failed User Account Login
4625
Information
Security
Microsoft-Windows-Security-Auditing
26
Account Usage
Logoff Event
4634
Information
Security
Microsoft-Windows-Security-Auditing
27
Account Usage
Logon with Special Privs
4672
Information
Security
Microsoft-Windows-Security-Auditing
28
Account Usage
New User Account Created
4720
Information
Security
Microsoft-Windows-Security-Auditing
29
Account Usage
New User Account Enabled
4722
Information
Security
Microsoft-Windows-Security-Auditing
30
Account Usage
Password Hash Accessed
4782
Information
Security
Microsoft-Windows-Security-Auditing
31
Account Usage
Password Policy Checking API called
4793
Information
Security
Microsoft-Windows-Security-Auditing
32
Account Usage
Security-enabled Group Created
4731
Information
Security
Microsoft-Windows-Security-Auditing
33
Account Usage
Security-Enabled group Modification
4735
Information
Security
Microsoft-Windows-Security-Auditing
34
Account Usage
SID History add attempted on Account
4766
Information
Security
Microsoft-Windows-Security-Auditing
35
Account Usage
SID History added to Account
4765
Information
Security
Microsoft-Windows-Security-Auditing
36
Account Usage
Successful User Account Login
4624
Information
Security
Microsoft-Windows-Security-Auditing
37
Account Usage
User Account Deleted
4726
Information
Security
Microsoft-Windows-Security-Auditing
38
Account Usage
User Account Disabled
4725
Information
Security
Microsoft-Windows-Security-Auditing
39
Account Usage
User Account Unlocked
4767
Information
Security
Microsoft-Windows-Security-Auditing
40
Account Usage
User Added to Privileged Group
4728, 4732, 4756
Information
Security
Microsoft-Windows-Security-Auditing
41
Account Usage
User Right Assigned
4704
Information
Security
Microsoft-Windows-Security-Auditing
42
Application Whitelisting
Process Created
4688
Information
Security
Microsoft-Windows-Security-Auditing
43
Application Whitelisting
Process Terminated
4689
Information
Security
Microsoft-Windows-Security-Auditing
44
Certificate Services
CA Services Request
4886
Information
Security
Microsoft-Windows-Security-Auditing
45
Certificate Services
Certificate Manager Settings Changed
4890
Information
Security
Microsoft-Windows-Security-Auditing
46
Certificate Services
Certificate Request Attributes Changed
4874
Information
Security
Microsoft-Windows-Security-Auditing
47
Certificate Services
Certificate Request Extension Changed
4873
Information
Security
Microsoft-Windows-Security-Auditing
48
Certificate Services
Certificate Revoked
4870
Information
Security
Microsoft-Windows-Security-Auditing
49
Certificate Services
Certificate Services approved request
4887
Information
Security
Microsoft-Windows-Security-Auditing
50
Certificate Services
Certificate Services Audit Filter Changed
4885
Information
Security
Microsoft-Windows-Security-Auditing
51
Certificate Services
Certificate Services Configuration Changed
4891
Information
Security
Microsoft-Windows-Security-Auditing
52
Certificate Services
Certificate Services denied request
4888
Information
Security
Microsoft-Windows-Security-Auditing
53
Certificate Services
Certificate Services Loaded Template
4898
Information
Security
Microsoft-Windows-Security-Auditing
54
Certificate Services
Certificate Services Permissions Changed
4882
Information
Security
Microsoft-Windows-Security-Auditing
55
Certificate Services
Certificate Services Property Changed
4892
Information
Security
Microsoft-Windows-Security-Auditing
56
Certificate Services
Certificate Services Started
4880
Information
Security
Microsoft-Windows-Security-Auditing
57
Certificate Services
Certificate Services Stopped
4881
Information
Security
Microsoft-Windows-Security-Auditing
58
Certificate Services
Certificate Services Template Security Updated
4900
Information
Security
Microsoft-Windows-Security-Auditing
59
Certificate Services
Certificate Services Template Updated
4899
Information
Security
Microsoft-Windows-Security-Auditing
60
Certificate Services
Entries Removed from Certificate Database
4896
Information
Security
Microsoft-Windows-Security-Auditing
61
Clearing Event Logs
Event Log Service Shutdown
1100
Information
Security
Microsoft-Windows-EventLog
62
Clearing Event Logs
Event Log was Cleared
1102
Information
Security
Microsoft-Windows-Eventlog
63
DNS/Directory Services
Directory service created
5137
Information
Security
Microsoft-Windows-Security-Auditing
64
DNS/Directory Services
Directory service deleted
5141
Information
Security
Microsoft-Windows-Security-Auditing
65
DNS/Directory Services
Directory service modified
5136
Information
Security
Microsoft-Windows-Security-Auditing
66
DNS/Directory Services
Directory service moved
5139
Information
Security
Microsoft-Windows-Security-Auditing
67
DNS/Directory Services
Directory service recovered
5138
Information
Security
Microsoft-Windows-Security-Auditing
68
Kernel Driver Signing
Detected an invalid image hash of a file
5038
Information
Security
Microsoft-Windows-Security-Auditing
69
Kernel Driver Signing
Detected an invalid page hash of an image file
6281
Information
Security
Microsoft-Windows-Security-Auditing
70
Network Policy
Encrypted Data Recovery Policy Changed
4714
Information
Security
Microsoft-Windows-Security-Auditing
71
Network Policy
Kerberos Policy Changed
4713
Information
Security
Microsoft-Windows-Security-Auditing
72
Network Policy
Kerberos Service Ticket Req. Failed
4769
Information
Security
Microsoft-Windows-Security-Auditing
73
Network Policy
Network Policy Server Denied Access
6273
Information
Security
Microsoft-Windows-Security-Auditing
74
Network Policy
Network Policy Server Discarded Accounting Request
6275
Information
Security
Microsoft-Windows-Security-Auditing
75
Network Policy
Network Policy Server Discarded Request
6274
Information
Security
Microsoft-Windows-Security-Auditing
76
Network Policy
Network Policy Server Granted Access
6272
Information
Security
Microsoft-Windows-Security-Auditing
77
Network Policy
Network Policy Server Granted Full Access
6278
Information
Security
Microsoft-Windows-Security-Auditing
78
Network Policy
Network Policy Server Granted Probationary Access
6277
Information
Security
Microsoft-Windows-Security-Auditing
79
Network Policy
Network Policy Server Locked Account
6279
Information
Security
Microsoft-Windows-Security-Auditing
80
Network Policy
Network Policy Server Quarantined User
6276
Information
Security
Microsoft-Windows-Security-Auditing
81
Network Policy
Network Policy Server Unlocked Account
6280
Information
Security
Microsoft-Windows-Security-Auditing
82
Network Policy
Network share accessed
5140
Information
Security
Microsoft-Windows-Security-Auditing
83
Network Policy
Network Share Checked
5145
Information
Security
Microsoft-Windows-Security-Auditing
84
Network Policy
Network Share Created
5142
Information
Security
Microsoft-Windows-Security-Auditing
85
Network Policy
Network Share Deleted
5144
Information
Security
Microsoft-Windows-Security-Auditing
86
Network Policy
New Trust for Domain
4706
Information
Security
Microsoft-Windows-Security-Auditing
87
Network Policy
Role Separation Enabled
4897
Information
Security
Microsoft-Windows-Security-Auditing
88
Network Policy
System Audit Policy Changed
4719
Information
Security
Microsoft-Windows-Security-Auditing
89
Network Policy
Trusted Domain Information Modified
4716
Information
Security
Microsoft-Windows-Security-Auditing
90
Network Policy
TS Session Disconnect
4779
Information
Security
Microsoft-Windows-Security-Auditing
91
Network Policy
TS Session Reconnect
4778
Information
Security
Microsoft-Windows-Security-Auditing
92
Network Policy
Wireless 802.1X Auth
5632
Information
Security
Microsoft-Windows-Security-Auditing
93
System Integrity
Registry Modification
4657
Information
Security
Microsoft-Windows-Security-Auditing
94
Network Policy
RADIUS User assigned IP
20250
Success
RemoteAccess
Microsoft-Windows-MPRMSG
95
Network Policy
RADIUS User Authenticated
20274
Success
RemoteAccess
Microsoft-Windows-MPRMSG
96
Network Policy
RADIUS User Disconnected
20275
Success
RemoteAccess
Microsoft-Windows-MPRMSG
97
PowerShell Activities
Get-MessageTrackingLog cmdlet
800
Information
Powershell
Microsoft-Windows-Powershell
98
PowerShell Activities
Remote Connection
169
Information
Powershell
Microsoft-Windows-Powershell
99
Mobile Device Activities
Disconnect from Wireless connection
8003
Information
Microsoft-Windows-WLAN-AutoConfig/Operational
Microsoft-Windows-WLAN-AutoConfig
100
Mobile Device Activities
Starting a Wireless connection
8000, 8011
Information
Microsoft-Windows-WLAN-AutoConfig/Operational
Microsoft-Windows-WLAN-AutoConfig
101
Mobile Device Activities
Successfully connected to a Wireless connection
8001
Information
Microsoft-Windows-WLAN-AutoConfig/Operational
Microsoft-Windows-WLAN-AutoConfig
102
Mobile Device Activities
Wireless Association Status
11000, 11001
Information
Microsoft-Windows-WLAN-AutoConfig/Operational
Microsoft-Windows-WLAN-AutoConfig
103
Mobile Device Activities
Wireless Association Status
11002
Error
Microsoft-Windows-WLAN-AutoConfig/Operational
Microsoft-Windows-WLAN-AutoConfig
104
Mobile Device Activities
Wireless Authentication Started and Failed
12011, 12012
Information
Microsoft-Windows-WLAN-AutoConfig/Operational
Microsoft-Windows-WLAN-AutoConfig
105
Mobile Device Activities
Wireless Authentication Started and Failed
12013
Error
Microsoft-Windows-WLAN-AutoConfig/Operational
Microsoft-Windows-WLAN-AutoConfig
106
Mobile Device Activities
Wireless Connection Failed
8002
Error
Microsoft-Windows-WLAN-AutoConfig/Operational
Microsoft-Windows-WLAN-AutoConfig
107
Mobile Device Activities
Wireless Security Started, Stopped, Successful, or Failed
11004, 11005
Information
Microsoft-Windows-WLAN-AutoConfig/Operational
Microsoft-Windows-WLAN-AutoConfig
108
Mobile Device Activities
Wireless Security Started, Stopped, Successful, or Failed
11010, 11006
Error
Microsoft-Windows-WLAN-AutoConfig/Operational
Microsoft-Windows-WLAN-AutoConfig
109
Windows Update Errors
Windows Update Failed
20, 24, 25, 31, 34, 35
Error
Microsoft-Windows-WindowsUpdateClient/Operational
Microsoft-Windows-WindowsUpdateClient
110
Windows Firewall
Firewall Failed to load Group Policy
2009
Error
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Microsoft-Windows-Windows Firewall With Advanced Security
111
Windows Firewall
Firewall Rule Add
2004
Information
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Microsoft-Windows-Windows Firewall With Advanced Security
112
Windows Firewall
Firewall Rule Change
2005
Information
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Microsoft-Windows-Windows Firewall With Advanced Security
113
Windows Firewall
Firewall Rules Deleted
2006, 2033
Information
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Microsoft-Windows-Windows Firewall With Advanced Security
114
Windows Defender Activities
Action on Malware Failed
1008
Error
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Windows Defender
115
Windows Defender Activities
Detected Malware
1006, 1116
Warning
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Windows Defender
116
Windows Defender Activities
Failed to remove item from quarantine
1010
Error
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Windows Defender
117
Windows Defender Activities
Failed to update engine
2003
Error
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Windows Defender
118
Windows Defender Activities
Failed to update signatures
2001
Error
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Windows Defender
119
Windows Defender Activities
File Restored from Quarantine
1009
Information
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Windows Defender
120
Windows Defender Activities
Malware Removal Error
1118
Information
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Windows Defender
121
Windows Defender Activities
Malware Removal Fatal Error
1119
Error
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Windows Defender
122
Windows Defender Activities
Malware Removed
1007, 1117
Information
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Windows Defender
123
Windows Defender Activities
Real-Time Protection failed
3002
Error
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Windows Defender
124
Windows Defender Activities
Reverting to last known good set of signatures
2004
Warning
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Windows Defender
125
Windows Defender Activities
Scan Failed
1005
Error
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Windows Defender
126
Windows Defender Activities
Unexpected Error
5008
Error
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Windows Defender
127
External Media Detection
New Device Information
43
Information
Microsoft-Windows-USB-USBHUB3-Analytic
Microsoft-Windows-USB-USBHUB3
128
Network Policy
Outbound TS Connect Attempt
1024
Information
Microsoft-Windows-TerminalServices-RDPClient/Operational
Microsoft-Windows-TerminalServices-ClientActiveXCore
129
Task Scheduler Activities
New Task Registered
106
Information
Microsoft-Windows-TaskScheduler/Operational
Microsoft-Windows-TaskScheduler
130
Task Scheduler Activities
Task Deleted
141
Information
Microsoft-Windows-TaskScheduler/Operational
Microsoft-Windows-TaskScheduler
131
Task Scheduler Activities
Task Disabled
142
Information
Microsoft-Windows-TaskScheduler/Operational
Microsoft-Windows-TaskScheduler
132
Task Scheduler Activities
Task Launched
200
Information
Microsoft-Windows-TaskScheduler/Operational
Microsoft-Windows-TaskScheduler
133
Printing Services
Printing Document
307
Information
Microsoft-Windows-PrintService/Operational
Microsoft-Windows-PrintService
134
PowerShell Activities
Exception Raised
4103
Information
Microsoft-Windows-Powershell/Operational
Microsoft-Windows-Powershell
135
PowerShell Activities
Exception Raised
4104
Information
Microsoft-Windows-Powershell/Operational
Microsoft-Windows-Powershell
136
PowerShell Activities
Exception Raised
4105
Information
Microsoft-Windows-Powershell/Operational
Microsoft-Windows-Powershell
137
PowerShell Activities
Exception Raised
4106
Information
Microsoft-Windows-Powershell/Operational
Microsoft-Windows-Powershell
138
Mobile Device Activities
Network Connection and Disconnection Status (Wired and Wireless)
10000, 10001
Information
Microsoft-Windows-NetworkProfile/Operational
Microsoft-Windows-NetworkProfile
139
Account Usage
Group Assigned to new Session
300
Information
Microsoft-Windows-LSA/Operational
LsaSrv
140
External Media Detection
New Mass Storage Installation
400, 410
Information
Microsoft-Windows-Kernel-PnP/Device Configuration
Microsoft-Windows-Kernel-PnP
141
DNS/Directory Services
DNS Request/Response
256, 257
Information
Microsoft-Windows-DNSServer/Analytical
Microsoft-Windows-DNSServer
142
DNS/Directory Services
DNS Query Complete
3008
Information
Microsoft-Windows-DNS-Client/Operational
Microsoft-Windows-DNS-Client
143
DNS/Directory Services
DNS Response Complete
3020
Information
Microsoft-Windows-DNS-Client/Operational
Microsoft-Windows-DNS-Client
144
Kernel Driver Signing
Code Integrity Check
3001, 3002, 3003, 3004, 3010, 3023
Warning, Error
Microsoft-Windows-CodeIntegrity/Operational
Microsoft-Windows-CodeIntegrity
145
Certificate Services
CA Permissions Corrupted or Missing
90
Information
Microsoft-Windows-CertificationAuthority
Microsoft-Windows-CertificationAuthority
146
Microsoft Cryptography API
Cert Trust Chain Build Failed
11
Information
Microsoft-Windows-CAPI2/Operational
Microsoft-Windows-CAPI2
147
Microsoft Cryptography API
Private Key Accessed
70
Information
Microsoft-Windows-CAPI2/Operational
Microsoft-Windows-CAPI2
148
Microsoft Cryptography API
X.509 Object
90
Information
Microsoft-Windows-CAPI2/Operational
Microsoft-Windows-CAPI2
149
Application Whitelisting
Application Ran
8020
Information
Microsoft-Windows-AppLocker/Packaged app-Execution
Microsoft-Windows-AppLocker
150
Application Whitelisting
Application Installed
8023
Information
Microsoft-Windows-AppLocker/Packaged app-Deployment
Microsoft-Windows-AppLocker
151
Application Whitelisting
AppLocker Warning
8006
Error
Microsoft-Windows-AppLocker/MSI and Script
Microsoft-Windows-AppLocker
152
Application Whitelisting
AppLocker Warning
8007
Warning
Microsoft-Windows-AppLocker/MSI and Script
Microsoft-Windows-AppLocker
153
Application Whitelisting
Script or Installer ran
8005
Information
Microsoft-Windows-AppLocker/MSI and Script
Microsoft-Windows-AppLocker
154
Application Whitelisting
AppLocker Block
8002
Information
Microsoft-Windows-AppLocker/EXE and DLL
Microsoft-Windows-AppLocker
155
Application Whitelisting
AppLocker Block
8003
Error
Microsoft-Windows-AppLocker/EXE and DLL
Microsoft-Windows-AppLocker
156
Application Whitelisting
AppLocker Block
8004
Warning
Microsoft-Windows-AppLocker/EXE and DLL
Microsoft-Windows-AppLocker
157
Software and Service Installation
New Application Installation