Detect User-Mode drivers loaded - for potential BadUSB detection.
EventID=2004
EventLog Diagnostics
1100: The event logging service has shut down.
1104: The security log is now full.
1105: Event log automatic backup.
1108: The event logging service encountered an error while processing an incoming event published from %1
Explicit Login Credentials
Microsoft-Windows-Security-Auditing
(Level=4 or Level=0) and EventID=4648 and EventData[Data[@Name='ProcessName']!='C:\Windows\System32\taskhost.exe']
Firewall Events
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
4944: The following policy was active when the Windows Firewall started.
4945: A rule was listed when the Windows Firewall started.
4946: A change has been made to Windows Firewall exception list. A rule was added.
4947: A change has been made to Windows Firewall exception list. A rule was modified.
4948: A change has been made to Windows Firewall exception list. A rule was deleted.
4949: Windows Firewall settings were restored to the default values.
4950: A Windows Firewall setting has changed.
4951: A rule has been ignored because its major version number was not recognized by Windows Firewall.
4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
4953: A rule has been ignored by Windows Firewall because it could not parse the rule.
4954: Windows Firewall Group Policy settings have changed. The new settings have been applied.
4956: Windows Firewall has changed the active profile.
4957: Windows Firewall did not apply the following rule
4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
Security Log
5024: The Windows Firewall Service has started successfully.
5025: The Windows Firewall Service has been stopped.
5027: The Windows Firewall Service was unable to retrieve the security policy from local storage. The service will continue enforcing the current policy.
5028: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
5030: The Windows Firewall Service failed to start.
5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
5033: The Windows Firewall Driver has started successfully.
5034: The Windows Firewall Driver was stopped.
5035: The Windows Firewall Driver failed to start.
5037: The Windows Firewall Driver detected critical runtime error. Terminating.
External Devices Log
Security
6416: A new external device was recognized by the System.
6419: A request was made to disable a device.
6420: A device was disabled.
6421: A request was made to enable a device.
6422: A device was enabled.
6423: The installation of this device is forbidden by system policy.
6424: The installation of this device was allowed after having previously been forbidden by policy.
Microsoft-Windows-USB-USBHUB3-Analytic
Level=4 and EventID=43
EventData[Data[@Name='fid_DeviceDescription']='USB Mass Storage Device']
Microsoft-Windows-Kernel-PnP/Configuration
400, 410: New Mass Storage Device Installation
Level=4 and (EventID=400 or EventID=410) and EventData[Data[@Name='DriverName']='usbstor.inf']
GPO logs
Microsoft-Windows-GroupPolicy
Level=2 and (EventID=1085 or EventID=1125 or EventID=1127 or EventID=1129)
1085: Application of Group Policy failures
1125: Group Policy Service
1127: Group Policy Service
1129: Group Policy Preprocessing Networking
Security
6144: Security policy in the group policy objects has been applied successfully.
6145: One or more errors occurred while processing security policy in the group policy object.
Kerberos
Security
4768 - A Kerberos authentication ticket (TGT) was requested
4769 - A Kerberos service ticket was requested
4770 - A Kerberos service ticket was renewed
4771 - A Kerberos pre-authentication failed.
4772 - A Kerberos authentication ticket request failed.
4773 - A Kerberos service ticket request failed.
LOG Deletion
Security
1102: Security Log File Cleared
System
104: Log File Cleared
Object Manipulation
Security
4715: The audit policy (SACL) on an object was changed.
4817: Auditing settings on object were changed.
4656: A handle to an object was requested.
4658: The handle to an object was closed.
4660: An object was deleted.
4663: An attempt was made to access an object.
4670: Permissions on an object were changed.
Operating System
System
41: The system has rebooted without cleanly shutting down first
1001: Application crashes, hangs, and generic reports
4621: Administrator recovered system from CrashOnAuditFail.
6008: The previous system shutdown was unexpected.
1074: Shutdown initiate requests, with user, process and reason (if supplied)
12: System startup (12 - includes OS/SP/Version) and shutdown
16962: A remote call to the SAM database has been denied
16965: Remote calls to the SAM database have been denied in the past 900 seconds throttling window
16968: The following client would have been normally been denied access to the SAM database
16969: Remote calls to the SAM database are being restricted using the default security descriptor
16965: is enabled via a registry key
Security
4719: System audit policy was changed.
4817: A trusted logon process has been registered with the Local Security Authority.
4902: The Per-user audit policy table was created.
4906: The CrashOnAuditFail value has changed.
4908: Special Groups Logon table modified.
4912: Per User Audit Policy was changed.
4904: An attempt was made to register a security event source.
4905: An attempt was made to unregister a security event source.
4610: An authentication package has been loaded by the Local Security Authority.
4611: A trusted logon process has been registered with the Local Security Authority.
4614: A notification package has been loaded by the Security Account Manager.
4622: A security package has been loaded by the Local Security Authority.
4697: A service was installed in the system.
4817: Auditing settings on object were changed.
4826: Boot Configuration Data loaded.
4608: Windows is starting up
Microsoft-Windows-SMBServer/Audit
3000: Client attempted to use SMBv1
Privilege Use
Security
4673: A privileged service was called.
4674: An operation was attempted on a privileged object.
4985: The state of a transaction has changed.
Process execution
Security
4688: Process Created
4699: Process Terminated
Registry
Security
4657: A registry value was modified (filtered on the OperationType field)
EventID=4657 and EventData[Data[@Name='OperationType']='%%1904' or Data[@Name='OperationType']='%%1905' or Data[@Name='OperationType']='%%1906']
1904: New Registry Value created
1905: Existing Registry Value modified
1906: Registry Value Deleted
Services
System
Level=0 or Level=1 or Level=2 or Level=3 or Level=4
7022: The service hung on starting
7023: The service terminated with the following error
7024: The service terminated with service-specific error
7026: The following boot-start or system-start driver(s) failed to load
7031: The service terminated unexpectedly. It has done this x time(s).
7040: Service Start Type Changed
7045: Service Installed
Network Shares
Security
5140: Network share object access
5142: Network Share create
5144: Network Share Delete
5145: A network share object was checked to see whether client can be granted desired access