/README.md:

# Windows-Event-Logs-With-Event-IDs
The following is a compiled list of some of the various Windows Event Logs and some of the event IDs that may be found in each log. This initial list was pulled from [Hayabusa](https://github.com/Yamato-Security/) and [Events Ripper](https://github.com/keydet89/Events-Ripper).

Please note that some of these may not be available on a system, since the source may have been disabled or auditing of the object has not been enabled. Yamato has an excellent guide on how to set up logging, which can be found [here](https://github.com/Yamato-Security/EnableWindowsLogSettings).

/windows-sources-event-ids:

## Security
- EID: 1100 - Event logging service shutdown
- EID: 1101 - Audit events dropped by transport
- EID: 1102 - Audit log cleared
- EID: 1104 - Security log is full
- EID: 1105 - Event log automatic backup
- EID: 1108 - Event logging service error
- EID: 4608 - Windows startup
- EID: 4609 - Windows shutdown
- EID: 4610 - LSA loaded an authentication package
- EID: 4611 - A trusted logon process has been registered with the Local Security Authority
- EID: 4612 - Audit message queuing resources exhausted (possible loss of logs)
- EID: 4614 - LSA loaded notification package
- EID: 4615 - Invalid use of LPC port
- EID: 4616 - System time changed
- EID: 4618 - A monitored security event pattern has occurred
- EID: 4621 - Administrator recovered system from CrashOnAuditFail
- EID: 4622 - LSA loaded security package
- EID: 4624 - Logon success
- EID: 4625 - Logon failure
- EID: 4634 - Account logoff
- EID: 4646 - IKE DoS-prevention mode started
- EID: 4647 - User initiated logoff
- EID: 4648 - Explicit logon
- EID: 4649 - Replay attack was detected
- EID: 4650 - An IPsec Main Mode security association was established
- EID: 4651 - An IPsec Main Mode security association was established
- EID: 4652 - An IPsec Main Mode negotiation failed
- EID: 4653 - An IPsec Main Mode negotiation failed
- EID: 4654 - An IPsec Quick Mode negotiation failed
- EID: 4655 - An IPsec Main Mode security association ended
- EID: 4656 - Object handle requested
- EID: 4657 - Registry value modified
- EID: 4658 - Object handle closed
- EID: 4659 - Object handle requested with intent to delete
- EID: 4660 - Object deleted
- EID: 4661 - Object handle requested
- EID: 4662 - Object operation performed
- EID: 4663 - Object access attempt
- EID: 4664 - Hard link creation attempt
- EID: 4665 - Application client context creation attempt
- EID: 4666 - Application attempted an operation
- EID: 4667 - Application client context deleted
- EID: 4668 - Application initialized
- EID: 4670 - Object permissions changed
- EID: 4671 - Application attempted to access a blocked ordinal through the TBS
- EID: 4672 - Admin logon
- EID: 4673 - Privileged service called
- EID: 4674 - Privileged object operation attempt
- EID: 4675 - SIDs filtered
- EID: 4685 - Transaction state changed
- EID: 4688 - Process created
- EID: 4689 - Process exited
- EID: 4690 - Object handle duplication attempt
- EID: 4691 - Indirect access request to object
- EID: 4692 - Backup of data protection master key attempt
- EID: 4693 - Recovery of data protection master key attempt
- EID: 4694 - Protection of auditable protected data attempt
- EID: 4695 - Unprotection of auditable protected data attempt
- EID: 4696 - Primary token assigned to process
- EID: 4697 - Service installed
- EID: 4698 - Scheduled task created
- EID: 4699 - Scheduled task deleted
- EID: 4700 - Scheduled task enabled
- EID: 4701 - Scheduled task disabled
- EID: 4702 - Scheduled task updated
- EID: 4704 - User right assigned
- EID: 4705 - User right removed
- EID: 4706 - New trust created to a domain
- EID: 4707 - Domain trust removed
- EID: 4709 - IPsec services started
- EID: 4710 - IPsec services disabled
- EID: 4711 - PAStore Engine
- EID: 4712 - IPsec services encountered a potentially serious failure
- EID: 4713 - Kerberos policy changed
- EID: 4714 - Encrypted data recovery policy changed
- EID: 4715 - Object audit policy (SACL) changed
- EID: 4716 - Trusted domain information modified
- EID: 4717 - System security access granted to an account
- EID: 4718 - System security access removed from an account
- EID: 4719 - System audit policy changed
- EID: 4720 - User account created
- EID: 4722 - User account enabled
- EID: 4723 - Account password change attempt
- EID: 4724 - Account password reset attempt
- EID: 4725 - User account disabled
- EID: 4726 - User account deleted
- EID: 4727 - Security-enabled global group created
- EID: 4728 - Member added to security-enabled global group
- EID: 4729 - Member removed from security-enabled global group
- EID: 4730 - Security-enabled global group deleted
- EID: 4731 - Security-enabled local group created
- EID: 4732 - Member added to security-enabled local group
- EID: 4733 - Member removed from security-enabled local group
- EID: 4734 - Security-enabled local group deleted
- EID: 4735 - Security-enabled local group changed
- EID: 4737 - Security-enabled global group changed
- EID: 4738 - User account changed
- EID: 4739 - Domain policy changed
- EID: 4740 - User account locked out
- EID: 4741 - Computer account created
- EID: 4742 - Computer account changed
- EID: 4743 - Computer account deleted
- EID: 4744 - Security-disabled local group created
- EID: 4745 - Security-disabled local group changed
- EID: 4746 - Member added to security-disabled local group
- EID: 4747 - Member removed from security-disabled local group
- EID: 4748 - Security-disabled local group deleted
- EID: 4749 - Security-disabled global group created
- EID: 4750 - Security-disabled global group changed
- EID: 4751 - Member added to security-disabled global group
- EID: 4752 - Member removed from security-disabled global group
- EID: 4753 - Security-disabled global group deleted
- EID: 4754 - Security-enabled universal group created
- EID: 4755 - Security-enabled universal group changed
- EID: 4756 - Member added to security-enabled universal group
- EID: 4757 - Member removed from security-enabled universal group
- EID: 4758 - Security-enabled universal group deleted
- EID: 4759 - Security-disabled universal group created
- EID: 4760 - Security-disabled universal group changed
- EID: 4761 - Member added to security-disabled universal group
- EID: 4762 - Member removed from security-disabled universal group
- EID: 4763 - Security-disabled universal group deleted
- EID: 4764 - Group type changed
- EID: 4765 - SID history added to account
- EID: 4766 - Attempt to add SID history to account failed
- EID: 4767 - User account unlocked
- EID: 4768 - Kerberos authentication ticket (TGT) requested
- EID: 4769 - Kerberos service ticket requested
- EID: 4770 - Kerberos service ticket renewed
- EID: 4771 - Kerberos pre-authentication failed
- EID: 4772 - Kerberos authentication ticket request failed
- EID: 4773 - Kerberos service ticket request failed
- EID: 4774 - Account mapped for logon
- EID: 4775 - Account could not be mapped for logon
- EID: 4776 - DC attempted to validate account credentials
- EID: 4777 - DC failed to validate account credentials
- EID: 4778 - Window station session reconnected
- EID: 4779 - Window station session disconnected
- EID: 4780 - Administrators group account's ACL set
- EID: 4781 - Account name changed
- EID: 4782 - Account password hash accessed
- EID: 4783 - Basic application group created
- EID: 4784 - Basic application group changed
- EID: 4785 - Member added to basic application group
- EID: 4786 - Member removed from basic application group
- EID: 4787 - Non-member added to basic application group
- EID: 4788 - Non-member removed from basic application group
- EID: 4789 - Basic application group deleted
- EID: 4790 - LDAP query group created
- EID: 4791 - Basic application group changed
- EID: 4792 - LDAP query group deleted
- EID: 4793 - Password policy checking API called
- EID: 4794 - Directory Services Restore Mode administrator password set attempt
- EID: 4800 - Computer locked
- EID: 4801 - Computer unlocked
- EID: 4802 - Screen saver started
- EID: 4803 - Screen saver stopped
- EID: 4816 - RPC integrity violation when decrypting an incoming message
- EID: 4817 - Object auditing settings changed
- EID: 4825 - RDP logon failed
- EID: 4864 - Namespace collision detected
- EID: 4865 - Trusted forest information entry added
- EID: 4866 - Trusted forest information entry removed
- EID: 4867 - Trusted forest information entry modified
- EID: 4868 - Certificate manager denied pending certificate request
- EID: 4869 - Certificate Services received resubmitted certificate request
- EID: 4870 - Certificate Services revoked certificate
- EID: 4871 - Certificate Services received request to publish CRL
- EID: 4872 - Certificate Services published CRL
- EID: 4873 - Certificate request extension changed
- EID: 4874 - One or more certificate request attributes changed
- EID: 4875 - Certificate Services received shutdown request
- EID: 4876 - Certificate Services backup started
- EID: 4877 - Certificate Services backup completed
- EID: 4878 - Certificate Services restore started
- EID: 4879 - Certificate Services restore completed
- EID: 4880 - Certificate Services started
- EID: 4881 - Certificate Services stopped
- EID: 4882 - Certificate Services security permissions changed
- EID: 4883 - Certificate Services retrieved archived key
- EID: 4884 - Certificate Services imported certificate into its database
- EID: 4885 - Certificate Services audit filter changed
- EID: 4886 - Certificate Services received certificate request
- EID: 4887 - Certificate Services approved certificate request and issued certificate
- EID: 4888 - Certificate Services denied certificate request
- EID: 4889 - Certificate Services set status of certificate request to pending
- EID: 4890 - Certificate Services certificate manager settings changed
- EID: 4891 - Certificate Services configuration entry changed
- EID: 4892 - Certificate Services property changed
- EID: 4893 - Certificate Services archived a key
- EID: 4894 - Certificate Services imported and archived a key
- EID: 4895 - Certificate Services published CA certificate to AD
- EID: 4896 - One or more rows have been deleted from the certificate DB
- EID: 4897 - Role separation enabled
- EID: 4898 - Certificate Services loaded a template
- EID: 4899 - Certificate Services template updated
- EID: 4900 - Certificate Services template security updated
- EID: 4902 - Per-user audit policy table created
- EID: 4904 - Attempt to register security event source
- EID: 4905 - Attempt to unregister security event source
- EID: 4906 - CrashOnAuditFail value changed
- EID: 4907 - Auditing settings on object changed
- EID: 4908 - Special groups logon table modified
- EID: 4909 - Local policy settings for TBS changed
- EID: 4910 - Group policy settings for TBS changed
- EID: 4912 - Per-user audit policy changed
- EID: 4928 - AD replica source naming context established
- EID: 4929 - AD replica source naming context removed
- EID: 4930 - AD replica source naming context modified
- EID: 4931 - AD replica destination naming context modified
- EID: 4932 - Synchronization of an AD naming context replica has started
- EID: 4933 - Synchronization of an AD naming context replica has ended
- EID: 4934 - AD object attributes were replicated
- EID: 4935 - Replication failure begins
- EID: 4936 - Replication failure ends
- EID: 4937 - A lingering object was removed from a replica
- EID: 4944 - Active policy when firewall started
- EID: 4945 - Rule listed when firewall started
- EID: 4946 - Rule added to firewall exception list
- EID: 4947 - Rule modified in firewall exception list
- EID: 4948 - Rule deleted from firewall exception list
- EID: 4949 - Firewall settings restored to default values
- EID: 4950 - Firewall setting changed
- EID: 4951 - Firewall rule ignored because major version number was not recognized
- EID: 4952 - Parts of a firewall rule ignored because its minor version number was not recognized
- EID: 4953 - Firewall rule could not be parsed
- EID: 4954 - Firewall Group Policy settings changed; new settings applied
- EID: 4956 - Firewall changed active profile
- EID: 4957 - Firewall did not apply rule
- EID: 4958 - Firewall did not apply rule because it referred to items not configured on this computer
- EID: 4960 - IPsec dropped inbound packet: integrity check failed
- EID: 4961 - IPsec dropped inbound packet: replay check failed
- EID: 4962 - IPsec dropped inbound packet: replay check failed
- EID: 4963 - IPsec dropped inbound cleartext packet that should have been secured
- EID: 4964 - Special groups assigned to new logon
- EID: 4965 - IPsec received packet from remote computer with an incorrect SPI
- EID: 4976 - IPsec received invalid negotiation packet during Main Mode negotiation
- EID: 4977 - IPsec received invalid negotiation packet during Quick Mode negotiation
- EID: 4978 - IPsec received invalid negotiation packet during Extended Mode negotiation
- EID: 4979 - IPsec Main Mode and Extended Mode SAs established
- EID: 4980 - IPsec Main Mode and Extended Mode SAs established
- EID: 4981 - IPsec Main Mode and Extended Mode SAs established
- EID: 4982 - IPsec Main Mode and Extended Mode SAs established
- EID: 4983 - IPsec Extended Mode negotiation failed
- EID: 4984 - IPsec Extended Mode negotiation failed
- EID: 4985 - State of transaction changed
- EID: 5024 - Firewall service started
- EID: 5025 - Firewall service stopped
- EID: 5027 - Firewall service unable to retrieve security policy from local storage
- EID: 5028 - Firewall service unable to parse new security policy
- EID: 5029 - Firewall service failed to initialize driver
- EID: 5030 - Firewall service failed to start
- EID: 5031 - Firewall service blocked application from accepting incoming connections
- EID: 5032 - Firewall unable to notify user that it blocked an application from accepting incoming connections
- EID: 5033 - Firewall driver started
- EID: 5034 - Firewall driver stopped
- EID: 5035 - Firewall driver failed to start
- EID: 5037 - Firewall driver critical runtime error
- EID: 5038 - Code Integrity invalid file hash
- EID: 5039 - Registry key virtualized
- EID: 5040 - IPsec settings changed: Authentication Set added
- EID: 5041 - IPsec settings changed: Authentication Set modified
- EID: 5042 - IPsec settings changed: Authentication Set deleted
- EID: 5043 - IPsec settings changed: Connection Security Rule added
- EID: 5044 - IPsec settings changed: Connection Security Rule modified
- EID: 5045 - IPsec settings changed: Connection Security Rule deleted
- EID: 5046 - IPsec settings changed: Crypto Set added
- EID: 5047 - IPsec settings changed: Crypto Set modified
- EID: 5048 - IPsec settings changed: Crypto Set deleted
- EID: 5049 - IPsec SA deleted
- EID: 5050 - Attempt to disable firewall using call to INetFwProfile
- EID: 5051 - A file was virtualized
- EID: 5056 - A cryptographic self test was performed
- EID: 5057 - A cryptographic primitive operation failed
- EID: 5058 - Key file operation
- EID: 5059 - Key migration operation
- EID: 5060 - Verification operation failed
- EID: 5061 - Cryptographic operation
- EID: 5062 - Kernel-mode cryptographic self test performed
- EID: 5063 - Cryptographic provider operation attempted
- EID: 5064 - Cryptographic context operation attempted
- EID: 5065 - Cryptographic context modification attempted
- EID: 5066 - Cryptographic function operation attempted
- EID: 5067 - Cryptographic function modification attempted
- EID: 5068 - Cryptographic function provider operation attempted
- EID: 5069 - Cryptographic function property operation attempted
- EID: 5070 - Cryptographic function property operation attempted
- EID: 5120 - OCSP responder service started
- EID: 5121 - OCSP responder service stopped
- EID: 5122 - Configuration entry changed in the OCSP responder service
- EID: 5123 - Configuration entry changed in the OCSP responder service
- EID: 5124 - Security setting updated on OCSP responder service
- EID: 5125 - Request submitted to OCSP responder service
- EID: 5126 - Signing certificate automatically updated by OCSP responder service
- EID: 5127 - OCSP revocation provider updated revocation information
- EID: 5136 - Directory service object modified
- EID: 5137 - Directory service object created
- EID: 5138 - Directory service object undeleted
- EID: 5139 - Directory service object moved
- EID: 5140 - Network share object accessed
- EID: 5141 - Directory service object deleted
- EID: 5142 - Network share object added
- EID: 5143 - Network share object modified
- EID: 5144 - Network share object deleted
- EID: 5145 - Network share object checked for client access
- EID: 5148 - Firewall has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded
- EID: 5149 - DoS attack subsided and normal processing resumed
- EID: 5150 - Firewall blocked a packet
- EID: 5151 - A more restrictive firewall filter blocked a packet
- EID: 5152 - Firewall blocked a packet
- EID: 5153 - A more restrictive firewall filter blocked a packet
- EID: 5154 - Firewall permitted an application to listen for incoming connections
- EID: 5155 - Firewall blocked an application from listening for incoming connections
- EID: 5156 - Firewall allowed a connection
- EID: 5157 - Firewall blocked a connection
- EID: 5158 - Firewall permitted local port binding
- EID: 5159 - Firewall blocked local port binding
- EID: 5168 - SPN check for SMB/SMB2 failed
- EID: 5376 - Credential Manager credentials backup
- EID: 5377 - Credential Manager credentials restore from backup
- EID: 5378 - Requested credentials delegation disallowed by policy
- EID: 5440 - Callout present when firewall base filtering engine started
- EID: 5441 - Filter present when firewall base filtering engine started
- EID: 5442 - Provider present when firewall base filtering engine started
- EID: 5443 - Provider context present when firewall base filtering engine started
- EID: 5444 - Sub-layer present when firewall base filtering engine started
- EID: 5446 - Firewall callout changed
- EID: 5447 - Firewall filter changed
- EID: 5448 - Firewall provider changed
- EID: 5449 - Firewall provider context changed
- EID: 5450 - Firewall sub-layer changed
- EID: 5451 - IPsec quick mode SA established
- EID: 5452 - IPsec quick mode SA ended
- EID: 5453 - IPsec negotiation failed because IKEEXT service is not started
- EID: 5456 - PAStore engine applied AD storage IPsec policy
- EID: 5457 - PAStore engine failed to apply AD storage IPsec policy
- EID: 5458 - PAStore engine applied locally cached copy of AD storage IPsec policy
- EID: 5459 - PAStore engine failed to apply locally cached copy of AD storage IPsec policy
- EID: 5460 - PAStore engine applied local registry storage IPsec policy
- EID: 5461 - PAStore engine failed to apply local registry storage IPsec policy
- EID: 5462 - PAStore engine failed to apply some rules of the active IPsec policy
- EID: 5463 - PAStore engine polled for changes to the active IPsec policy and detected no changes
- EID: 5464 - PAStore engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services
- EID: 5465 - PAStore engine received a control for forced reloading of IPsec policy and processed the control
- EID: 5466 - PAStore engine polled for changes to the AD IPsec policy, determined that AD cannot be reached, and will use the cached copy of the AD IPsec policy instead
- EID: 5467 - PAStore engine polled for changes to the AD IPsec policy, determined that AD can be reached, and found no changes to the policy
- EID: 5468 - PAStore engine polled for changes to the AD IPsec policy, determined that AD can be reached, found changes to the policy, and applied those changes
- EID: 5471 - PAStore engine loaded local storage IPsec policy
- EID: 5472 - PAStore engine failed to load local storage IPsec policy
- EID: 5473 - PAStore engine loaded directory storage IPsec policy
- EID: 5474 - PAStore engine failed to load directory storage IPsec policy
- EID: 5477 - PAStore engine failed to add quick mode filter
- EID: 5478 - IPsec services started
- EID: 5479 - IPsec services shutdown
- EID: 5480 - IPsec services failed to get the complete list of network interfaces
- EID: 5483 - IPsec services failed to initialize RPC server and could not be started
- EID: 5484 - IPsec services shut down due to critical failure
- EID: 5485 - IPsec services failed to process some IPsec filters on a PnP event for network interfaces
- EID: 6144 - Security policy GPO applied
- EID: 6145 - One or more errors occurred while processing security policy GPO
- EID: 6272 - Network Policy Server granted user access
- EID: 6273 - Network Policy Server denied user access
- EID: 6274 - Network Policy Server discarded user request
- EID: 6275 - Network Policy Server discarded user accounting request
- EID: 6276 - Network Policy Server quarantined a user
- EID: 6277 - Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy
- EID: 6278 - Network Policy Server granted full access to a user because the host met the defined health policy
- EID: 6279 - Network Policy Server locked the user account due to repeated failed authentication attempts
- EID: 6280 - Network Policy Server unlocked user account
- EID: 6281 - Code Integrity determined that the page hashes of an image file are not valid
- EID: 6400 - BranchCache: Received an incorrectly formatted response while discovering availability of content
- EID: 6401 - BranchCache: Received invalid data from a peer; data discarded
- EID: 6402 - BranchCache: The message to the hosted cache offering it data is incorrectly formatted
- EID: 6403 - BranchCache: The hosted cache sent an incorrectly formatted response to the client
- EID: 6404 - BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate
- EID: 6405 - BranchCache: %2 instance(s) of event id %1 occurred
- EID: 6406 - %1 registered to firewall to control filtering for the following: %2
- EID: 6407 - No info
- EID: 6408 - Registered product %1 failed and firewall is now controlling the filtering for %2
- EID: 6410 - Code integrity determined that a file does not meet the security requirements to load into a process

## System
- EID: 6 - New kernel filter driver
- EID: 27 - KDC encryption type configuration
- EID: 16 - Kerberos key integrity
- EID: 19 - Windows Update installed
- EID: 104 - Event log cleared
- EID: 1001 - BSOD
- EID: 1022 - New MSI file installed
- EID: 1033 - New MSI file installed
- EID: 1125 - Group Policy internal error
- EID: 1127 - Group Policy generic internal error
- EID: 1129 - Group Policy application failed due to connectivity
- EID: 7022 - Windows service fail or crash
- EID: 7023 - Windows service fail or crash
- EID: 7024 - Windows service fail or crash
- EID: 7026 - Windows service fail or crash
- EID: 7031 - Windows service fail or crash
- EID: 7032 - Windows service fail or crash
- EID: 7034 - Windows service fail or crash
- EID: 7035 - The %1 service was successfully sent a %2 control
- EID: 7036 - The service entered the running/stopped state
- EID: 7030 - The service is marked as an interactive service but the system is configured to not allow interactive services
- EID: 7040 - Service start type changed
- EID: 7045 - New Windows service
- EID: 10028 - DCOM failed to communicate with a remote node due to invalid creds or invalid WMI namespace

## Microsoft-Windows-Sysmon/Operational
- EID: 1 - Process Creation
- EID: 2 - File Creation Timestamp Changed (Possible Timestomping)
- EID: 3 - Network Connection
- EID: 4 - Sysmon Service State Changed
- EID: 5 - Process Terminated
- EID: 6 - Driver Loaded
- EID: 7 - Image Loaded
- EID: 8 - Remote Thread Created (Possible Code Injection)
- EID: 9 - Raw Access Read
- EID: 10 - Process Access
- EID: 11 - File Creation or Overwrite
- EID: 12 - Registry Object Created/Deleted
- EID: 13 - Registry Value Set
- EID: 14 - Registry Key or Value Rename
- EID: 15 - Alternate Data Stream Created
- EID: 16 - Sysmon Service Configuration Changed
- EID: 17 - Named Pipe Created
- EID: 18 - Named Pipe Connection
- EID: 19 - WmiEventFilter Activity
- EID: 20 - WmiEventConsumer Activity
- EID: 21 - WmiEventConsumerToFilter Activity
- EID: 22 - DNS Query
- EID: 23 - Deleted File Archived
- EID: 24 - Clipboard Changed
- EID: 25 - Process Tampering (Possible Process Hollowing or Herpaderping)
- EID: 26 - File Deleted
- EID: 27 - Executable File Write Blocked
- EID: 255 - Sysmon Error

## Microsoft-Windows-Windows Defender/Operational
- EID: 1005 - Scan failed
- EID: 1006 - Detected malware
- EID: 1008 - Action on malware failed
- EID: 1010 - Failed to remove item from quarantine
- EID: 2001 - Failed to update signatures
- EID: 2003 - Failed to update engine
- EID: 2004 - Reverting to last known good set of signatures
- EID: 3002 - Real-time protection failed
- EID: 5008 - Unexpected error

## Microsoft-Windows-PowerShell/Operational
- EID: 4103 - Module logging - Executing Pipeline
- EID: 4104 - Script Block Logging
- EID: 4105 - CommandStart started
- EID: 4106 - CommandStart stopped

## Microsoft-Windows-WinRM/Operational
- EID: 6 - Creating WSMan session on client
- EID: 81 - Processing client request for operation CreateShell
- EID: 82 - Entering the plugin for operation CreateShell with a ResourceURI
- EID: 134 - Sending response for operation CreateShell
- EID: 169 - Creating WSMan session on server

## Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
- EID: 21 - Shell start notification received
- EID: 23 - Session logoff
- EID: 24 - Session disconnected

## Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
- EID: 1149 - User authentication

## Microsoft-Windows-Bits-Client/Operational
- EID: 3 - BITS client job created
- EID: 59 - BITS client transfer job started

## Microsoft-Windows-TaskScheduler/Operational
- EID: 106 - Task scheduled

## Microsoft-Windows-Application-Experience/Program-Inventory
- EID: 800 - Summary of software activities
- EID: 903 - New application installed
- EID: 904 - New application installed
- EID: 905 - Updated application
- EID: 906 - Updated application
- EID: 907 - Removed application
- EID: 908 - Removed application

## Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
- EID: 2004 - Firewall rule added
- EID: 2005 - Firewall rule changed
- EID: 2006 - Firewall rule deleted
- EID: 2033 - Firewall rule deleted
- EID: 2009 - Firewall failed to load Group Policy