├── images ├── readme.MD ├── KnownEvents.png ├── Intune_Apps_GUIDs_to_real_names.png ├── Intune_script_GUIDs_to_real_names.png └── 365_days_trend_WindowsUpdates_install.png ├── v1.0 ├── readme.MD ├── Get-WindowsTroubleshootingReportCommunity_v1.0.zip ├── EventRules │ ├── EventRules-Windows - Licensing Error.json │ ├── EventRules-Windows Defender - PUA detected.json │ ├── EventRules-Windows Defender - Attack Surface Rules (ASR).json │ ├── EventRules-Intune - MDM - PolicyManager Errors and Warnings.json │ ├── EventRules-Intune - CustomInventory.json │ ├── EventRules-Intune - MDM Error Events 404.json │ ├── EventRules-Intune - IME Agent.json │ ├── EventRules-Windows - PowerShell logging.json │ ├── EventRules-Intune - Windows Activation KMS.json │ ├── EventRules-Windows - ScheduledTasks.json │ ├── EventRules-Intune - IME Autopilot.json │ ├── EventRules-Intune - IME Remediation scripts.json │ ├── EventRules_Example Rules.json │ ├── EventRules-Windows - Bitlocker.json │ ├── EventRules-Windows - LogonLogoff.json │ ├── EventRules-Windows - ApplicationInstallation MSI.json │ ├── EventRules-Intune - IME PowerShell scripts.json │ ├── EventRules-Windows - Updates.json │ ├── EventRules-Intune - IME Applications.json │ ├── EventRules-Windows Defender - Malware detected.json │ ├── EventRules-Intune - MDM Sync.json │ ├── EventRules-Intune - MDM Sync OLD LOCATION.json │ ├── EventRules-Intune - MDM Enrollment.json │ ├── EventRules-Intune - MDM Enrollment OLD LOCATION.json │ ├── EventRules-ConfigMgr.json │ ├── EventRules-Windows - LAPS.json │ ├── EventRules-Windows - PowerManagement.json │ └── EventRules-Intune - MDM Autopilot ESP.json ├── Procmon │ └── Add Procmon traces here.txt ├── KnownGUIDs │ ├── Get-MSI-Apps-GUIDs-and-Names-from-local-registry.ps1 │ └── KnownGUIDs-ASR.json └── Create-EventRules-GUI-HelperTool.ps1 ├── v1.1 ├── README.md ├── EventRules │ ├── EventRules-Windows Error Reporting.json │ ├── EventRules-Windows - Licensing Error.json │ ├── EventRules-Windows Defender - PUA detected.json │ ├── EventRules-Windows Defender - Attack Surface Rules (ASR).json │ ├── EventRules-Intune - MDM - PolicyManager Errors and Warnings.json │ ├── EventRules-Intune - CustomInventory.json │ ├── EventRules-Intune - MDM Error Events 404.json │ ├── EventRules-Intune - IME Agent.json │ ├── EventRules-Windows - PowerShell logging.json │ ├── EventRules-Intune - Windows Activation KMS.json │ ├── EventRules-Windows - ScheduledTasks.json │ ├── EventRules-Intune - IME Autopilot.json │ ├── EventRules_Example Rules.json │ ├── EventRules-Windows - Bitlocker.json │ ├── EventRules-Windows - LogonLogoff.json │ ├── EventRules-Intune - IME PowerShell scripts.json │ ├── EventRules-Windows - Updates.json │ ├── EventRules-Windows - Application Installations.json │ ├── EventRules-Windows Defender - Malware detected.json │ ├── EventRules-Intune - MDM Sync.json │ ├── EventRules-Intune - IME Remediation scripts.json │ ├── EventRules-Intune - MDM Sync OLD LOCATION.json │ ├── EventRules-Intune - IME Applications.json │ ├── EventRules-Intune - MDM Enrollment.json │ ├── EventRules-Intune - MDM Enrollment OLD LOCATION.json │ ├── EventRules-ConfigMgr.json │ ├── EventRules-Windows - LAPS.json │ ├── EventRules-Windows - PowerManagement.json │ └── EventRules-Intune - MDM Autopilot ESP.json ├── Get-WindowsTroubleshootingReportCommunity_v1.1.zip ├── KnownGUIDs │ ├── Get-MSI-Apps-GUIDs-and-Names-from-local-registry.ps1 │ └── KnownGUIDs-ASR.json └── Create-EventRules-GUI-HelperTool.ps1 ├── Get-WindowsTroubleshootingReportCommunity_v1.0.zip ├── DeveloperVersion ├── Get-WindowsTroubleshootingReportCommunity_v1.01_DEV.zip └── readme.MD ├── LICENSE.md └── README.md /images/readme.MD: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /v1.0/readme.MD: -------------------------------------------------------------------------------- 1 | Version 1.0 release folder 2 | -------------------------------------------------------------------------------- /v1.1/README.md: -------------------------------------------------------------------------------- 1 | Version 1.1 release folder 2 | -------------------------------------------------------------------------------- /images/KnownEvents.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/petripaavola/Get-WindowsTroubleshootingReportCommunity/HEAD/images/KnownEvents.png -------------------------------------------------------------------------------- /images/Intune_Apps_GUIDs_to_real_names.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/petripaavola/Get-WindowsTroubleshootingReportCommunity/HEAD/images/Intune_Apps_GUIDs_to_real_names.png -------------------------------------------------------------------------------- /images/Intune_script_GUIDs_to_real_names.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/petripaavola/Get-WindowsTroubleshootingReportCommunity/HEAD/images/Intune_script_GUIDs_to_real_names.png -------------------------------------------------------------------------------- /images/365_days_trend_WindowsUpdates_install.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/petripaavola/Get-WindowsTroubleshootingReportCommunity/HEAD/images/365_days_trend_WindowsUpdates_install.png -------------------------------------------------------------------------------- /Get-WindowsTroubleshootingReportCommunity_v1.0.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/petripaavola/Get-WindowsTroubleshootingReportCommunity/HEAD/Get-WindowsTroubleshootingReportCommunity_v1.0.zip -------------------------------------------------------------------------------- /v1.0/Get-WindowsTroubleshootingReportCommunity_v1.0.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/petripaavola/Get-WindowsTroubleshootingReportCommunity/HEAD/v1.0/Get-WindowsTroubleshootingReportCommunity_v1.0.zip -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Windows Error Reporting.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/petripaavola/Get-WindowsTroubleshootingReportCommunity/HEAD/v1.1/EventRules/EventRules-Windows Error Reporting.json -------------------------------------------------------------------------------- /v1.1/Get-WindowsTroubleshootingReportCommunity_v1.1.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/petripaavola/Get-WindowsTroubleshootingReportCommunity/HEAD/v1.1/Get-WindowsTroubleshootingReportCommunity_v1.1.zip -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Windows - Licensing Error.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/petripaavola/Get-WindowsTroubleshootingReportCommunity/HEAD/v1.0/EventRules/EventRules-Windows - Licensing Error.json -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Windows - Licensing Error.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/petripaavola/Get-WindowsTroubleshootingReportCommunity/HEAD/v1.1/EventRules/EventRules-Windows - Licensing Error.json -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Windows Defender - PUA detected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/petripaavola/Get-WindowsTroubleshootingReportCommunity/HEAD/v1.0/EventRules/EventRules-Windows Defender - PUA detected.json -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Windows Defender - PUA detected.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/petripaavola/Get-WindowsTroubleshootingReportCommunity/HEAD/v1.1/EventRules/EventRules-Windows Defender - PUA detected.json -------------------------------------------------------------------------------- /DeveloperVersion/Get-WindowsTroubleshootingReportCommunity_v1.01_DEV.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/petripaavola/Get-WindowsTroubleshootingReportCommunity/HEAD/DeveloperVersion/Get-WindowsTroubleshootingReportCommunity_v1.01_DEV.zip -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Windows Defender - Attack Surface Rules (ASR).json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/petripaavola/Get-WindowsTroubleshootingReportCommunity/HEAD/v1.0/EventRules/EventRules-Windows Defender - Attack Surface Rules (ASR).json -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Windows Defender - Attack Surface Rules (ASR).json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/petripaavola/Get-WindowsTroubleshootingReportCommunity/HEAD/v1.1/EventRules/EventRules-Windows Defender - Attack Surface Rules (ASR).json -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Intune - MDM - PolicyManager Errors and Warnings.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/petripaavola/Get-WindowsTroubleshootingReportCommunity/HEAD/v1.0/EventRules/EventRules-Intune - MDM - PolicyManager Errors and Warnings.json -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Intune - MDM - PolicyManager Errors and Warnings.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/petripaavola/Get-WindowsTroubleshootingReportCommunity/HEAD/v1.1/EventRules/EventRules-Intune - MDM - PolicyManager Errors and Warnings.json -------------------------------------------------------------------------------- /v1.0/Procmon/Add Procmon traces here.txt: -------------------------------------------------------------------------------- 1 | Sysinternals Procmon trace processing is working but it is experimental feature. 2 | 3 | Challenge is that the report get huge with just a really short time range in Procmon trace. 4 | 5 | But here it is still though! :) 6 | -------------------------------------------------------------------------------- /DeveloperVersion/readme.MD: -------------------------------------------------------------------------------- 1 | # Current Development versions are published here 2 | 3 | These version should fully work and they include new features. 4 | They may not be 100% polished so that's why it is still here in Developer Section 5 | 6 | ## Current Developer version is 1.01 7 | 8 | 📦 [**Download Developer version v1.01**](./Get-WindowsTroubleshootingReportCommunity_v1.01_DEV.zip) 9 | -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Intune - CustomInventory.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - Custom Inventory", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - Custom Inventory", 7 | "LogType": ".log", 8 | "LogFileName": "IntuneInventoryHarvesterLog.log", 9 | "Message": "Data successfully uploaded.", 10 | "ToolTipText": "", 11 | "Color": "Green", 12 | "DeveloperNotes": "", 13 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 14 | "LinkToBlogArticle": null 15 | } 16 | ] 17 | } 18 | ] -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Intune - CustomInventory.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - Custom Inventory", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - Custom Inventory", 7 | "LogType": ".log", 8 | "LogFileName": "IntuneInventoryHarvesterLog.log", 9 | "Message": "Data successfully uploaded.", 10 | "ToolTipText": "", 11 | "Color": "Green", 12 | "DeveloperNotes": "", 13 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 14 | "LinkToBlogArticle": null 15 | } 16 | ] 17 | } 18 | ] -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Intune - MDM Error Events 404.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - MDM Failed policies 404", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - MDM Failed policies 404", 7 | "LogType": ".evtx", 8 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 9 | "Id": 404, 10 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "Error with Intune MDM policies!", 14 | "Color": "Red", 15 | "DeveloperNotes": "Error: MDM ConfigurationManager: Command failure status. ", 16 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 17 | "LinkToBlogArticle": null 18 | } 19 | ] 20 | } 21 | ] -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Intune - MDM Error Events 404.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - MDM Failed policies 404", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - MDM Failed policies 404", 7 | "LogType": ".evtx", 8 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 9 | "Id": 404, 10 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "Error with Intune MDM policies!", 14 | "Color": "Red", 15 | "DeveloperNotes": "Error: MDM ConfigurationManager: Command failure status. ", 16 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 17 | "LinkToBlogArticle": null 18 | } 19 | ] 20 | } 21 | ] -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Intune - IME Agent.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - IME Agent Start-Stop", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - IME Agent Start-Stop", 7 | "LogType": ".log", 8 | "LogFileName": "IntuneManagementExtension.log", 9 | "Message": "EMS Agent Started", 10 | "ToolTipText": "", 11 | "Color": "Yellow", 12 | "DeveloperNotes": "", 13 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 14 | "LinkToBlogArticle": "" 15 | }, 16 | { 17 | "CategoryName": "Intune - IME Agent Start-Stop", 18 | "LogType": ".log", 19 | "LogFileName": "IntuneManagementExtension.log", 20 | "Message": "EMS Agent Stopped", 21 | "ToolTipText": "", 22 | "Color": "Yellow", 23 | "DeveloperNotes": "", 24 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 25 | "LinkToBlogArticle": "" 26 | } 27 | ] 28 | } 29 | ] -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Intune - IME Agent.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - IME Agent Start-Stop", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - IME Agent Start-Stop", 7 | "LogType": ".log", 8 | "LogFileName": "IntuneManagementExtension.log", 9 | "Message": "EMS Agent Started", 10 | "ToolTipText": "", 11 | "Color": "Yellow", 12 | "DeveloperNotes": "", 13 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 14 | "LinkToBlogArticle": "" 15 | }, 16 | { 17 | "CategoryName": "Intune - IME Agent Start-Stop", 18 | "LogType": ".log", 19 | "LogFileName": "IntuneManagementExtension.log", 20 | "Message": "EMS Agent Stopped", 21 | "ToolTipText": "", 22 | "Color": "Yellow", 23 | "DeveloperNotes": "", 24 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 25 | "LinkToBlogArticle": "" 26 | } 27 | ] 28 | } 29 | ] -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Windows - PowerShell logging.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Windows - Powershell logging", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Windows - Powershell logging", 7 | "LogType": ".evtx", 8 | "Channel": "Microsoft-Windows-PowerShell/Operational", 9 | "Id": 4100, 10 | "ProviderName": "Microsoft-Windows-PowerShell", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "Running Powershell script", 14 | "DeveloperNotes": "This shows that Powershell script is running without showing Powershell code" 15 | }, 16 | { 17 | "CategoryName": "Windows - Powershell logging", 18 | "LogType": ".evtx", 19 | "Channel": "Microsoft-Windows-PowerShell/Operational", 20 | "Id": 4104, 21 | "ProviderName": "Microsoft-Windows-PowerShell", 22 | "IncludeEventXMLDataInMessage": false, 23 | "IncludeEventXMLDataInToolTip": false, 24 | "ToolTipText": "Running Powershell script block", 25 | "DeveloperNotes": "This shows actual Powershell code that is running" 26 | } 27 | ] 28 | } 29 | ] -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Windows - PowerShell logging.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Windows - Powershell logging", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Windows - Powershell logging", 7 | "LogType": ".evtx", 8 | "Channel": "Microsoft-Windows-PowerShell/Operational", 9 | "Id": 4100, 10 | "ProviderName": "Microsoft-Windows-PowerShell", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "Running Powershell script", 14 | "DeveloperNotes": "This shows that Powershell script is running without showing Powershell code" 15 | }, 16 | { 17 | "CategoryName": "Windows - Powershell logging", 18 | "LogType": ".evtx", 19 | "Channel": "Microsoft-Windows-PowerShell/Operational", 20 | "Id": 4104, 21 | "ProviderName": "Microsoft-Windows-PowerShell", 22 | "IncludeEventXMLDataInMessage": false, 23 | "IncludeEventXMLDataInToolTip": false, 24 | "ToolTipText": "Running Powershell script block", 25 | "DeveloperNotes": "This shows actual Powershell code that is running" 26 | } 27 | ] 28 | } 29 | ] -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | SPDX-License-Identifier: MIT 2 | 3 | MIT License 4 | 5 | Copyright (c) 2025 Petri Paavola 6 | 7 | Permission is hereby granted, free of charge, to any person obtaining a copy 8 | of this software and associated documentation files (the "Software"), to deal 9 | in the Software without restriction, including without limitation the rights 10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 11 | copies of the Software, and to permit persons to whom the Software is 12 | furnished to do so, subject to the following conditions: 13 | 14 | The above copyright notice and this permission notice shall be included in all 15 | copies or substantial portions of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 23 | SOFTWARE. 24 | -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Intune - Windows Activation KMS.json: -------------------------------------------------------------------------------- 1 | { 2 | "CategoryName": "Windows - Activation KMS", 3 | "KnownEventRules": [ 4 | { 5 | "CategoryName": "Windows - Activation KMS", 6 | "LogType": ".evtx", 7 | "Channel": "Application", 8 | "Id": 12288, 9 | "ProviderName": "Security-SPP", 10 | "IncludeEventXMLDataInMessage": false, 11 | "IncludeEventXMLDataInToolTip": false, 12 | "ToolTipText": "", 13 | "Color": "", 14 | "DeveloperNotes": "The client has sent an activation request to the key management service machine", 15 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 16 | "LinkToBlogArticle": "https://learn.microsoft.com/en-us/windows-server/get-started/activation-troubleshoot-kms-general" 17 | }, 18 | { 19 | "CategoryName": "Windows - Activation KMS", 20 | "LogType": ".evtx", 21 | "Channel": "Application", 22 | "Id": 12289, 23 | "ProviderName": "Security-SPP", 24 | "IncludeEventXMLDataInMessage": false, 25 | "IncludeEventXMLDataInToolTip": false, 26 | "ToolTipText": "", 27 | "Color": "Yellow", 28 | "DeveloperNotes": "The client has processed an activation response from the key management service machine", 29 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 30 | "LinkToBlogArticle": "https://learn.microsoft.com/en-us/windows-server/get-started/activation-troubleshoot-kms-general" 31 | } 32 | ] 33 | } -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Intune - Windows Activation KMS.json: -------------------------------------------------------------------------------- 1 | { 2 | "CategoryName": "Windows - Activation KMS", 3 | "KnownEventRules": [ 4 | { 5 | "CategoryName": "Windows - Activation KMS", 6 | "LogType": ".evtx", 7 | "Channel": "Application", 8 | "Id": 12288, 9 | "ProviderName": "Security-SPP", 10 | "IncludeEventXMLDataInMessage": false, 11 | "IncludeEventXMLDataInToolTip": false, 12 | "ToolTipText": "", 13 | "Color": "", 14 | "DeveloperNotes": "The client has sent an activation request to the key management service machine", 15 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 16 | "LinkToBlogArticle": "https://learn.microsoft.com/en-us/windows-server/get-started/activation-troubleshoot-kms-general" 17 | }, 18 | { 19 | "CategoryName": "Windows - Activation KMS", 20 | "LogType": ".evtx", 21 | "Channel": "Application", 22 | "Id": 12289, 23 | "ProviderName": "Security-SPP", 24 | "IncludeEventXMLDataInMessage": false, 25 | "IncludeEventXMLDataInToolTip": false, 26 | "ToolTipText": "", 27 | "Color": "Yellow", 28 | "DeveloperNotes": "The client has processed an activation response from the key management service machine", 29 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 30 | "LinkToBlogArticle": "https://learn.microsoft.com/en-us/windows-server/get-started/activation-troubleshoot-kms-general" 31 | } 32 | ] 33 | } -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Windows - ScheduledTasks.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Windows - Scheduled Tasks", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Scheduled Tasks", 7 | "LogType": "ScheduledTasks", 8 | "Channel": "Scheduled Tasks", 9 | "Id": 0, 10 | "ProviderName": "Scheduled Tasks", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "", 14 | "Color": "", 15 | "DeveloperNotes": "DO NOT REMOVE ME! Internal CategoryName so you can Include or Exclude Scheduled Tasks from report", 16 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 17 | "LinkToBlogArticle": null 18 | } 19 | ] 20 | }, 21 | { 22 | "CategoryName": "Windows - Scheduled Tasks Future", 23 | "KnownEventRules": [ 24 | { 25 | "CategoryName": "Scheduled Tasks Future", 26 | "LogType": "ScheduledTasks", 27 | "Channel": "Scheduled Tasks Future", 28 | "Id": 0, 29 | "ProviderName": "Scheduled Tasks Future", 30 | "IncludeEventXMLDataInMessage": false, 31 | "IncludeEventXMLDataInToolTip": false, 32 | "ToolTipText": "", 33 | "Color": "", 34 | "DeveloperNotes": "DO NOT REMOVE ME! Internal CategoryName so you can Include or Exclude Scheduled Tasks Future from report", 35 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 36 | "LinkToBlogArticle": null 37 | } 38 | ] 39 | } 40 | ] -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Windows - ScheduledTasks.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Windows - Scheduled Tasks", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Windows - Scheduled Tasks", 7 | "LogType": "ScheduledTasks", 8 | "Channel": "Scheduled Tasks", 9 | "Id": 0, 10 | "ProviderName": "Scheduled Tasks", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "", 14 | "Color": "", 15 | "DeveloperNotes": "DO NOT REMOVE ME! Internal CategoryName so you can Include or Exclude Scheduled Tasks from report", 16 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 17 | "LinkToBlogArticle": null 18 | } 19 | ] 20 | }, 21 | { 22 | "CategoryName": "Windows - Scheduled Tasks Future", 23 | "KnownEventRules": [ 24 | { 25 | "CategoryName": "Scheduled Tasks Future", 26 | "LogType": "ScheduledTasks", 27 | "Channel": "Scheduled Tasks Future", 28 | "Id": 0, 29 | "ProviderName": "Scheduled Tasks Future", 30 | "IncludeEventXMLDataInMessage": false, 31 | "IncludeEventXMLDataInToolTip": false, 32 | "ToolTipText": "", 33 | "Color": "", 34 | "DeveloperNotes": "DO NOT REMOVE ME! Internal CategoryName so you can Include or Exclude Scheduled Tasks Future from report", 35 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 36 | "LinkToBlogArticle": null 37 | } 38 | ] 39 | } 40 | ] -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Intune - IME Autopilot.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - IME Autopilot Device Preparation", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - IME AutopilotDevicePreparation", 7 | "LogType": ".log", 8 | "LogFileName": "IntuneManagementExtension.log", 9 | "Message": "[APv2] Device is in APv2 mode: True.", 10 | "ToolTipText": "", 11 | "Color": "Yellow", 12 | "DeveloperNotes": "", 13 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 14 | "LinkToBlogArticle": "" 15 | }, 16 | { 17 | "CategoryName": "Intune - IME AutopilotDevicePreparation", 18 | "LogType": ".log", 19 | "LogFileName": "IntuneManagementExtension.log", 20 | "Message": "[APv2] Attempting to disable APv2 mode for device.", 21 | "ToolTipText": "", 22 | "Color": "Yellow", 23 | "DeveloperNotes": "", 24 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 25 | "LinkToBlogArticle": "" 26 | }, 27 | { 28 | "CategoryName": "Intune - IME AutopilotDevicePreparation", 29 | "LogType": ".log", 30 | "LogFileName": "IntuneManagementExtension.log", 31 | "Message": "[APv2] Successfully disabled APv2 mode.", 32 | "ToolTipText": "", 33 | "Color": "Yellow", 34 | "DeveloperNotes": "", 35 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 36 | "LinkToBlogArticle": "" 37 | } 38 | ] 39 | } 40 | ] -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Intune - IME Autopilot.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - IME Autopilot Device Preparation", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - IME AutopilotDevicePreparation", 7 | "LogType": ".log", 8 | "LogFileName": "IntuneManagementExtension.log", 9 | "Message": "[APv2] Device is in APv2 mode: True.", 10 | "ToolTipText": "", 11 | "Color": "Yellow", 12 | "DeveloperNotes": "", 13 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 14 | "LinkToBlogArticle": "" 15 | }, 16 | { 17 | "CategoryName": "Intune - IME AutopilotDevicePreparation", 18 | "LogType": ".log", 19 | "LogFileName": "IntuneManagementExtension.log", 20 | "Message": "[APv2] Attempting to disable APv2 mode for device.", 21 | "ToolTipText": "", 22 | "Color": "Yellow", 23 | "DeveloperNotes": "", 24 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 25 | "LinkToBlogArticle": "" 26 | }, 27 | { 28 | "CategoryName": "Intune - IME AutopilotDevicePreparation", 29 | "LogType": ".log", 30 | "LogFileName": "IntuneManagementExtension.log", 31 | "Message": "[APv2] Successfully disabled APv2 mode.", 32 | "ToolTipText": "", 33 | "Color": "Yellow", 34 | "DeveloperNotes": "", 35 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 36 | "LinkToBlogArticle": "" 37 | } 38 | ] 39 | } 40 | ] -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Intune - IME Remediation scripts.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - IME Remediation scripts - 1. Start", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - IME Remediation scripts - 1. Start", 7 | "LogType": ".log", 8 | "LogFileName": "healthscripts.log", 9 | "Message": "[HS] Processing policy with id =", 10 | "ToolTipText": "Intune Remediation or custom compliance check script start entry", 11 | "Color": "White", 12 | "DeveloperNotes": "" 13 | } 14 | ] 15 | }, 16 | { 17 | "CategoryName": "Intune - IME Remediation scripts - 2. Output", 18 | "KnownEventRules": [ 19 | { 20 | "CategoryName": "Intune - IME Remediation scripts - 2. Output", 21 | "LogType": ".log", 22 | "LogFileName": "healthscripts.log", 23 | "Message": "[HS] std output =", 24 | "ToolTipText": "Intune Remediation or custom compliance check script Output", 25 | "Color": "Yellow", 26 | "DeveloperNotes": "" 27 | }, 28 | { 29 | "CategoryName": "Intune - IME Remediation scripts - 2. Output", 30 | "LogType": ".log", 31 | "LogFileName": "healthscripts.log", 32 | "Message": "[HS] err output =", 33 | "ToolTipText": "Intune Remediation or custom compliance check script Output", 34 | "Color": "Yellow", 35 | "DeveloperNotes": "" 36 | } 37 | ] 38 | }, 39 | { 40 | "CategoryName": "Intune - IME Remediation scripts - 3. Result", 41 | "KnownEventRules": [ 42 | { 43 | "CategoryName": "Intune - IME Remediation scripts - 3. Result", 44 | "LogType": ".log", 45 | "LogFileName": "healthscripts.log", 46 | "Message": "[HS] the pre-remdiation detection script compliance result for", 47 | "ToolTipText": "[HS] the pre-remdiation detection script compliance result for 4b84b5fc-4b32-4507-9ba7-ab39119433ef is False", 48 | "Color": "Yellow", 49 | "DeveloperNotes": "" 50 | } 51 | ] 52 | } 53 | ] -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules_Example Rules.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Example category", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Example category", 7 | "LogType": ".evtx", 8 | "Channel": "ExampleApplication", 9 | "Id": 1033, 10 | "ProviderName": "MsiInstaller", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "Windows Installer installed the product.", 14 | "DeveloperNotes": "Windows Installer installed the product. Product Name: Mozilla Firefox 130.0 x64 en-US. Product Version: 130.0.0.0. Product Language: 0. Manufacturer: Mozilla. Installation success or error status: 0.", 15 | "Author": "This_could_be.You@company.com", 16 | "LinkToBlogArticle": null 17 | }, 18 | { 19 | "CategoryName": "Example category", 20 | "LogType": ".evtx", 21 | "Channel": "ExampleApplication", 22 | "Id": 1034, 23 | "ProviderName": "MsiInstaller", 24 | "IncludeEventXMLDataInMessage": false, 25 | "IncludeEventXMLDataInToolTip": false, 26 | "Category": "Application installation", 27 | "ToolTipText": "Windows Installer removed the product.", 28 | "DeveloperNotes": "Windows Installer removed the product. Product Name: Microsoft Teams Meeting Add-in for Microsoft Office. Product Version: 1.24.19202. Product Language: 1033. Manufacturer: Microsoft. Removal success or error status: 0.", 29 | "Author": "This_could_be.You@company.com", 30 | "LinkToBlogArticle": null 31 | }, 32 | { 33 | "CategoryName": "Example category", 34 | "LogType": ".log", 35 | "LogFileName": "Example.log", 36 | "Message": "Example text to search", 37 | "ToolTipText": "This text is shown on event ToolTip when hovering on top event text", 38 | "Color": "Green", 39 | "DeveloperNotes": "This is Intune Powershell script body as is", 40 | "Author": "This_could_be.You@company.com", 41 | "LinkToBlogArticle": null 42 | } 43 | ] 44 | } 45 | ] -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules_Example Rules.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Example category", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Example category", 7 | "LogType": ".evtx", 8 | "Channel": "ExampleApplication", 9 | "Id": 1033, 10 | "ProviderName": "MsiInstaller", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "Windows Installer installed the product.", 14 | "DeveloperNotes": "Windows Installer installed the product. Product Name: Mozilla Firefox 130.0 x64 en-US. Product Version: 130.0.0.0. Product Language: 0. Manufacturer: Mozilla. Installation success or error status: 0.", 15 | "Author": "This_could_be.You@company.com", 16 | "LinkToBlogArticle": null 17 | }, 18 | { 19 | "CategoryName": "Example category", 20 | "LogType": ".evtx", 21 | "Channel": "ExampleApplication", 22 | "Id": 1034, 23 | "ProviderName": "MsiInstaller", 24 | "IncludeEventXMLDataInMessage": false, 25 | "IncludeEventXMLDataInToolTip": false, 26 | "Category": "Application installation", 27 | "ToolTipText": "Windows Installer removed the product.", 28 | "DeveloperNotes": "Windows Installer removed the product. Product Name: Microsoft Teams Meeting Add-in for Microsoft Office. Product Version: 1.24.19202. Product Language: 1033. Manufacturer: Microsoft. Removal success or error status: 0.", 29 | "Author": "This_could_be.You@company.com", 30 | "LinkToBlogArticle": null 31 | }, 32 | { 33 | "CategoryName": "Example category", 34 | "LogType": ".log", 35 | "LogFileName": "Example.log", 36 | "Message": "Example text to search", 37 | "ToolTipText": "This text is shown on event ToolTip when hovering on top event text", 38 | "Color": "Green", 39 | "DeveloperNotes": "This is Intune Powershell script body as is", 40 | "Author": "This_could_be.You@company.com", 41 | "LinkToBlogArticle": null 42 | } 43 | ] 44 | } 45 | ] -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Windows - Bitlocker.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Windows - Bitlocker", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Windows - Bitlocker", 7 | "LogType": ".evtx", 8 | "Channel": "Microsoft-Windows-BitLocker/BitLocker Management", 9 | "Id": 853, 10 | "ProviderName": "Microsoft-Windows-BitLocker-API", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "Failed to enable Silent Encryption. TPM is not available.\\n\\nWith Virtual Machines this is either forgotten TPM enablement or maybe more common mounted .ISO image in VM DVD drive", 14 | "Color": "Red", 15 | "DeveloperNotes": "Failed to enable Silent Encryption. TPM is not available. With Virtual Machines this is either forgotten TPM enablement or maybe more common mounted .ISO image in VM DVD drive", 16 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 17 | "LinkToBlogArticle": null 18 | }, 19 | { 20 | "CategoryName": "Windows - Bitlocker", 21 | "LogType": ".evtx", 22 | "Channel": "Microsoft-Windows-BitLocker/BitLocker Management", 23 | "Id": 845, 24 | "ProviderName": "Microsoft-Windows-BitLocker-API", 25 | "IncludeEventXMLDataInMessage": false, 26 | "IncludeEventXMLDataInToolTip": false, 27 | "ToolTipText": "", 28 | "Color": "Green", 29 | "DeveloperNotes": "BitLocker Drive Encryption recovery information for volume %1 was backed up successfully to your Azure AD. Protector GUID: %2. TraceId: %3", 30 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 31 | "LinkToBlogArticle": null 32 | }, 33 | { 34 | "CategoryName": "Windows - Bitlocker", 35 | "LogType": ".evtx", 36 | "Channel": "Microsoft-Windows-BitLocker/BitLocker Management", 37 | "Id": 846, 38 | "ProviderName": "Microsoft-Windows-BitLocker-API", 39 | "IncludeEventXMLDataInMessage": false, 40 | "IncludeEventXMLDataInToolTip": false, 41 | "ToolTipText": "", 42 | "Color": "Red", 43 | "DeveloperNotes": "Failed to backup BitLocker Drive Encryption recovery information for volume %1 to your Azure AD. TraceId: %2 Error: %3", 44 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 45 | "LinkToBlogArticle": null 46 | } 47 | ] 48 | } 49 | ] 50 | -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Windows - Bitlocker.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Windows - Bitlocker", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Windows - Bitlocker", 7 | "LogType": ".evtx", 8 | "Channel": "Microsoft-Windows-BitLocker/BitLocker Management", 9 | "Id": 853, 10 | "ProviderName": "Microsoft-Windows-BitLocker-API", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "Failed to enable Silent Encryption. TPM is not available.\\n\\nWith Virtual Machines this is either forgotten TPM enablement or maybe more common mounted .ISO image in VM DVD drive", 14 | "Color": "Red", 15 | "DeveloperNotes": "Failed to enable Silent Encryption. TPM is not available. With Virtual Machines this is either forgotten TPM enablement or maybe more common mounted .ISO image in VM DVD drive", 16 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 17 | "LinkToBlogArticle": null 18 | }, 19 | { 20 | "CategoryName": "Windows - Bitlocker", 21 | "LogType": ".evtx", 22 | "Channel": "Microsoft-Windows-BitLocker/BitLocker Management", 23 | "Id": 845, 24 | "ProviderName": "Microsoft-Windows-BitLocker-API", 25 | "IncludeEventXMLDataInMessage": false, 26 | "IncludeEventXMLDataInToolTip": false, 27 | "ToolTipText": "", 28 | "Color": "Green", 29 | "DeveloperNotes": "BitLocker Drive Encryption recovery information for volume %1 was backed up successfully to your Azure AD. Protector GUID: %2. TraceId: %3", 30 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 31 | "LinkToBlogArticle": null 32 | }, 33 | { 34 | "CategoryName": "Windows - Bitlocker", 35 | "LogType": ".evtx", 36 | "Channel": "Microsoft-Windows-BitLocker/BitLocker Management", 37 | "Id": 846, 38 | "ProviderName": "Microsoft-Windows-BitLocker-API", 39 | "IncludeEventXMLDataInMessage": false, 40 | "IncludeEventXMLDataInToolTip": false, 41 | "ToolTipText": "", 42 | "Color": "Red", 43 | "DeveloperNotes": "Failed to backup BitLocker Drive Encryption recovery information for volume %1 to your Azure AD. TraceId: %2 Error: %3", 44 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 45 | "LinkToBlogArticle": null 46 | } 47 | ] 48 | } 49 | ] 50 | -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Windows - LogonLogoff.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Windows - LogonLogoff", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Windows - LogonLogoff", 7 | "LogType": ".evtx", 8 | "Channel": "Security", 9 | "Id": 4647, 10 | "ProviderName": "Microsoft-Windows-User Profiles Service", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "User logged off", 14 | "Color": "White", 15 | "DeveloperNotes": "User initiated logoff:" 16 | }, 17 | { 18 | "CategoryName": "Windows - LogonLogoff", 19 | "LogType": ".evtx", 20 | "Channel": "Microsoft-Windows-User Profile Service/Operational", 21 | "Id": 67, 22 | "ProviderName": "Microsoft-Windows-User Profiles Service", 23 | "IncludeEventXMLDataInMessage": false, 24 | "IncludeEventXMLDataInToolTip": false, 25 | "ToolTipText": "Logon type: Regular...", 26 | "Color": "White", 27 | "DeveloperNotes": "Logon event" 28 | }, 29 | { 30 | "CategoryName": "Windows - LogonLogoff", 31 | "LogType": ".evtx", 32 | "Channel": "Microsoft-Windows-User Profile Service/Operational", 33 | "Id": 4, 34 | "ProviderName": "Microsoft-Windows-User Profiles Service", 35 | "IncludeEventXMLDataInMessage": false, 36 | "IncludeEventXMLDataInToolTip": false, 37 | "ToolTipText": "Finished processing user logoff notification on session.", 38 | "DeveloperNotes": "Finished processing user logoff notification on session 1." 39 | }, 40 | { 41 | "CategoryName": "Windows - LogonLogoff", 42 | "LogType": ".log", 43 | "LogFileName": "execmgr.log", 44 | "Message": "A user has logged on.", 45 | "ToolTipText": "", 46 | "Color": "Yellow", 47 | "DeveloperNotes": "", 48 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 49 | "LinkToBlogArticle": null 50 | }, 51 | { 52 | "CategoryName": "Windows - LogonLogoff", 53 | "LogType": ".log", 54 | "LogFileName": "execmgr.log", 55 | "Message": "The logged on user is - THIS RULE IS DISABLED BECAUSE CAN WE SHOW USERNAME ?", 56 | "ToolTipText": "", 57 | "Color": "Yellow", 58 | "DeveloperNotes": "The logged on user is DOMAIN\\username", 59 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 60 | "LinkToBlogArticle": null 61 | } 62 | ] 63 | } 64 | ] 65 | -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Windows - LogonLogoff.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Windows - LogonLogoff", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Windows - LogonLogoff", 7 | "LogType": ".evtx", 8 | "Channel": "Security", 9 | "Id": 4647, 10 | "ProviderName": "Microsoft-Windows-User Profiles Service", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "User logged off", 14 | "Color": "White", 15 | "DeveloperNotes": "User initiated logoff:" 16 | }, 17 | { 18 | "CategoryName": "Windows - LogonLogoff", 19 | "LogType": ".evtx", 20 | "Channel": "Microsoft-Windows-User Profile Service/Operational", 21 | "Id": 67, 22 | "ProviderName": "Microsoft-Windows-User Profiles Service", 23 | "IncludeEventXMLDataInMessage": false, 24 | "IncludeEventXMLDataInToolTip": false, 25 | "ToolTipText": "Logon type: Regular...", 26 | "Color": "White", 27 | "DeveloperNotes": "Logon event" 28 | }, 29 | { 30 | "CategoryName": "Windows - LogonLogoff", 31 | "LogType": ".evtx", 32 | "Channel": "Microsoft-Windows-User Profile Service/Operational", 33 | "Id": 4, 34 | "ProviderName": "Microsoft-Windows-User Profiles Service", 35 | "IncludeEventXMLDataInMessage": false, 36 | "IncludeEventXMLDataInToolTip": false, 37 | "ToolTipText": "Finished processing user logoff notification on session.", 38 | "DeveloperNotes": "Finished processing user logoff notification on session 1." 39 | }, 40 | { 41 | "CategoryName": "Windows - LogonLogoff", 42 | "LogType": ".log", 43 | "LogFileName": "execmgr.log", 44 | "Message": "A user has logged on.", 45 | "ToolTipText": "", 46 | "Color": "Yellow", 47 | "DeveloperNotes": "", 48 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 49 | "LinkToBlogArticle": null 50 | }, 51 | { 52 | "CategoryName": "Windows - LogonLogoff", 53 | "LogType": ".log", 54 | "LogFileName": "execmgr.log", 55 | "Message": "The logged on user is - THIS RULE IS DISABLED BECAUSE CAN WE SHOW USERNAME ?", 56 | "ToolTipText": "", 57 | "Color": "Yellow", 58 | "DeveloperNotes": "The logged on user is DOMAIN\\username", 59 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 60 | "LinkToBlogArticle": null 61 | } 62 | ] 63 | } 64 | ] 65 | -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Windows - ApplicationInstallation MSI.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Windows - Application installation MSI", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Windows - Application installation MSI", 7 | "LogType": ".evtx", 8 | "Channel": "Application", 9 | "Id": 1033, 10 | "ProviderName": "MsiInstaller", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "Windows Installer installed the product. Check if it succeeded or failed!", 14 | "Color": "Yellow", 15 | "DeveloperNotes": "Windows Installer installed the product. Product Name: Mozilla Firefox 130.0 x64 en-US. Product Version: 130.0.0.0. Product Language: 0. Manufacturer: Mozilla. Installation success or error status: 0. OR Installation success or error status: 1603", 16 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 17 | "LinkToBlogArticle": null 18 | }, 19 | { 20 | "CategoryName": "Windows - Application installation MSI", 21 | "LogType": ".evtx", 22 | "Channel": "Application", 23 | "Id": 1034, 24 | "ProviderName": "MsiInstaller", 25 | "IncludeEventXMLDataInMessage": false, 26 | "IncludeEventXMLDataInToolTip": false, 27 | "ToolTipText": "Windows Installer removed the product.", 28 | "Color": "Green", 29 | "DeveloperNotes": "Windows Installer removed the product. Product Name: Microsoft Teams Meeting Add-in for Microsoft Office. Product Version: 1.24.19202. Product Language: 1033. Manufacturer: Microsoft. Removal success or error status: 0." 30 | }, 31 | { 32 | "CategoryName": "Windows - Application installation MSI", 33 | "LogType": ".evtx", 34 | "Channel": "Application", 35 | "Id": 1040, 36 | "ProviderName": "MsiInstaller", 37 | "IncludeEventXMLDataInMessage": false, 38 | "IncludeEventXMLDataInToolTip": false, 39 | "ToolTipText": "Beginning a Windows Installer transaction", 40 | "DeveloperNotes": "Beginning a Windows Installer transaction: C:\\Users\\username\\AppData\\Local\\Temp\\MicrosoftEdgeDownloads\\5a6b708b-8605-4f36-a705-e192ca521b7c\\Firefox Setup 130.0.msi. Client Process Id: 118392." 41 | }, 42 | { 43 | "CategoryName": "Windows - Application installation MSI", 44 | "LogType": ".evtx", 45 | "Channel": "Application", 46 | "Id": 11708, 47 | "ProviderName": "MsiInstaller", 48 | "IncludeEventXMLDataInMessage": false, 49 | "IncludeEventXMLDataInToolTip": false, 50 | "ToolTipText": "MSI Installation failed!", 51 | "Color": "Red", 52 | "DeveloperNotes": "Product: Microsoft EPM Agent -- Installation failed." 53 | } 54 | ] 55 | } 56 | ] 57 | -------------------------------------------------------------------------------- /v1.0/KnownGUIDs/Get-MSI-Apps-GUIDs-and-Names-from-local-registry.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | This script retrieves and exports the names and versions of installed MSI applications from the Windows registry. 4 | 5 | .DESCRIPTION 6 | The script searches through specific registry paths to find installed MSI applications. It looks for subkeys that match the GUID pattern under the specified uninstall paths. For each matching subkey, it extracts the DisplayName and DisplayVersion properties. If a DisplayName is found, it constructs a custom object containing the GUID, DisplayName, and a category. The results are then exported to a JSON file. 7 | 8 | .PARAMETER uninstallPaths 9 | An array of registry paths to search for installed MSI applications. Default paths are: 10 | - "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" 11 | - "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" 12 | 13 | .EXAMPLE 14 | .\Get-MSI-Apps-GUIDs-and-Names.ps1 15 | This command runs the script and exports the MSI application names and versions to the KnownGUIDs-MSI.json file. 16 | 17 | 18 | .NOTES 19 | Author: Petri Paavola 20 | Date: 20241220 21 | Version: 0.91 22 | 23 | #> 24 | 25 | # Define output JSON file 26 | $outputFile = "$PSScriptRoot\KnownGUIDs-MSIApps.json" 27 | 28 | # Define registry paths to search 29 | $uninstallPaths = @( 30 | "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", 31 | "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" 32 | ) 33 | 34 | # Initialize an array to store result objects 35 | $results = @() 36 | 37 | foreach ($path in $uninstallPaths) { 38 | # Get all subkeys under the uninstall paths that look like {GUID} 39 | $subKeys = Get-ChildItem -Path $path -ErrorAction SilentlyContinue | Where-Object { $_.Name -match '{[0-9A-Fa-f\-]+}' } 40 | 41 | foreach ($subKey in $subKeys) { 42 | # Extract properties 43 | $props = Get-ItemProperty -Path $subKey.PSPath -ErrorAction SilentlyContinue 44 | $displayName = $props.DisplayName 45 | $displayVersion = $props.DisplayVersion 46 | $guid = $subKey.Name.Split('\')[-1] 47 | 48 | # Remove curly brackets from GUID 49 | $guid = $guid -replace '[{}]', '' 50 | 51 | # Only proceed if we have a DisplayName 52 | if ($displayName) { 53 | # Check if displayVersion is not already in displayName 54 | if ($displayVersion -and (-not ($displayName -like "*$displayVersion*"))) { 55 | $displayName = "$displayName $displayVersion" 56 | } 57 | 58 | $results += [PSCustomObject]@{ 59 | ID = $guid 60 | displayName = $displayName 61 | Category = "MSI Application names" 62 | } 63 | } 64 | } 65 | } 66 | 67 | # Remove duplicates based on ID if any 68 | $results = $results | Sort-Object ID -Unique 69 | 70 | # Convert the array to JSON and write to file 71 | $results | ConvertTo-Json -Depth 4 | Out-File $outputFile -Encoding UTF8 72 | 73 | Write-Host "MSI GUID to DisplayName mapping saved to $outputFile" 74 | -------------------------------------------------------------------------------- /v1.1/KnownGUIDs/Get-MSI-Apps-GUIDs-and-Names-from-local-registry.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | This script retrieves and exports the names and versions of installed MSI applications from the Windows registry. 4 | 5 | .DESCRIPTION 6 | The script searches through specific registry paths to find installed MSI applications. It looks for subkeys that match the GUID pattern under the specified uninstall paths. For each matching subkey, it extracts the DisplayName and DisplayVersion properties. If a DisplayName is found, it constructs a custom object containing the GUID, DisplayName, and a category. The results are then exported to a JSON file. 7 | 8 | .PARAMETER uninstallPaths 9 | An array of registry paths to search for installed MSI applications. Default paths are: 10 | - "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" 11 | - "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" 12 | 13 | .EXAMPLE 14 | .\Get-MSI-Apps-GUIDs-and-Names.ps1 15 | This command runs the script and exports the MSI application names and versions to the KnownGUIDs-MSI.json file. 16 | 17 | 18 | .NOTES 19 | Author: Petri Paavola 20 | Date: 20241220 21 | Version: 0.91 22 | 23 | #> 24 | 25 | # Define output JSON file 26 | $outputFile = "$PSScriptRoot\KnownGUIDs-MSIApps.json" 27 | 28 | # Define registry paths to search 29 | $uninstallPaths = @( 30 | "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", 31 | "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" 32 | ) 33 | 34 | # Initialize an array to store result objects 35 | $results = @() 36 | 37 | foreach ($path in $uninstallPaths) { 38 | # Get all subkeys under the uninstall paths that look like {GUID} 39 | $subKeys = Get-ChildItem -Path $path -ErrorAction SilentlyContinue | Where-Object { $_.Name -match '{[0-9A-Fa-f\-]+}' } 40 | 41 | foreach ($subKey in $subKeys) { 42 | # Extract properties 43 | $props = Get-ItemProperty -Path $subKey.PSPath -ErrorAction SilentlyContinue 44 | $displayName = $props.DisplayName 45 | $displayVersion = $props.DisplayVersion 46 | $guid = $subKey.Name.Split('\')[-1] 47 | 48 | # Remove curly brackets from GUID 49 | $guid = $guid -replace '[{}]', '' 50 | 51 | # Only proceed if we have a DisplayName 52 | if ($displayName) { 53 | # Check if displayVersion is not already in displayName 54 | if ($displayVersion -and (-not ($displayName -like "*$displayVersion*"))) { 55 | $displayName = "$displayName $displayVersion" 56 | } 57 | 58 | $results += [PSCustomObject]@{ 59 | ID = $guid 60 | displayName = $displayName 61 | Category = "MSI Application names" 62 | } 63 | } 64 | } 65 | } 66 | 67 | # Remove duplicates based on ID if any 68 | $results = $results | Sort-Object ID -Unique 69 | 70 | # Convert the array to JSON and write to file 71 | $results | ConvertTo-Json -Depth 4 | Out-File $outputFile -Encoding UTF8 72 | 73 | Write-Host "MSI GUID to DisplayName mapping saved to $outputFile" 74 | -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Intune - IME PowerShell scripts.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - IME Powershell scripts output (all scripts)", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - IME Powershell scripts output (all scripts)", 7 | "LogType": ".log", 8 | "LogFileName": "AgentExecutor.log", 9 | "Message": "write output done. output = ", 10 | "MessageToolTip": "", 11 | "Color": "Yellow", 12 | "DeveloperNotes": "This is output from any PowerShell script including PowerShell platform scripts and detection scripts. This does not include Intune Remediation scripts output", 13 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 14 | "LinkToBlogArticle": "" 15 | } 16 | ] 17 | }, 18 | { 19 | "CategoryName": "Intune - IME Powershell Platform scripts - 1. Start", 20 | "KnownEventRules": [ 21 | { 22 | "CategoryName": "Intune - IME Powershell Platform scripts - 1. Start", 23 | "LogType": ".log", 24 | "LogFileName": "IntuneManagementExtension.log", 25 | "Message": "[PowerShell] Processing policy with id =", 26 | "MessageToolTip": "", 27 | "Color": "White", 28 | "DeveloperNotes": "This is start processing Intune Powershell platform script", 29 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 30 | "LinkToBlogArticle": "" 31 | } 32 | ] 33 | }, 34 | { 35 | "CategoryName": "Intune - IME Powershell Platform scripts - 2. Script in clear text", 36 | "KnownEventRules": [ 37 | { 38 | "CategoryName": "Intune - IME Powershell Platform scripts - 2. Script in clear text", 39 | "LogType": ".log", 40 | "LogFileName": "IntuneManagementExtension.log", 41 | "Message": "[PowerShell] Policy body = ", 42 | "MessageToolTip": "", 43 | "Color": "Yellow", 44 | "DeveloperNotes": "This is Intune Powershell script body as is", 45 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 46 | "LinkToBlogArticle": "" 47 | } 48 | ] 49 | }, 50 | { 51 | "CategoryName": "Intune - IME Powershell Platform scripts - 3. Result", 52 | "KnownEventRules": [ 53 | { 54 | "CategoryName": "Intune - IME Powershell Platform scripts - 3. Result", 55 | "LogType": ".log", 56 | "LogFileName": "IntuneManagementExtension.log", 57 | "Message": ".*policy result = Success.*", 58 | "MessageToolTip": "", 59 | "Color": "Green", 60 | "DeveloperNotes": "This is result for Intune Powershell platform script", 61 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 62 | "LinkToBlogArticle": "" 63 | }, 64 | { 65 | "CategoryName": "Intune - IME Powershell Platform scripts - 3. Result", 66 | "LogType": ".log", 67 | "LogFileName": "IntuneManagementExtension.log", 68 | "Message": ".*policy result = Failed.*", 69 | "MessageToolTip": "", 70 | "Color": "Red", 71 | "DeveloperNotes": "This is result for Intune Powershell platform script", 72 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 73 | "LinkToBlogArticle": "" 74 | } 75 | ] 76 | } 77 | ] -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Intune - IME PowerShell scripts.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - IME PowerShell scripts output (all scripts)", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - IME PowerShell scripts output (all scripts)", 7 | "LogType": ".log", 8 | "LogFileName": "AgentExecutor.log", 9 | "Message": "write output done. output = ", 10 | "MessageToolTip": "", 11 | "Color": "Yellow", 12 | "DeveloperNotes": "This is output from any PowerShell script including PowerShell platform scripts and detection scripts. This does not include Intune Remediation scripts output", 13 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 14 | "LinkToBlogArticle": "" 15 | } 16 | ] 17 | }, 18 | { 19 | "CategoryName": "Intune - IME PowerShell Platform scripts - 1. Start", 20 | "KnownEventRules": [ 21 | { 22 | "CategoryName": "Intune - IME PowerShell Platform scripts - 1. Start", 23 | "LogType": ".log", 24 | "LogFileName": "IntuneManagementExtension.log", 25 | "Message": "[PowerShell] Processing policy with id =", 26 | "MessageToolTip": "", 27 | "Color": "White", 28 | "DeveloperNotes": "This is start processing Intune Powershell platform script", 29 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 30 | "LinkToBlogArticle": "" 31 | } 32 | ] 33 | }, 34 | { 35 | "CategoryName": "Intune - IME PowerShell Platform scripts - 2. Script in clear text", 36 | "KnownEventRules": [ 37 | { 38 | "CategoryName": "Intune - IME PowerShell Platform scripts - 2. Script in clear text", 39 | "LogType": ".log", 40 | "LogFileName": "IntuneManagementExtension.log", 41 | "Message": "[PowerShell] Policy body = ", 42 | "MessageToolTip": "", 43 | "Color": "Yellow", 44 | "DeveloperNotes": "This is Intune Powershell script body as is", 45 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 46 | "LinkToBlogArticle": "" 47 | } 48 | ] 49 | }, 50 | { 51 | "CategoryName": "Intune - IME PowerShell Platform scripts - 3. Result", 52 | "KnownEventRules": [ 53 | { 54 | "CategoryName": "Intune - IME PowerShell Platform scripts - 3. Result", 55 | "LogType": ".log", 56 | "LogFileName": "IntuneManagementExtension.log", 57 | "Message": ".*policy result = Success.*", 58 | "MessageToolTip": "", 59 | "Color": "Green", 60 | "DeveloperNotes": "This is result for Intune Powershell platform script", 61 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 62 | "LinkToBlogArticle": "" 63 | }, 64 | { 65 | "CategoryName": "Intune - IME PowerShell Platform scripts - 3. Result", 66 | "LogType": ".log", 67 | "LogFileName": "IntuneManagementExtension.log", 68 | "Message": ".*policy result = Failed.*", 69 | "MessageToolTip": "", 70 | "Color": "Red", 71 | "DeveloperNotes": "This is result for Intune Powershell platform script", 72 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 73 | "LinkToBlogArticle": "" 74 | } 75 | ] 76 | } 77 | ] -------------------------------------------------------------------------------- /v1.0/KnownGUIDs/KnownGUIDs-ASR.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ID": "56a863a9-875e-4185-98a7-b882c64b5ce5", 4 | "Name": "Block abuse of exploited vulnerable signed drivers", 5 | "Category": "ASR" 6 | }, 7 | { 8 | "ID": "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c", 9 | "Name": "Block Adobe Reader from creating child processes", 10 | "Category": "ASR" 11 | }, 12 | { 13 | "ID": "d4f940ab-401b-4efc-aadc-ad5f3c50688a", 14 | "Name": "Block all Office applications from creating child processes", 15 | "Category": "ASR" 16 | }, 17 | { 18 | "ID": "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2", 19 | "Name": "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", 20 | "Category": "ASR" 21 | }, 22 | { 23 | "ID": "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550", 24 | "Name": "Block executable content from email client and webmail", 25 | "Category": "ASR" 26 | }, 27 | { 28 | "ID": "01443614-cd74-433a-b99e-2ecdc07bfc25", 29 | "Name": "Block executable files from running unless they meet a prevalence, age, or trusted list criterion", 30 | "Category": "ASR" 31 | }, 32 | { 33 | "ID": "5beb7efe-fd9a-4556-801d-275e5ffc04cc", 34 | "Name": "Block execution of potentially obfuscated scripts", 35 | "Category": "ASR" 36 | }, 37 | { 38 | "ID": "d3e037e1-3eb8-44c8-a917-57927947596d", 39 | "Name": "Block JavaScript or VBScript from launching downloaded executable content", 40 | "Category": "ASR" 41 | }, 42 | { 43 | "ID": "3b576869-a4ec-4529-8536-b80a7769e899", 44 | "Name": "Block Office applications from creating executable content", 45 | "Category": "ASR" 46 | }, 47 | { 48 | "ID": "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84", 49 | "Name": "Block Office applications from injecting code into other processes", 50 | "Category": "ASR" 51 | }, 52 | { 53 | "ID": "26190899-1602-49e8-8b27-eb1d0a1ce869", 54 | "Name": "Block Office communication application from creating child processes", 55 | "Category": "ASR" 56 | }, 57 | { 58 | "ID": "e6db77e5-3df2-4cf1-b95a-636979351e5b", 59 | "Name": "Block persistence through WMI event subscription\n* File and folder exclusions not supported.", 60 | "Category": "ASR" 61 | }, 62 | { 63 | "ID": "d1e49aac-8f56-4280-b9ba-993a6d77406c", 64 | "Name": "Block process creations originating from PSExec and WMI commands", 65 | "Category": "ASR" 66 | }, 67 | { 68 | "ID": "33ddedf1-c6e0-47cb-833e-de6133960387", 69 | "Name": "Block rebooting machine in Safe Mode (preview)", 70 | "Category": "ASR" 71 | }, 72 | { 73 | "ID": "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4", 74 | "Name": "Block untrusted and unsigned processes that run from USB", 75 | "Category": "ASR" 76 | }, 77 | { 78 | "ID": "c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb", 79 | "Name": "Block use of copied or impersonated system tools (preview)", 80 | "Category": "ASR" 81 | }, 82 | { 83 | "ID": "a8f5898e-1dc8-49a9-9878-85004b8a61e6", 84 | "Name": "Block Webshell creation for Servers", 85 | "Category": "ASR" 86 | }, 87 | { 88 | "ID": "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b", 89 | "Name": "Block Win32 API calls from Office macros", 90 | "Category": "ASR" 91 | }, 92 | { 93 | "ID": "c1db55ab-c21a-4637-bb3f-a12568109d35", 94 | "Name": "Use advanced protection against ransomware", 95 | "Category": "ASR" 96 | } 97 | ] 98 | -------------------------------------------------------------------------------- /v1.1/KnownGUIDs/KnownGUIDs-ASR.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ID": "56a863a9-875e-4185-98a7-b882c64b5ce5", 4 | "Name": "Block abuse of exploited vulnerable signed drivers", 5 | "Category": "ASR" 6 | }, 7 | { 8 | "ID": "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c", 9 | "Name": "Block Adobe Reader from creating child processes", 10 | "Category": "ASR" 11 | }, 12 | { 13 | "ID": "d4f940ab-401b-4efc-aadc-ad5f3c50688a", 14 | "Name": "Block all Office applications from creating child processes", 15 | "Category": "ASR" 16 | }, 17 | { 18 | "ID": "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2", 19 | "Name": "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", 20 | "Category": "ASR" 21 | }, 22 | { 23 | "ID": "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550", 24 | "Name": "Block executable content from email client and webmail", 25 | "Category": "ASR" 26 | }, 27 | { 28 | "ID": "01443614-cd74-433a-b99e-2ecdc07bfc25", 29 | "Name": "Block executable files from running unless they meet a prevalence, age, or trusted list criterion", 30 | "Category": "ASR" 31 | }, 32 | { 33 | "ID": "5beb7efe-fd9a-4556-801d-275e5ffc04cc", 34 | "Name": "Block execution of potentially obfuscated scripts", 35 | "Category": "ASR" 36 | }, 37 | { 38 | "ID": "d3e037e1-3eb8-44c8-a917-57927947596d", 39 | "Name": "Block JavaScript or VBScript from launching downloaded executable content", 40 | "Category": "ASR" 41 | }, 42 | { 43 | "ID": "3b576869-a4ec-4529-8536-b80a7769e899", 44 | "Name": "Block Office applications from creating executable content", 45 | "Category": "ASR" 46 | }, 47 | { 48 | "ID": "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84", 49 | "Name": "Block Office applications from injecting code into other processes", 50 | "Category": "ASR" 51 | }, 52 | { 53 | "ID": "26190899-1602-49e8-8b27-eb1d0a1ce869", 54 | "Name": "Block Office communication application from creating child processes", 55 | "Category": "ASR" 56 | }, 57 | { 58 | "ID": "e6db77e5-3df2-4cf1-b95a-636979351e5b", 59 | "Name": "Block persistence through WMI event subscription\n* File and folder exclusions not supported.", 60 | "Category": "ASR" 61 | }, 62 | { 63 | "ID": "d1e49aac-8f56-4280-b9ba-993a6d77406c", 64 | "Name": "Block process creations originating from PSExec and WMI commands", 65 | "Category": "ASR" 66 | }, 67 | { 68 | "ID": "33ddedf1-c6e0-47cb-833e-de6133960387", 69 | "Name": "Block rebooting machine in Safe Mode (preview)", 70 | "Category": "ASR" 71 | }, 72 | { 73 | "ID": "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4", 74 | "Name": "Block untrusted and unsigned processes that run from USB", 75 | "Category": "ASR" 76 | }, 77 | { 78 | "ID": "c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb", 79 | "Name": "Block use of copied or impersonated system tools (preview)", 80 | "Category": "ASR" 81 | }, 82 | { 83 | "ID": "a8f5898e-1dc8-49a9-9878-85004b8a61e6", 84 | "Name": "Block Webshell creation for Servers", 85 | "Category": "ASR" 86 | }, 87 | { 88 | "ID": "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b", 89 | "Name": "Block Win32 API calls from Office macros", 90 | "Category": "ASR" 91 | }, 92 | { 93 | "ID": "c1db55ab-c21a-4637-bb3f-a12568109d35", 94 | "Name": "Use advanced protection against ransomware", 95 | "Category": "ASR" 96 | } 97 | ] 98 | -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Windows - Updates.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Windows - Updates Download", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Windows - Updates Download", 7 | "LogType": ".evtx", 8 | "Channel": "System-REMOVED-THIS CAUSES TOO MUCH INFORMATION WITHOUT UPDATE NAME", 9 | "Id": 44, 10 | "ProviderName": "Microsoft-Windows-WindowsUpdateClient", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "Windows Update started downloading an update.", 14 | "Color": "Yellow", 15 | "DeveloperNotes": "Windows Update started downloading an update." 16 | }, 17 | { 18 | "CategoryName": "Windows - Updates Download", 19 | "LogType": ".evtx", 20 | "Channel": "System", 21 | "Id": 41, 22 | "ProviderName": "Microsoft-Windows-WindowsUpdateClient", 23 | "IncludeEventXMLDataInMessage": true, 24 | "IncludeEventXMLDataInToolTip": true, 25 | "ToolTipText": "An update was downloaded", 26 | "Color": "Yellow", 27 | "DeveloperNotes": "An update was downloaded. Need to include update name from xml" 28 | } 29 | ] 30 | }, 31 | { 32 | "CategoryName": "Windows - Updates Install", 33 | "KnownEventRules": [ 34 | { 35 | "CategoryName": "Windows - Updates Install", 36 | "LogType": ".evtx", 37 | "Channel": "System", 38 | "Id": 43, 39 | "ProviderName": "Microsoft-Windows-WindowsUpdateClient", 40 | "IncludeEventXMLDataInMessage": true, 41 | "IncludeEventXMLDataInToolTip": false, 42 | "ToolTipText": "Installation Started", 43 | "Color": "Yellow", 44 | "RemoveNewLinesFromLogMessage": true, 45 | "DeveloperNotes": "Installation Started: Windows has started installing the following update: Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.417.507.0) - Current Channel (Broad)" 46 | }, 47 | { 48 | "CategoryName": "Windows - Updates Install", 49 | "LogType": ".evtx", 50 | "Channel": "System", 51 | "Id": 19, 52 | "ProviderName": "Microsoft-Windows-WindowsUpdateClient", 53 | "IncludeEventXMLDataInMessage": true, 54 | "IncludeEventXMLDataInToolTip": false, 55 | "ToolTipText": "Installation Successful", 56 | "Color": "Green", 57 | "RemoveNewLinesFromLogMessage": true, 58 | "DeveloperNotes": "Installation Successful: Windows successfully installed the following update: Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.417.507.0) - Current Channel (Broad)" 59 | }, 60 | { 61 | "CategoryName": "Windows - Updates Install", 62 | "LogType": ".evtx", 63 | "Channel": "System", 64 | "Id": 20, 65 | "ProviderName": "Microsoft-Windows-WindowsUpdateClient", 66 | "IncludeEventXMLDataInMessage": false, 67 | "IncludeEventXMLDataInToolTip": false, 68 | "ToolTipText": "Installation Failure", 69 | "Color": "Red", 70 | "DeveloperNotes": "Installation Failure: Windows failed to install the following update with error %1: %2.", 71 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 72 | "LinkToBlogArticle": null 73 | }, 74 | { 75 | "CategoryName": "Windows - Updates Install", 76 | "LogType": ".evtx", 77 | "Channel": "Setup", 78 | "Id": 2, 79 | "ProviderName": "Microsoft-Windows-Servicing", 80 | "IncludeEventXMLDataInMessage": false, 81 | "IncludeEventXMLDataInToolTip": false, 82 | "ToolTipText": "", 83 | "Color": "", 84 | "DeveloperNotes": "Package KB5042099 was successfully changed to the Installed state." 85 | } 86 | ] 87 | } 88 | ] -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Windows - Updates.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Windows - Updates Download", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Windows - Updates Download", 7 | "LogType": ".evtx", 8 | "Channel": "System-REMOVED-THIS CAUSES TOO MUCH INFORMATION WITHOUT UPDATE NAME", 9 | "Id": 44, 10 | "ProviderName": "Microsoft-Windows-WindowsUpdateClient", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "Windows Update started downloading an update.", 14 | "Color": "Yellow", 15 | "DeveloperNotes": "Windows Update started downloading an update." 16 | }, 17 | { 18 | "CategoryName": "Windows - Updates Download", 19 | "LogType": ".evtx", 20 | "Channel": "System", 21 | "Id": 41, 22 | "ProviderName": "Microsoft-Windows-WindowsUpdateClient", 23 | "IncludeEventXMLDataInMessage": true, 24 | "IncludeEventXMLDataInToolTip": true, 25 | "ToolTipText": "An update was downloaded", 26 | "Color": "Yellow", 27 | "DeveloperNotes": "An update was downloaded. Need to include update name from xml" 28 | } 29 | ] 30 | }, 31 | { 32 | "CategoryName": "Windows - Updates Install", 33 | "KnownEventRules": [ 34 | { 35 | "CategoryName": "Windows - Updates Install", 36 | "LogType": ".evtx", 37 | "Channel": "System", 38 | "Id": 43, 39 | "ProviderName": "Microsoft-Windows-WindowsUpdateClient", 40 | "IncludeEventXMLDataInMessage": true, 41 | "IncludeEventXMLDataInToolTip": false, 42 | "ToolTipText": "Installation Started", 43 | "Color": "Yellow", 44 | "RemoveNewLinesFromLogMessage": true, 45 | "DeveloperNotes": "Installation Started: Windows has started installing the following update: Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.417.507.0) - Current Channel (Broad)" 46 | }, 47 | { 48 | "CategoryName": "Windows - Updates Install", 49 | "LogType": ".evtx", 50 | "Channel": "System", 51 | "Id": 19, 52 | "ProviderName": "Microsoft-Windows-WindowsUpdateClient", 53 | "IncludeEventXMLDataInMessage": true, 54 | "IncludeEventXMLDataInToolTip": false, 55 | "ToolTipText": "Installation Successful", 56 | "Color": "Green", 57 | "RemoveNewLinesFromLogMessage": true, 58 | "DeveloperNotes": "Installation Successful: Windows successfully installed the following update: Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.417.507.0) - Current Channel (Broad)" 59 | }, 60 | { 61 | "CategoryName": "Windows - Updates Install", 62 | "LogType": ".evtx", 63 | "Channel": "System", 64 | "Id": 20, 65 | "ProviderName": "Microsoft-Windows-WindowsUpdateClient", 66 | "IncludeEventXMLDataInMessage": false, 67 | "IncludeEventXMLDataInToolTip": false, 68 | "ToolTipText": "Installation Failure", 69 | "Color": "Red", 70 | "DeveloperNotes": "Installation Failure: Windows failed to install the following update with error %1: %2.", 71 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 72 | "LinkToBlogArticle": null 73 | }, 74 | { 75 | "CategoryName": "Windows - Updates Install", 76 | "LogType": ".evtx", 77 | "Channel": "Setup", 78 | "Id": 2, 79 | "ProviderName": "Microsoft-Windows-Servicing", 80 | "IncludeEventXMLDataInMessage": false, 81 | "IncludeEventXMLDataInToolTip": false, 82 | "ToolTipText": "", 83 | "Color": "", 84 | "DeveloperNotes": "Package KB5042099 was successfully changed to the Installed state." 85 | } 86 | ] 87 | } 88 | ] -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Windows - Application Installations.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Windows - Application installation MSI", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Windows - Application installation MSI", 7 | "LogType": ".evtx", 8 | "Channel": "Application", 9 | "Id": 1033, 10 | "ProviderName": "MsiInstaller", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "Windows Installer installed the product. Check if it succeeded or failed!", 14 | "Color": "Yellow", 15 | "DeveloperNotes": "Windows Installer installed the product. Product Name: Mozilla Firefox 130.0 x64 en-US. Product Version: 130.0.0.0. Product Language: 0. Manufacturer: Mozilla. Installation success or error status: 0. OR Installation success or error status: 1603", 16 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 17 | "LinkToBlogArticle": null 18 | }, 19 | { 20 | "CategoryName": "Windows - Application installation MSI", 21 | "LogType": ".evtx", 22 | "Channel": "Application", 23 | "Id": 1034, 24 | "ProviderName": "MsiInstaller", 25 | "IncludeEventXMLDataInMessage": false, 26 | "IncludeEventXMLDataInToolTip": false, 27 | "ToolTipText": "Windows Installer removed the product.", 28 | "Color": "Green", 29 | "DeveloperNotes": "Windows Installer removed the product. Product Name: Microsoft Teams Meeting Add-in for Microsoft Office. Product Version: 1.24.19202. Product Language: 1033. Manufacturer: Microsoft. Removal success or error status: 0." 30 | }, 31 | { 32 | "CategoryName": "Windows - Application installation MSI", 33 | "LogType": ".evtx", 34 | "Channel": "Application", 35 | "Id": 1040, 36 | "ProviderName": "MsiInstaller", 37 | "IncludeEventXMLDataInMessage": false, 38 | "IncludeEventXMLDataInToolTip": false, 39 | "ToolTipText": "Beginning a Windows Installer transaction", 40 | "DeveloperNotes": "Beginning a Windows Installer transaction: C:\\Users\\username\\AppData\\Local\\Temp\\MicrosoftEdgeDownloads\\5a6b708b-8605-4f36-a705-e192ca521b7c\\Firefox Setup 130.0.msi. Client Process Id: 118392." 41 | }, 42 | { 43 | "CategoryName": "Windows - Application installation MSI", 44 | "LogType": ".evtx", 45 | "Channel": "Application", 46 | "Id": 11708, 47 | "ProviderName": "MsiInstaller", 48 | "IncludeEventXMLDataInMessage": false, 49 | "IncludeEventXMLDataInToolTip": false, 50 | "ToolTipText": "MSI Installation failed!", 51 | "Color": "Red", 52 | "DeveloperNotes": "Product: Microsoft EPM Agent -- Installation failed." 53 | } 54 | ] 55 | }, 56 | { 57 | "CategoryName": "Windows - Application installation StoreApps", 58 | "KnownEventRules": [ 59 | { 60 | "CategoryName": "Windows - Application installation StoreApps", 61 | "LogType": ".evtx", 62 | "Channel": "Microsoft-Windows-AppXDeploymentServer/Operational", 63 | "Id": 634, 64 | "LevelDisplayName": "Warning", 65 | "ProviderName": "Microsoft-Windows-AppXDeployment-Server", 66 | "IncludeEventXMLDataInMessage": false, 67 | "IncludeEventXMLDataInToolTip": false, 68 | "ToolTipText": "Application dependency was not found. For example Intune Company Portal might fails if dependencies are not found", 69 | "Color": "Yellow", 70 | "DeveloperNotes": "OnDemandRegisterPackage Microsoft.VCLibs. 140.00_14.0.30704.0_x64_8wekyb3d8bbwe, unable to find the package from StateRepository, we will register it later.", 71 | "Author": "", 72 | "LinkToBlogArticle": "" 73 | } 74 | ] 75 | } 76 | ] 77 | -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Intune - IME Applications.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - IME Applications", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - IME Applications", 7 | "LogType": ".log", 8 | "LogFileName": "AppWorkload.log", 9 | "Message": "Get policies = [", 10 | "ToolTipText": "", 11 | "Color": "Yellow", 12 | "DeveloperNotes": "This has all information about Intune Apps including App Name, GUID and App Intent", 13 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 14 | "LinkToBlogArticle": "" 15 | }, 16 | { 17 | "CategoryName": "Intune - IME Applications", 18 | "LogType": ".log", 19 | "LogFileName": "AppWorkload.log", 20 | "Message": "[Win32App][V3Processor] Processing subgraph", 21 | "ToolTipText": "", 22 | "Color": "Yellow", 23 | "DeveloperNotes": "This has Intune App process start information", 24 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 25 | "LinkToBlogArticle": "" 26 | }, 27 | { 28 | "CategoryName": "Intune - IME Applications Install", 29 | "LogType": ".log", 30 | "LogFileName": "AppWorkload.log", 31 | "Message": "[Win32App] lpExitCode is defined as Success", 32 | "ToolTipText": "", 33 | "Color": "Green", 34 | "DeveloperNotes": "Intune application installation Succeeded", 35 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 36 | "LinkToBlogArticle": "" 37 | }, 38 | { 39 | "CategoryName": "Intune - IME Applications Install", 40 | "LogType": ".log", 41 | "LogFileName": "AppWorkload.log", 42 | "Message": "[Win32App] lpExitCode is defined as Failed", 43 | "ToolTipText": "", 44 | "Color": "Red", 45 | "DeveloperNotes": "Intune application installation Failed", 46 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 47 | "LinkToBlogArticle": "" 48 | }, 49 | { 50 | "CategoryName": "Intune - IME Applications Install", 51 | "LogType": ".log", 52 | "LogFileName": "AppWorkload.log", 53 | "Message": "[Win32App] lpExitCode", 54 | "ToolTipText": "", 55 | "Color": "Yellow", 56 | "DeveloperNotes": "Intune application installation exitCode", 57 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 58 | "LinkToBlogArticle": "" 59 | }, 60 | { 61 | "CategoryName": "Intune - IME Applications Detection", 62 | "LogType": ".log", 63 | "LogFileName": "AppWorkload.log", 64 | "Message": ".*applicationDetected: True.*", 65 | "ToolTipText": "", 66 | "Color": "Green", 67 | "DeveloperNotes": "This has Intune App detection check Detected True result", 68 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 69 | "LinkToBlogArticle": "" 70 | }, 71 | { 72 | "CategoryName": "Intune - IME Applications Detection", 73 | "LogType": ".log", 74 | "LogFileName": "AppWorkload.log", 75 | "Message": "[Win32App][WinGetApp][WinGetOperation] Starting Detection for app with id", 76 | "ToolTipText": "", 77 | "Color": "", 78 | "DeveloperNotes": "Intune Winget app detection start", 79 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 80 | "LinkToBlogArticle": "" 81 | }, 82 | { 83 | "CategoryName": "Intune - IME Applications Detection", 84 | "LogType": ".log", 85 | "LogFileName": "AppWorkload.log", 86 | "Message": "[Win32App][DetectionActionHandler] Detection for policy with id", 87 | "ToolTipText": "", 88 | "Color": "", 89 | "DeveloperNotes": "Intune Winget and Win32 app detection end", 90 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 91 | "LinkToBlogArticle": "" 92 | } 93 | ] 94 | } 95 | ] -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Windows Defender - Malware detected.json: -------------------------------------------------------------------------------- 1 | { 2 | "CategoryName": "Windows - Defender Malware detected", 3 | "KnownEventRules": [ 4 | { 5 | "CategoryName": "Windows - Defender Malware detected", 6 | "LogType": ".evtx", 7 | "Channel": "Microsoft-Windows-Windows Defender/Operational", 8 | "Id": 1006, 9 | "LevelDisplayName": "Warning\u0000", 10 | "ProviderName": "Microsoft-Windows-Windows Defender", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "", 14 | "Color": "", 15 | "DeveloperNotes": "%1 has detected malware or other potentially unwanted software.\r\n For more information please see the following:\r\n%15\r\n \tName: %11\r\n \tID: %12\r\n \tSeverity: %25\r\n \tCategory: %26\r\n \tPath Found: %16\r\n \tDetection Type: %22\r\n \tDetection Source: %5\r\n \tStatus: %20\r\n \tUser: %8\\%9\r\n \tProcess Name: %7\r\n \tSecurity intelligence Version: %27\r\n \tEngine Version: %28\u0000", 16 | "Author": "Firstname.Lastname@company.com / Super IT-Admin", 17 | "LinkToBlogArticle": "" 18 | }, 19 | { 20 | "CategoryName": "Windows - Defender Malware detected", 21 | "LogType": ".evtx", 22 | "Channel": "Microsoft-Windows-Windows Defender/Operational", 23 | "Id": 1007, 24 | "LevelDisplayName": "Information\u0000", 25 | "ProviderName": "Microsoft-Windows-Windows Defender", 26 | "IncludeEventXMLDataInMessage": false, 27 | "IncludeEventXMLDataInToolTip": false, 28 | "ToolTipText": "", 29 | "Color": "", 30 | "DeveloperNotes": "%1 has taken action to protect this machine from malware or other potentially unwanted software.\r\n For more information please see the following:\r\n%15\r\n \tUser: %8\\%9\r\n \tName: %11\r\n \tID: %12\r\n \tSeverity: %25\r\n \tCategory: %26\r\n \tAction: %20\r\n \tStatus: %7\r\n \tSecurity intelligence Version: %27\r\n \tEngine Version: %28\u0000", 31 | "Author": "Firstname.Lastname@company.com / Super IT-Admin", 32 | "LinkToBlogArticle": "" 33 | }, 34 | { 35 | "CategoryName": "Windows - Defender Malware detected", 36 | "LogType": ".evtx", 37 | "Channel": "Microsoft-Windows-Windows Defender/Operational", 38 | "Id": 1008, 39 | "LevelDisplayName": "Error\u0000", 40 | "ProviderName": "Microsoft-Windows-Windows Defender", 41 | "IncludeEventXMLDataInMessage": false, 42 | "IncludeEventXMLDataInToolTip": false, 43 | "ToolTipText": "", 44 | "Color": "Red", 45 | "DeveloperNotes": "%1 has encountered an error when taking action on malware or other potentially unwanted software.\r\n For more information please see the following:\r\n%15\r\n \tUser: %8\\%9\r\n \tName: %11\r\n \tID: %12\r\n \tSeverity: %25\r\n \tCategory: %26\r\n \tPath: %16\r\n \tAction: %20\r\n \tError Code: %21\r\n \tError description: %22\r\n \tStatus: %7\r\n \tSecurity intelligence Version: %27\r\n \tEngine Version: %28\u0000", 46 | "Author": "Firstname.Lastname@company.com / Super IT-Admin", 47 | "LinkToBlogArticle": "" 48 | }, 49 | { 50 | "CategoryName": "Windows - Defender Malware detected", 51 | "LogType": ".evtx", 52 | "Channel": "Microsoft-Windows-Windows Defender/Operational", 53 | "Id": 1116, 54 | "LevelDisplayName": "Warning\u0000", 55 | "ProviderName": "Microsoft-Windows-Windows Defender", 56 | "IncludeEventXMLDataInMessage": false, 57 | "IncludeEventXMLDataInToolTip": false, 58 | "ToolTipText": "", 59 | "Color": "", 60 | "DeveloperNotes": "%1 has detected malware or other potentially unwanted software.\r\n For more information please see the following:\r\n%13\r\n \tName: %8\r\n \tID: %7\r\n \tSeverity: %10\r\n \tCategory: %12\r\n \tPath: %22\r\n \tDetection Origin: %24\r\n \tDetection Type: %28\r\n \tDetection Source: %18\r\n \tUser: %20\r\n \tProcess Name: %19\r\n \tSecurity intelligence Version: %41\r\n \tEngine Version: %42\u0000", 61 | "Author": "Firstname.Lastname@company.com / Super IT-Admin", 62 | "LinkToBlogArticle": "" 63 | } 64 | ] 65 | } 66 | -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Windows Defender - Malware detected.json: -------------------------------------------------------------------------------- 1 | { 2 | "CategoryName": "Windows - Defender Malware detected", 3 | "KnownEventRules": [ 4 | { 5 | "CategoryName": "Windows - Defender Malware detected", 6 | "LogType": ".evtx", 7 | "Channel": "Microsoft-Windows-Windows Defender/Operational", 8 | "Id": 1006, 9 | "LevelDisplayName": "Warning\u0000", 10 | "ProviderName": "Microsoft-Windows-Windows Defender", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "", 14 | "Color": "", 15 | "DeveloperNotes": "%1 has detected malware or other potentially unwanted software.\r\n For more information please see the following:\r\n%15\r\n \tName: %11\r\n \tID: %12\r\n \tSeverity: %25\r\n \tCategory: %26\r\n \tPath Found: %16\r\n \tDetection Type: %22\r\n \tDetection Source: %5\r\n \tStatus: %20\r\n \tUser: %8\\%9\r\n \tProcess Name: %7\r\n \tSecurity intelligence Version: %27\r\n \tEngine Version: %28\u0000", 16 | "Author": "Firstname.Lastname@company.com / Super IT-Admin", 17 | "LinkToBlogArticle": "" 18 | }, 19 | { 20 | "CategoryName": "Windows - Defender Malware detected", 21 | "LogType": ".evtx", 22 | "Channel": "Microsoft-Windows-Windows Defender/Operational", 23 | "Id": 1007, 24 | "LevelDisplayName": "Information\u0000", 25 | "ProviderName": "Microsoft-Windows-Windows Defender", 26 | "IncludeEventXMLDataInMessage": false, 27 | "IncludeEventXMLDataInToolTip": false, 28 | "ToolTipText": "", 29 | "Color": "", 30 | "DeveloperNotes": "%1 has taken action to protect this machine from malware or other potentially unwanted software.\r\n For more information please see the following:\r\n%15\r\n \tUser: %8\\%9\r\n \tName: %11\r\n \tID: %12\r\n \tSeverity: %25\r\n \tCategory: %26\r\n \tAction: %20\r\n \tStatus: %7\r\n \tSecurity intelligence Version: %27\r\n \tEngine Version: %28\u0000", 31 | "Author": "Firstname.Lastname@company.com / Super IT-Admin", 32 | "LinkToBlogArticle": "" 33 | }, 34 | { 35 | "CategoryName": "Windows - Defender Malware detected", 36 | "LogType": ".evtx", 37 | "Channel": "Microsoft-Windows-Windows Defender/Operational", 38 | "Id": 1008, 39 | "LevelDisplayName": "Error\u0000", 40 | "ProviderName": "Microsoft-Windows-Windows Defender", 41 | "IncludeEventXMLDataInMessage": false, 42 | "IncludeEventXMLDataInToolTip": false, 43 | "ToolTipText": "", 44 | "Color": "Red", 45 | "DeveloperNotes": "%1 has encountered an error when taking action on malware or other potentially unwanted software.\r\n For more information please see the following:\r\n%15\r\n \tUser: %8\\%9\r\n \tName: %11\r\n \tID: %12\r\n \tSeverity: %25\r\n \tCategory: %26\r\n \tPath: %16\r\n \tAction: %20\r\n \tError Code: %21\r\n \tError description: %22\r\n \tStatus: %7\r\n \tSecurity intelligence Version: %27\r\n \tEngine Version: %28\u0000", 46 | "Author": "Firstname.Lastname@company.com / Super IT-Admin", 47 | "LinkToBlogArticle": "" 48 | }, 49 | { 50 | "CategoryName": "Windows - Defender Malware detected", 51 | "LogType": ".evtx", 52 | "Channel": "Microsoft-Windows-Windows Defender/Operational", 53 | "Id": 1116, 54 | "LevelDisplayName": "Warning\u0000", 55 | "ProviderName": "Microsoft-Windows-Windows Defender", 56 | "IncludeEventXMLDataInMessage": false, 57 | "IncludeEventXMLDataInToolTip": false, 58 | "ToolTipText": "", 59 | "Color": "", 60 | "DeveloperNotes": "%1 has detected malware or other potentially unwanted software.\r\n For more information please see the following:\r\n%13\r\n \tName: %8\r\n \tID: %7\r\n \tSeverity: %10\r\n \tCategory: %12\r\n \tPath: %22\r\n \tDetection Origin: %24\r\n \tDetection Type: %28\r\n \tDetection Source: %18\r\n \tUser: %20\r\n \tProcess Name: %19\r\n \tSecurity intelligence Version: %41\r\n \tEngine Version: %42\u0000", 61 | "Author": "Firstname.Lastname@company.com / Super IT-Admin", 62 | "LinkToBlogArticle": "" 63 | } 64 | ] 65 | } 66 | -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Intune - MDM Sync.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - MDM Sync", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - MDM Sync", 7 | "LogType": ".evtx", 8 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Sync", 9 | "Id": 201, 10 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "", 14 | "Color": "Red", 15 | "DeveloperNotes": "MDM Session: OMA-DM message failed to be sent. Result: (%1).\u0000", 16 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 17 | "LinkToBlogArticle": "" 18 | }, 19 | { 20 | "CategoryName": "Intune - MDM Sync", 21 | "LogType": ".evtx", 22 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Sync", 23 | "Id": 204, 24 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 25 | "IncludeEventXMLDataInMessage": false, 26 | "IncludeEventXMLDataInToolTip": false, 27 | "ToolTipText": "", 28 | "Color": "Red", 29 | "DeveloperNotes": "MDM Session: OMA-DM client failed to connect to the server. Result: (%1).\u0000", 30 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 31 | "LinkToBlogArticle": "" 32 | }, 33 | { 34 | "CategoryName": "Intune - MDM Sync", 35 | "LogType": ".evtx", 36 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Sync", 37 | "Id": 205, 38 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 39 | "IncludeEventXMLDataInMessage": false, 40 | "IncludeEventXMLDataInToolTip": false, 41 | "ToolTipText": "", 42 | "Color": "Yellow", 43 | "DeveloperNotes": "MDM Session: OMA-DM client started. CV: (%1).\u0000", 44 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 45 | "LinkToBlogArticle": "" 46 | }, 47 | { 48 | "CategoryName": "Intune - MDM Sync", 49 | "LogType": ".evtx", 50 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Sync", 51 | "Id": 206, 52 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 53 | "IncludeEventXMLDataInMessage": false, 54 | "IncludeEventXMLDataInToolTip": false, 55 | "ToolTipText": "", 56 | "Color": "", 57 | "DeveloperNotes": "MDM Session: OMA-DM session Init: UserSID(%1), EnrolledUser(%2), UserToken(%3), DeviceToken(%4), EnrollmentType(%5), SyncType(%6).\u0000", 58 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 59 | "LinkToBlogArticle": "" 60 | }, 61 | { 62 | "CategoryName": "Intune - MDM Sync", 63 | "LogType": ".evtx", 64 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Sync", 65 | "Id": 209, 66 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 67 | "IncludeEventXMLDataInMessage": false, 68 | "IncludeEventXMLDataInToolTip": false, 69 | "ToolTipText": "", 70 | "Color": "Green", 71 | "DeveloperNotes": "MDM Session: OMA-DM session ended with status: (%1).\u0000", 72 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 73 | "LinkToBlogArticle": "" 74 | }, 75 | { 76 | "CategoryName": "Intune - MDM Sync", 77 | "LogType": ".evtx", 78 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug", 79 | "Id": 210, 80 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 81 | "IncludeEventXMLDataInMessage": false, 82 | "IncludeEventXMLDataInToolTip": false, 83 | "ToolTipText": "", 84 | "Color": "Red", 85 | "DeveloperNotes": "MDM Session: OMA-DM client stopped with status: (%1).\u0000", 86 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 87 | "LinkToBlogArticle": "" 88 | } 89 | ] 90 | } 91 | ] -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Intune - MDM Sync.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - MDM Sync", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - MDM Sync", 7 | "LogType": ".evtx", 8 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Sync", 9 | "Id": 201, 10 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "", 14 | "Color": "Red", 15 | "DeveloperNotes": "MDM Session: OMA-DM message failed to be sent. Result: (%1).\u0000", 16 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 17 | "LinkToBlogArticle": "" 18 | }, 19 | { 20 | "CategoryName": "Intune - MDM Sync", 21 | "LogType": ".evtx", 22 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Sync", 23 | "Id": 204, 24 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 25 | "IncludeEventXMLDataInMessage": false, 26 | "IncludeEventXMLDataInToolTip": false, 27 | "ToolTipText": "", 28 | "Color": "Red", 29 | "DeveloperNotes": "MDM Session: OMA-DM client failed to connect to the server. Result: (%1).\u0000", 30 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 31 | "LinkToBlogArticle": "" 32 | }, 33 | { 34 | "CategoryName": "Intune - MDM Sync", 35 | "LogType": ".evtx", 36 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Sync", 37 | "Id": 205, 38 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 39 | "IncludeEventXMLDataInMessage": false, 40 | "IncludeEventXMLDataInToolTip": false, 41 | "ToolTipText": "", 42 | "Color": "Yellow", 43 | "DeveloperNotes": "MDM Session: OMA-DM client started. CV: (%1).\u0000", 44 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 45 | "LinkToBlogArticle": "" 46 | }, 47 | { 48 | "CategoryName": "Intune - MDM Sync", 49 | "LogType": ".evtx", 50 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Sync", 51 | "Id": 206, 52 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 53 | "IncludeEventXMLDataInMessage": false, 54 | "IncludeEventXMLDataInToolTip": false, 55 | "ToolTipText": "", 56 | "Color": "", 57 | "DeveloperNotes": "MDM Session: OMA-DM session Init: UserSID(%1), EnrolledUser(%2), UserToken(%3), DeviceToken(%4), EnrollmentType(%5), SyncType(%6).\u0000", 58 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 59 | "LinkToBlogArticle": "" 60 | }, 61 | { 62 | "CategoryName": "Intune - MDM Sync", 63 | "LogType": ".evtx", 64 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Sync", 65 | "Id": 209, 66 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 67 | "IncludeEventXMLDataInMessage": false, 68 | "IncludeEventXMLDataInToolTip": false, 69 | "ToolTipText": "", 70 | "Color": "Green", 71 | "DeveloperNotes": "MDM Session: OMA-DM session ended with status: (%1).\u0000", 72 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 73 | "LinkToBlogArticle": "" 74 | }, 75 | { 76 | "CategoryName": "Intune - MDM Sync", 77 | "LogType": ".evtx", 78 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug", 79 | "Id": 210, 80 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 81 | "IncludeEventXMLDataInMessage": false, 82 | "IncludeEventXMLDataInToolTip": false, 83 | "ToolTipText": "", 84 | "Color": "Red", 85 | "DeveloperNotes": "MDM Session: OMA-DM client stopped with status: (%1).\u0000", 86 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 87 | "LinkToBlogArticle": "" 88 | } 89 | ] 90 | } 91 | ] -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Intune - IME Remediation scripts.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - IME Remediation scripts - 1. Start", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - IME Remediation scripts - 1. Start", 7 | "LogType": ".log", 8 | "LogFileName": "healthscripts.log", 9 | "Message": "[HS] Processing policy with id =", 10 | "ToolTipText": "Intune Remediation or custom compliance check script start entry", 11 | "Color": "Green", 12 | "DeveloperNotes": "", 13 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 14 | "LinkToBlogArticle": "" 15 | }, 16 | { 17 | "CategoryName": "Intune - IME Remediation scripts - 1. Start", 18 | "LogType": ".log", 19 | "LogFileName": "AgentExecutor.log", 20 | "Message": "REMOVE_FOR_NOW-Adding argument remediationScript with value C:\\Windows\\IMECache\\HealthScripts", 21 | "ToolTipText": "", 22 | "Color": "Yellow", 23 | "DeveloperNotes": "This is Remediation and Custom Compliance script start running message. For now this is duplicate start with Remediations, too much clutter. Need to check Custom Compliance start message though", 24 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 25 | "LinkToBlogArticle": "" 26 | } 27 | ] 28 | }, 29 | { 30 | "CategoryName": "Intune - IME Remediation scripts - 2. Output", 31 | "KnownEventRules": [ 32 | { 33 | "CategoryName": "Intune - IME Remediation scripts - 2. Output", 34 | "LogType": ".log", 35 | "LogFileName": "healthscripts.log", 36 | "Message": "[HS] std output =", 37 | "ToolTipText": "Intune Remediation or custom compliance check script Output", 38 | "Color": "Yellow", 39 | "DeveloperNotes": "", 40 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 41 | "LinkToBlogArticle": "" 42 | }, 43 | { 44 | "CategoryName": "Intune - IME Remediation scripts - 2. Output", 45 | "LogType": ".log", 46 | "LogFileName": "healthscripts.log", 47 | "Message": "[HS] err output = ", 48 | "ToolTipText": "Intune Remediation or custom compliance check script Output", 49 | "Color": "Red", 50 | "DeveloperNotes": "", 51 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 52 | "LinkToBlogArticle": "" 53 | } 54 | ] 55 | }, 56 | { 57 | "CategoryName": "Intune - IME Remediation scripts - 3. Result", 58 | "KnownEventRules": [ 59 | { 60 | "CategoryName": "Intune - IME Remediation scripts - 3. Result", 61 | "LogType": ".log", 62 | "LogFileName": "healthscripts.log", 63 | "Message": "ORIGINAL_REMOVED_FOR_NOW-[HS] the pre-remdiation detection script compliance result for", 64 | "ToolTipText": "[HS] the pre-remdiation detection script compliance result for 4b84b5fc-4b32-4507-9ba7-ab39119433ef is False", 65 | "Color": "Yellow", 66 | "DeveloperNotes": "", 67 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 68 | "LinkToBlogArticle": "" 69 | }, 70 | { 71 | "CategoryName": "Intune - IME Remediation scripts - 3. Result", 72 | "LogType": ".log", 73 | "LogFileName": "healthscripts.log", 74 | "Message": ".*is True.*", 75 | "ToolTipText": "[HS] the pre-remdiation detection script compliance result for 4b84b5fc-4b32-4507-9ba7-ab39119433ef is True", 76 | "Color": "Green", 77 | "DeveloperNotes": "Hopefully this doesn't cause too much lines detected", 78 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 79 | "LinkToBlogArticle": "" 80 | }, 81 | { 82 | "CategoryName": "Intune - IME Remediation scripts - 3. Result", 83 | "LogType": ".log", 84 | "LogFileName": "healthscripts.log", 85 | "Message": ".*is False.*", 86 | "ToolTipText": "[HS] the pre-remdiation detection script compliance result for 4b84b5fc-4b32-4507-9ba7-ab39119433ef is False", 87 | "Color": "Yellow", 88 | "DeveloperNotes": "Hopefully this doesn't cause too much lines detected", 89 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 90 | "LinkToBlogArticle": "" 91 | } 92 | ] 93 | } 94 | ] -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Intune - MDM Sync OLD LOCATION.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - MDM Sync (OLD LOCATION)", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - MDM Sync (OLD LOCATION)", 7 | "LogType": ".evtx", 8 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 9 | "Id": 201, 10 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "", 14 | "Color": "Red", 15 | "DeveloperNotes": "MDM Session: OMA-DM message failed to be sent. Result: (%1).\u0000", 16 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 17 | "LinkToBlogArticle": "" 18 | }, 19 | { 20 | "CategoryName": "Intune - MDM Sync (OLD LOCATION)", 21 | "LogType": ".evtx", 22 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 23 | "Id": 204, 24 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 25 | "IncludeEventXMLDataInMessage": false, 26 | "IncludeEventXMLDataInToolTip": false, 27 | "ToolTipText": "", 28 | "Color": "Red", 29 | "DeveloperNotes": "MDM Session: OMA-DM client failed to connect to the server. Result: (%1).\u0000", 30 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 31 | "LinkToBlogArticle": "" 32 | }, 33 | { 34 | "CategoryName": "Intune - MDM Sync (OLD LOCATION)", 35 | "LogType": ".evtx", 36 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 37 | "Id": 205, 38 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 39 | "IncludeEventXMLDataInMessage": false, 40 | "IncludeEventXMLDataInToolTip": false, 41 | "ToolTipText": "", 42 | "Color": "Yellow", 43 | "DeveloperNotes": "MDM Session: OMA-DM client started. CV: (%1).\u0000", 44 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 45 | "LinkToBlogArticle": "" 46 | }, 47 | { 48 | "CategoryName": "Intune - MDM Sync (OLD LOCATION)", 49 | "LogType": ".evtx", 50 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 51 | "Id": 206, 52 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 53 | "IncludeEventXMLDataInMessage": false, 54 | "IncludeEventXMLDataInToolTip": false, 55 | "ToolTipText": "", 56 | "Color": "", 57 | "DeveloperNotes": "MDM Session: OMA-DM session Init: UserSID(%1), EnrolledUser(%2), UserToken(%3), DeviceToken(%4), EnrollmentType(%5), SyncType(%6).\u0000", 58 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 59 | "LinkToBlogArticle": "" 60 | }, 61 | { 62 | "CategoryName": "Intune - MDM Sync (OLD LOCATION)", 63 | "LogType": ".evtx", 64 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 65 | "Id": 209, 66 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 67 | "IncludeEventXMLDataInMessage": false, 68 | "IncludeEventXMLDataInToolTip": false, 69 | "ToolTipText": "", 70 | "Color": "Green", 71 | "DeveloperNotes": "MDM Session: OMA-DM session ended with status: (%1).\u0000", 72 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 73 | "LinkToBlogArticle": "" 74 | }, 75 | { 76 | "CategoryName": "Intune - MDM Sync (OLD LOCATION)", 77 | "LogType": ".evtx", 78 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug", 79 | "Id": 210, 80 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 81 | "IncludeEventXMLDataInMessage": false, 82 | "IncludeEventXMLDataInToolTip": false, 83 | "ToolTipText": "", 84 | "Color": "Red", 85 | "DeveloperNotes": "MDM Session: OMA-DM client stopped with status: (%1).\u0000", 86 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 87 | "LinkToBlogArticle": "" 88 | } 89 | ] 90 | } 91 | ] -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Intune - MDM Sync OLD LOCATION.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - MDM Sync (OLD LOCATION)", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - MDM Sync (OLD LOCATION)", 7 | "LogType": ".evtx", 8 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 9 | "Id": 201, 10 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "", 14 | "Color": "Red", 15 | "DeveloperNotes": "MDM Session: OMA-DM message failed to be sent. Result: (%1).\u0000", 16 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 17 | "LinkToBlogArticle": "" 18 | }, 19 | { 20 | "CategoryName": "Intune - MDM Sync (OLD LOCATION)", 21 | "LogType": ".evtx", 22 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 23 | "Id": 204, 24 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 25 | "IncludeEventXMLDataInMessage": false, 26 | "IncludeEventXMLDataInToolTip": false, 27 | "ToolTipText": "", 28 | "Color": "Red", 29 | "DeveloperNotes": "MDM Session: OMA-DM client failed to connect to the server. Result: (%1).\u0000", 30 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 31 | "LinkToBlogArticle": "" 32 | }, 33 | { 34 | "CategoryName": "Intune - MDM Sync (OLD LOCATION)", 35 | "LogType": ".evtx", 36 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 37 | "Id": 205, 38 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 39 | "IncludeEventXMLDataInMessage": false, 40 | "IncludeEventXMLDataInToolTip": false, 41 | "ToolTipText": "", 42 | "Color": "Yellow", 43 | "DeveloperNotes": "MDM Session: OMA-DM client started. CV: (%1).\u0000", 44 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 45 | "LinkToBlogArticle": "" 46 | }, 47 | { 48 | "CategoryName": "Intune - MDM Sync (OLD LOCATION)", 49 | "LogType": ".evtx", 50 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 51 | "Id": 206, 52 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 53 | "IncludeEventXMLDataInMessage": false, 54 | "IncludeEventXMLDataInToolTip": false, 55 | "ToolTipText": "", 56 | "Color": "", 57 | "DeveloperNotes": "MDM Session: OMA-DM session Init: UserSID(%1), EnrolledUser(%2), UserToken(%3), DeviceToken(%4), EnrollmentType(%5), SyncType(%6).\u0000", 58 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 59 | "LinkToBlogArticle": "" 60 | }, 61 | { 62 | "CategoryName": "Intune - MDM Sync (OLD LOCATION)", 63 | "LogType": ".evtx", 64 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 65 | "Id": 209, 66 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 67 | "IncludeEventXMLDataInMessage": false, 68 | "IncludeEventXMLDataInToolTip": false, 69 | "ToolTipText": "", 70 | "Color": "Green", 71 | "DeveloperNotes": "MDM Session: OMA-DM session ended with status: (%1).\u0000", 72 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 73 | "LinkToBlogArticle": "" 74 | }, 75 | { 76 | "CategoryName": "Intune - MDM Sync (OLD LOCATION)", 77 | "LogType": ".evtx", 78 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug", 79 | "Id": 210, 80 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 81 | "IncludeEventXMLDataInMessage": false, 82 | "IncludeEventXMLDataInToolTip": false, 83 | "ToolTipText": "", 84 | "Color": "Red", 85 | "DeveloperNotes": "MDM Session: OMA-DM client stopped with status: (%1).\u0000", 86 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 87 | "LinkToBlogArticle": "" 88 | } 89 | ] 90 | } 91 | ] -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Intune - IME Applications.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Intune - IME Applications", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Intune - IME Applications - 1. Get policy", 7 | "LogType": ".log", 8 | "LogFileName": "AppWorkload.log", 9 | "Message": "Get policies = [", 10 | "ToolTipText": "", 11 | "Color": "Yellow", 12 | "DeveloperNotes": "This has all information about Intune Apps including App Name, GUID and App Intent", 13 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 14 | "LinkToBlogArticle": "" 15 | }, 16 | { 17 | "CategoryName": "Intune - IME Applications - 2. Start processing", 18 | "LogType": ".log", 19 | "LogFileName": "AppWorkload.log", 20 | "Message": "[Win32App][V3Processor] Processing subgraph", 21 | "ToolTipText": "", 22 | "Color": "Yellow", 23 | "DeveloperNotes": "This has Intune App process start information", 24 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 25 | "LinkToBlogArticle": "" 26 | }, 27 | { 28 | "CategoryName": "Intune - IME Applications - 3. Detection", 29 | "LogType": ".log", 30 | "LogFileName": "AppWorkload.log", 31 | "Message": ".*applicationDetected: True.*", 32 | "ToolTipText": "", 33 | "Color": "Green", 34 | "DeveloperNotes": "This has Intune App detection check Detected True result", 35 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 36 | "LinkToBlogArticle": "" 37 | }, 38 | { 39 | "CategoryName": "Intune - IME Applications - 3. Detection", 40 | "LogType": ".log", 41 | "LogFileName": "AppWorkload.log", 42 | "Message": "[Win32App][WinGetApp][WinGetOperation] Starting Detection for app with id", 43 | "ToolTipText": "", 44 | "Color": "", 45 | "DeveloperNotes": "Intune Winget app detection start", 46 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 47 | "LinkToBlogArticle": "" 48 | }, 49 | { 50 | "CategoryName": "Intune - IME Applications - 3. Detection", 51 | "LogType": ".log", 52 | "LogFileName": "AppWorkload.log", 53 | "Message": "[Win32App][DetectionActionHandler] Detection for policy with id", 54 | "ToolTipText": "", 55 | "Color": "", 56 | "DeveloperNotes": "Intune Winget and Win32 app detection end", 57 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 58 | "LinkToBlogArticle": "" 59 | }, 60 | { 61 | "CategoryName": "Intune - IME Applications - 3. Detection", 62 | "LogType": ".log", 63 | "LogFileName": "AgentExecutor.log", 64 | "Message": "Adding argument powershellDetection with value C:\\Program Files (x86)\\Microsoft Intune Management Extension\\Content\\DetectionScripts", 65 | "ToolTipText": "", 66 | "Color": "", 67 | "DeveloperNotes": "Intune Win32 Application custom detection script start running", 68 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 69 | "LinkToBlogArticle": "" 70 | }, 71 | { 72 | "CategoryName": "Intune - IME Applications - 5. Install Result", 73 | "LogType": ".log", 74 | "LogFileName": "AppWorkload.log", 75 | "Message": "[Win32App] lpExitCode is defined as Success", 76 | "ToolTipText": "", 77 | "Color": "Green", 78 | "DeveloperNotes": "Intune application installation Succeeded", 79 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 80 | "LinkToBlogArticle": "" 81 | }, 82 | { 83 | "CategoryName": "Intune - IME Applications - 5. Install Result", 84 | "LogType": ".log", 85 | "LogFileName": "AppWorkload.log", 86 | "Message": "[Win32App] lpExitCode is defined as Failed", 87 | "ToolTipText": "", 88 | "Color": "Red", 89 | "DeveloperNotes": "Intune application installation Failed", 90 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 91 | "LinkToBlogArticle": "" 92 | }, 93 | { 94 | "CategoryName": "Intune - IME Applications - 5. Install Result", 95 | "LogType": ".log", 96 | "LogFileName": "AppWorkload.log", 97 | "Message": "[Win32App] lpExitCode", 98 | "ToolTipText": "", 99 | "Color": "Yellow", 100 | "DeveloperNotes": "Intune application installation exitCode. This is intentionally in wrong order here in json because we need 5 steps to be evaluated first because they have same beginning.", 101 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 102 | "LinkToBlogArticle": "" 103 | } 104 | ] 105 | } 106 | ] -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Intune - MDM Enrollment.json: -------------------------------------------------------------------------------- 1 | { 2 | "CategoryName": "Intune - MDM Enrollment", 3 | "KnownEventRules": [ 4 | { 5 | "CategoryName": "Intune - MDM Enrollment", 6 | "LogType": ".evtx", 7 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Enrollment", 8 | "Id": 16, 9 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 10 | "IncludeEventXMLDataInMessage": false, 11 | "IncludeEventXMLDataInToolTip": false, 12 | "ToolTipText": "", 13 | "Color": "", 14 | "DeveloperNotes": "MDM Enroll: OMA-DM client configuration succeeds.\u0000", 15 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 16 | "LinkToBlogArticle": "" 17 | }, 18 | { 19 | "CategoryName": "Intune - MDM Enrollment", 20 | "LogType": ".evtx", 21 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Enrollment", 22 | "Id": 17, 23 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 24 | "IncludeEventXMLDataInMessage": false, 25 | "IncludeEventXMLDataInToolTip": false, 26 | "ToolTipText": "", 27 | "Color": "Red", 28 | "DeveloperNotes": "MDM Enroll: OMA-DM client configuration failed. RAWResult: (%1) Result: (%2).\u0000", 29 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 30 | "LinkToBlogArticle": "" 31 | }, 32 | { 33 | "CategoryName": "Intune - MDM Enrollment", 34 | "LogType": ".evtx", 35 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug", 36 | "Id": 27, 37 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 38 | "IncludeEventXMLDataInMessage": false, 39 | "IncludeEventXMLDataInToolTip": false, 40 | "ToolTipText": "", 41 | "Color": "", 42 | "DeveloperNotes": "MDM Enroll: AutoEnrollMDM Result: (%3) PolicyValue: (%1) AADCredentialType: (%2).\u0000", 43 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 44 | "LinkToBlogArticle": "" 45 | }, 46 | { 47 | "CategoryName": "Intune - MDM Enrollment", 48 | "LogType": ".evtx", 49 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Enrollment", 50 | "Id": 58, 51 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 52 | "IncludeEventXMLDataInMessage": false, 53 | "IncludeEventXMLDataInToolTip": false, 54 | "ToolTipText": "", 55 | "Color": "", 56 | "DeveloperNotes": "MDM Enroll: Provisioning succeeded.\u0000", 57 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 58 | "LinkToBlogArticle": "" 59 | }, 60 | { 61 | "CategoryName": "Intune - MDM Enrollment", 62 | "LogType": ".evtx", 63 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Enrollment", 64 | "Id": 57, 65 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 66 | "IncludeEventXMLDataInMessage": false, 67 | "IncludeEventXMLDataInToolTip": false, 68 | "ToolTipText": "", 69 | "Color": "Red", 70 | "DeveloperNotes": "MDM Enroll: Provisioning failed. Result: (%1).\u0000", 71 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 72 | "LinkToBlogArticle": "" 73 | }, 74 | { 75 | "CategoryName": "Intune - MDM Enrollment", 76 | "LogType": ".evtx", 77 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Enrollment", 78 | "Id": 71, 79 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 80 | "IncludeEventXMLDataInMessage": false, 81 | "IncludeEventXMLDataInToolTip": false, 82 | "ToolTipText": "", 83 | "Color": "Red", 84 | "DeveloperNotes": "MDM Enroll: Failed (%1)\u0000", 85 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 86 | "LinkToBlogArticle": "" 87 | }, 88 | { 89 | "CategoryName": "Intune - MDM Enrollment", 90 | "LogType": ".evtx", 91 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Enrollment", 92 | "Id": 72, 93 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 94 | "IncludeEventXMLDataInMessage": false, 95 | "IncludeEventXMLDataInToolTip": false, 96 | "ToolTipText": "", 97 | "Color": "", 98 | "DeveloperNotes": "MDM Enroll: Succeeded\u0000", 99 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 100 | "LinkToBlogArticle": "" 101 | } 102 | ] 103 | } 104 | -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Intune - MDM Enrollment.json: -------------------------------------------------------------------------------- 1 | { 2 | "CategoryName": "Intune - MDM Enrollment", 3 | "KnownEventRules": [ 4 | { 5 | "CategoryName": "Intune - MDM Enrollment", 6 | "LogType": ".evtx", 7 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Enrollment", 8 | "Id": 16, 9 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 10 | "IncludeEventXMLDataInMessage": false, 11 | "IncludeEventXMLDataInToolTip": false, 12 | "ToolTipText": "", 13 | "Color": "", 14 | "DeveloperNotes": "MDM Enroll: OMA-DM client configuration succeeds.\u0000", 15 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 16 | "LinkToBlogArticle": "" 17 | }, 18 | { 19 | "CategoryName": "Intune - MDM Enrollment", 20 | "LogType": ".evtx", 21 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Enrollment", 22 | "Id": 17, 23 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 24 | "IncludeEventXMLDataInMessage": false, 25 | "IncludeEventXMLDataInToolTip": false, 26 | "ToolTipText": "", 27 | "Color": "Red", 28 | "DeveloperNotes": "MDM Enroll: OMA-DM client configuration failed. RAWResult: (%1) Result: (%2).\u0000", 29 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 30 | "LinkToBlogArticle": "" 31 | }, 32 | { 33 | "CategoryName": "Intune - MDM Enrollment", 34 | "LogType": ".evtx", 35 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug", 36 | "Id": 27, 37 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 38 | "IncludeEventXMLDataInMessage": false, 39 | "IncludeEventXMLDataInToolTip": false, 40 | "ToolTipText": "", 41 | "Color": "", 42 | "DeveloperNotes": "MDM Enroll: AutoEnrollMDM Result: (%3) PolicyValue: (%1) AADCredentialType: (%2).\u0000", 43 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 44 | "LinkToBlogArticle": "" 45 | }, 46 | { 47 | "CategoryName": "Intune - MDM Enrollment", 48 | "LogType": ".evtx", 49 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Enrollment", 50 | "Id": 58, 51 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 52 | "IncludeEventXMLDataInMessage": false, 53 | "IncludeEventXMLDataInToolTip": false, 54 | "ToolTipText": "", 55 | "Color": "", 56 | "DeveloperNotes": "MDM Enroll: Provisioning succeeded.\u0000", 57 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 58 | "LinkToBlogArticle": "" 59 | }, 60 | { 61 | "CategoryName": "Intune - MDM Enrollment", 62 | "LogType": ".evtx", 63 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Enrollment", 64 | "Id": 57, 65 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 66 | "IncludeEventXMLDataInMessage": false, 67 | "IncludeEventXMLDataInToolTip": false, 68 | "ToolTipText": "", 69 | "Color": "Red", 70 | "DeveloperNotes": "MDM Enroll: Provisioning failed. Result: (%1).\u0000", 71 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 72 | "LinkToBlogArticle": "" 73 | }, 74 | { 75 | "CategoryName": "Intune - MDM Enrollment", 76 | "LogType": ".evtx", 77 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Enrollment", 78 | "Id": 71, 79 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 80 | "IncludeEventXMLDataInMessage": false, 81 | "IncludeEventXMLDataInToolTip": false, 82 | "ToolTipText": "", 83 | "Color": "Red", 84 | "DeveloperNotes": "MDM Enroll: Failed (%1)\u0000", 85 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 86 | "LinkToBlogArticle": "" 87 | }, 88 | { 89 | "CategoryName": "Intune - MDM Enrollment", 90 | "LogType": ".evtx", 91 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Enrollment", 92 | "Id": 72, 93 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 94 | "IncludeEventXMLDataInMessage": false, 95 | "IncludeEventXMLDataInToolTip": false, 96 | "ToolTipText": "", 97 | "Color": "", 98 | "DeveloperNotes": "MDM Enroll: Succeeded\u0000", 99 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 100 | "LinkToBlogArticle": "" 101 | } 102 | ] 103 | } 104 | -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Intune - MDM Enrollment OLD LOCATION.json: -------------------------------------------------------------------------------- 1 | { 2 | "CategoryName": "Intune - MDM Enrollment (OLD LOCATION)", 3 | "KnownEventRules": [ 4 | { 5 | "CategoryName": "Intune - MDM Enrollment (OLD LOCATION)", 6 | "LogType": ".evtx", 7 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 8 | "Id": 16, 9 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 10 | "IncludeEventXMLDataInMessage": false, 11 | "IncludeEventXMLDataInToolTip": false, 12 | "ToolTipText": "", 13 | "Color": "", 14 | "DeveloperNotes": "MDM Enroll: OMA-DM client configuration succeeds.\u0000", 15 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 16 | "LinkToBlogArticle": "" 17 | }, 18 | { 19 | "CategoryName": "Intune - MDM Enrollment (OLD LOCATION)", 20 | "LogType": ".evtx", 21 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 22 | "Id": 17, 23 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 24 | "IncludeEventXMLDataInMessage": false, 25 | "IncludeEventXMLDataInToolTip": false, 26 | "ToolTipText": "", 27 | "Color": "Red", 28 | "DeveloperNotes": "MDM Enroll: OMA-DM client configuration failed. RAWResult: (%1) Result: (%2).\u0000", 29 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 30 | "LinkToBlogArticle": "" 31 | }, 32 | { 33 | "CategoryName": "Intune - MDM Enrollment (OLD LOCATION)", 34 | "LogType": ".evtx", 35 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug", 36 | "Id": 27, 37 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 38 | "IncludeEventXMLDataInMessage": false, 39 | "IncludeEventXMLDataInToolTip": false, 40 | "ToolTipText": "", 41 | "Color": "", 42 | "DeveloperNotes": "MDM Enroll: AutoEnrollMDM Result: (%3) PolicyValue: (%1) AADCredentialType: (%2).\u0000", 43 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 44 | "LinkToBlogArticle": "" 45 | }, 46 | { 47 | "CategoryName": "Intune - MDM Enrollment (OLD LOCATION)", 48 | "LogType": ".evtx", 49 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 50 | "Id": 58, 51 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 52 | "IncludeEventXMLDataInMessage": false, 53 | "IncludeEventXMLDataInToolTip": false, 54 | "ToolTipText": "", 55 | "Color": "", 56 | "DeveloperNotes": "MDM Enroll: Provisioning succeeded.\u0000", 57 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 58 | "LinkToBlogArticle": "" 59 | }, 60 | { 61 | "CategoryName": "Intune - MDM Enrollment (OLD LOCATION)", 62 | "LogType": ".evtx", 63 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 64 | "Id": 57, 65 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 66 | "IncludeEventXMLDataInMessage": false, 67 | "IncludeEventXMLDataInToolTip": false, 68 | "ToolTipText": "", 69 | "Color": "Red", 70 | "DeveloperNotes": "MDM Enroll: Provisioning failed. Result: (%1).\u0000", 71 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 72 | "LinkToBlogArticle": "" 73 | }, 74 | { 75 | "CategoryName": "Intune - MDM Enrollment (OLD LOCATION)", 76 | "LogType": ".evtx", 77 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 78 | "Id": 71, 79 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 80 | "IncludeEventXMLDataInMessage": false, 81 | "IncludeEventXMLDataInToolTip": false, 82 | "ToolTipText": "", 83 | "Color": "Red", 84 | "DeveloperNotes": "MDM Enroll: Failed (%1)\u0000", 85 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 86 | "LinkToBlogArticle": "" 87 | }, 88 | { 89 | "CategoryName": "Intune - MDM Enrollment (OLD LOCATION)", 90 | "LogType": ".evtx", 91 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 92 | "Id": 72, 93 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 94 | "IncludeEventXMLDataInMessage": false, 95 | "IncludeEventXMLDataInToolTip": false, 96 | "ToolTipText": "", 97 | "Color": "", 98 | "DeveloperNotes": "MDM Enroll: Succeeded\u0000", 99 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 100 | "LinkToBlogArticle": "" 101 | } 102 | ] 103 | } 104 | -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Intune - MDM Enrollment OLD LOCATION.json: -------------------------------------------------------------------------------- 1 | { 2 | "CategoryName": "Intune - MDM Enrollment (OLD LOCATION)", 3 | "KnownEventRules": [ 4 | { 5 | "CategoryName": "Intune - MDM Enrollment (OLD LOCATION)", 6 | "LogType": ".evtx", 7 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 8 | "Id": 16, 9 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 10 | "IncludeEventXMLDataInMessage": false, 11 | "IncludeEventXMLDataInToolTip": false, 12 | "ToolTipText": "", 13 | "Color": "", 14 | "DeveloperNotes": "MDM Enroll: OMA-DM client configuration succeeds.\u0000", 15 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 16 | "LinkToBlogArticle": "" 17 | }, 18 | { 19 | "CategoryName": "Intune - MDM Enrollment (OLD LOCATION)", 20 | "LogType": ".evtx", 21 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 22 | "Id": 17, 23 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 24 | "IncludeEventXMLDataInMessage": false, 25 | "IncludeEventXMLDataInToolTip": false, 26 | "ToolTipText": "", 27 | "Color": "Red", 28 | "DeveloperNotes": "MDM Enroll: OMA-DM client configuration failed. RAWResult: (%1) Result: (%2).\u0000", 29 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 30 | "LinkToBlogArticle": "" 31 | }, 32 | { 33 | "CategoryName": "Intune - MDM Enrollment (OLD LOCATION)", 34 | "LogType": ".evtx", 35 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug", 36 | "Id": 27, 37 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 38 | "IncludeEventXMLDataInMessage": false, 39 | "IncludeEventXMLDataInToolTip": false, 40 | "ToolTipText": "", 41 | "Color": "", 42 | "DeveloperNotes": "MDM Enroll: AutoEnrollMDM Result: (%3) PolicyValue: (%1) AADCredentialType: (%2).\u0000", 43 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 44 | "LinkToBlogArticle": "" 45 | }, 46 | { 47 | "CategoryName": "Intune - MDM Enrollment (OLD LOCATION)", 48 | "LogType": ".evtx", 49 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 50 | "Id": 58, 51 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 52 | "IncludeEventXMLDataInMessage": false, 53 | "IncludeEventXMLDataInToolTip": false, 54 | "ToolTipText": "", 55 | "Color": "", 56 | "DeveloperNotes": "MDM Enroll: Provisioning succeeded.\u0000", 57 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 58 | "LinkToBlogArticle": "" 59 | }, 60 | { 61 | "CategoryName": "Intune - MDM Enrollment (OLD LOCATION)", 62 | "LogType": ".evtx", 63 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 64 | "Id": 57, 65 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 66 | "IncludeEventXMLDataInMessage": false, 67 | "IncludeEventXMLDataInToolTip": false, 68 | "ToolTipText": "", 69 | "Color": "Red", 70 | "DeveloperNotes": "MDM Enroll: Provisioning failed. Result: (%1).\u0000", 71 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 72 | "LinkToBlogArticle": "" 73 | }, 74 | { 75 | "CategoryName": "Intune - MDM Enrollment (OLD LOCATION)", 76 | "LogType": ".evtx", 77 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 78 | "Id": 71, 79 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 80 | "IncludeEventXMLDataInMessage": false, 81 | "IncludeEventXMLDataInToolTip": false, 82 | "ToolTipText": "", 83 | "Color": "Red", 84 | "DeveloperNotes": "MDM Enroll: Failed (%1)\u0000", 85 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 86 | "LinkToBlogArticle": "" 87 | }, 88 | { 89 | "CategoryName": "Intune - MDM Enrollment (OLD LOCATION)", 90 | "LogType": ".evtx", 91 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin", 92 | "Id": 72, 93 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 94 | "IncludeEventXMLDataInMessage": false, 95 | "IncludeEventXMLDataInToolTip": false, 96 | "ToolTipText": "", 97 | "Color": "", 98 | "DeveloperNotes": "MDM Enroll: Succeeded\u0000", 99 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 100 | "LinkToBlogArticle": "" 101 | } 102 | ] 103 | } 104 | -------------------------------------------------------------------------------- /v1.0/Create-EventRules-GUI-HelperTool.ps1: -------------------------------------------------------------------------------- 1 | # This tool will show all Windows Event provider in Out-GridView 2 | # You can then select event provider where you want to create Known EventRules to 3 | # Get-WindowsTroubleshootingReportCommunity tool 4 | # 5 | # Petri.Paavola@yodamiitti.fi 6 | # Microsoft MVP - Windows and Intune 7 | 8 | 9 | # Change your information here 10 | # This will be shown on EventRules.json file 11 | # And shared in project GitHub 12 | $Author = "Firstname.Lastname@company.com / Super IT-Admin" 13 | 14 | 15 | # Create Eventrules folder if not exists 16 | if(-not (Test-Path "$PSScriptRoot\EventRules")) { 17 | New-Item -ItemType Directory -Path "$PSScriptRoot\EventRules" -Force 18 | } 19 | 20 | 21 | Write-Host "Select Event Provider to get Event IDs from" 22 | 23 | # List Event log Providers in Out-GridView 24 | $SelectedEventProviders = Get-WinEvent -ListProvider '*' -ErrorAction SilentlyContinue | Sort-Object -Property ProviderName | Out-GridView -Title 'Select Event Viewer log to show available Event IDs' -OutputMode Single 25 | 26 | Write-Host "Selected $($SelectedEventProviders.ProviderName)" 27 | 28 | Foreach ($EventProviderObject in $SelectedEventProviders) { 29 | # Show selected EventProvider 30 | $EventProviderObject | Format-List -Property * 31 | 32 | # Make a copy of events so we can add our own custom properties later 33 | $Events = (Get-WinEvent -ListProvider $EventProviderObject.ProviderName).Events 34 | 35 | # Add Level as clear text (Informational, Error, Warning) 36 | Foreach ($Event in $Events) { 37 | # DEBUG 38 | #Write-Host "DEBUG event:" 39 | #$Event | ConvertTo-Json 40 | 41 | # Add DisplayName property for Event 42 | $Event | Add-Member -MemberType NoteProperty -Name LevelDisplayName -Value $Event.Level.DisplayName 43 | 44 | # Add LogName property for Event 45 | $Event | Add-Member -MemberType NoteProperty -Name LogName -Value $Event.LogLink.LogName 46 | 47 | } 48 | 49 | Write-Host "Select Event IDs you want to add to your custom EventRules json file" 50 | 51 | # Show available Event Provider Event Ids 52 | $SelectedEventIds = $Events | Select-Object -Property Id, Description, LevelDisplayName, LogName, LogLink, Level | Out-GridView -Title 'Select objects for KnownRules.json' -OutputMode Multiple 53 | 54 | if(-not $SelectedEventIds) { 55 | Write-Host "No Event IDs selected. Skipping EventProvider $($EventProviderObject.ProviderName)" 56 | Continue 57 | } 58 | 59 | $CategoryName = $null 60 | While(-not $CategoryName) { 61 | $CategoryName = Read-Host "Enter CategoryName for KnownRules.json: " 62 | } 63 | 64 | $EventRulesFileFullPath = "$PSScriptRoot\EventRules\EventRules-$($CategoryName).json" 65 | Write-Host "Create EventRules file: $EventRulesFileFullPath" 66 | 67 | $EventRulesArray = [System.Collections.Generic.List[PSObject]]@() 68 | 69 | # Translate selected Event provider Ids to KnownRules.json syntax 70 | Foreach($SelectedEventId in $SelectedEventIds | Sort-Object -Property Id) { 71 | # Create custom Powershell object 72 | 73 | # DEBUG 74 | #$SelectedEventId | fl * 75 | #$SelectedEventId | ConvertTo-Json -Depth 4 | Set-Clipboard 76 | 77 | # Event type: Informational, Error 78 | Switch ($SelectedEventId.Level.Value) { 79 | '2' { 80 | # Error 81 | $Color = 'Red' 82 | } 83 | '3' { 84 | # Warning 85 | $Color = '' 86 | } 87 | '4' { 88 | # Informational 89 | $Color = '' 90 | } 91 | Default { 92 | $Color = '' 93 | } 94 | } 95 | 96 | $EventRuleCustomObject = ([PSCustomObject]@{ 97 | "CategoryName" = $CategoryName 98 | "LogType" = '.evtx' 99 | "Channel" = $SelectedEventId.LogLink.LogName 100 | "Id" = $SelectedEventId.Id 101 | "LevelDisplayName" = $SelectedEventId.LevelDisplayName 102 | "ProviderName" = "$($EventProviderObject.ProviderName)" 103 | "IncludeEventXMLDataInMessage" = $false 104 | "IncludeEventXMLDataInToolTip" = $false 105 | "ToolTipText" = '' 106 | "Color" = $Color 107 | "DeveloperNotes" = "$($SelectedEventId.Description)" 108 | "Author" = $Author 109 | "LinkToBlogArticle" = '' 110 | }) 111 | 112 | # DEBUG $CustomTimelineObject 113 | #$CustomTimelineObject 114 | #Pause 115 | 116 | $EventRulesArray.add($EventRuleCustomObject) 117 | } 118 | 119 | # Create main CategoryObject 120 | # And add previously selected EventIds to Property KnownEventRules 121 | $EventRulesObjectForJSONFile = ([PSCustomObject]@{ 122 | "CategoryName" = $CategoryName 123 | "KnownEventRules" = $EventRulesArray 124 | }) 125 | 126 | 127 | 128 | # DEBUG 129 | #$EventRulesArray 130 | #$EventRulesArray | ConvertTo-Json | Set-Clipboard 131 | 132 | # DEBUG 133 | #$EventRulesObjectForJSONFile 134 | 135 | # Save EventRules to json file 136 | $EventRulesObjectForJSONFile | ConvertTo-Json -Depth 3 | Out-File -FilePath "$EventRulesFileFullPath" -Force 137 | $Success = $? 138 | 139 | if($Success) { 140 | Write-Host "File saved successfully" -ForegroundColor Green 141 | } else { 142 | Write-Host "Failed to save file!" -ForegroundColor Red 143 | } 144 | 145 | } 146 | -------------------------------------------------------------------------------- /v1.1/Create-EventRules-GUI-HelperTool.ps1: -------------------------------------------------------------------------------- 1 | # This tool will show all Windows Event provider in Out-GridView 2 | # You can then select event provider where you want to create Known EventRules to 3 | # Get-WindowsTroubleshootingReportCommunity tool 4 | # 5 | # Petri.Paavola@yodamiitti.fi 6 | # Microsoft MVP - Windows and Intune 7 | 8 | 9 | # Change your information here 10 | # This will be shown on EventRules.json file 11 | # And shared in project GitHub 12 | $Author = "Firstname.Lastname@company.com / Super IT-Admin" 13 | 14 | 15 | # Create Eventrules folder if not exists 16 | if(-not (Test-Path "$PSScriptRoot\EventRules")) { 17 | New-Item -ItemType Directory -Path "$PSScriptRoot\EventRules" -Force 18 | } 19 | 20 | 21 | Write-Host "Select Event Provider to get Event IDs from" 22 | 23 | # List Event log Providers in Out-GridView 24 | $SelectedEventProviders = Get-WinEvent -ListProvider '*' -ErrorAction SilentlyContinue | Sort-Object -Property ProviderName | Out-GridView -Title 'Select Event Viewer log to show available Event IDs' -OutputMode Single 25 | 26 | Write-Host "Selected $($SelectedEventProviders.ProviderName)" 27 | 28 | Foreach ($EventProviderObject in $SelectedEventProviders) { 29 | # Show selected EventProvider 30 | $EventProviderObject | Format-List -Property * 31 | 32 | # Make a copy of events so we can add our own custom properties later 33 | $Events = (Get-WinEvent -ListProvider $EventProviderObject.ProviderName).Events 34 | 35 | # Add Level as clear text (Informational, Error, Warning) 36 | Foreach ($Event in $Events) { 37 | # DEBUG 38 | #Write-Host "DEBUG event:" 39 | #$Event | ConvertTo-Json 40 | 41 | # Add DisplayName property for Event 42 | $Event | Add-Member -MemberType NoteProperty -Name LevelDisplayName -Value $Event.Level.DisplayName 43 | 44 | # Add LogName property for Event 45 | $Event | Add-Member -MemberType NoteProperty -Name LogName -Value $Event.LogLink.LogName 46 | 47 | } 48 | 49 | Write-Host "Select Event IDs you want to add to your custom EventRules json file" 50 | 51 | # Show available Event Provider Event Ids 52 | $SelectedEventIds = $Events | Select-Object -Property Id, Description, LevelDisplayName, LogName, LogLink, Level | Out-GridView -Title 'Select objects for KnownRules.json' -OutputMode Multiple 53 | 54 | if(-not $SelectedEventIds) { 55 | Write-Host "No Event IDs selected. Skipping EventProvider $($EventProviderObject.ProviderName)" 56 | Continue 57 | } 58 | 59 | $CategoryName = $null 60 | While(-not $CategoryName) { 61 | $CategoryName = Read-Host "Enter CategoryName for KnownRules.json: " 62 | } 63 | 64 | $EventRulesFileFullPath = "$PSScriptRoot\EventRules\EventRules-$($CategoryName).json" 65 | Write-Host "Create EventRules file: $EventRulesFileFullPath" 66 | 67 | $EventRulesArray = [System.Collections.Generic.List[PSObject]]@() 68 | 69 | # Translate selected Event provider Ids to KnownRules.json syntax 70 | Foreach($SelectedEventId in $SelectedEventIds | Sort-Object -Property Id) { 71 | # Create custom Powershell object 72 | 73 | # DEBUG 74 | #$SelectedEventId | fl * 75 | #$SelectedEventId | ConvertTo-Json -Depth 4 | Set-Clipboard 76 | 77 | # Event type: Informational, Error 78 | Switch ($SelectedEventId.Level.Value) { 79 | '2' { 80 | # Error 81 | $Color = 'Red' 82 | } 83 | '3' { 84 | # Warning 85 | $Color = '' 86 | } 87 | '4' { 88 | # Informational 89 | $Color = '' 90 | } 91 | Default { 92 | $Color = '' 93 | } 94 | } 95 | 96 | $EventRuleCustomObject = ([PSCustomObject]@{ 97 | "CategoryName" = $CategoryName 98 | "LogType" = '.evtx' 99 | "Channel" = $SelectedEventId.LogLink.LogName 100 | "Id" = $SelectedEventId.Id 101 | "LevelDisplayName" = $SelectedEventId.LevelDisplayName 102 | "ProviderName" = "$($EventProviderObject.ProviderName)" 103 | "IncludeEventXMLDataInMessage" = $false 104 | "IncludeEventXMLDataInToolTip" = $false 105 | "ToolTipText" = '' 106 | "Color" = $Color 107 | "DeveloperNotes" = "$($SelectedEventId.Description)" 108 | "Author" = $Author 109 | "LinkToBlogArticle" = '' 110 | }) 111 | 112 | # DEBUG $CustomTimelineObject 113 | #$CustomTimelineObject 114 | #Pause 115 | 116 | $EventRulesArray.add($EventRuleCustomObject) 117 | } 118 | 119 | # Create main CategoryObject 120 | # And add previously selected EventIds to Property KnownEventRules 121 | $EventRulesObjectForJSONFile = ([PSCustomObject]@{ 122 | "CategoryName" = $CategoryName 123 | "KnownEventRules" = $EventRulesArray 124 | }) 125 | 126 | 127 | 128 | # DEBUG 129 | #$EventRulesArray 130 | #$EventRulesArray | ConvertTo-Json | Set-Clipboard 131 | 132 | # DEBUG 133 | #$EventRulesObjectForJSONFile 134 | 135 | # Save EventRules to json file 136 | $EventRulesObjectForJSONFile | ConvertTo-Json -Depth 3 | Out-File -FilePath "$EventRulesFileFullPath" -Force 137 | $Success = $? 138 | 139 | if($Success) { 140 | Write-Host "File saved successfully" -ForegroundColor Green 141 | } else { 142 | Write-Host "Failed to save file!" -ForegroundColor Red 143 | } 144 | 145 | } 146 | -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-ConfigMgr.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "ConfigMgr - Task Sequence", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "ConfigMgr - Task Sequence", 7 | "LogType": ".log", 8 | "LogFileName": "smsts.log", 9 | "Message": "TSManager initialized environment for task sequence:", 10 | "ToolTipText": "", 11 | "Color": "Yellow", 12 | "DeveloperNotes": "Task Sequence start and TaskSequence name", 13 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 14 | "LinkToBlogArticle": null 15 | }, 16 | { 17 | "CategoryName": "ConfigMgr - Task Sequence", 18 | "LogType": ".log", 19 | "LogFileName": "smsts.log", 20 | "Message": "Start executing an instruction. Instruction name:", 21 | "ToolTipText": "", 22 | "Color": "Yellow", 23 | "DeveloperNotes": "Individual Task Sequence steps", 24 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 25 | "LinkToBlogArticle": null 26 | }, 27 | { 28 | "CategoryName": "ConfigMgr - Task Sequence", 29 | "LogType": ".log", 30 | "LogFileName": "smsts.log", 31 | "Message": "Successfully completed the action", 32 | "ToolTipText": "", 33 | "Color": "Green", 34 | "DeveloperNotes": "", 35 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 36 | "LinkToBlogArticle": null 37 | }, 38 | { 39 | "CategoryName": "ConfigMgr - Task Sequence", 40 | "LogType": ".log", 41 | "LogFileName": "smsts.log", 42 | "Message": "Execution engine result code: Success", 43 | "ToolTipText": "", 44 | "Color": "Green", 45 | "DeveloperNotes": "", 46 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 47 | "LinkToBlogArticle": null 48 | }, 49 | { 50 | "CategoryName": "ConfigMgr - Task Sequence", 51 | "LogType": ".log", 52 | "LogFileName": "smsts.log", 53 | "Message": "Execution engine result code: Reboot", 54 | "ToolTipText": "", 55 | "Color": "Yellow", 56 | "DeveloperNotes": "", 57 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 58 | "LinkToBlogArticle": null 59 | }, 60 | { 61 | "CategoryName": "ConfigMgr - Task Sequence", 62 | "LogType": ".log", 63 | "LogFileName": "smsts.log", 64 | "Message": "Execution engine result code: Fail", 65 | "ToolTipText": "", 66 | "Color": "Red", 67 | "DeveloperNotes": "This is just a guess. Did not find example from log files.", 68 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 69 | "LinkToBlogArticle": null 70 | } 71 | ] 72 | }, 73 | { 74 | "CategoryName": "ConfigMgr - App Enforcement", 75 | "KnownEventRules": [ 76 | { 77 | "CategoryName": "ConfigMgr - App Enforcement", 78 | "LogType": ".log", 79 | "LogFileName": "appenforce.log", 80 | "Message": "+++ Starting Install enforcement for App", 81 | "ToolTipText": "", 82 | "Color": "Yellow", 83 | "DeveloperNotes": "", 84 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 85 | "LinkToBlogArticle": null 86 | }, 87 | { 88 | "CategoryName": "ConfigMgr - App Enforcement", 89 | "LogType": ".log", 90 | "LogFileName": "appenforce.log", 91 | "Message": "++++++ App enforcement completed", 92 | "ToolTipText": "", 93 | "Color": "Green", 94 | "DeveloperNotes": "", 95 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 96 | "LinkToBlogArticle": null 97 | }, 98 | { 99 | "CategoryName": "ConfigMgr - App Enforcement", 100 | "LogType": ".log", 101 | "LogFileName": "appenforce.log", 102 | "Message": "+++ Discovered application", 103 | "ToolTipText": "", 104 | "Color": "", 105 | "DeveloperNotes": "", 106 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 107 | "LinkToBlogArticle": null 108 | }, 109 | { 110 | "CategoryName": "ConfigMgr - App Enforcement", 111 | "LogType": ".log", 112 | "LogFileName": "appenforce.log", 113 | "Message": "+++ Application not discovered - THIS IS NOT ACTIVE NOW, MAYBE NOT NEEDED ?", 114 | "ToolTipText": "", 115 | "Color": "Yellow", 116 | "DeveloperNotes": "+++ Application not discovered", 117 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 118 | "LinkToBlogArticle": null 119 | }, 120 | { 121 | "CategoryName": "ConfigMgr - App Enforcement", 122 | "LogType": ".log", 123 | "LogFileName": "appenforce.log", 124 | "Message": "Unmatched exit code", 125 | "ToolTipText": "", 126 | "Color": "Red", 127 | "DeveloperNotes": "Unmatched exit code (1) is considered an execution failure.", 128 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 129 | "LinkToBlogArticle": null 130 | } 131 | ] 132 | }, 133 | { 134 | "CategoryName": "ConfigMgr - Windows Updates", 135 | "KnownEventRules": [ 136 | { 137 | "CategoryName": "ConfigMgr - Windows Updates", 138 | "LogType": ".log", 139 | "LogFileName": "wuahandler.log", 140 | "Message": "Update (Installed):", 141 | "ToolTipText": "", 142 | "Color": "Green", 143 | "DeveloperNotes": "", 144 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 145 | "LinkToBlogArticle": null 146 | }, 147 | { 148 | "CategoryName": "ConfigMgr - Windows Updates", 149 | "LogType": ".log", 150 | "LogFileName": "wuahandler.log", 151 | "Message": "Failed to install updates.", 152 | "ToolTipText": "", 153 | "Color": "Red", 154 | "DeveloperNotes": "", 155 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 156 | "LinkToBlogArticle": null 157 | } 158 | ] 159 | } 160 | ] -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-ConfigMgr.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "ConfigMgr - Task Sequence", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "ConfigMgr - Task Sequence", 7 | "LogType": ".log", 8 | "LogFileName": "smsts.log", 9 | "Message": "TSManager initialized environment for task sequence:", 10 | "ToolTipText": "", 11 | "Color": "Yellow", 12 | "DeveloperNotes": "Task Sequence start and TaskSequence name", 13 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 14 | "LinkToBlogArticle": null 15 | }, 16 | { 17 | "CategoryName": "ConfigMgr - Task Sequence", 18 | "LogType": ".log", 19 | "LogFileName": "smsts.log", 20 | "Message": "Start executing an instruction. Instruction name:", 21 | "ToolTipText": "", 22 | "Color": "Yellow", 23 | "DeveloperNotes": "Individual Task Sequence steps", 24 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 25 | "LinkToBlogArticle": null 26 | }, 27 | { 28 | "CategoryName": "ConfigMgr - Task Sequence", 29 | "LogType": ".log", 30 | "LogFileName": "smsts.log", 31 | "Message": "Successfully completed the action", 32 | "ToolTipText": "", 33 | "Color": "Green", 34 | "DeveloperNotes": "", 35 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 36 | "LinkToBlogArticle": null 37 | }, 38 | { 39 | "CategoryName": "ConfigMgr - Task Sequence", 40 | "LogType": ".log", 41 | "LogFileName": "smsts.log", 42 | "Message": "Execution engine result code: Success", 43 | "ToolTipText": "", 44 | "Color": "Green", 45 | "DeveloperNotes": "", 46 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 47 | "LinkToBlogArticle": null 48 | }, 49 | { 50 | "CategoryName": "ConfigMgr - Task Sequence", 51 | "LogType": ".log", 52 | "LogFileName": "smsts.log", 53 | "Message": "Execution engine result code: Reboot", 54 | "ToolTipText": "", 55 | "Color": "Yellow", 56 | "DeveloperNotes": "", 57 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 58 | "LinkToBlogArticle": null 59 | }, 60 | { 61 | "CategoryName": "ConfigMgr - Task Sequence", 62 | "LogType": ".log", 63 | "LogFileName": "smsts.log", 64 | "Message": "Execution engine result code: Fail", 65 | "ToolTipText": "", 66 | "Color": "Red", 67 | "DeveloperNotes": "This is just a guess. Did not find example from log files.", 68 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 69 | "LinkToBlogArticle": null 70 | } 71 | ] 72 | }, 73 | { 74 | "CategoryName": "ConfigMgr - App Enforcement", 75 | "KnownEventRules": [ 76 | { 77 | "CategoryName": "ConfigMgr - App Enforcement", 78 | "LogType": ".log", 79 | "LogFileName": "appenforce.log", 80 | "Message": "+++ Starting Install enforcement for App", 81 | "ToolTipText": "", 82 | "Color": "Yellow", 83 | "DeveloperNotes": "", 84 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 85 | "LinkToBlogArticle": null 86 | }, 87 | { 88 | "CategoryName": "ConfigMgr - App Enforcement", 89 | "LogType": ".log", 90 | "LogFileName": "appenforce.log", 91 | "Message": "++++++ App enforcement completed", 92 | "ToolTipText": "", 93 | "Color": "Green", 94 | "DeveloperNotes": "", 95 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 96 | "LinkToBlogArticle": null 97 | }, 98 | { 99 | "CategoryName": "ConfigMgr - App Enforcement", 100 | "LogType": ".log", 101 | "LogFileName": "appenforce.log", 102 | "Message": "+++ Discovered application", 103 | "ToolTipText": "", 104 | "Color": "", 105 | "DeveloperNotes": "", 106 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 107 | "LinkToBlogArticle": null 108 | }, 109 | { 110 | "CategoryName": "ConfigMgr - App Enforcement", 111 | "LogType": ".log", 112 | "LogFileName": "appenforce.log", 113 | "Message": "+++ Application not discovered - THIS IS NOT ACTIVE NOW, MAYBE NOT NEEDED ?", 114 | "ToolTipText": "", 115 | "Color": "Yellow", 116 | "DeveloperNotes": "+++ Application not discovered", 117 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 118 | "LinkToBlogArticle": null 119 | }, 120 | { 121 | "CategoryName": "ConfigMgr - App Enforcement", 122 | "LogType": ".log", 123 | "LogFileName": "appenforce.log", 124 | "Message": "Unmatched exit code", 125 | "ToolTipText": "", 126 | "Color": "Red", 127 | "DeveloperNotes": "Unmatched exit code (1) is considered an execution failure.", 128 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 129 | "LinkToBlogArticle": null 130 | } 131 | ] 132 | }, 133 | { 134 | "CategoryName": "ConfigMgr - Windows Updates", 135 | "KnownEventRules": [ 136 | { 137 | "CategoryName": "ConfigMgr - Windows Updates", 138 | "LogType": ".log", 139 | "LogFileName": "wuahandler.log", 140 | "Message": "Update (Installed):", 141 | "ToolTipText": "", 142 | "Color": "Green", 143 | "DeveloperNotes": "", 144 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 145 | "LinkToBlogArticle": null 146 | }, 147 | { 148 | "CategoryName": "ConfigMgr - Windows Updates", 149 | "LogType": ".log", 150 | "LogFileName": "wuahandler.log", 151 | "Message": "Failed to install updates.", 152 | "ToolTipText": "", 153 | "Color": "Red", 154 | "DeveloperNotes": "", 155 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 156 | "LinkToBlogArticle": null 157 | } 158 | ] 159 | } 160 | ] -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Windows - LAPS.json: -------------------------------------------------------------------------------- 1 | { 2 | "CategoryName": "Windows - LAPS", 3 | "KnownEventRules": [ 4 | { 5 | "CategoryName": "Windows - LAPS", 6 | "LogType": ".evtx", 7 | "Channel": "Microsoft-Windows-LAPS/Operational", 8 | "Id": 10004, 9 | "ProviderName": "Microsoft-Windows-LAPS", 10 | "IncludeEventXMLDataInMessage": false, 11 | "IncludeEventXMLDataInToolTip": false, 12 | "ToolTipText": "", 13 | "Color": "Green", 14 | "DeveloperNotes": "LAPS policy processing succeeded", 15 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 16 | "LinkToBlogArticle": null 17 | }, 18 | { 19 | "CategoryName": "Windows - LAPS", 20 | "LogType": ".evtx", 21 | "Channel": "Microsoft-Windows-LAPS/Operational", 22 | "Id": 10005, 23 | "ProviderName": "Microsoft-Windows-LAPS", 24 | "IncludeEventXMLDataInMessage": false, 25 | "IncludeEventXMLDataInToolTip": true, 26 | "ToolTipText": "", 27 | "Color": "Red", 28 | "DeveloperNotes": "LAPS policy processing failed with the error code below.", 29 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 30 | "LinkToBlogArticle": null 31 | }, 32 | { 33 | "CategoryName": "Windows - LAPS", 34 | "LogType": ".evtx", 35 | "Channel": "Microsoft-Windows-LAPS/Operational", 36 | "Id": 10007, 37 | "ProviderName": "Microsoft-Windows-LAPS", 38 | "IncludeEventXMLDataInMessage": false, 39 | "IncludeEventXMLDataInToolTip": false, 40 | "ToolTipText": "", 41 | "Color": "Yellow", 42 | "DeveloperNotes": "LAPS is not currently configured to manage any account.", 43 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 44 | "LinkToBlogArticle": null 45 | }, 46 | { 47 | "CategoryName": "Windows - LAPS", 48 | "LogType": ".evtx", 49 | "Channel": "Microsoft-Windows-LAPS/Operational", 50 | "Id": 10013, 51 | "ProviderName": "Microsoft-Windows-LAPS", 52 | "IncludeEventXMLDataInMessage": false, 53 | "IncludeEventXMLDataInToolTip": true, 54 | "ToolTipText": "", 55 | "Color": "Red", 56 | "DeveloperNotes": "LAPS failed to find the currently configured local administrator account.", 57 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 58 | "LinkToBlogArticle": null 59 | }, 60 | { 61 | "CategoryName": "Windows - LAPS", 62 | "LogType": ".evtx", 63 | "Channel": "Microsoft-Windows-LAPS/Operational-DISABLED-Because-below-event-should-be-enough", 64 | "Id": 10014, 65 | "ProviderName": "Microsoft-Windows-LAPS", 66 | "IncludeEventXMLDataInMessage": false, 67 | "IncludeEventXMLDataInToolTip": false, 68 | "ToolTipText": "", 69 | "Color": "Yellow", 70 | "DeveloperNotes": "LAPS is updating the managed account password due to an Administrator-initiated request.", 71 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 72 | "LinkToBlogArticle": null 73 | }, 74 | { 75 | "CategoryName": "Windows - LAPS", 76 | "LogType": ".evtx", 77 | "Channel": "Microsoft-Windows-LAPS/Operational", 78 | "Id": 10015, 79 | "ProviderName": "Microsoft-Windows-LAPS", 80 | "IncludeEventXMLDataInMessage": false, 81 | "IncludeEventXMLDataInToolTip": true, 82 | "ToolTipText": "", 83 | "Color": "Green", 84 | "DeveloperNotes": "The managed account password needs to be updated due to one or more reasons (%1):", 85 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 86 | "LinkToBlogArticle": null 87 | }, 88 | { 89 | "CategoryName": "Windows - LAPS", 90 | "LogType": ".evtx", 91 | "Channel": "Microsoft-Windows-LAPS/Operational", 92 | "Id": 10019, 93 | "ProviderName": "Microsoft-Windows-LAPS", 94 | "IncludeEventXMLDataInMessage": false, 95 | "IncludeEventXMLDataInToolTip": true, 96 | "ToolTipText": "", 97 | "Color": "Red", 98 | "DeveloperNotes": "LAPS failed to update the local admin account with the new password.\\nAccount name: %1\\nAccount RID: %2\\nError code: %3", 99 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 100 | "LinkToBlogArticle": null 101 | }, 102 | { 103 | "CategoryName": "Windows - LAPS", 104 | "LogType": ".evtx", 105 | "Channel": "Microsoft-Windows-LAPS/Operational", 106 | "Id": 10020, 107 | "ProviderName": "Microsoft-Windows-LAPS", 108 | "IncludeEventXMLDataInMessage": false, 109 | "IncludeEventXMLDataInToolTip": true, 110 | "ToolTipText": "", 111 | "Color": "Green", 112 | "DeveloperNotes": "LAPS successfully updated the local admin account with the new password.\\nAccount name: %1\\nAccount RID: %2", 113 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 114 | "LinkToBlogArticle": null 115 | }, 116 | { 117 | "CategoryName": "Windows - LAPS", 118 | "LogType": ".evtx", 119 | "Channel": "Microsoft-Windows-LAPS/Operational", 120 | "Id": 10022, 121 | "ProviderName": "Microsoft-Windows-LAPS", 122 | "IncludeEventXMLDataInMessage": false, 123 | "IncludeEventXMLDataInToolTip": true, 124 | "ToolTipText": "", 125 | "Color": "Yellow", 126 | "DeveloperNotes": "The current LAPS policy is configured as follows", 127 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 128 | "LinkToBlogArticle": null 129 | }, 130 | { 131 | "CategoryName": "Windows - LAPS", 132 | "LogType": ".evtx", 133 | "Channel": "Microsoft-Windows-LAPS/Operational", 134 | "Id": 10024, 135 | "ProviderName": "Microsoft-Windows-LAPS", 136 | "IncludeEventXMLDataInMessage": false, 137 | "IncludeEventXMLDataInToolTip": false, 138 | "ToolTipText": "", 139 | "Color": "Yellow", 140 | "DeveloperNotes": "LAPS policy is configured as disabled.", 141 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 142 | "LinkToBlogArticle": null 143 | }, 144 | { 145 | "CategoryName": "Windows - LAPS", 146 | "LogType": ".evtx", 147 | "Channel": "Microsoft-Windows-LAPS/Operational", 148 | "Id": 10029, 149 | "ProviderName": "Microsoft-Windows-LAPS-EVENT-DISABLED-BECAUSE-DUPLICATE-Check-below-event", 150 | "IncludeEventXMLDataInMessage": false, 151 | "IncludeEventXMLDataInToolTip": false, 152 | "ToolTipText": "", 153 | "Color": "Green", 154 | "DeveloperNotes": "LAPS successfully updated Azure Active Directory with the new password.", 155 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 156 | "LinkToBlogArticle": null 157 | }, 158 | { 159 | "CategoryName": "Windows - LAPS", 160 | "LogType": ".evtx", 161 | "Channel": "Microsoft-Windows-LAPS/Operational", 162 | "Id": 10067, 163 | "ProviderName": "Microsoft-Windows-LAPS", 164 | "IncludeEventXMLDataInMessage": false, 165 | "IncludeEventXMLDataInToolTip": true, 166 | "ToolTipText": "", 167 | "Color": "Yellow", 168 | "DeveloperNotes": "The configured local account is currently disabled. The account must be enabled before it can be used.", 169 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 170 | "LinkToBlogArticle": null 171 | } 172 | ] 173 | } -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Windows - LAPS.json: -------------------------------------------------------------------------------- 1 | { 2 | "CategoryName": "Windows - LAPS", 3 | "KnownEventRules": [ 4 | { 5 | "CategoryName": "Windows - LAPS", 6 | "LogType": ".evtx", 7 | "Channel": "Microsoft-Windows-LAPS/Operational", 8 | "Id": 10004, 9 | "ProviderName": "Microsoft-Windows-LAPS", 10 | "IncludeEventXMLDataInMessage": false, 11 | "IncludeEventXMLDataInToolTip": false, 12 | "ToolTipText": "", 13 | "Color": "Green", 14 | "DeveloperNotes": "LAPS policy processing succeeded", 15 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 16 | "LinkToBlogArticle": null 17 | }, 18 | { 19 | "CategoryName": "Windows - LAPS", 20 | "LogType": ".evtx", 21 | "Channel": "Microsoft-Windows-LAPS/Operational", 22 | "Id": 10005, 23 | "ProviderName": "Microsoft-Windows-LAPS", 24 | "IncludeEventXMLDataInMessage": false, 25 | "IncludeEventXMLDataInToolTip": true, 26 | "ToolTipText": "", 27 | "Color": "Red", 28 | "DeveloperNotes": "LAPS policy processing failed with the error code below.", 29 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 30 | "LinkToBlogArticle": null 31 | }, 32 | { 33 | "CategoryName": "Windows - LAPS", 34 | "LogType": ".evtx", 35 | "Channel": "Microsoft-Windows-LAPS/Operational", 36 | "Id": 10007, 37 | "ProviderName": "Microsoft-Windows-LAPS", 38 | "IncludeEventXMLDataInMessage": false, 39 | "IncludeEventXMLDataInToolTip": false, 40 | "ToolTipText": "", 41 | "Color": "Yellow", 42 | "DeveloperNotes": "LAPS is not currently configured to manage any account.", 43 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 44 | "LinkToBlogArticle": null 45 | }, 46 | { 47 | "CategoryName": "Windows - LAPS", 48 | "LogType": ".evtx", 49 | "Channel": "Microsoft-Windows-LAPS/Operational", 50 | "Id": 10013, 51 | "ProviderName": "Microsoft-Windows-LAPS", 52 | "IncludeEventXMLDataInMessage": false, 53 | "IncludeEventXMLDataInToolTip": true, 54 | "ToolTipText": "", 55 | "Color": "Red", 56 | "DeveloperNotes": "LAPS failed to find the currently configured local administrator account.", 57 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 58 | "LinkToBlogArticle": null 59 | }, 60 | { 61 | "CategoryName": "Windows - LAPS", 62 | "LogType": ".evtx", 63 | "Channel": "Microsoft-Windows-LAPS/Operational-DISABLED-Because-below-event-should-be-enough", 64 | "Id": 10014, 65 | "ProviderName": "Microsoft-Windows-LAPS", 66 | "IncludeEventXMLDataInMessage": false, 67 | "IncludeEventXMLDataInToolTip": false, 68 | "ToolTipText": "", 69 | "Color": "Yellow", 70 | "DeveloperNotes": "LAPS is updating the managed account password due to an Administrator-initiated request.", 71 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 72 | "LinkToBlogArticle": null 73 | }, 74 | { 75 | "CategoryName": "Windows - LAPS", 76 | "LogType": ".evtx", 77 | "Channel": "Microsoft-Windows-LAPS/Operational", 78 | "Id": 10015, 79 | "ProviderName": "Microsoft-Windows-LAPS", 80 | "IncludeEventXMLDataInMessage": false, 81 | "IncludeEventXMLDataInToolTip": true, 82 | "ToolTipText": "", 83 | "Color": "Green", 84 | "DeveloperNotes": "The managed account password needs to be updated due to one or more reasons (%1):", 85 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 86 | "LinkToBlogArticle": null 87 | }, 88 | { 89 | "CategoryName": "Windows - LAPS", 90 | "LogType": ".evtx", 91 | "Channel": "Microsoft-Windows-LAPS/Operational", 92 | "Id": 10019, 93 | "ProviderName": "Microsoft-Windows-LAPS", 94 | "IncludeEventXMLDataInMessage": false, 95 | "IncludeEventXMLDataInToolTip": true, 96 | "ToolTipText": "", 97 | "Color": "Red", 98 | "DeveloperNotes": "LAPS failed to update the local admin account with the new password.\\nAccount name: %1\\nAccount RID: %2\\nError code: %3", 99 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 100 | "LinkToBlogArticle": null 101 | }, 102 | { 103 | "CategoryName": "Windows - LAPS", 104 | "LogType": ".evtx", 105 | "Channel": "Microsoft-Windows-LAPS/Operational", 106 | "Id": 10020, 107 | "ProviderName": "Microsoft-Windows-LAPS", 108 | "IncludeEventXMLDataInMessage": false, 109 | "IncludeEventXMLDataInToolTip": true, 110 | "ToolTipText": "", 111 | "Color": "Green", 112 | "DeveloperNotes": "LAPS successfully updated the local admin account with the new password.\\nAccount name: %1\\nAccount RID: %2", 113 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 114 | "LinkToBlogArticle": null 115 | }, 116 | { 117 | "CategoryName": "Windows - LAPS", 118 | "LogType": ".evtx", 119 | "Channel": "Microsoft-Windows-LAPS/Operational", 120 | "Id": 10022, 121 | "ProviderName": "Microsoft-Windows-LAPS", 122 | "IncludeEventXMLDataInMessage": false, 123 | "IncludeEventXMLDataInToolTip": true, 124 | "ToolTipText": "", 125 | "Color": "Yellow", 126 | "DeveloperNotes": "The current LAPS policy is configured as follows", 127 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 128 | "LinkToBlogArticle": null 129 | }, 130 | { 131 | "CategoryName": "Windows - LAPS", 132 | "LogType": ".evtx", 133 | "Channel": "Microsoft-Windows-LAPS/Operational", 134 | "Id": 10024, 135 | "ProviderName": "Microsoft-Windows-LAPS", 136 | "IncludeEventXMLDataInMessage": false, 137 | "IncludeEventXMLDataInToolTip": false, 138 | "ToolTipText": "", 139 | "Color": "Yellow", 140 | "DeveloperNotes": "LAPS policy is configured as disabled.", 141 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 142 | "LinkToBlogArticle": null 143 | }, 144 | { 145 | "CategoryName": "Windows - LAPS", 146 | "LogType": ".evtx", 147 | "Channel": "Microsoft-Windows-LAPS/Operational", 148 | "Id": 10029, 149 | "ProviderName": "Microsoft-Windows-LAPS-EVENT-DISABLED-BECAUSE-DUPLICATE-Check-below-event", 150 | "IncludeEventXMLDataInMessage": false, 151 | "IncludeEventXMLDataInToolTip": false, 152 | "ToolTipText": "", 153 | "Color": "Green", 154 | "DeveloperNotes": "LAPS successfully updated Azure Active Directory with the new password.", 155 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 156 | "LinkToBlogArticle": null 157 | }, 158 | { 159 | "CategoryName": "Windows - LAPS", 160 | "LogType": ".evtx", 161 | "Channel": "Microsoft-Windows-LAPS/Operational", 162 | "Id": 10067, 163 | "ProviderName": "Microsoft-Windows-LAPS", 164 | "IncludeEventXMLDataInMessage": false, 165 | "IncludeEventXMLDataInToolTip": true, 166 | "ToolTipText": "", 167 | "Color": "Yellow", 168 | "DeveloperNotes": "The configured local account is currently disabled. The account must be enabled before it can be used.", 169 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 170 | "LinkToBlogArticle": null 171 | } 172 | ] 173 | } -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Windows - PowerManagement.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Windows - Power management (Modern) Sleep", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Windows - Power management (Modern) Sleep", 7 | "LogType": ".evtx", 8 | "Channel": "System", 9 | "Id": 1, 10 | "ProviderName": "Microsoft-Windows-Power-Troubleshooter", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "The system has returned from a low power state.", 14 | "DeveloperNotes": "The system has returned from a low power state.\\n\\nSleep Time: 2024-09-07T13:17:14.529644800Z\\nWake Time: 2024-09-07T13:22:49.615516200Z\\n\\nWake Source: Device -Surface Button" 15 | }, 16 | { 17 | "CategoryName": "Windows - Power management (Modern) Sleep", 18 | "LogType": ".evtx", 19 | "Channel": "System", 20 | "Id": 42, 21 | "ProviderName": "Microsoft-Windows-Kernel-Power", 22 | "IncludeEventXMLDataInMessage": false, 23 | "IncludeEventXMLDataInToolTip": true, 24 | "ToolTipText": "The system is entering sleep.", 25 | "DeveloperNotes": "The system is entering sleep.\\n\\nSleep Reason: Application API" 26 | }, 27 | { 28 | "CategoryName": "Windows - Power management (Modern) Sleep", 29 | "LogType": ".evtx", 30 | "Channel": "System", 31 | "Id": 107, 32 | "ProviderName": "Microsoft-Windows-Kernel-Power", 33 | "IncludeEventXMLDataInMessage": false, 34 | "IncludeEventXMLDataInToolTip": true, 35 | "ToolTipText": "The system has resumed from sleep.", 36 | "DeveloperNotes": "The system has resumed from sleep." 37 | }, 38 | { 39 | "CategoryName": "Windows - Power management (Modern) Sleep", 40 | "LogType": ".evtx", 41 | "Channel": "System", 42 | "Id": 506, 43 | "ProviderName": "Microsoft-Windows-Kernel-Power", 44 | "IncludeEventXMLDataInMessage": false, 45 | "IncludeEventXMLDataInToolTip": true, 46 | "ToolTipText": "The system is entering Modern Standby", 47 | "DeveloperNotes": "The system is entering Modern Standby\\n\\nReason: Sleep, Hibernate, or Shutdown." 48 | }, 49 | { 50 | "CategoryName": "Windows - Power management (Modern) Sleep", 51 | "LogType": ".evtx", 52 | "Channel": "System", 53 | "Id": 507, 54 | "ProviderName": "Microsoft-Windows-Kernel-Power", 55 | "IncludeEventXMLDataInMessage": false, 56 | "IncludeEventXMLDataInToolTip": true, 57 | "ToolTipText": "The system is exiting Modern Standby", 58 | "DeveloperNotes": "The system is exiting Modern Standby\\n\\nReason: Resume from Hibernate." 59 | }, 60 | { 61 | "CategoryName": "Windows - Power management (Modern) Sleep", 62 | "LogType": ".evtx", 63 | "Channel": "Microsoft-Windows-Wcmsvc/Operational", 64 | "Id": 1005, 65 | "ProviderName": "Microsoft-Windows-Wcmsvc", 66 | "IncludeEventXMLDataInMessage": false, 67 | "IncludeEventXMLDataInToolTip": false, 68 | "ToolTipText": "A Power change was processed. ", 69 | "DeveloperNotes": "Several different reasons:\\n\\nReason: Operation is resuming automatically from a low-power state\\n\\nReason: A resume was triggered by user input" 70 | }, 71 | { 72 | "CategoryName": "Windows - Power management (Modern) Sleep", 73 | "LogType": ".log", 74 | "LogFileName": "pwrmgmt.log", 75 | "Message": "The next wake up time is", 76 | "ToolTipText": "", 77 | "Color": "Yellow", 78 | "DeveloperNotes": "", 79 | "Author": "", 80 | "LinkToBlogArticle": null 81 | }, 82 | { 83 | "CategoryName": "Windows - Power management (Modern) Sleep", 84 | "LogType": ".log", 85 | "LogFileName": "pwrmgmt.log", 86 | "Message": "This device is Modern Standby Capable", 87 | "ToolTipText": "", 88 | "Color": "Green", 89 | "DeveloperNotes": "", 90 | "Author": "", 91 | "LinkToBlogArticle": null 92 | } 93 | ] 94 | }, 95 | { 96 | "CategoryName": "Windows - Power management Reboot", 97 | "KnownEventRules": [ 98 | { 99 | "CategoryName": "Windows - Power management Reboot", 100 | "LogType": ".evtx", 101 | "Channel": "System", 102 | "Id": 577, 103 | "ProviderName": "Microsoft-Windows-Kernel-Power", 104 | "IncludeEventXMLDataInMessage": false, 105 | "IncludeEventXMLDataInToolTip": true, 106 | "ToolTipText": "Prepared reboot from sleep (Idle)", 107 | "DeveloperNotes": "The system has prepared for a system initiated reboot from Sleeping (Idle)." 108 | }, 109 | { 110 | "CategoryName": "Windows - Power management Reboot", 111 | "LogType": ".evtx", 112 | "Channel": "System", 113 | "Id": 578, 114 | "ProviderName": "Microsoft-Windows-Kernel-Power", 115 | "IncludeEventXMLDataInMessage": false, 116 | "IncludeEventXMLDataInToolTip": true, 117 | "ToolTipText": "Detected reboot from sleep (Idle)", 118 | "DeveloperNotes": "The system has detected a system initiated reboot from Sleeping (Idle)." 119 | }, 120 | { 121 | "CategoryName": "Windows - Power management Start&Shutdown", 122 | "LogType": ".evtx", 123 | "Channel": "System_RULE_DISABLED_FOR_NOW_FOR_BETTER_READABILITY", 124 | "Id": 109, 125 | "ProviderName": "Microsoft-Windows-Kernel-Power", 126 | "IncludeEventXMLDataInMessage": false, 127 | "IncludeEventXMLDataInToolTip": false, 128 | "ToolTipText": "Shutdown reason", 129 | "DeveloperNotes": "The kernel power manager has initiated a shutdown transition.\\nAction: Power Action Reboot \\nEvent Code: 0x0 \\nReason: Kernel API" 130 | } 131 | ] 132 | }, 133 | { 134 | "CategoryName": "Windows - Power management Start&Shutdown", 135 | "KnownEventRules": [ 136 | { 137 | "CategoryName": "Windows - Power management Start&Shutdown", 138 | "LogType": ".evtx", 139 | "Channel": "System", 140 | "Id": 13, 141 | "ProviderName": "Microsoft-Windows-Kernel-General", 142 | "IncludeEventXMLDataInMessage": false, 143 | "IncludeEventXMLDataInToolTip": false, 144 | "ToolTipText": "Shutting down", 145 | "Color": "Yellow", 146 | "DeveloperNotes": "The operating system is shutting down at system time 2024-08-15T21:52:47.694460500Z." 147 | }, 148 | { 149 | "CategoryName": "Windows - Power management Start&Shutdown", 150 | "LogType": ".evtx", 151 | "Channel": "System", 152 | "Id": 12, 153 | "ProviderName": "Microsoft-Windows-Kernel-General", 154 | "IncludeEventXMLDataInMessage": false, 155 | "IncludeEventXMLDataInToolTip": false, 156 | "ToolTipText": "Operating System started", 157 | "Color": "Yellow", 158 | "DeveloperNotes": "The operating system started at system time 2024-08-15T21:53:08.500000000Z." 159 | } 160 | ] 161 | }, 162 | { 163 | "CategoryName": "Windows - Power management Display", 164 | "KnownEventRules": [ 165 | { 166 | "CategoryName": "Windows - Power management Display", 167 | "LogType": ".evtx", 168 | "Channel": "Microsoft-Windows-PushNotification-Platform/Operational", 169 | "Id": 1025, 170 | "ProviderName": "Microsoft-Windows-PushNotifications-Platform", 171 | "IncludeEventXMLDataInMessage": false, 172 | "IncludeEventXMLDataInToolTip": false, 173 | "ToolTipText": "Monitor sleep\\ntrue = Monitor On\\nfalse = Monitor off", 174 | "DeveloperNotes": "A Power event was fired: MonitorSettingChange [PowerEventType] false [Enabled].\\nA Power event was fired: MonitorSettingChange [PowerEventType] true [Enabled]." 175 | } 176 | ] 177 | }, 178 | { 179 | "CategoryName": "Windows - Power management General", 180 | "KnownEventRules": [ 181 | { 182 | "CategoryName": "Windows - Power management General", 183 | "LogType": ".log", 184 | "LogFileName": "pwrmgmt.log", 185 | "Message": "Applying Power Plan", 186 | "ToolTipText": "", 187 | "Color": "Yellow", 188 | "DeveloperNotes": "", 189 | "Author": "", 190 | "LinkToBlogArticle": null 191 | } 192 | ] 193 | } 194 | ] 195 | -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Windows - PowerManagement.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "CategoryName": "Windows - Power management (Modern) Sleep", 4 | "KnownEventRules": [ 5 | { 6 | "CategoryName": "Windows - Power management (Modern) Sleep", 7 | "LogType": ".evtx", 8 | "Channel": "System", 9 | "Id": 1, 10 | "ProviderName": "Microsoft-Windows-Power-Troubleshooter", 11 | "IncludeEventXMLDataInMessage": false, 12 | "IncludeEventXMLDataInToolTip": false, 13 | "ToolTipText": "The system has returned from a low power state.", 14 | "DeveloperNotes": "The system has returned from a low power state.\\n\\nSleep Time: 2024-09-07T13:17:14.529644800Z\\nWake Time: 2024-09-07T13:22:49.615516200Z\\n\\nWake Source: Device -Surface Button" 15 | }, 16 | { 17 | "CategoryName": "Windows - Power management (Modern) Sleep", 18 | "LogType": ".evtx", 19 | "Channel": "System", 20 | "Id": 42, 21 | "ProviderName": "Microsoft-Windows-Kernel-Power", 22 | "IncludeEventXMLDataInMessage": false, 23 | "IncludeEventXMLDataInToolTip": true, 24 | "ToolTipText": "The system is entering sleep.", 25 | "DeveloperNotes": "The system is entering sleep.\\n\\nSleep Reason: Application API" 26 | }, 27 | { 28 | "CategoryName": "Windows - Power management (Modern) Sleep", 29 | "LogType": ".evtx", 30 | "Channel": "System", 31 | "Id": 107, 32 | "ProviderName": "Microsoft-Windows-Kernel-Power", 33 | "IncludeEventXMLDataInMessage": false, 34 | "IncludeEventXMLDataInToolTip": true, 35 | "ToolTipText": "The system has resumed from sleep.", 36 | "DeveloperNotes": "The system has resumed from sleep." 37 | }, 38 | { 39 | "CategoryName": "Windows - Power management (Modern) Sleep", 40 | "LogType": ".evtx", 41 | "Channel": "System", 42 | "Id": 506, 43 | "ProviderName": "Microsoft-Windows-Kernel-Power", 44 | "IncludeEventXMLDataInMessage": false, 45 | "IncludeEventXMLDataInToolTip": true, 46 | "ToolTipText": "The system is entering Modern Standby", 47 | "DeveloperNotes": "The system is entering Modern Standby\\n\\nReason: Sleep, Hibernate, or Shutdown." 48 | }, 49 | { 50 | "CategoryName": "Windows - Power management (Modern) Sleep", 51 | "LogType": ".evtx", 52 | "Channel": "System", 53 | "Id": 507, 54 | "ProviderName": "Microsoft-Windows-Kernel-Power", 55 | "IncludeEventXMLDataInMessage": false, 56 | "IncludeEventXMLDataInToolTip": true, 57 | "ToolTipText": "The system is exiting Modern Standby", 58 | "DeveloperNotes": "The system is exiting Modern Standby\\n\\nReason: Resume from Hibernate." 59 | }, 60 | { 61 | "CategoryName": "Windows - Power management (Modern) Sleep", 62 | "LogType": ".evtx", 63 | "Channel": "Microsoft-Windows-Wcmsvc/Operational", 64 | "Id": 1005, 65 | "ProviderName": "Microsoft-Windows-Wcmsvc", 66 | "IncludeEventXMLDataInMessage": false, 67 | "IncludeEventXMLDataInToolTip": false, 68 | "ToolTipText": "A Power change was processed. ", 69 | "DeveloperNotes": "Several different reasons:\\n\\nReason: Operation is resuming automatically from a low-power state\\n\\nReason: A resume was triggered by user input" 70 | }, 71 | { 72 | "CategoryName": "Windows - Power management (Modern) Sleep", 73 | "LogType": ".log", 74 | "LogFileName": "pwrmgmt.log", 75 | "Message": "The next wake up time is", 76 | "ToolTipText": "", 77 | "Color": "Yellow", 78 | "DeveloperNotes": "", 79 | "Author": "", 80 | "LinkToBlogArticle": null 81 | }, 82 | { 83 | "CategoryName": "Windows - Power management (Modern) Sleep", 84 | "LogType": ".log", 85 | "LogFileName": "pwrmgmt.log", 86 | "Message": "This device is Modern Standby Capable", 87 | "ToolTipText": "", 88 | "Color": "Green", 89 | "DeveloperNotes": "", 90 | "Author": "", 91 | "LinkToBlogArticle": null 92 | } 93 | ] 94 | }, 95 | { 96 | "CategoryName": "Windows - Power management Reboot", 97 | "KnownEventRules": [ 98 | { 99 | "CategoryName": "Windows - Power management Reboot", 100 | "LogType": ".evtx", 101 | "Channel": "System", 102 | "Id": 577, 103 | "ProviderName": "Microsoft-Windows-Kernel-Power", 104 | "IncludeEventXMLDataInMessage": false, 105 | "IncludeEventXMLDataInToolTip": true, 106 | "ToolTipText": "Prepared reboot from sleep (Idle)", 107 | "DeveloperNotes": "The system has prepared for a system initiated reboot from Sleeping (Idle)." 108 | }, 109 | { 110 | "CategoryName": "Windows - Power management Reboot", 111 | "LogType": ".evtx", 112 | "Channel": "System", 113 | "Id": 578, 114 | "ProviderName": "Microsoft-Windows-Kernel-Power", 115 | "IncludeEventXMLDataInMessage": false, 116 | "IncludeEventXMLDataInToolTip": true, 117 | "ToolTipText": "Detected reboot from sleep (Idle)", 118 | "DeveloperNotes": "The system has detected a system initiated reboot from Sleeping (Idle)." 119 | }, 120 | { 121 | "CategoryName": "Windows - Power management Start&Shutdown", 122 | "LogType": ".evtx", 123 | "Channel": "System_RULE_DISABLED_FOR_NOW_FOR_BETTER_READABILITY", 124 | "Id": 109, 125 | "ProviderName": "Microsoft-Windows-Kernel-Power", 126 | "IncludeEventXMLDataInMessage": false, 127 | "IncludeEventXMLDataInToolTip": false, 128 | "ToolTipText": "Shutdown reason", 129 | "DeveloperNotes": "The kernel power manager has initiated a shutdown transition.\\nAction: Power Action Reboot \\nEvent Code: 0x0 \\nReason: Kernel API" 130 | } 131 | ] 132 | }, 133 | { 134 | "CategoryName": "Windows - Power management Start&Shutdown", 135 | "KnownEventRules": [ 136 | { 137 | "CategoryName": "Windows - Power management Start&Shutdown", 138 | "LogType": ".evtx", 139 | "Channel": "System", 140 | "Id": 13, 141 | "ProviderName": "Microsoft-Windows-Kernel-General", 142 | "IncludeEventXMLDataInMessage": false, 143 | "IncludeEventXMLDataInToolTip": false, 144 | "ToolTipText": "Shutting down", 145 | "Color": "Yellow", 146 | "DeveloperNotes": "The operating system is shutting down at system time 2024-08-15T21:52:47.694460500Z." 147 | }, 148 | { 149 | "CategoryName": "Windows - Power management Start&Shutdown", 150 | "LogType": ".evtx", 151 | "Channel": "System", 152 | "Id": 12, 153 | "ProviderName": "Microsoft-Windows-Kernel-General", 154 | "IncludeEventXMLDataInMessage": false, 155 | "IncludeEventXMLDataInToolTip": false, 156 | "ToolTipText": "Operating System started", 157 | "Color": "Yellow", 158 | "DeveloperNotes": "The operating system started at system time 2024-08-15T21:53:08.500000000Z." 159 | } 160 | ] 161 | }, 162 | { 163 | "CategoryName": "Windows - Power management Exceptions", 164 | "KnownEventRules": [ 165 | { 166 | "CategoryName": "Windows - Power management Exceptions", 167 | "LogType": ".evtx", 168 | "Channel": "System", 169 | "Id": 6008, 170 | "LevelDisplayName": "Error", 171 | "ProviderName": "EventLog", 172 | "IncludeEventXMLDataInMessage": false, 173 | "IncludeEventXMLDataInToolTip": false, 174 | "ToolTipText": "Unexpected shutdown detected", 175 | "Color": "Red", 176 | "DeveloperNotes": "The previous system shutdown at 2:02:30 PM on ‎9/‎22/‎2025 was unexpected." 177 | }, 178 | { 179 | "CategoryName": "Windows - Power management Exceptions", 180 | "LogType": ".evtx", 181 | "Channel": "System", 182 | "Id": 41, 183 | "LevelDisplayName": "Critical", 184 | "ProviderName": "Microsoft-Windows-Kernel-Power", 185 | "IncludeEventXMLDataInMessage": false, 186 | "IncludeEventXMLDataInToolTip": false, 187 | "ToolTipText": "", 188 | "Color": "Red", 189 | "DeveloperNotes": "The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly." 190 | } 191 | ] 192 | }, 193 | { 194 | "CategoryName": "Windows - Power management Display", 195 | "KnownEventRules": [ 196 | { 197 | "CategoryName": "Windows - Power management Display", 198 | "LogType": ".evtx", 199 | "Channel": "Microsoft-Windows-PushNotification-Platform/Operational", 200 | "Id": 1025, 201 | "ProviderName": "Microsoft-Windows-PushNotifications-Platform", 202 | "IncludeEventXMLDataInMessage": false, 203 | "IncludeEventXMLDataInToolTip": false, 204 | "ToolTipText": "Monitor sleep\\ntrue = Monitor On\\nfalse = Monitor off", 205 | "DeveloperNotes": "A Power event was fired: MonitorSettingChange [PowerEventType] false [Enabled].\\nA Power event was fired: MonitorSettingChange [PowerEventType] true [Enabled]." 206 | } 207 | ] 208 | }, 209 | { 210 | "CategoryName": "Windows - Power management General", 211 | "KnownEventRules": [ 212 | { 213 | "CategoryName": "Windows - Power management General", 214 | "LogType": ".log", 215 | "LogFileName": "pwrmgmt.log", 216 | "Message": "Applying Power Plan", 217 | "ToolTipText": "", 218 | "Color": "Yellow", 219 | "DeveloperNotes": "", 220 | "Author": "", 221 | "LinkToBlogArticle": null 222 | } 223 | ] 224 | } 225 | ] 226 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 🧠 Get-WindowsTroubleshootingReportCommunity v1.1 2 | 3 | ![Version](https://img.shields.io/badge/version-1.1-blue.svg) 4 | ![PowerShell](https://img.shields.io/badge/PowerShell-5.1%20%7C%207.x-blue.svg) 5 | ![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg) 6 | 7 | --- 8 | 9 | ## 🔥 The First & Only Tool That Combines Windows Event Logs + .log Files into a Single Unified Timeline Report 10 | 11 | Forget siloed logs. This tool **redefines Windows and Intune troubleshooting** by doing what no other tool can: 12 | 13 | ✅ **Merge** Event Logs (`.evtx`) and traditional `.log` files 14 | ✅ Present everything in a **single, chronological timeline** 15 | ✅ Detect known issues using **community-driven rules** 16 | ✅ Generate clean, interactive **HTML reports with filtering** 17 | ✅ Works with live systems or offline Intune diagnostic packages 18 | 19 | > **Built by IT Pros, for IT Pros** — this is your all-in-one troubleshooting lens. 20 | > It’s not just a script. It’s a **community-powered log intelligence engine**. 21 | 22 | --- 23 | 24 | ### 👨‍💻 About the Author 25 | 26 | This groundbreaking tool was created by **Petri Paavola**, 27 | 🎖️ *Microsoft MVP (Windows and Intune)* and creator of the widely used 28 | 🔧 [Get-IntuneManagementExtensionDiagnostics](https://github.com/petripaavola/Get-IntuneManagementExtensionDiagnostics) tool. 29 | 30 | Petri has helped thousands of IT pros automate and simplify log analysis — this tool takes it to the next level. 31 | 32 | --- 33 | 34 | 📦 [**Download the Tool v1.1**](./v1.1/Get-WindowsTroubleshootingReportCommunity_v1.1.zip) and start seeing the full story in your logs. 35 | 36 | --- 37 | 38 | 39 | ## Table of Contents 📚 40 | 41 | - [What's New (v1.1)](#whats-new-v11) 42 | - [What's New (v1.0)](#whats-new-v10) 43 | - [Screenshots](#screenshots) 44 | - [Video Demo](#video-demo) 45 | - [Features](#features) 46 | - [Usage Examples](#usage-examples) 47 | - [Parameters](#parameters) 48 | - [How It Works](#how-it-works) 49 | - [Contributing](#contributing) 50 | - [Scenarios](#scenarios) 51 | - [Example Reports](#example-reports-coming-soon) 52 | - [GUID to Name Resolution](#guid-resolution) 53 | - [PowerShell Script Parameters](#powershell-script-parameters) 54 | - [Supported Log Files and Event Logs](#supported-log-files-and-event-logs) 55 | - [Do I Need Admin Rights](#do-i-need-admin-rights) 56 | - [PowerShell Support](#powershell-support) 57 | - [License](#license) 58 | - [Contributors](#contributors) 59 | - [Acknowledgments](#acknowledgments) 60 | 61 | --- 62 | 63 | 64 | ## 🆕 What's New (v1.1) 65 | 66 | **🎉 First Public Release! (Finally 😀) - This time for real** 67 | 68 | > Please report bugs or suggestions via [GitHub Issues](../../issues). 69 | 70 | ### Changelog Highlights 71 | 72 | - Bug Fixes 73 | - More KnownEventRules created 74 | 75 | --- 76 | 77 | 78 | ## 🆕 What's New (v1.0) 79 | 80 | **🎉 First Public Release! (Finally 😀)** 81 | 82 | > Please report bugs or suggestions via [GitHub Issues](../../issues). 83 | 84 | ### Changelog Highlights 85 | 86 | - LOTS of new features throughout the script 87 | - New console UI look 88 | - Improved HTML report 89 | - Expanded out-of-box **KnownEvent** rules 90 | 91 | --- 92 | 93 | 94 | ## 🖼️ Screenshots 95 | 96 | > 📍 Real examples from the generated timeline report 97 | 98 | --- 99 | 100 | ### 🧭 Known Events Timeline + Windows Update Trends 101 | 102 | 103 | 104 | 110 | 116 | 117 |
105 | Known Events Timeline View
106 | 107 | Known Events Timeline 108 | 109 | 		111 | 365-Day Windows Update Trend
112 | 113 | 365 Day Windows Update Trend 114 | 115 |
118 | 119 | --- 120 | 121 | ### 🔍 Intune App & Script GUIDs Translated 122 | 123 | 124 | 125 | 131 | 137 | 138 |
126 | App GUIDs → Real App Names
127 | 128 | App GUIDs 129 | 130 | 		132 | Script GUIDs → Real Script Names
133 | 134 | Script GUIDs 135 | 136 |
139 | 140 | --- 141 | 142 | 143 | ## 🎥 Video Demo 144 | 145 | > 📍 Video demo coming soon... 146 | --- 147 | 148 | 149 | ## 🛠️ Features 150 | 151 | - **Event Log Support**: Read Windows Event logs from live Windows systems or Intune DiagLogs packages (.zip). Extract .zip file first. 152 | - **Log File Support**: Analyze structured log files containing dateTime and message fields. 153 | - **Unified Timeline**: **Merge event and log file data chronologically.** 154 | - **Rich HTML Reports**: Real-time filtering and searchable HTML output. 155 | - **Scenario-Based Troubleshooting**: Focused support for updates, installs, Intune, etc. 156 | - **Full logs reporting**: Include all logs to report to understand what is happening in all logs. 157 | - **Custom Event Detection**: Detect specific events using customizable `EventRules.json`. 158 | - **GUIDs to real names**: Tool translates known GUIDs to real names, for example Intune Apps and Scripts names 159 | - **Community-Driven**: Share your rules and help others troubleshoot. 160 | 161 | --- 162 | 163 | 164 | ## ▶️ Usage Examples 165 | 166 | ```powershell 167 | # Get only KNOWN Events. KnownEvents categories and time range is selected from graphical UI 168 | ./Get-WindowsTroubleshootingReportCommunity_v1.1.ps1 169 | 170 | # Get ALL Events. KnownEvents categories, Event logs and log files and time range is selected from graphical UI 171 | ./Get-WindowsTroubleshootingReportCommunity_v1.1.ps1 -AllEvents 172 | 173 | # From folder with known events only 174 | ./Get-WindowsTroubleshootingReportCommunity_v1.1.ps1 -LogFilesFolder "C:\Logs\DiagLogs-COMPUTERNAME" 175 | 176 | # From folder with ALL events 177 | ./Get-WindowsTroubleshootingReportCommunity_v1.1.ps1 -LogFilesFolder "C:\Logs\DiagLogs-COMPUTERNAME" -AllEvents 178 | 179 | # Known events between two times 180 | ./Get-WindowsTroubleshootingReportCommunity_v1.1.ps1 -LogFilesFolder "C:\Logs\DiagLogs-COMPUTERNAME" -StartTime "2024-12-02 08:00:00" -EndTime "2024-12-02 18:00:00" 181 | 182 | # All events between two times 183 | ./Get-WindowsTroubleshootingReportCommunity_v1.1.ps1 -LogFilesFolder "C:\Logs\DiagLogs-COMPUTERNAME" -StartTime "2024-12-02 08:00:00" -EndTime "2024-12-02 18:00:00" -AllEvents 184 | ``` 185 | 186 | --- 187 | 188 | 189 | ## ⚙️ Parameters 190 | 191 | - `-AllEvents`: Include all events (not just known). 192 | - `-LogFilesFolder`: Folder with multiple .evtx/log files. 193 | - `-StartTime`, `-EndTime`: Specify exact range. 194 | - `-LogViewerUI`: Launch log review UI. 195 | - `-RealtimeLogViewerUI`: Real-time Event logs monitoring UI. 196 | - `-IncludeSelectedKnownRulesCategoriesOnly`: Filter by known rules. 197 | - `-ExcludeSelectedKnownRulesCategories`: Exclude rule categories. 198 | - `-SortDescending`: Sort newest-first. 199 | - `-ProcmonFilePath`: Include Procmon CSV file. 200 | 201 | --- 202 | 203 | 204 | ## 🧠 How It Works 205 | 206 | 1. **Log Processing**: Parses event logs and .log files, combines them into timeline. 207 | 2. **Report Generation**: Builds interactive HTML report with filters and search. 208 | 3. **Known Event Detection**: Uses rules from `EventRules.json`. 209 | 4. **Customization**: Build your own rules with `Create-EventRules-GUI-HelperTool.ps1`. 210 | 211 | --- 212 | 213 | 214 | ## 🤝 Contributing 215 | 216 | - Use `Create-EventRules-GUI-HelperTool.ps1` to create `EventRules.json`. 217 | - Add green (success) and red (fail) markers. 218 | - Submit via GitHub to help others. 219 | 220 | --- 221 | 222 | 223 | ## 🧪 Scenarios 224 | 225 | - **Windows Update**: Status, success/fail, reboots. 226 | - **Intune**: Enrollment, sync, script/app information and errors. 227 | - **Defender for Endpoint**: AV definitions and scans. 228 | - **Software Installs**: MSI/Store installs and issues. 229 | - **System Events**: Restarts, sleep, driver changes. 230 | 231 | --- 232 | 233 | 234 | ## 📊 Example Reports (Coming soon) 235 | 236 | - **Timeline View** 237 | - **Filtered Report**: Only known events or categories 238 | 239 | --- 240 | 241 | 242 | ## 🔎 GUID to Name Resolution 243 | 244 | Reading Intune logs full of random GUIDs? This tool fixes that. 245 | 246 | The report can **automatically convert known GUIDs to real, human-readable names** — especially helpful when analyzing Intune `.log` files and Event Logs. 247 | 248 | ### 💡 Built-in Translation Features 249 | 250 | - **App installation logs**: Converts Intune App GUIDs to their real names. (Built-in) 251 | - **Attack Surface Reduction (ASR) rules**: Recognized and labeled. (Built-in) 252 | - **PowerShell and Remediation Scripts**: Shows actual script names. (Run included tool to download Intune names) 253 | 254 | ### 📦 How It Works 255 | 256 | 1. The tool checks for known GUIDs using `.json` files in the `KnownGUIDs` folder. 257 | 2. You can enrich this mapping using a built-in helper script: 258 | ```powershell 259 | .\KnownGUIDs\Get-Intune-Apps-and-Scripts-GUIDs-and-Names.ps1 260 | ``` 261 | 3. Run the script once to generate a full list of: 262 | - Intune Apps 263 | - PowerShell Scripts 264 | - Remediation Scripts 265 | 266 | ### ✅ Result 267 | 268 | Once mapped, your report will display: 269 | ``` 270 | Instead of: 271 | ApplicationId: d8a3bc0d-2342-48b9-a0a1-7bc409b153f3 272 | 273 | You’ll see: 274 | Application: Microsoft Edge (Win32) – Install 275 | ``` 276 | 277 | No more digging through Intune manually. Just clear, meaningful names in the report. 278 | 279 | 🧠 This functionality alone can save **hours** of troubleshooting and is completely automated after a quick setup. 280 | 281 | --- 282 | 283 | 284 | ## 📘 PowerShell Script Parameters 285 | 286 | > Full parameter list is in the script comments or use `Get-Help`. 287 | 288 | --- 289 | 290 | 291 | ## 🗂️ Supported Log Files and Event Logs 292 | 293 | - Full support for **.evtx** logs (online/offline) 294 | - Support for Intune and ConfigMgr **CMTrace-style .log** files 295 | - Experimental support for **Procmon CSV** 296 | - Future: CBS.log, DISM.log, .etl, etc. 297 | - If you have a need or use case for additional .log support, contact Petri 298 | 299 | --- 300 | 301 | 302 | ## 🔐 Do I Need Admin Rights 303 | 304 | - Not required, but highly recommended for full access to Windows Event logs 305 | - **Admin = better coverage** 306 | - Offline logs don’t require admin 307 | 308 | --- 309 | 310 | 311 | ## 🧩 PowerShell Support 312 | 313 | - ✅ PowerShell Core (7.x) - This is preferred and faster! 314 | - ✅ Windows PowerShell 5.1 315 | 316 | --- 317 | 318 | 319 | ## 📄 License 320 | 321 | MIT License — see [LICENSE.md](LICENSE.md) 322 | 323 | --- 324 | 325 | 326 | ## 👨‍💻 Contributors 327 | 328 | - **Petri Paavola** – *Author* (Microsoft MVP - Windows and Intune) 329 | 📧 Petri.Paavola@yodamiitti.fi 330 | 331 | --- 332 | 333 | ## 🤖 Acknowledgments 334 | 335 | Special thanks to **GPT-4 from OpenAI** for helping with documentation generation, text refactoring, and markdown polishing. AI helped us work faster, so we can troubleshoot better. 💡 336 | 337 | [🔝 Back to top](#table-of-contents) 338 | --- 339 | -------------------------------------------------------------------------------- /v1.0/EventRules/EventRules-Intune - MDM Autopilot ESP.json: -------------------------------------------------------------------------------- 1 | { 2 | "CategoryName": "Intune - MDM Autopilot ESP", 3 | "KnownEventRules": [ 4 | { 5 | "CategoryName": "Intune - MDM Autopilot ESP", 6 | "LogType": ".evtx", 7 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 8 | "Id": 1311, 9 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 10 | "IncludeEventXMLDataInMessage": false, 11 | "IncludeEventXMLDataInToolTip": false, 12 | "ToolTipText": "", 13 | "Color": "", 14 | "DeveloperNotes": "Enrollment Status Tracking: Status of resource is unknown. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 15 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 16 | "LinkToBlogArticle": "" 17 | }, 18 | { 19 | "CategoryName": "Intune - MDM Autopilot ESP", 20 | "LogType": ".evtx", 21 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 22 | "Id": 1310, 23 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 24 | "IncludeEventXMLDataInMessage": false, 25 | "IncludeEventXMLDataInToolTip": false, 26 | "ToolTipText": "", 27 | "Color": "", 28 | "DeveloperNotes": "Enrollment Status Tracking: Installation of resource completed successfully. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 29 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 30 | "LinkToBlogArticle": "" 31 | }, 32 | { 33 | "CategoryName": "Intune - MDM Autopilot ESP", 34 | "LogType": ".evtx", 35 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 36 | "Id": 1309, 37 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 38 | "IncludeEventXMLDataInMessage": false, 39 | "IncludeEventXMLDataInToolTip": false, 40 | "ToolTipText": "", 41 | "Color": "Red", 42 | "DeveloperNotes": "Enrollment Status Tracking: Installation of resource encountered an error and could not complete. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 43 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 44 | "LinkToBlogArticle": "" 45 | }, 46 | { 47 | "CategoryName": "Intune - MDM Autopilot ESP", 48 | "LogType": ".evtx", 49 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 50 | "Id": 1300, 51 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 52 | "IncludeEventXMLDataInMessage": false, 53 | "IncludeEventXMLDataInToolTip": false, 54 | "ToolTipText": "", 55 | "Color": "Green", 56 | "DeveloperNotes": "Enrollment Status Tracking: Starting status tracking for resource. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 57 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 58 | "LinkToBlogArticle": "" 59 | }, 60 | { 61 | "CategoryName": "Intune - MDM Autopilot ESP", 62 | "LogType": ".evtx", 63 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 64 | "Id": 1304, 65 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 66 | "IncludeEventXMLDataInMessage": false, 67 | "IncludeEventXMLDataInToolTip": false, 68 | "ToolTipText": "", 69 | "Color": "Red", 70 | "DeveloperNotes": "Enrollment Status Tracking: Download of resource encountered an error and could not complete. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 71 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 72 | "LinkToBlogArticle": "" 73 | }, 74 | { 75 | "CategoryName": "Intune - MDM Autopilot ESP", 76 | "LogType": ".evtx", 77 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 78 | "Id": 1302, 79 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 80 | "IncludeEventXMLDataInMessage": false, 81 | "IncludeEventXMLDataInToolTip": false, 82 | "ToolTipText": "", 83 | "Color": "", 84 | "DeveloperNotes": "Enrollment Status Tracking: Downloading resource. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 85 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 86 | "LinkToBlogArticle": "" 87 | }, 88 | { 89 | "CategoryName": "Intune - MDM Autopilot ESP", 90 | "LogType": ".evtx", 91 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 92 | "Id": 1303, 93 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 94 | "IncludeEventXMLDataInMessage": false, 95 | "IncludeEventXMLDataInToolTip": false, 96 | "ToolTipText": "", 97 | "Color": "", 98 | "DeveloperNotes": "Enrollment Status Tracking: Pending download retry for resource. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 99 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 100 | "LinkToBlogArticle": "" 101 | }, 102 | { 103 | "CategoryName": "Intune - MDM Autopilot ESP", 104 | "LogType": ".evtx", 105 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 106 | "Id": 1305, 107 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 108 | "IncludeEventXMLDataInMessage": false, 109 | "IncludeEventXMLDataInToolTip": false, 110 | "ToolTipText": "", 111 | "Color": "", 112 | "DeveloperNotes": "Enrollment Status Tracking: Download of resource completed successfully. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 113 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 114 | "LinkToBlogArticle": "" 115 | }, 116 | { 117 | "CategoryName": "Intune - MDM Autopilot ESP", 118 | "LogType": ".evtx", 119 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 120 | "Id": 1307, 121 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 122 | "IncludeEventXMLDataInMessage": false, 123 | "IncludeEventXMLDataInToolTip": false, 124 | "ToolTipText": "", 125 | "Color": "", 126 | "DeveloperNotes": "Enrollment Status Tracking: Installing resource. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 127 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 128 | "LinkToBlogArticle": "" 129 | }, 130 | { 131 | "CategoryName": "Intune - MDM Autopilot ESP", 132 | "LogType": ".evtx", 133 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 134 | "Id": 1308, 135 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 136 | "IncludeEventXMLDataInMessage": false, 137 | "IncludeEventXMLDataInToolTip": false, 138 | "ToolTipText": "", 139 | "Color": "", 140 | "DeveloperNotes": "Enrollment Status Tracking: Pending installation retry for resource. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 141 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 142 | "LinkToBlogArticle": "" 143 | }, 144 | { 145 | "CategoryName": "Intune - MDM ESP Tracking", 146 | "LogType": ".evtx", 147 | "Channel": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot", 148 | "Id": 293, 149 | "LevelDisplayName": "Information\u0000", 150 | "ProviderName": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider", 151 | "IncludeEventXMLDataInMessage": false, 152 | "IncludeEventXMLDataInToolTip": false, 153 | "ToolTipText": "", 154 | "Color": "", 155 | "DeveloperNotes": "Tracking resource type %1. Policy provider '%2' provided a list of %3 policies to track.\u0000", 156 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 157 | "LinkToBlogArticle": "" 158 | }, 159 | { 160 | "CategoryName": "Intune - MDM ESP Tracking", 161 | "LogType": ".evtx", 162 | "Channel": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot", 163 | "Id": 294, 164 | "LevelDisplayName": "Error\u0000", 165 | "ProviderName": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider", 166 | "IncludeEventXMLDataInMessage": false, 167 | "IncludeEventXMLDataInToolTip": false, 168 | "ToolTipText": "", 169 | "Color": "Red", 170 | "DeveloperNotes": "Tracking resource type %1. Policy provider '%2' encountered an error and the tracking list could not be completed. Error: %3\u0000", 171 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 172 | "LinkToBlogArticle": "" 173 | }, 174 | { 175 | "CategoryName": "Intune - MDM ESP Tracking", 176 | "LogType": ".evtx", 177 | "Channel": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot", 178 | "Id": 296, 179 | "LevelDisplayName": "Information\u0000", 180 | "ProviderName": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider", 181 | "IncludeEventXMLDataInMessage": false, 182 | "IncludeEventXMLDataInToolTip": false, 183 | "ToolTipText": "", 184 | "Color": "", 185 | "DeveloperNotes": "Tracking resource type %1. App '%2' installation completed successfully. \u0000", 186 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 187 | "LinkToBlogArticle": "" 188 | }, 189 | { 190 | "CategoryName": "Intune - MDM ESP Tracking", 191 | "LogType": ".evtx", 192 | "Channel": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot", 193 | "Id": 297, 194 | "LevelDisplayName": "Information\u0000", 195 | "ProviderName": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider", 196 | "IncludeEventXMLDataInMessage": false, 197 | "IncludeEventXMLDataInToolTip": false, 198 | "ToolTipText": "", 199 | "Color": "", 200 | "DeveloperNotes": "Tracking resource type %1. Starting installation tracking app '%2'.\u0000", 201 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 202 | "LinkToBlogArticle": "" 203 | }, 204 | { 205 | "CategoryName": "Intune - MDM ESP Tracking", 206 | "LogType": ".evtx", 207 | "Channel": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot", 208 | "Id": 298, 209 | "LevelDisplayName": "Information\u0000", 210 | "ProviderName": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider", 211 | "IncludeEventXMLDataInMessage": false, 212 | "IncludeEventXMLDataInToolTip": false, 213 | "ToolTipText": "", 214 | "Color": "", 215 | "DeveloperNotes": "Tracking resource type %1. An error occurred while installing app '%2'. HRESULT = %3\u0000", 216 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 217 | "LinkToBlogArticle": "" 218 | }, 219 | { 220 | "CategoryName": "Intune - MDM ESP Tracking", 221 | "LogType": ".evtx", 222 | "Channel": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot", 223 | "Id": 299, 224 | "LevelDisplayName": "Information\u0000", 225 | "ProviderName": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider", 226 | "IncludeEventXMLDataInMessage": false, 227 | "IncludeEventXMLDataInToolTip": false, 228 | "ToolTipText": "", 229 | "Color": "", 230 | "DeveloperNotes": "Tracking resource type %1. Reboot required to complete installation of app '%2'.\u0000", 231 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 232 | "LinkToBlogArticle": "" 233 | } 234 | ] 235 | } 236 | -------------------------------------------------------------------------------- /v1.1/EventRules/EventRules-Intune - MDM Autopilot ESP.json: -------------------------------------------------------------------------------- 1 | { 2 | "CategoryName": "Intune - MDM Autopilot ESP", 3 | "KnownEventRules": [ 4 | { 5 | "CategoryName": "Intune - MDM Autopilot ESP", 6 | "LogType": ".evtx", 7 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 8 | "Id": 1311, 9 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 10 | "IncludeEventXMLDataInMessage": false, 11 | "IncludeEventXMLDataInToolTip": false, 12 | "ToolTipText": "", 13 | "Color": "", 14 | "DeveloperNotes": "Enrollment Status Tracking: Status of resource is unknown. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 15 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 16 | "LinkToBlogArticle": "" 17 | }, 18 | { 19 | "CategoryName": "Intune - MDM Autopilot ESP", 20 | "LogType": ".evtx", 21 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 22 | "Id": 1310, 23 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 24 | "IncludeEventXMLDataInMessage": false, 25 | "IncludeEventXMLDataInToolTip": false, 26 | "ToolTipText": "", 27 | "Color": "", 28 | "DeveloperNotes": "Enrollment Status Tracking: Installation of resource completed successfully. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 29 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 30 | "LinkToBlogArticle": "" 31 | }, 32 | { 33 | "CategoryName": "Intune - MDM Autopilot ESP", 34 | "LogType": ".evtx", 35 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 36 | "Id": 1309, 37 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 38 | "IncludeEventXMLDataInMessage": false, 39 | "IncludeEventXMLDataInToolTip": false, 40 | "ToolTipText": "", 41 | "Color": "Red", 42 | "DeveloperNotes": "Enrollment Status Tracking: Installation of resource encountered an error and could not complete. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 43 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 44 | "LinkToBlogArticle": "" 45 | }, 46 | { 47 | "CategoryName": "Intune - MDM Autopilot ESP", 48 | "LogType": ".evtx", 49 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 50 | "Id": 1300, 51 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 52 | "IncludeEventXMLDataInMessage": false, 53 | "IncludeEventXMLDataInToolTip": false, 54 | "ToolTipText": "", 55 | "Color": "Green", 56 | "DeveloperNotes": "Enrollment Status Tracking: Starting status tracking for resource. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 57 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 58 | "LinkToBlogArticle": "" 59 | }, 60 | { 61 | "CategoryName": "Intune - MDM Autopilot ESP", 62 | "LogType": ".evtx", 63 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 64 | "Id": 1304, 65 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 66 | "IncludeEventXMLDataInMessage": false, 67 | "IncludeEventXMLDataInToolTip": false, 68 | "ToolTipText": "", 69 | "Color": "Red", 70 | "DeveloperNotes": "Enrollment Status Tracking: Download of resource encountered an error and could not complete. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 71 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 72 | "LinkToBlogArticle": "" 73 | }, 74 | { 75 | "CategoryName": "Intune - MDM Autopilot ESP", 76 | "LogType": ".evtx", 77 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 78 | "Id": 1302, 79 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 80 | "IncludeEventXMLDataInMessage": false, 81 | "IncludeEventXMLDataInToolTip": false, 82 | "ToolTipText": "", 83 | "Color": "", 84 | "DeveloperNotes": "Enrollment Status Tracking: Downloading resource. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 85 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 86 | "LinkToBlogArticle": "" 87 | }, 88 | { 89 | "CategoryName": "Intune - MDM Autopilot ESP", 90 | "LogType": ".evtx", 91 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 92 | "Id": 1303, 93 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 94 | "IncludeEventXMLDataInMessage": false, 95 | "IncludeEventXMLDataInToolTip": false, 96 | "ToolTipText": "", 97 | "Color": "", 98 | "DeveloperNotes": "Enrollment Status Tracking: Pending download retry for resource. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 99 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 100 | "LinkToBlogArticle": "" 101 | }, 102 | { 103 | "CategoryName": "Intune - MDM Autopilot ESP", 104 | "LogType": ".evtx", 105 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 106 | "Id": 1305, 107 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 108 | "IncludeEventXMLDataInMessage": false, 109 | "IncludeEventXMLDataInToolTip": false, 110 | "ToolTipText": "", 111 | "Color": "", 112 | "DeveloperNotes": "Enrollment Status Tracking: Download of resource completed successfully. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 113 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 114 | "LinkToBlogArticle": "" 115 | }, 116 | { 117 | "CategoryName": "Intune - MDM Autopilot ESP", 118 | "LogType": ".evtx", 119 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 120 | "Id": 1307, 121 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 122 | "IncludeEventXMLDataInMessage": false, 123 | "IncludeEventXMLDataInToolTip": false, 124 | "ToolTipText": "", 125 | "Color": "", 126 | "DeveloperNotes": "Enrollment Status Tracking: Installing resource. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 127 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 128 | "LinkToBlogArticle": "" 129 | }, 130 | { 131 | "CategoryName": "Intune - MDM Autopilot ESP", 132 | "LogType": ".evtx", 133 | "Channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot", 134 | "Id": 1308, 135 | "ProviderName": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider", 136 | "IncludeEventXMLDataInMessage": false, 137 | "IncludeEventXMLDataInToolTip": false, 138 | "ToolTipText": "", 139 | "Color": "", 140 | "DeveloperNotes": "Enrollment Status Tracking: Pending installation retry for resource. Resource Area: (%1) Resource Name: (%2) Resource Type: (%3).\u0000", 141 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 142 | "LinkToBlogArticle": "" 143 | }, 144 | { 145 | "CategoryName": "Intune - MDM ESP Tracking", 146 | "LogType": ".evtx", 147 | "Channel": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot", 148 | "Id": 293, 149 | "LevelDisplayName": "Information\u0000", 150 | "ProviderName": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider", 151 | "IncludeEventXMLDataInMessage": false, 152 | "IncludeEventXMLDataInToolTip": false, 153 | "ToolTipText": "", 154 | "Color": "", 155 | "DeveloperNotes": "Tracking resource type %1. Policy provider '%2' provided a list of %3 policies to track.\u0000", 156 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 157 | "LinkToBlogArticle": "" 158 | }, 159 | { 160 | "CategoryName": "Intune - MDM ESP Tracking", 161 | "LogType": ".evtx", 162 | "Channel": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot", 163 | "Id": 294, 164 | "LevelDisplayName": "Error\u0000", 165 | "ProviderName": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider", 166 | "IncludeEventXMLDataInMessage": false, 167 | "IncludeEventXMLDataInToolTip": false, 168 | "ToolTipText": "", 169 | "Color": "Red", 170 | "DeveloperNotes": "Tracking resource type %1. Policy provider '%2' encountered an error and the tracking list could not be completed. Error: %3\u0000", 171 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 172 | "LinkToBlogArticle": "" 173 | }, 174 | { 175 | "CategoryName": "Intune - MDM ESP Tracking", 176 | "LogType": ".evtx", 177 | "Channel": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot", 178 | "Id": 296, 179 | "LevelDisplayName": "Information\u0000", 180 | "ProviderName": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider", 181 | "IncludeEventXMLDataInMessage": false, 182 | "IncludeEventXMLDataInToolTip": false, 183 | "ToolTipText": "", 184 | "Color": "", 185 | "DeveloperNotes": "Tracking resource type %1. App '%2' installation completed successfully. \u0000", 186 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 187 | "LinkToBlogArticle": "" 188 | }, 189 | { 190 | "CategoryName": "Intune - MDM ESP Tracking", 191 | "LogType": ".evtx", 192 | "Channel": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot", 193 | "Id": 297, 194 | "LevelDisplayName": "Information\u0000", 195 | "ProviderName": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider", 196 | "IncludeEventXMLDataInMessage": false, 197 | "IncludeEventXMLDataInToolTip": false, 198 | "ToolTipText": "", 199 | "Color": "", 200 | "DeveloperNotes": "Tracking resource type %1. Starting installation tracking app '%2'.\u0000", 201 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 202 | "LinkToBlogArticle": "" 203 | }, 204 | { 205 | "CategoryName": "Intune - MDM ESP Tracking", 206 | "LogType": ".evtx", 207 | "Channel": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot", 208 | "Id": 298, 209 | "LevelDisplayName": "Information\u0000", 210 | "ProviderName": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider", 211 | "IncludeEventXMLDataInMessage": false, 212 | "IncludeEventXMLDataInToolTip": false, 213 | "ToolTipText": "", 214 | "Color": "", 215 | "DeveloperNotes": "Tracking resource type %1. An error occurred while installing app '%2'. HRESULT = %3\u0000", 216 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 217 | "LinkToBlogArticle": "" 218 | }, 219 | { 220 | "CategoryName": "Intune - MDM ESP Tracking", 221 | "LogType": ".evtx", 222 | "Channel": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot", 223 | "Id": 299, 224 | "LevelDisplayName": "Information\u0000", 225 | "ProviderName": "Microsoft-Windows-ModernDeployment-Diagnostics-Provider", 226 | "IncludeEventXMLDataInMessage": false, 227 | "IncludeEventXMLDataInToolTip": false, 228 | "ToolTipText": "", 229 | "Color": "", 230 | "DeveloperNotes": "Tracking resource type %1. Reboot required to complete installation of app '%2'.\u0000", 231 | "Author": "Petri.Paavola@yodamiitti.fi / Microsoft MVP - Windows and Intune", 232 | "LinkToBlogArticle": "" 233 | } 234 | ] 235 | } 236 | --------------------------------------------------------------------------------