# Sagan windows-security.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# These rules are to monitor event based on Microsoft "Events to monitor" guide at
# github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md
#
# Steve Rawls (srawls@quadrantsec.com) - 2018/05/22
# Rule layout used throughout this file: json_map copies ".EventID" into event_id and
# ".RenderedDescription" into message, event_id: then matches one or more IDs (several rules
# list a second, older ID next to the 4xxx one, e.g. 4719,612 -- presumably the legacy ID for
# the same event; confirm before relying on it), and program: *Security* limits matching to
# events whose program field contains "Security". metadata old_sid appears to carry the sid the
# rule had before the 2022_11_22 renumbering; keep it when re-sid'ing so older suppressions and
# references remain traceable.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A monitored security event pattern has occurred"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4618; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009378; metadata: created_on 2022_11_22, old_sid 5003766; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A replay attack was detected"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4649; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009379; metadata: created_on 2022_11_22, old_sid 5003767; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] System audit policy was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4719,612; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009380; metadata: created_on 2022_11_22, old_sid 5003768; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] SID History was added to an account"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4765; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009381; metadata: created_on 2022_11_22, old_sid 5003769; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An attempt to add SID History to an account failed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4766; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009382; metadata: created_on 2022_11_22, old_sid 5003770; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An attempt was made to set the Directory Services Restore Mode Administrator Password"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4794; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009383; metadata: created_on 2022_11_22, old_sid 5003764; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Role separation enabled:"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4897,801; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009384; metadata: created_on 2022_11_22, old_sid 5003761; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Special groups have been assigned to a new logon"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4964; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009385; metadata: created_on 2022_11_22, old_sid 5003765; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security setting was updated on the OCSP Responder Service"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5124; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009386; metadata: created_on 2022_11_22, old_sid 5003762; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Possible denial-of-service (DoS) attack"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 550; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009387; metadata: created_on 2022_11_22, old_sid 5003763; rev: 2;)
# NOTE(review): the "audit log was cleared" rule (1102/517, sid:5009388) is disabled below and no
# reason is recorded here. Clearing of the Security log is one of the higher-value signals in this
# set; confirm it is covered by another rule file before leaving it commented out.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The audit log was cleared"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1102,517; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009388; metadata: created_on 2022_11_22, old_sid 5003392; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Administrator recovered system from CrashOnAuditFail"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4621; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009389; metadata: created_on 2022_11_22, old_sid 5003393; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] SIDs were filtered"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4675; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009390; metadata: created_on 2022_11_22, old_sid 5003394; rev: 2;)
# The following two rules have been particularly noisy as of late, and some research shows that the activity is mostly automated processes between a workstation that
# locally stores a user's roaming profile for the domain it is joined to and the domain controller. These alerts fire any time a password reset disk is made,
# and the backup of the master key is an automated process that provides no real live security screening other than troubleshooting the programs that use it to encrypt
# files. Microsoft also states, as quoted below, that these events hold no real value. I recommend these two be disabled.
#
# Recovery of data protection master key was attempted.
#
# * This event is typically an informational event and it is difficult to detect any malicious activity using this event. It's mainly used for DPAPI troubleshooting.
#
# Backup of data protection master key was attempted.
#
# * This event is typically an informational event and it is difficult to detect any malicious activity using this event. It's mainly used for DPAPI troubleshooting.
#
# Jeff Ward 2018/09/12
# DPAPI master-key backup/recovery (4692/4693): disabled per the note above; sids are retained
# so they can be re-enabled without renumbering.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Backup of data protection master key was attempted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4692; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009391; metadata: created_on 2022_11_22, old_sid 5003395; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Recovery of data protection master key was attempted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4693; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009392; metadata: created_on 2022_11_22, old_sid 5003396; rev: 2;)
# Trust and policy changes (4706/4713/4714/4715/4716): each keys on the event ID alone, so every
# occurrence alerts -- there is no threshold on these rules.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A new trust was created to a domain"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4706,610; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009393; metadata: created_on 2022_11_22, old_sid 5003397; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Kerberos policy was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4713,617; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009394; metadata: created_on 2022_11_22, old_sid 5003398; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Encrypted data recovery policy was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4714,618; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009395; metadata: created_on 2022_11_22, old_sid 5003399; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The audit policy (SACL) on an object was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4715; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009396; metadata: created_on 2022_11_22, old_sid 5003400; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Trusted domain information was modified"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4716,620; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009397; metadata: created_on 2022_11_22, old_sid 5003401; rev: 3;)
# The pcre below only matches when the Subject Account Name contains no "$", which appears
# intended to skip password resets performed by machine accounts -- confirm against the rendered
# message layout. Note the 2018/10/20 comment further down about pcre cost on large messages.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An attempt was made to reset an account's password"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4724,628; pcre: "/Subject: Security ID: [0-9S-]+ Account Name: [^$]+ /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009398; metadata: created_on 2022_11_22, old_sid 5003402; rev: 5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-enabled global group was created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4727,631; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009399; metadata: created_on 2022_11_22, old_sid 5003403; rev: 3;)
# Champ Clark III - Removed Account Name of machines - 2018/10/20
# We may want to review this change.
# This rule used a pcre of "/^((?!Account Name: (.*)\$ ).)*$/"; when dealing with large strings, this pcre caused a fault.
# This is likely due to a libpcre match recursion issue (see https://stackoverflow.com/questions/27868180/preg-match-appears-to-hit-a-limit-when-using-two-matches).
# I re-wrote the rule to exclude pcre altogether. See issue https://github.com/beave/sagan/issues/122
# content:!"$ Account Domain|3a|" is a negated plain-content match (|3a| is hex for ":"): the
# rule fires only when that byte sequence is absent, which presumably excludes events whose
# Account Name ends in "$" (machine accounts) without paying regex cost.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-enabled local group was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4735,639; content:!"$ Account Domain|3a|"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009400; metadata: created_on 2022_11_22, old_sid 5003404; rev: 4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-enabled global group was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4737,641; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009401; metadata: created_on 2022_11_22, old_sid 5003405; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Domain Policy was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4739,643; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009402; metadata: created_on 2022_11_22, old_sid 5003406; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-enabled universal group was created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4754,658; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009403; metadata: created_on 2022_11_22, old_sid 5003407; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-enabled universal group was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4755,659; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009404; metadata: created_on 2022_11_22, old_sid 5003408; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-disabled group was deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4763,667; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009405; metadata: created_on 2022_11_22, old_sid 5003409; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A group's type was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4764,668; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009406; metadata: created_on 2022_11_22, old_sid 5003410; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The ACL was set on accounts which are members of administrators groups"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4780,684; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009407; metadata: created_on 2022_11_22, old_sid 5003411; rev: 3;)
# Suppression on the 4816 rule is tracked by "username", which this rule maps from ".Computer"
# rather than from an account field, so at most one alert per host is raised every 300 seconds
# regardless of which user appears in the event. Later events in that window are dropped, not
# counted.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] RPC detected an integrity violation while decrypting an incoming message"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4816; threshold: type suppress, track by_username, count 1, seconds 300; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009408; metadata: created_on 2022_11_22, old_sid 5003412; rev: 3;)
# Forest trust and Certificate Services (AD CS) changes: plain event-ID matches, no threshold.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A trusted forest information entry was added"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4865; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009409; metadata: created_on 2022_11_22, old_sid 5003413; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A trusted forest information entry was removed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4866; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009410; metadata: created_on 2022_11_22, old_sid 5003414; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A trusted forest information entry was modified"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4867; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009411; metadata: created_on 2022_11_22, old_sid 5003415; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The certificate manager denied a pending certificate request"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4868,772; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009412; metadata: created_on 2022_11_22, old_sid 5003416; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services revoked a certificate"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4870,774; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009413; metadata: created_on 2022_11_22, old_sid 5003417; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The security permissions for Certificate Services changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4882,786; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009414; metadata: created_on 2022_11_22, old_sid 5003418; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The audit filter for Certificate Services changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4885,789; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009415; metadata: created_on 2022_11_22, old_sid 5003419; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The certificate manager settings for Certificate Services changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4890,794; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009416; metadata: created_on 2022_11_22, old_sid 5003420; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A property of Certificate Services changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4892,796; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009417; metadata: created_on 2022_11_22, old_sid 5003421; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] One or more rows have been deleted from the certificate database"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4896,800; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009418; metadata: created_on 2022_11_22, old_sid 5003422; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The CrashOnAuditFail value has changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4906; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009419; metadata: created_on 2022_11_22, old_sid 5003423; rev: 2;)
# Removed accounts ending with $ (machine names).
# Champ Clark III 2018/10/20
# NOTE(review): "event_id: 4907|;" carries a stray "|" after the ID; every other rule in this file
# uses a bare number or a comma-separated list. Confirm the rule parser tolerates it -- if it does
# not, this rule either fails to load or never matches 4907, silently losing the detection.
# This rule also still relies on the negative-lookahead pcre that the 2018/10/20 comment above
# reports faulting on large messages for 4735 (sid:5009400); the content:!"$ Account Domain|3a|"
# form used there avoids the regex entirely and would be the safer equivalent here.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Auditing settings on object were changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4907|; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009420; metadata: created_on 2022_11_22, old_sid 5003424; rev: 4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Special Groups Logon table modified"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4908; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009421; metadata: created_on 2022_11_22, old_sid 5003425; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Per User Audit Policy was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4912,807; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009422; metadata: created_on 2022_11_22, old_sid 5003426; rev: 3;)
# IPsec rules. The ones carrying "parse_src_ip: 1" presumably pull the remote peer address out of
# the rendered description to populate the alert's source address -- confirm; the 4960/4963/4965
# rules do not set it and so report whatever source the event itself carries.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec dropped an inbound packet that failed an integrity check"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4960; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009423; metadata: created_on 2022_11_22, old_sid 5003427; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec dropped an inbound packet that failed a replay check"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4961; parse_src_ip: 1; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009424; metadata: created_on 2022_11_22, old_sid 5003428; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec dropped an inbound packet that failed a replay check"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4962; parse_src_ip: 1; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009425; metadata: created_on 2022_11_22, old_sid 5003429; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec dropped an inbound clear text packet that should have been secured"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4963; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009426; metadata: created_on 2022_11_22, old_sid 5003430; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4965; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009427; metadata: created_on 2022_11_22, old_sid 5003431; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPSEC received an invalid packet during main mode negotiation"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4976; parse_src_ip: 1; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009428; metadata: created_on 2022_11_22, old_sid 5003432; rev: 4;)
# NOTE(review): the msg text for 4977 and 4978 reads "received an invalid during ..."; the word
# "packet" appears to have been dropped (compare the 4976 rule above). Cosmetic, but it is what
# analysts see in the alert title.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPSEC received an invalid during quick mode negotiation"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4977; parse_src_ip: 1; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009429; metadata: created_on 2022_11_22, old_sid 5003433; rev: 4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPSEC received an invalid During extended mode negotiation"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4978; parse_src_ip: 1; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009430; metadata: created_on 2022_11_22, old_sid 5003434; rev: 4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An IPsec Extended Mode negotiation failed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4983; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009431; metadata: created_on 2022_11_22, old_sid 5003435; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An IPsec Extended Mode negotiation failed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4984; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009432; metadata: created_on 2022_11_22, old_sid 5003436; rev: 2;)
# Windows Firewall service failures (5027-5030): a firewall that cannot load or parse its policy
# may be running with no policy at all, so these are worth routing to the same queue as the
# audit-policy changes above rather than treating them as plain service errors.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service was unable to retrieve the security policy from the local storage"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5027; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009433; metadata: created_on 2022_11_22, old_sid 5003437; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service was unable to parse the new security policy"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5028; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009434; metadata: created_on 2022_11_22, old_sid 5003438; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service failed to initialize the driver"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5029; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009435; metadata: created_on 2022_11_22, old_sid 5003439; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service failed to start"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5030; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009436; metadata: created_on 2022_11_22, old_sid 5003440; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Firewall Driver failed to start"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5035; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009437; metadata: created_on 2022_11_22, old_sid 5003441; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Firewall Driver detected critical runtime error"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5037; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009438; metadata: created_on 2022_11_22, old_sid 5003442; rev: 2;)
# 5038 (code integrity: image hash not valid). Scope note: the meta_content clause only matches when the event text contains "\Program Files\" or "\System32\", so hash failures for images under other paths are deliberately not alerted by this sid; the negated content excludes any event mentioning "ScriptControl64_" (case-insensitive), presumably a known noise source — confirm before widening or narrowing either filter.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Code integrity determined that the image hash of a file is not valid"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5038; meta_content:"|5c|%sagan%|5c|",Program|20|Files,System32; content:!"ScriptControl64_"; nocase; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009439; metadata: created_on 2022_11_22, old_sid 5003443, updated_at 2023_08_01; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] OCSP Responder Service Started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5120; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009440; metadata: created_on 2022_11_22, old_sid 5003444; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] OCSP Responder Service Stopped"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5121; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009441; metadata: created_on 2022_11_22, old_sid 5003445; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A configuration entry changed in OCSP Responder Service"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5122; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009442; metadata: created_on 2022_11_22, old_sid 5003446; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A configuration entry changed in OCSP Responder Service"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5123; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009443; metadata: created_on 2022_11_22, old_sid 5003447; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Credential Manager credentials were backed up"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5376; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009444; metadata: created_on 2022_11_22, old_sid 5003448; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Credential Manager credentials were restored from a backup"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5377; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009445; metadata: created_on 2022_11_22, old_sid 5003449; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5453; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009446; metadata: created_on 2022_11_22, old_sid 5003450; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec Services failed to get the complete list of network interfaces on the computer"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5480; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009447; metadata: created_on 2022_11_22, old_sid 5003451; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec Services failed to initialize RPC server"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5483; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009448; metadata: created_on 2022_11_22, old_sid 5003452; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec Services has experienced a critical failure and has been shut down"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5484; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009449; metadata: created_on 2022_11_22, old_sid 5003453; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5485; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009450; metadata: created_on 2022_11_22, old_sid 5003454; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] One or more errors occurred while processing security policy in the Group Policy objects"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6145; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009451; metadata: created_on 2022_11_22, old_sid 5003455; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Network Policy Server denied access to a user"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6273; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009452; metadata: created_on 2022_11_22, old_sid 5003456; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Network Policy Server discarded the request for a user"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6274; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009453; metadata: created_on 2022_11_22, old_sid 5003457; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Network Policy Server discarded the accounting request for a user"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6275; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009454; metadata: created_on 2022_11_22, old_sid 5003458; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Network Policy Server quarantined a user"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6276; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009455; metadata: created_on 2022_11_22, old_sid 5003459; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6277; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009456; metadata: created_on 2022_11_22, old_sid 5003460; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Network Policy Server granted full access to a user because the host met the defined health policy"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6278; parse_src_ip: 1; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009457; metadata: created_on 2022_11_22, old_sid 5003461; rev: 5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Network Policy Server locked the user account due to repeated failed authentication attempts"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6279; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009458; metadata: created_on 2022_11_22, old_sid 5003462; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Network Policy Server unlocked the user account"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6280; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009459; metadata: created_on 2022_11_22, old_sid 5003463; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] General account database changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 640; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009460; metadata: created_on 2022_11_22, old_sid 5003464; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Quality of Service Policy changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 619; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009461; metadata: created_on 2022_11_22, old_sid 5003465; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An error was encountered converting volume"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 24586; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009462; metadata: created_on 2022_11_22, old_sid 5003466; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An attempt to automatically restart conversion on volume failed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 24592; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009463; metadata: created_on 2022_11_22, old_sid 5003467; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Metadata write: Volume returning errors while trying to modify metadata"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 24593; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009464; metadata: created_on 2022_11_22, old_sid 5003468; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Metadata rebuild: An attempt to write a copy of metadata on volume failed and may appear as disk corruption"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 24594; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009465; metadata: created_on 2022_11_22, old_sid 5003469; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Windows is starting up"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4608,512; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009466; metadata: created_on 2022_11_22, old_sid 5003470; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Windows is shutting down"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4609,513; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009467; metadata: created_on 2022_11_22, old_sid 5003471; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An authentication package has been loaded by the Local Security Authority"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4610,514; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009468; metadata: created_on 2022_11_22, old_sid 5003472; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A trusted logon process has been registered with the Local Security Authority"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4611,515; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009469; metadata: created_on 2022_11_22, old_sid 5003473; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Internal resources allocated for the queuing of audit messages have been exhausted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4612,516; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009470; metadata: created_on 2022_11_22, old_sid 5003474; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A notification package has been loaded by the Security Account Manager"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4614,518; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009471; metadata: created_on 2022_11_22, old_sid 5003475; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Invalid use of LPC port"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4615,519; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009472; metadata: created_on 2022_11_22, old_sid 5003476; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The system time was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4616,520; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009473; metadata: created_on 2022_11_22, old_sid 5003477; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security package has been loaded by the Local Security Authority"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4622; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009474; metadata: created_on 2022_11_22, old_sid 5003478; rev: 2;)
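# 4624 / legacy 528: successful logon. Left disabled as in the original. Fixed the stray "P" in the event_id keyword (would have been a parse error once enabled) and replaced the msg "Low" — the Appendix L criticality column copied by mistake — with the event title. rev bumped.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An account was successfully logged on"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4624,528; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009475; metadata: created_on 2022_11_22, old_sid 5003479; rev: 4;)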
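# 4625 / legacy 529-537: failed logon. Left disabled as in the original. The legacy IDs 529-537 are the pre-Vista logon-failure events whose successor is 4625, so the modern ID has been corrected from 4624 (which would have duplicated sid 5009475), and the msg "Low" — the Appendix L criticality column copied by mistake — replaced with the event title. rev bumped.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An account failed to log on"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4625,529,530,531,532,533,534,535,536,537; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009476; metadata: created_on 2022_11_22, old_sid 5003480; rev: 4;)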
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An account was logged off"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4634,538; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009477; metadata: created_on 2022_11_22, old_sid 5003481; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IKE DoS-prevention mode started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4646; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009478; metadata: created_on 2022_11_22, old_sid 5003482; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] User initiated logoff"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4647,551; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009479; metadata: created_on 2022_11_22, old_sid 5003483; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A logon was attempted using explicit credentials"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4648,552; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009480; metadata: created_on 2022_11_22, old_sid 5003484; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An IPsec Main Mode security association was established"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4650; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009481; metadata: created_on 2022_11_22, old_sid 5003485; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An IPsec Main Mode security association was established"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4651; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009482; metadata: created_on 2022_11_22, old_sid 5003486; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An IPsec Main Mode negotiation failed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4652; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009483; metadata: created_on 2022_11_22, old_sid 5003487; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An IPsec Main Mode negotiation failed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4653; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009484; metadata: created_on 2022_11_22, old_sid 5003488; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An IPsec Quick Mode negotiation failed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4654; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009485; metadata: created_on 2022_11_22, old_sid 5003489; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An IPsec Main Mode security association ended"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4655; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009486; metadata: created_on 2022_11_22, old_sid 5003490; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A handle to an object was requested"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4656,560; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009487; metadata: created_on 2022_11_22, old_sid 5003491; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A registry value was modified"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4657,567; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009488; metadata: created_on 2022_11_22, old_sid 5003492; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The handle to an object was closed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4658,562; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009489; metadata: created_on 2022_11_22, old_sid 5003493; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A handle to an object was requested with intent to delete"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4659; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009490; metadata: created_on 2022_11_22, old_sid 5003494; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An object was deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4660,564; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009491; metadata: created_on 2022_11_22, old_sid 5003495; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A handle to an object was requested"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4661,565; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009492; metadata: created_on 2022_11_22, old_sid 5003496; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An operation was performed on an object"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4662,566; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009493; metadata: created_on 2022_11_22, old_sid 5003497; rev: 3;)
# --- Object access / application-context / privilege-use events (4663-4672) ---
# Every rule in this block is shipped disabled (leading '#'). Each one maps the
# Windows EventID and RenderedDescription out of the Event Hub JSON, matches on
# the Security channel (program: *Security*) and fires on the listed event_id
# values: the Vista+ event ID first, then the pre-Vista legacy ID where one
# exists (legacy = modern - 4096, e.g. 4663 -> 567).
# Operational note: 4663 (object access) and 4673 (privileged service) are
# high-volume on hosts with broad SACLs; scope them before enabling in bulk.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An attempt was made to access an object"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009494; metadata: created_on 2022_11_22, old_sid 5003498; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An attempt was made to create a hard link"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4664; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009495; metadata: created_on 2022_11_22, old_sid 5003499; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An attempt was made to create an application client context"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4665; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009496; metadata: created_on 2022_11_22, old_sid 5003500; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An application attempted an operation:"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4666; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009497; metadata: created_on 2022_11_22, old_sid 5003501; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An application client context was deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4667; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009498; metadata: created_on 2022_11_22, old_sid 5003502; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An application was initialized"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4668; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009499; metadata: created_on 2022_11_22, old_sid 5003503; rev: 2;)
# 4670 (DACL/SACL change on an object) is a good candidate to enable on file
# servers and domain controllers: it is low-volume and signals permission tampering.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Permissions on an object were changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4670; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009500; metadata: created_on 2022_11_22, old_sid 5003504; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An application attempted to access a blocked ordinal through the TBS"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4671; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009501; metadata: created_on 2022_11_22, old_sid 5003505; rev: 2;)
# 4672 fires on every logon that receives sensitive privileges (SeDebugPrivilege,
# SeTcbPrivilege, ...). Useful for tracking admin-equivalent sessions, but expect
# one event per privileged logon, including service and system accounts.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Special privileges assigned to new logon"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4672,576; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009502; metadata: created_on 2022_11_22, old_sid 5003506; rev: 3;)
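# 4673 "A privileged service was called" maps to legacy event 577 (4673 - 4096),
# consistent with every other modern/legacy pair in this file. The previous
# value 557 appears to be a typo and would never match a pre-Vista log line.
# rev bumped for the event_id correction.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A privileged service was called"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4673,577; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009503; metadata: created_on 2022_11_22, old_sid 5003507; rev: 4;)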
# --- Privileged object operations and process tracking (4674, 4688, 4689) ---
# Disabled by default like the rest of the file. 4688 (process creation) is the
# single most useful event here for detection engineering, but it only carries a
# command line when "Include command line in process creation events" is enabled
# in audit policy; without it the RenderedDescription holds just the image path.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An operation was attempted on a privileged object"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4674,578; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009504; metadata: created_on 2022_11_22, old_sid 5003508; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A new process has been created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009505; metadata: created_on 2022_11_22, old_sid 5003509; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A process has exited"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4689,593; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009506; metadata: created_on 2022_11_22, old_sid 5003510; rev: 3;)
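# 4690 "An attempt was made to duplicate a handle to an object" maps to legacy
# event 594 (4690 - 4096). The previous value 593 is the legacy ID of 4689
# (process exit) and was almost certainly copied from the line above; with it a
# legacy handle-duplication event could never match this rule.
# rev bumped for the event_id correction.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An attempt was made to duplicate a handle to an object"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4690,594; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009507; metadata: created_on 2022_11_22, old_sid 5003511; rev: 4;)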
# --- Handle/DPAPI/token events, service install, scheduled tasks, user rights,
# --- trusts, IPsec, and user/group account management (4691-4738) ---
# All disabled by default. event_id lists the Vista+ ID, then the pre-Vista
# legacy ID where one exists.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Indirect access to an object was requested"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4691,595; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009508; metadata: created_on 2022_11_22, old_sid 5003512; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Protection of auditable protected data was attempted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4694; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009509; metadata: created_on 2022_11_22, old_sid 5003513; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Unprotection of auditable protected data was attempted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4695; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009510; metadata: created_on 2022_11_22, old_sid 5003514; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A primary token was assigned to process"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4696,600; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009511; metadata: created_on 2022_11_22, old_sid 5003515; rev: 3;)
# 4697 (service install) and the scheduled-task events 4698-4702 are low-volume
# persistence indicators and are usually worth enabling outright.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Attempt to install a service"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4697,601; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009512; metadata: created_on 2022_11_22, old_sid 5003516; rev: 3;)
# 4698-4702 all carry legacy ID 602: pre-Vista Windows logged every scheduled-task
# operation under the single "Scheduled Task created" event, so this is intentional.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A scheduled task was created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4698,602; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009513; metadata: created_on 2022_11_22, old_sid 5003517; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A scheduled task was deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4699,602; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009514; metadata: created_on 2022_11_22, old_sid 5003518; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A scheduled task was enabled"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4700,602; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009515; metadata: created_on 2022_11_22, old_sid 5003519; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A scheduled task was disabled"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4701,602; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009516; metadata: created_on 2022_11_22, old_sid 5003520; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A scheduled task was updated"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4702,602; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009517; metadata: created_on 2022_11_22, old_sid 5003521; rev: 3;)
# User-right assignment/removal and trust removal (4704, 4705, 4707) change the
# security posture of the host or domain and are rare in normal operation.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A user right was assigned"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4704,608; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009518; metadata: created_on 2022_11_22, old_sid 5003522; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A user right was removed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4705,609; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009519; metadata: created_on 2022_11_22, old_sid 5003523; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A trust to a domain was removed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4707,611; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009520; metadata: created_on 2022_11_22, old_sid 5003524; rev: 2;)
# IPsec service / PAStore events (4709-4712) have no legacy counterpart listed.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec Services was started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4709; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009521; metadata: created_on 2022_11_22, old_sid 5003525; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec Services was disabled"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4710; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009522; metadata: created_on 2022_11_22, old_sid 5003526; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine Activity Detected"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4711; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009523; metadata: created_on 2022_11_22, old_sid 5003527; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec Services encountered a potentially serious failure"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4712; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009524; metadata: created_on 2022_11_22, old_sid 5003528; rev: 2;)
# Account-management events (4717-4738): user creation/enable/disable/delete,
# password change attempts, and security-enabled global/local group membership.
# On domain controllers these are the core audit trail for privilege escalation
# via group membership; they are low-volume and safe to enable.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] System security access was granted to an account"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4717,621; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009525; metadata: created_on 2022_11_22, old_sid 5003529; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] System security access was removed from an account"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4718,622; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009526; metadata: created_on 2022_11_22, old_sid 5003530; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A user account was created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4720,624; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009527; metadata: created_on 2022_11_22, old_sid 5003531; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A user account was enabled"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4722,626; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009528; metadata: created_on 2022_11_22, old_sid 5003532; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An attempt was made to change an account's password"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4723,627; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009529; metadata: created_on 2022_11_22, old_sid 5003533; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A user account was disabled"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4725,629; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009530; metadata: created_on 2022_11_22, old_sid 5003534; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A user account was deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4726,630; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009531; metadata: created_on 2022_11_22, old_sid 5003535; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A member was added to a security-enabled global group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4728,632; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009532; metadata: created_on 2022_11_22, old_sid 5003536; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A member was removed from a security-enabled global group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4729,633; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009533; metadata: created_on 2022_11_22, old_sid 5003537; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-enabled global group was deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4730,634; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009534; metadata: created_on 2022_11_22, old_sid 5003538; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-enabled local group was created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4731,635; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009535; metadata: created_on 2022_11_22, old_sid 5003539; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A member was added to a security-enabled local group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4732,636; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009536; metadata: created_on 2022_11_22, old_sid 5003540; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A member was removed from a security-enabled local group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4733,637; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009537; metadata: created_on 2022_11_22, old_sid 5003541; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-enabled local group was deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4734,638; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009538; metadata: created_on 2022_11_22, old_sid 5003542; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A user account was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4738,642; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009539; metadata: created_on 2022_11_22, old_sid 5003543; rev: 3;)
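# 4740 "A user account was locked out" maps to legacy event 644 (4740 - 4096).
# The previous value 544 is a legacy IPsec main-mode authentication failure and
# looks like a single-digit typo; a pre-Vista lockout would not have matched.
# Lockouts are a primary password-spraying / brute-force indicator, so this rule
# is a strong candidate to enable. rev bumped for the event_id correction.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A user account was locked out"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4740,644; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009540; metadata: created_on 2022_11_22, old_sid 5003544; rev: 4;)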
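# 4741 / legacy 645 is "A computer account was created"; the msg previously
# read "changed", duplicating the text of the 4742 rule that follows, so alerts
# from the two sids were indistinguishable by message. event_id values were
# already correct. rev bumped for the msg correction.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A computer account was created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4741,645; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009541; metadata: created_on 2022_11_22, old_sid 5003545; rev: 4;)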
# --- Computer account changes, security-disabled (distribution) and universal
# --- group management, account unlock, and Kerberos ticketing (4742-4771) ---
# All disabled by default; event_id lists the Vista+ ID then the legacy ID.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A computer account was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4742,646; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009542; metadata: created_on 2022_11_22, old_sid 5003546; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A computer account was deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4743,647; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009543; metadata: created_on 2022_11_22, old_sid 5003547; rev: 3;)
# "Security-disabled" groups (4744-4753, 4759-4762) are distribution groups: they
# carry no SID in access tokens, so membership changes here are mail-routing
# noise rather than privilege changes. Keep them disabled unless you need them
# for change-tracking.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-disabled local group was created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4744,648; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009544; metadata: created_on 2022_11_22, old_sid 5003548; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-disabled local group was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4745,649; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009545; metadata: created_on 2022_11_22, old_sid 5003549; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A member was added to a security-disabled local group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4746,650; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009546; metadata: created_on 2022_11_22, old_sid 5003550; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A member was removed from a security-disabled local group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4747,651; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009547; metadata: created_on 2022_11_22, old_sid 5003551; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-disabled local group was deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4748,652; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009548; metadata: created_on 2022_11_22, old_sid 5003552; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-disabled global group was created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4749,653; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009549; metadata: created_on 2022_11_22, old_sid 5003553; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-disabled global group was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4750,654; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009550; metadata: created_on 2022_11_22, old_sid 5003554; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A member was added to a security-disabled global group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4751,655; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009551; metadata: created_on 2022_11_22, old_sid 5003555; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A member was removed from a security-disabled global group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4752,656; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009552; metadata: created_on 2022_11_22, old_sid 5003556; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-disabled global group was deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4753,657; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009553; metadata: created_on 2022_11_22, old_sid 5003557; rev: 3;)
# Security-enabled universal groups (4756-4758) do carry a SID and are often
# used for forest-wide admin roles; treat these like the global-group events.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A member was added to a security-enabled universal group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4756,660; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009554; metadata: created_on 2022_11_22, old_sid 5003558; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A member was removed from a security-enabled universal group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4757,661; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009555; metadata: created_on 2022_11_22, old_sid 5003559; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-enabled universal group was deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4758,662; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009556; metadata: created_on 2022_11_22, old_sid 5003560; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-disabled universal group was created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4759,663; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009557; metadata: created_on 2022_11_22, old_sid 5003561; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-disabled universal group was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4760,664; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009558; metadata: created_on 2022_11_22, old_sid 5003562; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A member was added to a security-disabled universal group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4761,665; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009559; metadata: created_on 2022_11_22, old_sid 5003563; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A member was removed from a security-disabled universal group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4762,666; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009560; metadata: created_on 2022_11_22, old_sid 5003564; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A user account was unlocked"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4767,671; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009561; metadata: created_on 2022_11_22, old_sid 5003565; rev: 3;)
# Kerberos events are only produced on domain controllers. 4769 (TGS request)
# is the highest-volume event in this file on a busy DC; 4771 (pre-auth failure)
# is the Kerberos equivalent of a bad-password attempt and is low-volume.
# Note the sequence skips 4768 (TGT requested, old_sid 5003566) - it is defined
# elsewhere or intentionally omitted; confirm before relying on this file alone.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A Kerberos service ticket was requested"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4769,673; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009562; metadata: created_on 2022_11_22, old_sid 5003567; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A Kerberos service ticket was renewed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4770,674; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009563; metadata: created_on 2022_11_22, old_sid 5003568; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Kerberos pre-authentication failed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4771,675; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009564; metadata: created_on 2022_11_22, old_sid 5003569; rev: 3;)
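# 4772 "A Kerberos authentication ticket request failed" maps to legacy event
# 676 (4772 - 4096). The previous value 672 is the legacy *success* event
# ("Authentication ticket granted"), so a pre-Vista log would have raised this
# failure alert on every successful TGT grant. rev bumped for the correction.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A Kerberos authentication ticket request failed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4772,676; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009565; metadata: created_on 2022_11_22, old_sid 5003570; rev: 4;)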
# --- Account mapping, credential validation, session reconnect/disconnect,
# --- account rename, and password-hash access (4774-4782) ---
# All disabled by default; event_id lists the Vista+ ID then the legacy ID.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An account was mapped for logon"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4774,678; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009566; metadata: created_on 2022_11_22, old_sid 5003571; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An account could not be mapped for logon"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4775,679; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009567; metadata: created_on 2022_11_22, old_sid 5003572; rev: 3;)
# 4777 has no legacy ID listed and is the failure counterpart of NTLM credential
# validation on a DC; pairing it with 4771 gives both Kerberos and NTLM bad-
# password visibility.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The domain controller failed to validate the credentials for an account"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4777; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009568; metadata: created_on 2022_11_22, old_sid 5003574; rev: 2;)
# 4778/4779 cover RDP and fast-user-switching session reconnects; the
# RenderedDescription carries the client name and address, which is what makes
# these useful for lateral-movement review. (event_id below lacks the space after
# the colon that the other rules use - harmless, but inconsistent.)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A session was reconnected to a Window Station"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4778,682; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009569; metadata: created_on 2022_11_22, old_sid 5003575; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A session was disconnected from a Window Station"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4779,683; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009570; metadata: created_on 2022_11_22, old_sid 5003576; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The name of an account was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4781,685; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009571; metadata: created_on 2022_11_22, old_sid 5003577; rev:4;)
# 4782 is rare in normal operation and fires when an account's stored password
# hash is read on the DC; it is worth enabling as a credential-access indicator.
# The msg text below reproduces Microsoft's own event title verbatim (including
# the missing "of"), so it is left unchanged to match the source description.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The password hash an account was accessed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4782; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009572; metadata: created_on 2022_11_22, old_sid 5003578; rev: 3;)
# --- Basic application group / LDAP query group lifecycle (4783-4790) and password-policy API (4793) ---
# All rules here are disabled ("#alert") by default; same json_map/program/reference layout as the rest of the file.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A basic application group was created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4783,667; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009573; metadata: created_on 2022_11_22, old_sid 5003579; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A basic application group was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4784; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009574; metadata: created_on 2022_11_22, old_sid 5003580; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A member was added to a basic application group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4785,689; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009575; metadata: created_on 2022_11_22, old_sid 5003581; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A member was removed from a basic application group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4786,690; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009576; metadata: created_on 2022_11_22, old_sid 5003582; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A nonmember was added to a basic application group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4787,691; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009577; metadata: created_on 2022_11_22, old_sid 5003583; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A nonmember was removed from a basic application group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4788,692; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009578; metadata: created_on 2022_11_22, old_sid 5003584; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A basic application group was deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4789,693; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009579; metadata: created_on 2022_11_22, old_sid 5003585; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An LDAP query group was created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4790,694; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009580; metadata: created_on 2022_11_22, old_sid 5003586; rev: 3;)
# 4793 fires on every call to the password-policy checking API; expect volume if enabled on busy DCs.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Password Policy Checking API was called"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4793; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009581; metadata: created_on 2022_11_22, old_sid 5003587; rev: 2;)
# --- Interactive-session housekeeping (4800-4803) and namespace collision (4864) ---
# Lock/unlock and screen-saver events are high-volume, low-signal on their own; they are disabled here and
# are mainly useful as timeline context for an already-open investigation.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The workstation was locked"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4800; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009582; metadata: created_on 2022_11_22, old_sid 5003588; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The workstation was unlocked"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4801; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009583; metadata: created_on 2022_11_22, old_sid 5003589; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The screen saver was invoked"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4802; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009584; metadata: created_on 2022_11_22, old_sid 5003590; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The screen saver was dismissed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4803; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009585; metadata: created_on 2022_11_22, old_sid 5003591; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A namespace collision was detected"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4864; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009586; metadata: created_on 2022_11_22, old_sid 5003592; rev: 2;)
# --- Certificate Services (AD CS) request and CRL events (4869-4873) ---
# Disabled by default. Note the msg for 4871 spells the acronym as "[CRL]" while the 4872 rule uses "(CRL)";
# both are literal msg text, so searches on the message field must account for both spellings.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services received a resubmitted certificate request"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4869,773; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009587; metadata: created_on 2022_11_22, old_sid 5003593; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services received a request to publish the certificate revocation list [CRL]"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4871,775; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009588; metadata: created_on 2022_11_22, old_sid 5003594; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services published the certificate revocation list (CRL)"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4872,776; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009589; metadata: created_on 2022_11_22, old_sid 5003595; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A certificate request extension changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4873,777; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009590; metadata: created_on 2022_11_22, old_sid 5003596; rev: 3;)
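# 4874 (legacy 778) is "One or more certificate request attributes changed". This rule previously carried
# event_id 4878, which is "Certificate Services restore started" and is already matched by sid 5009595, so
# it could never see an attribute-change event and would have fired a second time on every restore start.
# The legacy value 778 was already correct (4874 - 4096). rev bumped for the event_id change.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] One or more certificate request attributes changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4874,778; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009591; metadata: created_on 2022_11_22, old_sid 5003597; rev: 4;)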
# --- Certificate Services (AD CS) service lifecycle, backup/restore, key archival, issuance and template events (4875-4898) ---
# Disabled by default. From a defender's view the most valuable ones here are key retrieval/archival (4883, 4893, 4894),
# CA configuration changes (4891), template loads (4898) and publication of the CA certificate to AD DS (4895);
# the backup/restore and start/stop events mostly matter as change-control evidence.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services received a request to shut down"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4875,779; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009592; metadata: created_on 2022_11_22, old_sid 5003598; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services backup started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4876,780; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009593; metadata: created_on 2022_11_22, old_sid 5003599; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services backup completed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4877,781; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009594; metadata: created_on 2022_11_22, old_sid 5003600; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services restore started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4878,782; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009595; metadata: created_on 2022_11_22, old_sid 5003601; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services restore completed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4879,783; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009596; metadata: created_on 2022_11_22, old_sid 5003602; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4880,784; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009597; metadata: created_on 2022_11_22, old_sid 5003603; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services stopped"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4881,785; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009598; metadata: created_on 2022_11_22, old_sid 5003604; rev: 2;)
# Archived-key retrieval (4883) exposes escrowed private keys; worth enabling on any CA doing key archival.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services retrieved an archived key"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4883,787; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009599; metadata: created_on 2022_11_22, old_sid 5003605; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services imported a certificate into its database"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4884,788; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009600; metadata: created_on 2022_11_22, old_sid 5003606; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services received a certificate request"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4886,790; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009601; metadata: created_on 2022_11_22, old_sid 5003607; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services approved a certificate request and issued a certificate"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4887,791; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009602; metadata: created_on 2022_11_22, old_sid 5003608; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services denied a certificate request"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4888,792; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009603; metadata: created_on 2022_11_22, old_sid 5003609; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services set the status of a certificate request to pending"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4889,793; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009604; metadata: created_on 2022_11_22, old_sid 5003610; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A configuration entry changed in Certificate Services"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4891,795; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009605; metadata: created_on 2022_11_22, old_sid 5003611; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services archived a key"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4893,797; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009606; metadata: created_on 2022_11_22, old_sid 5003612; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services imported and archived a key"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4894,798; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009607; metadata: created_on 2022_11_22, old_sid 5003613; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services published the CA certificate to Active Directory Domain Services"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4895,799; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009608; metadata: created_on 2022_11_22, old_sid 5003614; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Certificate Services loaded a template"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4898,802; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009609; metadata: created_on 2022_11_22, old_sid 5003615; rev: 3;)
# --- Audit-policy table, security event-source registration and TPM Base Services (TBS) policy (4902-4910) ---
# Disabled by default. 4904/4905 (security event source registered/unregistered) are relevant to audit-tampering
# detection; 4909/4910 record TBS policy changes and are low-volume.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Per-user audit policy table was created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4902; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009610; metadata: created_on 2022_11_22, old_sid 5003616; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An attempt was made to register a security event source"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4904; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009611; metadata: created_on 2022_11_22, old_sid 5003617; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An attempt was made to unregister a security event source"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4905; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009612; metadata: created_on 2022_11_22, old_sid 5003618; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The local policy settings for the TBS were changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4909; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009613; metadata: created_on 2022_11_22, old_sid 5003619; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Group Policy settings for the TBS were changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4910; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009614; metadata: created_on 2022_11_22, old_sid 5003620; rev: 2;)
# --- Active Directory replication events (4928-4937) ---
# Disabled by default; these only appear on domain controllers. New replica source naming contexts (4928)
# and lingering-object removal (4937) are the ones most worth a second look, since unexpected replication
# partners are a common indicator of rogue-DC style activity.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An Active Directory replica source naming context was established"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4928; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009615; metadata: created_on 2022_11_22, old_sid 5003621; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An Active Directory replica source naming context was removed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4929; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009616; metadata: created_on 2022_11_22, old_sid 5003622; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An Active Directory replica source naming context was modified"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4930; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009617; metadata: created_on 2022_11_22, old_sid 5003623; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An Active Directory replica destination naming context was modified"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4931; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009618; metadata: created_on 2022_11_22, old_sid 5003624; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Synchronization of a replica of an Active Directory naming context has begun"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4932; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009619; metadata: created_on 2022_11_22, old_sid 5003625; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Synchronization of a replica of an Active Directory naming context has ended"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4933; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009620; metadata: created_on 2022_11_22, old_sid 5003626; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Attributes of an Active Directory object were replicated"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4934; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009621; metadata: created_on 2022_11_22, old_sid 5003627; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Replication failure begins"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4935; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009622; metadata: created_on 2022_11_22, old_sid 5003628; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Replication failure ends"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4936; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009623; metadata: created_on 2022_11_22, old_sid 5003629; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A lingering object was removed from a replica"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4937; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009624; metadata: created_on 2022_11_22, old_sid 5003630; rev: 2;)
# --- Windows Firewall start-up inventory (4944-4945) ---
# Disabled by default. 4945 is emitted once per rule at service start, so it is very noisy if enabled;
# it is mainly useful for baselining the rule set rather than alerting.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The following policy was active when the Windows Firewall started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4944; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009625; metadata: created_on 2022_11_22, old_sid 5003631; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A rule was listed when the Windows Firewall started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4945; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009626; metadata: created_on 2022_11_22, old_sid 5003632; rev: 2;)
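# 4946, 4947 and 4948 all share the prefix "A change has been made to Windows Firewall exception list"; Windows
# distinguishes them by the suffix (rule added / modified / deleted). The three rules used to carry the identical
# msg, so an analyst looking at the alert title alone could not tell an added rule from a deleted one without
# opening the message field. The suffix is now part of msg; rev bumped on each.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A change has been made to Windows Firewall exception list. A rule was added"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4946; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009627; metadata: created_on 2022_11_22, old_sid 5003633; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A change has been made to Windows Firewall exception list. A rule was modified"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4947; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009628; metadata: created_on 2022_11_22, old_sid 5003634; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A change has been made to Windows Firewall exception list. A rule was deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4948; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009629; metadata: created_on 2022_11_22, old_sid 5003635; rev: 3;)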
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Windows Firewall settings were restored to the default values"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4949; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009630; metadata: created_on 2022_11_22, old_sid 5003636; rev: 2;)
# --- Windows Firewall configuration / rule-processing events (4950-4958) ---
# Every rule in this section (and this file) ships disabled ("#alert"); uncomment the ones you
# want to fire. Matching is on the numeric EventID (event_id) plus the Security channel
# (program); msg is only the alert text and the two json_map fields just carry the raw
# EventID and rendered description through to the alert.
# 4950 (firewall setting changed) and 4954 (Group Policy firewall settings changed) are the
# security-relevant ones here: a host firewall being reconfigured outside a change window is a
# common defense-evasion step (ATT&CK T1562.004) and both are low-volume enough to enable.
# 4951-4953 and 4957-4958 report rules the firewall could not parse or apply; treat those as
# operational/health signals rather than security alerts.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A Windows Firewall setting has changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4950; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009631; metadata: created_on 2022_11_22, old_sid 5003637; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A rule has been ignored because its major version number was not recognized by Windows Firewall"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4951; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009632; metadata: created_on 2022_11_22, old_sid 5003638; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4952; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009633; metadata: created_on 2022_11_22, old_sid 5003639; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A rule has been ignored by Windows Firewall because it could not parse the rule"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4953; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009634; metadata: created_on 2022_11_22, old_sid 5003640; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Windows Firewall Group Policy settings have changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4954; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009635; metadata: created_on 2022_11_22, old_sid 5003641; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Windows Firewall has changed the active profile"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4956; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009636; metadata: created_on 2022_11_22, old_sid 5003642; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Windows Firewall did not apply the following rule:"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4957; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009637; metadata: created_on 2022_11_22, old_sid 5003643; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4958; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009638; metadata: created_on 2022_11_22, old_sid 5003644; rev: 2;)
# --- IPsec Main Mode / Extended Mode SA events (4979-4982) and transaction state (4985) ---
# 4979-4982 are four distinct event IDs that Appendix L documents with the same description,
# so these four rules deliberately share one msg; tell them apart by the mapped event_id field
# rather than by alert text. They only say an SA was established and are noisy on any host
# that uses IPsec / connection security rules - informational, keep disabled by default.
# 4985 ("state of a transaction has changed") is a kernel transaction (KTM / transactional
# file system) event, not an access-control event; expect very high volume if its subcategory
# is audited, so enable it only for a specific investigation.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec Main Mode and Extended Mode security associations were established"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4979; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009639; metadata: created_on 2022_11_22, old_sid 5003645; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec Main Mode and Extended Mode security associations were established"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4980; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009640; metadata: created_on 2022_11_22, old_sid 5003646; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec Main Mode and Extended Mode security associations were established"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4981; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009641; metadata: created_on 2022_11_22, old_sid 5003647; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec Main Mode and Extended Mode security associations were established"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4982; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009642; metadata: created_on 2022_11_22, old_sid 5003648; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The state of a transaction has changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4985; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009643; metadata: created_on 2022_11_22, old_sid 5003649; rev: 2;)
# --- Windows Firewall service/driver lifecycle (5024-5034) and registry virtualization (5039) ---
# 5025 (service stopped) and 5034 (driver stopped) are the high-value events in this group: the
# host firewall going away outside patching/reboot windows is a defense-evasion indicator and is
# cheap to alert on. 5024/5033 (started) are useful only as a pairing/baseline signal.
# 5031 (application blocked from accepting inbound connections) fires per blocked listener and
# is mostly noise on workstations; 5032 only reports that the user notification failed.
# 5039 is UAC registry virtualization for legacy applications - informational, not a
# security event.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service has started successfully"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5024; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009644; metadata: created_on 2022_11_22, old_sid 5003650; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service has been stopped"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5025; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009645; metadata: created_on 2022_11_22, old_sid 5003651; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service blocked an application from accepting incoming connections on the network"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5031; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009646; metadata: created_on 2022_11_22, old_sid 5003652; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5032; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009647; metadata: created_on 2022_11_22, old_sid 5003653; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Firewall Driver has started successfully"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5033; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009648; metadata: created_on 2022_11_22, old_sid 5003654; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Firewall Driver has been stopped"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5034; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009649; metadata: created_on 2022_11_22, old_sid 5003655; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A registry key was virtualized"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5039; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009650; metadata: created_on 2022_11_22, old_sid 5003656; rev: 2;)
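# --- IPsec policy changes (5040-5048) ---
# Each ID is a different object/action - per the Windows event reference 5040-5042 are an
# authentication set, 5043-5045 a connection security rule and 5046-5048 a crypto set, each in
# added / modified / deleted order - even though Appendix L and these msgs use the same generic
# text. Distinguish them by the mapped event_id. Unexpected changes here can mean someone is
# weakening or bypassing connection security, so they are worth enabling on hosts where IPsec
# is part of the security boundary; elsewhere they are change-management noise.
# Fix: sid 5009656 (event 5045) had the keyword misspelled as "evnet_id", which is not a valid
# rule option and would make the rule fail to load once uncommented, and it was missing the two
# json_map fields every other rule in this file carries. Corrected and rev bumped to 3.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5040; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009651; metadata: created_on 2022_11_22, old_sid 5003657; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5041; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009652; metadata: created_on 2022_11_22, old_sid 5003658; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5042; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009653; metadata: created_on 2022_11_22, old_sid 5003659; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5043; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009654; metadata: created_on 2022_11_22, old_sid 5003660; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5044; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009655; metadata: created_on 2022_11_22, old_sid 5003661; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5045; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009656; metadata: created_on 2022_11_22, old_sid 5003662; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5046; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009657; metadata: created_on 2022_11_22, old_sid 5003663; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5047; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009658; metadata: created_on 2022_11_22, old_sid 5003664; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5048; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009659; metadata: created_on 2022_11_22, old_sid 5003665; rev: 2;)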
# --- Programmatic firewall disable (5050) and file virtualization (5051) ---
# 5050 is the most useful event in this part of the file: it records an attempt to switch the
# Windows Firewall off through the INetFwProfile COM interface (the route scripted malware and
# "net stop"-style tooling tend to use). Volume is low and a hit almost always deserves a look,
# so this is a strong candidate to uncomment; the rendered message should identify the
# calling process - confirm against a live event before keying automation on it.
# 5051 is UAC file virtualization for legacy applications - informational only.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An attempt to programmatically disable the Windows Firewall using a call to InetFwProfile"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5050; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009660; metadata: created_on 2022_11_22, old_sid 5003666; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A file was virtualized"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5051; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009661; metadata: created_on 2022_11_22, old_sid 5003667; rev: 2;)
# --- CNG / cryptographic operations (5056-5070) ---
# These are audited mostly under the System Integrity / Other System Events / Other Policy
# Change subcategories and are extremely high volume on an ordinary host (5061 "Cryptographic
# operation" and 5058 "Key file operation" in particular), so leave them disabled for general
# Event Hub ingestion - the cost is real and the signal is low.
# The failure events are the interesting subset: 5057 (primitive operation failed) and 5060
# (verification operation failed). 5059 (key migration) is worth enabling on CAs, ADFS/SSO
# servers and other hosts holding sensitive private keys, since it surfaces export/import of
# key material - exactly what credential/certificate theft looks like.
# 5063-5070 are provider / context / function configuration changes. They are rare in normal
# operation, so on a hardened host a hit may indicate tampering with the crypto configuration.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A cryptographic self test was performed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5056; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009662; metadata: created_on 2022_11_22, old_sid 5003668; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A cryptographic primitive operation failed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5057; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009663; metadata: created_on 2022_11_22, old_sid 5003669; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Key file operation"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5058; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009664; metadata: created_on 2022_11_22, old_sid 5003670; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Key migration operation"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5059; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009665; metadata: created_on 2022_11_22, old_sid 5003671; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Verification operation failed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5060; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009666; metadata: created_on 2022_11_22, old_sid 5003672; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Cryptographic operation"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5061; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009667; metadata: created_on 2022_11_22, old_sid 5003673; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A kernel-mode cryptographic self test was performed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5062; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009668; metadata: created_on 2022_11_22, old_sid 5003674; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A cryptographic provider operation was attempted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5063; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009669; metadata: created_on 2022_11_22, old_sid 5003675; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A cryptographic context operation was attempted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5064; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009670; metadata: created_on 2022_11_22, old_sid 5003676; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A cryptographic context modification was attempted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5065; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009671; metadata: created_on 2022_11_22, old_sid 5003677; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A cryptographic function operation was attempted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5066; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009672; metadata: created_on 2022_11_22, old_sid 5003678; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A cryptographic function modification was attempted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5067; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009673; metadata: created_on 2022_11_22, old_sid 5003679; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A cryptographic function provider operation was attempted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5068; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009674; metadata: created_on 2022_11_22, old_sid 5003680; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A cryptographic function property operation was attempted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5069; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009675; metadata: created_on 2022_11_22, old_sid 5003681; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A cryptographic function property modification was attempted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5070; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009676; metadata: created_on 2022_11_22, old_sid 5003682; rev: 2;)
# --- OCSP Responder service (5125-5127) ---
# Only produced on servers running the Online Responder role; on any other host these rules
# never match, so they cost nothing to leave enabled but also tell you nothing. 5125 (request
# submitted) is per-request and noisy on a busy responder; 5126 (signing certificate
# auto-renewed) and 5127 (revocation data refreshed) are low-volume and useful for baselining
# PKI health - an absence of 5127 over time is as interesting as its presence.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A request was submitted to the OCSP Responder Service"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5125; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009677; metadata: created_on 2022_11_22, old_sid 5003683; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Signing Certificate was automatically updated by the OCSP Responder Service"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5126; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009678; metadata: created_on 2022_11_22, old_sid 5003684; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The OCSP Revocation Provider successfully updated the revocation information"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5127; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009679; metadata: created_on 2022_11_22, old_sid 5003685; rev: 2;)
# --- Directory service object changes (5136-5141) and network share access (5140) ---
# The 513x events only appear on domain controllers with "Directory Service Changes" auditing
# enabled and a SACL on the objects of interest - without both, enabling these rules produces
# nothing. 5136 (modified) is one of the highest-value AD events: it is how you see changes to
# AdminSDHolder, GPO links, group-membership attributes and object DACLs. 5137/5139/5141
# (created/moved/deleted) catch object lifecycle abuse; 5138 (undeleted) is rare in normal
# operation and is safe to enable outright.
# NOTE(review): the "modified" and "created" rules both also match event 566 (apparently the
# legacy pre-2008 "object operation" ID, hence rev 3 on those two). A single 566 event will
# therefore fire both rules with contradicting messages; decide which rule should own it.
# 5140 (share accessed) needs "Audit File Share" and is very noisy; if you enable it, narrow
# it to administrative shares (ADMIN$, C$, IPC$) with an additional match on the message
# rather than alerting on every share access.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A directory service object was modified"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5136,566; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009680; metadata: created_on 2022_11_22, old_sid 5003686; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A directory service object was created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5137,566; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009681; metadata: created_on 2022_11_22, old_sid 5003687; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A directory service object was undeleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5138; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009682; metadata: created_on 2022_11_22, old_sid 5003688; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A directory service object was moved"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5139; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009683; metadata: created_on 2022_11_22, old_sid 5003689; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A network share object was accessed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5140; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009684; metadata: created_on 2022_11_22, old_sid 5003690; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A directory service object was deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5141; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009685; metadata: created_on 2022_11_22, old_sid 5003691; rev: 2;)
# --- Windows Filtering Platform packet/connection events (5152-5159) and CredSSP (5378) ---
# 5152/5153 require "Filtering Platform Packet Drop" auditing and 5154-5159 "Filtering Platform
# Connection" auditing. 5156 (connection allowed) is one event per permitted connection and is
# among the noisiest things the Security log can emit; pushing it through an Event Hub is
# expensive, so filter host-side or restrict to specific ports/processes before uncommenting.
# The useful subset for detection is 5157 (connection blocked - e.g. blocked beaconing) and
# 5155/5159 (listen/bind blocked - a dropped listener or bind-shell attempt). 5154/5158 are
# permitted listen/bind events and are noisy.
# 5378 (credential delegation disallowed by policy) is low-volume and worth enabling: it shows
# something attempting to delegate credentials (typically CredSSP / RDP) past the configured
# Credential Delegation policy.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform blocked a packet"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5152; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009686; metadata: created_on 2022_11_22, old_sid 5003692; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A more restrictive Windows Filtering Platform filter has blocked a packet"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5153; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009687; metadata: created_on 2022_11_22, old_sid 5003693; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5154; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009688; metadata: created_on 2022_11_22, old_sid 5003694; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5155; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009689; metadata: created_on 2022_11_22, old_sid 5003695; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has allowed a connection"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5156; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009690; metadata: created_on 2022_11_22, old_sid 5003696; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has blocked a connection"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5157; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009691; metadata: created_on 2022_11_22, old_sid 5003697; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has permitted a bind to a local port"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5158; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009692; metadata: created_on 2022_11_22, old_sid 5003698; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has blocked a bind to a local port"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5159; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009693; metadata: created_on 2022_11_22, old_sid 5003699; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The requested credentials delegation was disallowed by policy"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5378; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009694; metadata: created_on 2022_11_22, old_sid 5003700; rev: 2;)
# --- WFP Base Filtering Engine startup inventory (5440-5444), WFP object changes (5446-5450)
#     and IPsec Quick Mode SAs (5451-5452) ---
# 5440-5444 are emitted once per callout / filter / provider / provider context / sublayer
# every time BFE starts, i.e. a burst of potentially hundreds of events at each boot. They are
# an inventory, not an alert; keep disabled unless you want to diff the filter set across boots.
# 5446 (callout changed) is the one to watch in this group: WFP callouts are kernel-mode hooks,
# so an unexpected callout registration can indicate a newly loaded network filter driver or
# tampering with the filtering stack. 5447 (filter changed) is useful but high-volume on hosts
# with dynamic firewall rules (containers, VPN clients); 5448-5450 are rarer configuration
# changes and reasonable to enable on servers.
# 5451/5452 are IPsec Quick Mode SA lifecycle - informational and noisy wherever IPsec is used.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The following callout was present when the Windows Filtering Platform Base Filtering Engine started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5440; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009695; metadata: created_on 2022_11_22, old_sid 5003701; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The following filter was present when the Windows Filtering Platform Base Filtering Engine started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5441; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009696; metadata: created_on 2022_11_22, old_sid 5003702; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The following provider was present when the Windows Filtering Platform Base Filtering Engine started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5442; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009697; metadata: created_on 2022_11_22, old_sid 5003703; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The following provider context was present when the Windows Filtering Platform Base Filtering Engine started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5443; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009698; metadata: created_on 2022_11_22, old_sid 5003704; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The following sublayer was present when the Windows Filtering Platform Base Filtering Engine started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5444; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009699; metadata: created_on 2022_11_22, old_sid 5003705; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A Windows Filtering Platform callout has been changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5446; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009700; metadata: created_on 2022_11_22, old_sid 5003706; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A Windows Filtering Platform filter has been changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5447; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009701; metadata: created_on 2022_11_22, old_sid 5003707; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A Windows Filtering Platform provider has been changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5448; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009702; metadata: created_on 2022_11_22, old_sid 5003708; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A Windows Filtering Platform provider context has been changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5449; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009703; metadata: created_on 2022_11_22, old_sid 5003709; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A Windows Filtering Platform sublayer has been changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5450; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009704; metadata: created_on 2022_11_22, old_sid 5003710; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An IPsec Quick Mode security association was established"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5451; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009705; metadata: created_on 2022_11_22, old_sid 5003711; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An IPsec Quick Mode security association ended"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5452; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009706; metadata: created_on 2022_11_22, old_sid 5003712; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine applied Active Directory storage IPsec policy on the computer"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5456; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009707; metadata: created_on 2022_11_22, old_sid 5003713; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to apply Active Directory storage IPsec policy on the computer"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5457; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009708; metadata: created_on 2022_11_22, old_sid 5003714; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5458; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009709; metadata: created_on 2022_11_22, old_sid 5003715; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5459; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009710; metadata: created_on 2022_11_22, old_sid 5003716; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine applied local registry storage IPsec policy on the computer"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5460; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009711; metadata: created_on 2022_11_22, old_sid 5003717; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to apply local registry storage IPsec policy on the computer"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5461; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009712; metadata: created_on 2022_11_22, old_sid 5003718; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to apply some rules of the active IPsec policy on the computer"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5462; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009713; metadata: created_on 2022_11_22, old_sid 5003719; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine polled for changes to the active IPsec policy and detected no changes"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5463; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009714; metadata: created_on 2022_11_22, old_sid 5003720; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine polled for changes to the active IPsec policy"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5464; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009715; metadata: created_on 2022_11_22, old_sid 5003721; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5465; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009716; metadata: created_on 2022_11_22, old_sid 5003722; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy instead"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5466; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009717; metadata: created_on 2022_11_22, old_sid 5003723; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5467; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009718; metadata: created_on 2022_11_22, old_sid 5003724; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5468; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009719; metadata: created_on 2022_11_22, old_sid 5003725; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine loaded local storage IPsec policy on the computer"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5471; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009720; metadata: created_on 2022_11_22, old_sid 5003726; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to load local storage IPsec policy on the computer"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5472; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009721; metadata: created_on 2022_11_22, old_sid 5003727; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine loaded directory storage IPsec policy on the computer"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5473; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009722; metadata: created_on 2022_11_22, old_sid 5003728; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to load directory storage IPsec policy on the computer"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5474; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009723; metadata: created_on 2022_11_22, old_sid 5003729; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to add quick mode filter"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5477; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009724; metadata: created_on 2022_11_22, old_sid 5003730; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec Services has been shut down successfully"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5479; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009725; metadata: created_on 2022_11_22, old_sid 5003731; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A request was made to authenticate to a wireless network"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5632; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009726; metadata: created_on 2022_11_22, old_sid 5003732; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A request was made to authenticate to a wired network"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5633; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009727; metadata: created_on 2022_11_22, old_sid 5003733; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A Remote Procedure Call (RPC) was attempted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5712; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009728; metadata: created_on 2022_11_22, old_sid 5003734; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An object in the COM+ Catalog was modified"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5888; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009729; metadata: created_on 2022_11_22, old_sid 5003735; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An object was deleted from the COM+ Catalog"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5889; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009730; metadata: created_on 2022_11_22, old_sid 5003736; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An object was added to the COM+ Catalog"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5890; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009731; metadata: created_on 2022_11_22, old_sid 5003737; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The previous system shutdown was unexpected"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6008; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009732; metadata: created_on 2022_11_22, old_sid 5003738; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Security policy in the Group Policy objects has been applied successfully"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6144; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009733; metadata: created_on 2022_11_22, old_sid 5003739; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Network Policy Server granted access to a user"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6272; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009734; metadata: created_on 2022_11_22, old_sid 5003740; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A handle to an object was requested"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 561; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009735; metadata: created_on 2022_11_22, old_sid 5003741; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Object open for delete"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 563; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009736; metadata: created_on 2022_11_22, old_sid 5003742; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] User Account Type Changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 625; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009737; metadata: created_on 2022_11_22, old_sid 5003743; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec policy agent started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:613; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009738; metadata: created_on 2022_11_22, old_sid 5003744; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec policy agent disabled"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 614; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009739; metadata: created_on 2022_11_22, old_sid 5003745; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec policy agent"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 615; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009740; metadata: created_on 2022_11_22, old_sid 5003746; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec policy agent encountered a potential serious failure"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 616; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009741; metadata: created_on 2022_11_22, old_sid 5003747; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Encryption of volume started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 24577; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009742; metadata: created_on 2022_11_22, old_sid 5003748; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Encryption of volume stopped"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 24578; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009743; metadata: created_on 2022_11_22, old_sid 5003749; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Encryption of volume completed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 24579; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009744; metadata: created_on 2022_11_22, old_sid 5003750; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Decryption of volume started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 24580; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009745; metadata: created_on 2022_11_22, old_sid 5003751; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Decryption of volume stopped"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 24581; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009746; metadata: created_on 2022_11_22, old_sid 5003752; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Decryption of volume completed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 24582; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009747; metadata: created_on 2022_11_22, old_sid 5003753; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Conversion worker thread for volume started"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 24583; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009748; metadata: created_on 2022_11_22, old_sid 5003754; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Conversion worker thread for volume temporarily stopped"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 24584; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009749; metadata: created_on 2022_11_22, old_sid 5003755; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The conversion operation on volume encountered a bad sector error"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 24588; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009750; metadata: created_on 2022_11_22, old_sid 5003756; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Volume contains bad clusters"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 24595; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009751; metadata: created_on 2022_11_22, old_sid 5003757; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Initial state check: Rolling volume conversion transaction on"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 24621; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009752; metadata: created_on 2022_11_22, old_sid 5003758; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] An IPsec Security Association was deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5049; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009753; metadata: created_on 2022_11_22, old_sid 5003759; rev: 2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] IPsec Services has started successfully"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5478; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; sid:5009754; metadata: created_on 2022_11_22, old_sid 5003760; rev: 2;)
# Rule based on something I saw from Casey Pennington @ Quadrant
# Champ Clark III - 2018/10/02
# Event 8415 whose rendered message contains "NBNS spoofer was discovered" (case-insensitive).
# parse_src_ip: 1 takes the first IP address found in the message as the alert's source address
# (presumably the address the reporting host attributes the spoofed answer to — verify against a sample event).
# NOTE(review): this rule has no program: selector, unlike the surrounding *Security* rules, so
# event_id 8415 is matched regardless of the originating program/channel — confirm that is intended.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Potential NetBIOS name spoofing"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 8415; content: "NBNS spoofer was discovered"; nocase; parse_src_ip: 1; classtype: suspicious-traffic; reference: url,www.packtpub.com/mapt/book/networking_and_servers/9781785285561/5/ch05lvl1sec32/nbns-spoofing; sid:5009755; metadata: created_on 2022_11_22, old_sid 5003937; rev: 2;)
# Detects export of a secret key. By SDrenning, based on Golden SAML IOCs.
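# Process-creation event 4688 whose command line invokes certutil with -exportPFX (the certificate
# export step called out in the referenced Golden SAML advisory).
# rev 2: "certutil" and "|2d|exportPFX" are now two ordered, case-insensitive content checks
# (distance:0) instead of the single literal "certutil -exportPFX"; the old form missed any invocation
# where the .exe suffix or another switch (e.g. -p) sat between the two tokens. Everything the old form
# matched is still matched.
# NOTE(review): 4688 only carries the command line when process-creation command-line auditing is
# enabled on the source hosts — confirm for the feeds using this input.
# NOTE(review): direction is $HOME_NET -> $EXTERNAL_NET while the neighbouring rules use
# $HOME_NET -> $HOME_NET; verify that is intended for this pipeline.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-SECURITY] Command to Export Secret Key Detected"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688; content: "certutil"; nocase; content: "|2d|exportPFX"; nocase; distance:0; classtype: suspicious-command; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; reference: url,sygnia.co/golden-saml-advisory; sid:5009756; metadata: created_on 2022_11_22, old_sid 5005956; rev:2;)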
# Security event 4688 (process creation) whose rendered text contains "powershell" (case-insensitive),
# an encoded-command switch — " -e ", " -ec ", " -enc " or " -EncodedCommand " — and, within 100 bytes
# of it, a space followed by one of the listed base64 prefixes (common starts of encoded "$", "IEX",
# "cmd", "C:\" and PE/ZIP payloads; see the referenced gist for the mapping).
# Each %sagan% template expands to one check per listed value.
# "[1/2]" implies a companion rule; it is not within this part of the file.
# NOTE(review): 4688 carries the command line only when process-creation command-line auditing is
# enabled on the source hosts — confirm for the feeds using this input.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Suspicious Base64 Encoded Commands [1/2]"; program:*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4688; content: "powershell"; nocase; meta_content:" -%sagan% ",e,ec,enc,EncodedCommand; meta_content:" %sagan%",JAB,TVq,SUVY,SQBFAF,SQBuAH,aWV4,aQBlA,Y21k,Qzpc,Yzpc,UEs; meta_within:100; reference:url,gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639; classtype:suspicious-command; sid:5009757; metadata: created_on 2022_11_22, old_sid 5007159; rev:1;)
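# Event 4798 (a user's local group membership was enumerated) where the queried group is one of the
# well-known local groups S-1-5-32-{544,545,546,547,548,549,550,555} (Administrators, Users, Guests,
# Power Users, Account Operators, Server Operators, Print Operators, Remote Desktop Users).
# Exclusions: Process ID 0x0, a process under C:\Windows\System32, or a process under
# "<drive>:\Program Files" (distance:1/within:15 inspects the 15 bytes after the drive letter that
# follows "Process Name: ").
# rev 2: first reference corrected from the event-4799 page to the event-4798 page, which is the event
# this rule keys on.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] A user's local group membership was enumerated"; program:*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4798; meta_content:"Group|3a| Security ID|3a| S-1-5-32-%sagan%",544,545,546,547,548,549,550,555; content:!"Process ID: 0x0"; content:!"Process Name: C:\\Windows\\System32"; content:"Process Name: "; content:!":\\Program Files"; distance:1; within:15; reference:url,docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798; reference:url,docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers; classtype:attempted-recon; sid:5009758; metadata: created_on 2022_11_22, old_sid 5007214; rev:2;)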
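# Event 4798 for a domain group: the group SID starts "S-1-5" and contains "-<RID>" for one of
# 500,501,502,512,513,514,515,516,517,518,519,520,553 (e.g. Domain Admins 512, Schema Admins 518,
# Enterprise Admins 519). Same Process ID / System32 / Program Files exclusions as the local-group rule.
# rev 2: the RID template was "%sagan%-" (RID followed by a dash). A domain RID is the final SID
# component, so it is preceded by "-" and followed by nothing; "512-" could only ever match digits
# inside a subauthority. Changed to "-%sagan%", which is also what the 4799 sibling rule uses.
# First reference corrected from event-4799 to event-4798.
# NOTE(review): "-%sagan%" is still an unanchored substring, so "-512" also hits inside a subauthority
# such as "-5123456-"; a terminator after the RID would tighten it, but the rendered line ending is not
# known from here.
# NOTE(review): 500/501/502 are account RIDs (Administrator, Guest, krbtgt), not group RIDs — verify
# they belong in a Group SID list.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] A user's local group membership was enumerated (Domain Groups)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4798; content:"Group|3a| Security ID|3a| S-1-5"; meta_content:"-%sagan%",500,501,502,512,513,514,515,516,517,518,519,520,553; content:!"Process ID: 0x0"; content:!"Process Name: C:\\Windows\\System32"; content:"Process Name: "; content:!":\\Program Files"; distance:1; within:15; reference:url,docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798; reference:url,docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers; classtype:attempted-recon; sid:5009759; metadata: created_on 2022_11_22, old_sid 5007215; rev:2;)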
# Event 4799 (security-enabled local group membership enumerated) for one of the well-known local
# groups S-1-5-32-{544,545,546,547,548,549,550,555} (Administrators, Users, Guests, Power Users,
# Account Operators, Server Operators, Print Operators, Remote Desktop Users).
# Filters: the "Account Name:" value must not contain "$" within the following 100 bytes (skips
# computer accounts); the enumerating process must not be PID 0x0, nor live under C:\Windows\System32,
# nor under "<drive>:\Program Files" (distance:0/within:16 inspects the 16 bytes right after
# "Process Name: ").
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] A security-enabled local group membership was enumerated"; program:*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4799; content:"Account Name|3a| "; content:!"|24|"; distance:0; within:100; meta_content:"Group|3a| Security ID|3a| S-1-5-32-%sagan%",544,545,546,547,548,549,550,555; content:!"Process ID: 0x0"; content:!"Process Name: C:\\Windows\\System32"; content:"Process Name: "; content:!":\\Program Files"; distance:0; within:16; reference:url,docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799; reference:url,docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers; classtype:attempted-recon; sid:5009760; metadata: created_on 2022_11_22, old_sid 5007216; rev:3;)
# Event 4799 for a domain group: the group SID starts "S-1-5" and contains "-<RID>" for one of
# 500,501,502,512,513,514,515,516,517,518,519,520,553 (e.g. Domain Admins 512, Schema Admins 518,
# Enterprise Admins 519). Same Process ID / System32 / Program Files exclusions as the local-group
# rule above.
# NOTE(review): "-%sagan%" is an unanchored substring, so "-512" also hits inside a subauthority such
# as "-5123456-"; a terminator after the RID would tighten it, but the rendered line ending is not
# known from here.
# NOTE(review): 500/501/502 are account RIDs (Administrator, Guest, krbtgt), not group RIDs — verify
# they belong in a Group SID list.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] A security-enabled local group membership was enumerated (Domain Groups)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4799; content:"Group|3a| Security ID|3a| S-1-5"; meta_content:"-%sagan%",500,501,502,512,513,514,515,516,517,518,519,520,553; content:!"Process ID: 0x0"; content:!"Process Name: C:\\Windows\\System32"; content:"Process Name: "; content:!":\\Program Files"; distance:0; within:16; reference:url,docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799; reference:url,docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers; classtype:attempted-recon; sid:5009761; metadata: created_on 2022_11_22, old_sid 5007217; rev:3;)
#added by bsmith @ 19 Sept 2022
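# Object-access event 4663 on the Teams Cookies store under %APPDATA%\Microsoft\Teams, raised when the
# "Process Name:" is not Teams.exe itself — a non-Teams process reading this file is the token-theft
# indicator described in the referenced Vectra write-up.
# rev 2: object path corrected from "\Microsft\Teams" to "\Microsoft\Teams"; the misspelled path
# never matched a real event.
# NOTE(review): the exclusion is "\Teams.exe " with a trailing space. If the rendered "Process Name:"
# value ends at end-of-line rather than a space, Teams.exe is not excluded and the rule fires on every
# legitimate access — confirm against a sample event before relying on it.
# NOTE(review): 4663 is only emitted when a SACL covers this path on the source hosts — confirm the
# object-access auditing is in place, otherwise the rule is silent.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Possible Microsoft Teams token access via Cookies"; program:*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4663; content:"Object Name:"; content:"\\AppData\\Roaming\\Microsoft\\Teams\\Cookies"; nocase; distance:0; content:"Process Name:"; content:!"\\Teams.exe "; nocase; distance:0; reference:url,www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens; classtype:suspicious-command; sid:5009762; metadata: created_on 2022_11_22, old_sid 5007694; rev:2;)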
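# Object-access event 4663 on the Teams "Local Storage\leveldb" store under %APPDATA%\Microsoft\Teams,
# raised when the "Process Name:" is not Teams.exe itself (same token-theft indicator as the Cookies
# rule; see the referenced Vectra write-up).
# rev 2: object path corrected from "\Microsft\Teams" to "\Microsoft\Teams"; the misspelled path
# never matched a real event.
# NOTE(review): the exclusion is "\Teams.exe " with a trailing space. If the rendered "Process Name:"
# value ends at end-of-line rather than a space, Teams.exe is not excluded and the rule fires on every
# legitimate access — confirm against a sample event before relying on it.
# NOTE(review): 4663 is only emitted when a SACL covers this path on the source hosts — confirm the
# object-access auditing is in place, otherwise the rule is silent.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Possible Microsoft Teams token access via leveldb"; program:*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4663; content:"Object Name:"; content:"\\AppData\\Roaming\\Microsoft\\Teams\\Local Storage\\leveldb"; nocase; distance:0; content:"Process Name:"; content:!"\\Teams.exe "; nocase; distance:0; reference:url,www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens; classtype:suspicious-command; sid:5009763; metadata: created_on 2022_11_22, old_sid 5007695; rev:2;)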
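# Event 4672 (special privileges assigned to new logon) for a non-SYSTEM account whose privilege list
# includes SeLoadDriverPrivilege — the right needed to unload the Sysmon driver (see references).
# rev 2: privilege name corrected from "SeLoadDriverPrivileges" to "SeLoadDriverPrivilege"; Windows
# reports the singular constant, so the plural never matched.
# NOTE(review): SeLoadDriverPrivilege is granted to Administrators by default, so with the corrected
# name this fires on every non-SYSTEM administrative logon; expect volume and tune (e.g. by account or
# host) before treating it as a high-fidelity signal.
# NOTE(review): the "Account Name: SYSTEM" exclusion depends on the exact rendered spacing of the
# field — confirm against a sample event.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Attack on Sysmon - Possible Driver Unload"; program:*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4672; content:!"Account Name: SYSTEM"; nocase; content:"SeLoadDriverPrivilege"; reference:url,codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html; reference:url,github.com/matterpreter/Shhmon; reference:url,posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650; classtype:suspicious-command; sid:5009764; metadata: created_on 2022_11_22, old_sid 5007700; rev:2;)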
# Event 4656 (a handle to an object was requested) where "Object Name:" is followed (meta_distance:0)
# by sysmon.exe or sysmon64.exe and "Access Mask:" is followed by 0x1FFFFF (PROCESS_ALL_ACCESS) — the
# full-rights handle needed to tamper with the Sysmon process.
# NOTE(review): 4656 is only logged when handle-manipulation / object auditing is enabled for the
# target on the source hosts — confirm the feed actually produces it, otherwise the rule is silent.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Attack on Sysmon - Process Injection"; program:*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4656; content:"Object Name:"; nocase; meta_content:"%sagan%",sysmon.exe,sysmon64.exe; meta_nocase; meta_distance:0; content:"Access Mask:"; nocase; content:"0x1FFFFF"; nocase; distance:0; reference:url,codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html; classtype:suspicious-command; sid:5009765; metadata: created_on 2022_11_22, old_sid 5007701; rev:1;)
# Event 4656 on an object named sysmon.exe / sysmon64.exe (meta_distance:0 after "Object Name:")
# whose text also contains "Duplicate handle into" (case-insensitive, unanchored) — the
# handle-duplication variant covered by the referenced write-up.
# NOTE(review): as with the Access Mask rule above, 4656 requires object auditing on the source
# hosts; verify the "Duplicate handle into" wording against a real rendered event.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Attack on Sysmon - Process Injection Duplicate Handle"; program:*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4656; content:"Object Name:"; nocase; meta_content:"%sagan%",sysmon.exe,sysmon64.exe; meta_nocase; meta_distance:0; content:"Duplicate handle into"; nocase; reference:url,codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html; classtype:suspicious-command; sid:5009766; metadata: created_on 2022_11_22, old_sid 5007702; rev:1;)
#2022-10-17 Bryant Smith
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Service being stopped by net command v1"; program:*Sysmon*|*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4688,1; content:"C|3a 5c 5c|Windows|5c 5c|system32|5c 5c|net1 stop"; nocase; meta_content:"%sagan%",|5c 5c|Windows|5c 5c|Temp,|5c 5c|AppData|5c 5c|Local|5c 5c|Temp|; meta_nocase; classtype:suspicious-command; sid:5009767; metadata: created_on 2022_11_22, old_sid 5008343; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Service being stopped by net command v2"; program:*Sysmon*|*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4688,1; content:"C|3a 5c 5c|Windows|5c 5c|system32|5c 5c|net1 stop"; nocase; meta_content:"%sagan%",|5c 5c|Windows|5c 5c|Temp,|5c 5c|AppData|5c 5c|Local|5c 5c|Temp; content:!"SnowInventoryClient"; classtype:suspicious-command; sid:5009768; metadata: created_on 2022_11_22, old_sid 5008344; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Disable Windows Security"; program:*Sysmon|*Security; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:1,4688; meta_content:"%sagan%",DisableRealtimeMonitoring,DisableAntiSpyware,Uninstall-WindowsFeature|20|-Name|20|Windows-Defender; meta_nocase; classtype:suspicious-command; sid:5009769; metadata: created_on 2022_11_22, old_sid 5008347; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Copied rundll32 command executing non-standard dll"; program:Clipboard; content:"rundll32.exe"; nocase; content:!".dll,"; distance:0; nocase; classtype:suspicious-command; sid:5009770; metadata: created_on 2022_11_22, old_sid 5008348; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Possible UAC Bypass - Rundll32.exe using DLLRegister"; program:*Sysmon|*Security; content:"CommandLine: C:\\Windows\\system32\\rundll32.exe"; nocase; content:",DllRegisterServer"; reference:url,redcanary.com/threat-detection-report/techniques/rundll32/; classtype:suspicious-command; sid:5009771; metadata: created_on 2022_11_22, old_sid 5008351; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Exfil software rclone detected"; program:*Security|*Sysmon; content:"rclone"; nocase; classtype:trojan-activity; sid:5009772; metadata: created_on 2022_11_22, old_sid 5008354; rev:2;)
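# 5009773: 7045 (System log) service install whose Service File Name runs powershell through %COMSPEC%.
# rev 2: "powershell" is now matched case-insensitively; the previous case-sensitive match missed the
# common "PowerShell" spelling in the service binary path.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] A service was installed in the system (powershell)"; program:System; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7045; content:"Service File Name"; content:"%COMSPEC%"; distance:0; content:"powershell"; nocase; distance:0; classtype:suspicious-command; sid:5009773; metadata: created_on 2022_11_22, old_sid 5008357; rev:2;)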
# 7045 (System log) service installs whose Service File Name points at rundll32: 5009774 with a ,DllRegisterServer
# export, 5009775 with a .xls argument, 5009776 with a binary under C:\users\public\. Each discriminating string is
# case-insensitive and anchored after "rundll32" via distance:0.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] A service was installed in the system (DllRegisterServer)"; program:System; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7045; content:"Service File Name"; content:"rundll32"; distance:0; content:",DllRegisterServer"; nocase; distance:0; classtype:suspicious-command; sid:5009774; metadata: created_on 2022_11_22, old_sid 5008358; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] A service was installed in the system (rundll32 .xls)"; program:System; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7045; content:"Service File Name"; content:"rundll32"; distance:0; content:".xls,"; nocase; distance:0; classtype:suspicious-command; sid:5009775; metadata: created_on 2022_11_22, old_sid 5008359; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] A service was installed in the system (rundll32 public directory)"; program:System; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7045; content:"Service File Name"; content:"rundll32"; distance:0; content:"C:\\users\\public\\"; nocase; distance:0; classtype:suspicious-command; sid:5009776; metadata: created_on 2022_11_22, old_sid 5008360; rev:1;)
# 5009777: ".basta " file extension seen in file/share access events (Sysmon 11, 4663, 567, 5145). Alerts after
# 10 hits within 300 s per tracked key, then suppresses for an hour. The "username" json_map is bound to
# .Computer, so by_username tracking actually keys on the host, not on an account.
# NOTE(review): program uses a comma separator (*Security*,*Sysmon*) where every other multi-program rule in this
# file uses "|" — confirm Sagan accepts the comma form, otherwise only one of the two sources is matched.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Blackbasta ransomware file extension detected (.basta)"; program:*Security*,*Sysmon*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:11,4663,567,5145; content:".basta "; nocase; after: track by_username, count 10, seconds 300; threshold: type suppress, track by_username, count 10, seconds 3600; classtype:ransomware; sid:5009777; metadata: created_on 2022_11_22, old_sid 5008361; rev:2;)
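# 5009778: process-creation command line running bcdedit ... set ... safeboot, a pre-encryption step the
# Deep Instinct reference attributes to Black Basta. "set" and "safeboot" are bare substrings anchored after
# "bcdedit"; only "bcdedit" is matched case-insensitively.
# rev 2: msg text corrected from "bcedit" to "bcdedit" so alerts name the actual binary.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] bcdedit safeboot command (Blackbasta)"; program:*Sysmon*|*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:1,4688; content:"bcdedit"; nocase; content:"set"; distance:0; content:"safeboot"; distance:0; reference:url,www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence; classtype:trojan-activity; sid:5009778; metadata: created_on 2022_11_22, old_sid 5008400; rev:2;)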
#updated by bs 15 Apr 2024
# 5014548: Fax service (ServiceName="Fax") installed via 7045, which the Minerva reference ties to Black Basta.
# NOTE(review): this rule matches the attribute-style rendering (EventID="7045") instead of the json_map fields the
# other 7045 rules use — confirm the System channel arrives in that shape on this pipeline.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Fax service installed - Possible BlackBasta"; program:*System*|*Service*; content:"EventID=|22|7045|22|"; nocase; content:"ServiceName=|22|Fax|22|"; content:"A service was installed in the system"; reference:url,minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service/; classtype:trojan-activity; sid:5014548; metadata: created_on 2022_11_22, old_sid 5010458; rev:1;)
# 5014549: 5379 credential-manager read whose target is Microsoft_Windows_Shell_ZipFolder, i.e. Explorer supplied
# a cached password for a protected zip (see the reference).
# NOTE(review): this is the only rule in the file declared "alert tcp" rather than "alert any" — confirm that is
# intentional, since the protocol field is otherwise unused for these log sources.
alert tcp $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Password Protected Zip File Opened"; program:*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:5379; content:"Microsoft_Windows_Shell_ZipFolder"; reference:url,www.socinvestigation.com/windows-event-id-5379-to-detect-malicious-password-protected-file-unlock/; classtype:suspicious-command; sid:5014549; metadata: created_on 2022_11_22, old_sid 5010484; rev:1;)
# comsvcs.dll MiniDump (5014550-5014553): rundll32 pointing at comsvcs.dll with the MiniDump export, by name
# (with or without a space after the comma) or by ordinal (#24), plus the sc.exe create binpath= variant; a
# process-memory dump primitive per the JohnLaTwC reference. The msg text says "Comsrvc" for what is comsvcs.dll.
# NOTE(review): 5014550/5014551/5014553 write the path with single backslashes (C:\Windows\System32\comsvcs.dll)
# whereas 5009763/5009771/5009776 above escape them as \\ — confirm which form Sagan's content parser expects;
# only one of the two forms can match the rendered path.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Comsrvc MiniDump Command"; program:*Security*|*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:1,4688; content:"rundll32.exe"; content:"C:\Windows\System32\comsvcs.dll, MiniDump"; nocase; distance:0; reference:url,gist.github.com/JohnLaTwC/3e7dd4cd8520467df179e93fb44a434e; classtype:suspicious-command; sid:5014550; metadata: created_on 2022_11_22, old_sid 5010485; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Comsrvc MiniDump Command"; program:*Security*|*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:1,4688; content:"rundll32.exe"; content:"C:\Windows\System32\comsvcs.dll,MiniDump"; nocase; distance:0; reference:url,gist.github.com/JohnLaTwC/3e7dd4cd8520467df179e93fb44a434e; classtype:suspicious-command; sid:5014551; metadata: created_on 2022_11_22, old_sid 5010486; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Comsrvc MiniDump Command"; program:*Security*|*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:1,4688; content:"rundll32"; content:"comsvcs,#24"; nocase; distance:0; reference:url,gist.github.com/JohnLaTwC/3e7dd4cd8520467df179e93fb44a434e; classtype:suspicious-command; sid:5014552; metadata: created_on 2022_11_22, old_sid 5010487; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Comsrvc MiniDump Command via Service Control"; program:*Security*|*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:1,4688; content:"sc.exe"; content:"create"; content:"binpath="; content:"C:\Windows\System32\comsvcs.dll"; nocase; reference:url,gist.github.com/JohnLaTwC/3e7dd4cd8520467df179e93fb44a434e; classtype:suspicious-command; sid:5014553; metadata: created_on 2022_11_22, old_sid 5010488; rev:1;)
# 5014554: cmd.exe command line using a caret-escaped redirection (2^>), an obfuscation trick per the reference.
# Paths under \Microsoft SQL Server\ are excluded, presumably a known benign producer of that form.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Possible Obfuscation - CMD with Caret in Redirection"; program:*Security*|*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:1,4688; content:"cmd.exe"; content:"2^>"; content:!"|5c|Microsoft SQL Server|5c|"; reference:url,blog.alphathreat.in/index.php?post/2021/08/03/Malware-techniques%3A-Windows-Command-Obfuscation; classtype:suspicious-command; sid:5014554; metadata: created_on 2022_11_22, old_sid 5010489; rev:1;)
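# 5014555: Right-to-Left Override (U+202E) in a process-creation command line, used to disguise a file's real
# extension (T1036.002, references). The list covers the escaped renderings seen in logs (\u202E, %E2%80%AE,
# [U+202E], <202e>).
# rev 2: added the raw UTF-8 encoding |E2 80 AE| — if the JSON decoder has already unescaped \u202E before Sagan
# sees the message, only the raw bytes are present and none of the escaped forms match.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Right to Left Masquerading Detected"; program:*Sysmon*|*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:1,4688; meta_content:"%sagan%",\\u202E,%E2%80%AE,[U+202E],<202e>,|E2 80 AE|; meta_nocase; reference:url,micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0; reference:url,attack.mitre.org/techniques/T1036/002/; classtype:trojan-activity; sid:5014555; metadata: created_on 2022_11_22, old_sid 5010909; rev:2; metadata:deployment Both,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_01, updated_at 2023_02_01, mitre_tactic_id TA0005, mitre_technique_id T1036.002;)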
# 5014556: "copy" plus one of the rclone transfer flags (--ignore-existing, --auto-confirm, --transfers,
# --multi-thread-streams) in a process-creation command line (DFIR Report reference). "copy" is a bare,
# case-sensitive substring with no distance anchor.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Possible Rclone Exfil CommandLine Parameters"; program:*Security*|*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:1,4688; content:"copy"; meta_content:"%sagan%",--ignore-existing,--auto-confirm,--transfers,--multi-thread-streams; reference:url,thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/; classtype:trojan-activity; sid:5014556; metadata: created_on 2022_11_22, old_sid 5010910; rev:1; metadata:deployment Endpoint,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_07, updated_at 2023_02_07, mitre_tactic_id TA0010, mitre_technique_id T1567.002;)
# 5014557/5014558: the client address "::%16777216" (|3a 3a 25| is "::%") in RDP session reconnect/disconnect
# events (4778/4779) and in the TerminalServices logs — the loopback-scoped IPv6 address the references associate
# with RDP arriving through a local tunnel rather than from the network.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] RDP Tunnel Detected"; program:*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4778,4779; content:"|3a 3a 25|16777216"; reference:url,www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial; reference:url,www.logpoint.com/en/blog/a-deep-look-at-the-darkside-ransomware-operators-and-their-affiliates/; classtype:trojan-activity; sid:5014557; metadata: created_on 2022_11_22, old_sid 5012094; rev:1; metadata:deployment Both,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_05_22, updated_at 2023_05_22, mitre_tactic_id TA0011, mitre_technique_id T1572;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[TERMINAL-SERVICES] RDP Tunnel Detected"; program:*TerminalServices*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; content:"|3a 3a 25|16777216"; reference:url,www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial; reference:url,www.logpoint.com/en/blog/a-deep-look-at-the-darkside-ransomware-operators-and-their-affiliates/; classtype:trojan-activity; sid:5014558; metadata: created_on 2022_11_22, old_sid 5012095; rev:1; metadata:deployment Both,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_05_22, updated_at 2023_05_22, mitre_tactic_id TA0011, mitre_technique_id T1572;)
# Azure serial-console abuse (5014559-5014563, Mandiant reference): the VMAccess extension enumerating the local
# Administrators group (4799), ssh.exe forwarding 127.0.0.1/localhost:3389 in a 4688 command line, and
# sacsess.exe appearing alongside cmd.exe. 5014560 (CollectGuestLogs.exe) is disabled.
# 5014561 also requires "cmd.exe" in the same 4688 event, so ssh.exe started from a different parent is not covered.
# NOTE(review): 5014563 is keyed on 4648 (logon with explicit credentials), not process creation, so its msg
# "spawned cmd.exe" overstates what that event shows; 5014562 (4688) is the actual spawn detection.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] VMAccessExtension Administrator group enumeration"; program:*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4799; content:"Administrators"; content:"JsonVMAccessExtension.exe"; reference:url,www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial; classtype:trojan-activity; sid:5014559; metadata: created_on 2022_11_22, old_sid 5012096; rev:1; metadata:deployment Both,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_05_22, updated_at 2023_05_22, mitre_tactic_id TA0003, mitre_technique_id T1098;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Collect Guest logs Executed"; program:*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4688; content:"cmd.exe"; nocase; content:"CollectGuestLogs.exe"; nocase; reference:url,www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial; classtype:trojan-activity; sid:5014560; metadata: created_on 2022_11_22, old_sid 5012097; rev:1; metadata:deployment Both,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_05_22, updated_at 2023_05_22, mitre_tactic_id TA0002, mitre_technique_id T1204;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Inbound RDP Tunneling"; program:*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4688; content:"cmd.exe"; nocase; content:"ssh.exe"; nocase; meta_content:"|3a|%sagan%|3a|3389",127.0.0.1,localhost; reference:url,www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial; classtype:trojan-activity; sid:5014561; metadata: created_on 2022_11_22, old_sid 5012098; rev:1; metadata:deployment Both,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_05_22, updated_at 2023_05_22, mitre_tactic_id TA0011, mitre_technique_id T1572;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Sacsess.exe spawn cmd.exe"; program:*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4688; content:"sacsess.exe"; nocase; content:"cmd.exe"; nocase; reference:url,www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial; classtype:trojan-activity; sid:5014562; metadata: created_on 2022_11_22, old_sid 5012099; rev:1; metadata:deployment Both,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_05_22, updated_at 2023_05_22, mitre_tactic_id TA0002, mitre_technique_id T1059;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SECURITY] Sacsess.exe spawned cmd.exe"; program:*Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4648; content:"sacsess.exe"; nocase; content:"cmd.exe"; nocase; reference:url,www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial; classtype:trojan-activity; sid:5014563; metadata: created_on 2022_11_22, old_sid 5012100; rev:1; metadata:deployment Both,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_05_22, updated_at 2023_05_22, mitre_tactic_id TA0002, mitre_technique_id T1059;)