
Alert templates

Updated this week

Alert Templates are pre-configured monitoring rules that serve as a starting point with preloaded conditions and actions. Instead of setting up alerts from scratch, you can quickly select from a comprehensive list of templates, including Microsoft's recommended security alerts, and add them directly to your policies for immediate deployment across managed assets.

In this article, discover what each alert template monitors so you can decide which ones to include in your policies.

There are around 250 alert templates. If you want to know what a particular alert does, search this page (Cmd/Ctrl + F) for the alert's name.

Hardware monitoring alerts

Alert Name

Description

Low Disk Free Space

Monitors when available disk space falls below a defined threshold (typically 10-20% remaining). Important for preventing system crashes, ensuring applications can write temporary files, and maintaining system performance. Critical for servers handling logs or databases.

High CPU Usage

Tracks when processor utilization exceeds normal thresholds (typically 80-90% for sustained periods). Important for detecting performance bottlenecks, potential malware activity, or applications consuming excessive resources. Can indicate need for hardware upgrades or process optimization.

Public Firewall Disabled

Critical security alert when Windows Defender Firewall is turned off for the Public network profile. That profile applies when the system is connected to an untrusted network such as public Wi-Fi, so a disabled firewall leaves every listening service on the host exposed to it. This template checks the Public profile only; the Domain and Private profiles are separate settings.

S.M.A.R.T Status is not OK

Critical hardware alert indicating that the drive's Self-Monitoring, Analysis and Reporting Technology (S.M.A.R.T.) status is no longer OK. Suggests impending drive failure: take a backup immediately and replace the drive to prevent data loss.

High Memory Usage

Monitors when RAM utilization exceeds defined thresholds (typically 80-90%). Important for detecting memory leaks, applications consuming excessive memory, or insufficient RAM for current workload. Can cause system slowdowns and application crashes.

Disk Space is critically low

Emergency alert when disk space reaches critically low levels (typically <5% or <1GB remaining). Immediate action required as systems may crash, fail to boot, or become unstable when completely out of space.

High Disk Activity

Tracks when disk input/output operations exceed normal levels for sustained periods. Important for detecting performance bottlenecks, potential malware scanning activities, or applications with excessive disk usage patterns.

Extreme Disk Usage

Critical alert for severe disk activity levels that may indicate system thrashing, failing hardware, or runaway processes. Can cause severe performance degradation and potential system instability requiring immediate investigation.

CPU Overload

Critical alert when processor utilization reaches maximum capacity (95-100%) for extended periods. Indicates severe performance issues that can cause system unresponsiveness, application timeouts, and poor user experience.

Memory Usage Overload

Critical alert when RAM usage approaches maximum capacity. Can lead to system instability, application crashes, excessive page file usage, and severe performance degradation. May require immediate process termination or system restart.

Unused Memory Alert

Monitors when significant amounts of memory remain unused, potentially indicating over-provisioned systems or applications not utilizing available resources efficiently. Useful for capacity planning and resource optimization.

High Network Traffic

Tracks when network utilization exceeds normal thresholds on network interfaces. Important for detecting bandwidth bottlenecks, potential DDoS attacks, data exfiltration, or applications consuming excessive bandwidth.

Severe Network Congestion

Critical alert for extreme network utilization levels that may cause packet loss, timeouts, and application failures. Can indicate network attacks, hardware failures, or severely under-provisioned network capacity.

Low Network Activity

Monitors unusually low network traffic which may indicate connectivity issues, failed network services, or systems not functioning properly. Useful for detecting network isolation or service failures.

Network Interface is Down

Critical alert when network adapters become unavailable or disconnected. Immediate connectivity concern that can isolate systems from network resources, prevent remote management, and disrupt business operations.

Network Interface Failure

Critical hardware alert indicating network adapter hardware failure or driver issues. Can cause complete network connectivity loss requiring hardware replacement or driver troubleshooting.

Bitlocker disabled

Critical security alert when BitLocker drive encryption is disabled on systems that should be encrypted. Creates significant data protection risk, especially for laptops and mobile devices that could be lost or stolen.

Decryption Stalled

Alert when BitLocker decryption process has stopped progressing. Important for tracking encryption status changes and detecting issues that prevent completion of decryption operations.

Decryption in Progress

Informational alert tracking ongoing BitLocker decryption operations. Important for monitoring encryption status changes and ensuring decryption processes complete successfully without data loss.

Encryption Stalled

Alert when BitLocker encryption process has stopped progressing. Critical for data protection as stalled encryption leaves data partially protected and may indicate system issues requiring intervention.

Server Agent Down

Critical alert when the SuperOps monitoring agent on a server becomes unresponsive or stops communicating with the management platform. Indicates loss of monitoring visibility and remote management capabilities. Could suggest system issues, network connectivity problems, service failures, or potential security incidents affecting the monitored server.
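The following script is an added example, not SuperOps code: it reproduces the conditions behind several of the hardware-section templates (low/critical disk space, S.M.A.R.T. status, Public firewall profile, BitLocker disabled and stalled encryption) as local PowerShell checks, so you can confirm on a test host what state a template would react to before rolling a policy out. The thresholds (10% free, 5 GB, a 30-second stall sample) are assumptions, not SuperOps defaults. It needs an elevated Windows PowerShell session; `Get-BitLockerVolume` requires the BitLocker module.

```powershell
# Added example (not SuperOps code). Thresholds are assumptions; run elevated on Windows.

function Test-DiskFreeSpace {
    # "Low Disk Free Space" = below WarnPercent; "Disk Space is critically low" = below CriticalGB.
    param([int]$WarnPercent = 10, [double]$CriticalGB = 5)
    Get-CimInstance Win32_LogicalDisk -Filter "DriveType=3" | ForEach-Object {
        $freePct = if ($_.Size) { [math]::Round(100 * $_.FreeSpace / $_.Size, 1) } else { 0 }
        $freeGB  = [math]::Round($_.FreeSpace / 1GB, 1)
        [pscustomobject]@{
            Drive    = $_.DeviceID
            FreeGB   = $freeGB
            FreePct  = $freePct
            Severity = if ($freeGB -lt $CriticalGB) { 'Critical' }
                       elseif ($freePct -lt $WarnPercent) { 'Warning' }
                       else { 'OK' }
        }
    }
}

function Test-SmartStatus {
    # HealthStatus other than 'Healthy' is the "S.M.A.R.T. Status is not OK" condition.
    Get-PhysicalDisk | ForEach-Object {
        [pscustomobject]@{
            Disk     = $_.FriendlyName
            Media    = $_.MediaType
            Health   = $_.HealthStatus
            Alert    = ($_.HealthStatus -ne 'Healthy')
        }
    }
}

function Test-PublicFirewall {
    # Only the Public profile is checked, matching the template; Domain/Private need their own check.
    $p = Get-NetFirewallProfile -Name Public
    $enabled = ($p.Enabled -eq 'True')
    [pscustomobject]@{ Profile = 'Public'; Enabled = $enabled; Alert = -not $enabled }
}

function Test-BitLockerState {
    # ProtectionStatus 'Off' on the OS volume -> "Bitlocker disabled".
    # A volume still in EncryptionInProgress/DecryptionInProgress whose percentage has not
    # moved between two samples -> "Encryption Stalled" / "Decryption Stalled".
    param([int]$SampleSeconds = 30)
    $first = Get-BitLockerVolume |
             Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionPercentage
    Start-Sleep -Seconds $SampleSeconds
    $second = Get-BitLockerVolume
    foreach ($v in $first) {
        $later      = $second | Where-Object MountPoint -eq $v.MountPoint
        $inProgress = $v.VolumeStatus -in 'EncryptionInProgress', 'DecryptionInProgress'
        [pscustomobject]@{
            Volume    = $v.MountPoint
            Type      = $v.VolumeType
            Status    = $v.VolumeStatus
            Protected = $v.ProtectionStatus
            Disabled  = ($v.VolumeType -eq 'OperatingSystem' -and $v.ProtectionStatus -eq 'Off')
            Stalled   = ($inProgress -and $later.EncryptionPercentage -eq $v.EncryptionPercentage)
        }
    }
}

Test-DiskFreeSpace | Format-Table -AutoSize
Test-SmartStatus   | Format-Table -AutoSize
Test-PublicFirewall
Test-BitLockerState -SampleSeconds 30 | Format-Table -AutoSize
```

A single stalled sample is only a hint; the SuperOps template presumably watches progress over a longer interval, so treat a `Stalled = True` here as a prompt to re-run the check, not as a confirmed stall.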

Patch monitoring alerts

Alert Name

Description

A patch has been rolled back

Alert when a previously installed update or patch has been automatically or manually rolled back. Important for tracking system stability issues and security posture changes. Rollbacks may indicate compatibility problems, system instability, or deliberate removal of security updates, potentially leaving systems vulnerable.

A patch has failed

Alert when system updates or patches fail to install properly. Critical for maintaining security posture and system stability. Failed patches can leave systems vulnerable to known security threats, indicate underlying system issues, or suggest insufficient disk space, permission problems, or software conflicts requiring investigation.

Event log monitoring

These templates fire on Windows event log entries, mostly from the Security log; the template names are Microsoft's own event descriptions, and the corresponding event IDs are noted in each description below. An event is only written if the matching Advanced Audit Policy subcategory is enabled on the asset, and object-access events additionally require a SACL on the object, so verify the audit configuration before relying on one of these alerts.
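The script below is an added example, not SuperOps code. Because an event-log template can only fire for events the host actually writes, it maps a handful of template names to the Security event ID and Advanced Audit Policy subcategory they depend on (the mapping is ours, taken from Microsoft's audit policy documentation), reads the subcategory state with `auditpol`, and checks whether that event has been seen in the lookback window. It also checks the registry value that controls whether 4688 carries the process command line. Subcategory names are the English ones; `auditpol` output is localized, so adjust them on non-English systems. Run elevated on the target asset.

```powershell
# Added example (not SuperOps code). Mapping and lookback window are our assumptions.

$checks = @(
    @{ Template = 'An account failed to log on';             Id = 4625; Subcategory = 'Logon' }
    @{ Template = 'A new process has been created';          Id = 4688; Subcategory = 'Process Creation' }
    @{ Template = 'A scheduled task was created';            Id = 4698; Subcategory = 'Other Object Access Events' }
    @{ Template = 'A user account was created in the asset'; Id = 4720; Subcategory = 'User Account Management' }
    @{ Template = 'A service was installed in the system';   Id = 4697; Subcategory = 'Security System Extension' }
    @{ Template = 'A Kerberos service ticket was requested'; Id = 4769; Subcategory = 'Kerberos Service Ticket Operations' }
    @{ Template = 'An operation was performed on an object'; Id = 4662; Subcategory = 'Directory Service Access' }
    @{ Template = 'The audit log was cleared';               Id = 1102; Subcategory = $null }   # always written
)

function Get-AuditSubcategoryState {
    # auditpol prints one indented line per subcategory: "  <name>   <Success and Failure|...|No Auditing>"
    param([string]$Subcategory)
    $pattern = "^\s+$([regex]::Escape($Subcategory))\s{2,}(.+?)\s*$"
    foreach ($line in (auditpol /get "/subcategory:$Subcategory" 2>$null)) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return 'Unknown'
}

function Test-TemplatePrerequisites {
    param([int]$LookbackHours = 24)
    $since = (Get-Date).AddHours(-$LookbackHours)
    foreach ($c in $checks) {
        $state  = if ($c.Subcategory) { Get-AuditSubcategoryState $c.Subcategory } else { 'n/a' }
        $recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $c.Id; StartTime = $since } `
                               -MaxEvents 1 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Template       = $c.Template
            EventId        = $c.Id
            AuditPolicy    = $state
            SeenInLookback = [bool]$recent
        }
    }
}

function Test-CommandLineAuditing {
    # 4688 only includes the command line when this policy value is 1
    # (Group Policy: "Include command line in process creation events").
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $v = (Get-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
    [pscustomobject]@{ CommandLineInEvent4688 = ($v -eq 1) }
}

Test-TemplatePrerequisites | Format-Table -AutoSize
Test-CommandLineAuditing
```

A row with `AuditPolicy = No Auditing` means the template for that event can never fire on this host until the subcategory is enabled; `SeenInLookback = False` with auditing on is normal for rare events such as 1102 and simply means nothing has happened yet.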

Alert Name

Description

A Kerberos authentication ticket (TGT) request has been detected

Monitors requests for Kerberos ticket-granting tickets (Security event 4768, logged on domain controllers). Use this to track user logon activity, detect authentication from unexpected locations, and identify credential-based attacks. The event is written for both successful and failed requests; the Result Code field distinguishes them. AS-REP roasting attempts also land here, as TGT requests for accounts with pre-authentication disabled (Pre-Authentication Type 0).

Kerberos pre-authentication failure has occurred

Triggers when the KDC rejects a ticket-granting ticket request before issuing a ticket (Security event 4771, logged on domain controllers). Per Microsoft's description this occurs when a domain controller has no certificate installed for smart card authentication, the user's password has expired, or the wrong password was supplied; Failure Code 0x18 is the bad-password case. Critical for detecting brute force, password spraying and compromised accounts against Kerberos. NTLM failures are not logged here but as 4776 on the domain controller and 4625 on the target host, so pair this template with the failed-logon templates.

A user account was created in the asset

Logs the creation of a new user account in Active Directory or in the local SAM (Security event 4720). Essential for tracking unauthorized account creation, monitoring user lifecycle changes, and ensuring proper access controls; a 4720 outside the provisioning process, or with an unexpected creator in the Subject fields, is the case to alert on. Important for compliance and security auditing.

A user account was enabled in the asset

Monitors when a disabled user account is re-enabled (Security event 4722). Important for tracking changes to account status and ensuring only authorized personnel can activate accounts. Helps detect attackers reviving dormant accounts, a common way to gain a foothold without creating a new account.

An attempt was made to change an account's password

Tracks attempts by a user to change their own password (Security event 4723, which requires the old password and is also logged for failed attempts). Useful for monitoring password policies, detecting unauthorized password changes, and ensuring users follow security procedures. Can help identify compromised accounts.

An attempt was made to reset an account's password

Monitors administrative password resets, where the caller sets a new password without knowing the old one (Security event 4724). Critical for tracking help desk activity and ensuring resets are authorized; a reset of a privileged or service account by an unexpected Subject is a strong indicator of account takeover. Important for audit trails.

A user account was disabled in the asset

Logs when a user account is disabled (Security event 4725). Important for tracking account lifecycle, ensuring proper offboarding procedures, and monitoring security-related account actions. Helps verify proper deprovisioning.

A user account was deleted in the asset

Monitors permanent removal of user accounts (Security event 4726). Essential for audit trails, ensuring proper data retention policies, and tracking administrative actions. Critical for compliance requirements.

A security-enabled global group was created in the domain controller

Tracks creation of new security-enabled global groups, which can be used for access control (Security event 4727). Important for monitoring privilege escalation and ensuring proper group management procedures. Critical for maintaining least privilege.

A member was added to a security-enabled global group in the domain controller

Monitors additions to security-enabled global groups (Security event 4728). Domain Admins is a global security group, so this is the template that catches membership changes to it; alert on any addition to the domain's privileged groups that was not part of an approved change. Critical for detecting unauthorized privilege escalation.

A security-disabled/ local distribution group was created

Logs creation of local groups that are not security-enabled, i.e. distribution groups (Security event 4744). Useful for tracking organizational changes and group management activities.

A security-disabled/a local distribution group was changed

Monitors modifications to local distribution groups (Security event 4745). Important for tracking organizational structure changes and group property modifications. Helps maintain proper group configurations.

A member was added to a security-disabled local group

Tracks additions to local distribution groups (Security event 4746). Useful for monitoring organizational group membership changes and email distribution list modifications.

A member was removed from a security-disabled/ local distribution group

Monitors removal from local distribution groups (Security event 4747). Important for tracking organizational changes and ensuring proper group membership management. Helps maintain accurate distribution lists.

A security-disabled/ local distribution group was deleted

Logs deletion of local distribution groups (Security event 4748). Essential for audit trails and tracking organizational structure changes. Important for maintaining proper group lifecycle management.

A security-disabled global group was created

Monitors creation of global distribution groups (Security event 4749). Important for tracking domain-wide organizational structure changes and distribution list creation.

A security-disabled global group was changed

Tracks modifications to global distribution groups (Security event 4750). Useful for monitoring organizational changes and group property updates. Helps ensure proper group configurations.

A member was added to a security-disabled global group

Monitors additions to global distribution groups (Security event 4751). Important for tracking domain-wide organizational membership changes. Useful for maintaining proper distribution structures.

A member was removed from a security-disabled global group

Tracks removal from global distribution groups (Security event 4752). Essential for monitoring organizational structure and ensuring proper group maintenance. Important for accurate membership records.

A security-disabled global group has been deleted

Logs deletion of global distribution groups (Security event 4753). Critical for audit trails and tracking domain-wide organizational changes. Important for maintaining proper group lifecycle.

The screen saver was dismissed in the asset

Monitors when a user returns to an active session after the screen saver was running (Security event 4803). Useful for tracking user activity patterns and session management. Can help identify access to workstations that were left unlocked.

A handle to an object was requested

Tracks requests for handles to audited objects such as files and registry keys (Security event 4656). Requires a SACL on the object and the Audit File System or Audit Registry subcategory. 4656 records the access that was requested; 4663 records the access that actually took place. Part of detailed object access monitoring for high-security environments; it can generate high volumes, so configure carefully.

An object was deleted in the account

Monitors deletion of audited files, folders, or other objects on the asset (Security event 4660). The event does not contain the object name; correlate it with the preceding 4656 or 4663 that shares the same Handle ID to recover what was deleted. Important for tracking data loss, unauthorized deletions, and maintaining audit trails for critical resources.

An attempt was made to access an object

Monitors file system and registry access attempts (Security event 4663). Only objects with a SACL generate it, so scope the SACLs to the sensitive paths you actually care about; it can otherwise generate very high volumes. Useful for sensitive file monitoring and compliance requirements. Critical for data protection.

Object's permissions were changed

Tracks modifications to access control lists (ACLs) on files, folders, or registry keys (Security event 4670). Critical for maintaining security posture and detecting unauthorized permission changes that could lead to privilege escalation.

Auditing settings on an object were changed

Monitors changes to the audit settings (SACL) on specific objects (Security event 4907). Important for ensuring audit integrity and detecting attempts to disable monitoring on sensitive resources.

An object was opened for deletion

Tracks when objects are opened with delete intent. Useful for monitoring potential data loss and detecting unauthorized deletion attempts before they occur.

A logon was attempted using explicit credentials

Tracks when a logon is attempted with credentials other than those of the current session, for example RunAs or a remote connection using a different account (Security event 4648). Important for detecting credential theft and monitoring privileged access. A 4648 whose Target Server is a different host is the outbound side of lateral movement, so it is worth reviewing alongside the corresponding 4624 on the destination.

Network Policy Server granted access to a user

Monitors successful network access policy decisions (Security event 6272). Useful for tracking authorized network access and ensuring policy compliance in NAP/NAC environments.

Network Policy Server denied access to a user

Tracks network access denials by policy enforcement (Security event 6273). Important for detecting unauthorized access attempts and troubleshooting connectivity issues in managed networks.

Network Policy Server discarded the request for a user

Monitors when NPS discards an authentication request because of malformed or invalid data (Security event 6274). Useful for detecting network attacks or configuration issues.

Network Policy Server discarded the accounting request for a user

Tracks when NPS discards an accounting request (Security event 6275). Important for maintaining accurate usage records and detecting potential logging bypass attempts.

Network Policy Server quarantined a user

Monitors when a user is placed in network quarantine due to policy violations (Security event 6276). Critical for tracking security policy enforcement and managing non-compliant devices.

NPS granted access to a user, but the host isn't on defined health policy

Tracks access grants to devices that do not meet the health policy and are placed on probation (Security event 6277). Important for monitoring security policy exceptions and potential security risks.

NPS granted access to a user because the host met the defined health policy

Monitors full access granted because the host met the health policy (Security event 6278). Useful for tracking properly configured and secure device access.

NPS locked the user account due to repeat failed authentication attempts

Tracks account lockouts due to repeated authentication failures in network access scenarios (Security event 6279). Critical for detecting brute force attacks against network services such as VPN and 802.1X.

NPS unlocked the user account

Monitors when an NPS account lockout is cleared (Security event 6280). Important for tracking administrative actions and ensuring proper account management.

User met connection and resource authorization policy requirements, but can't connect to resource

Tracks policy compliance with connection failures. Useful for troubleshooting access issues and identifying infrastructure problems despite proper authorization.

A Kerberos service ticket was requested

Monitors requests for Kerberos service tickets (Security event 4769, logged on domain controllers). Important for tracking resource access patterns and detecting unauthorized service access. This is also the event Kerberoasting shows up in: tickets requested with RC4 encryption (Ticket Encryption Type 0x17) for user accounts that carry an SPN, often for many different services from one source within a short window. Volume is high, so filter on encryption type and exclude computer accounts before alerting.
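The script below is an added example, not SuperOps code: a triage query over event 4769 for the Kerberoasting pattern described above, i.e. issued service tickets with RC4 (Ticket Encryption Type 0x17) for accounts that are not computer accounts or krbtgt, grouped by requester and source address. The distinct-service threshold and the 24-hour window are our assumptions. Run it on a domain controller, where 4769 is logged. Note that hosts which do not support AES will legitimately request RC4 tickets, so the result is a candidate list, not a verdict.

```powershell
# Added example (not SuperOps code). Thresholds are assumptions; run on a DC.
function Find-KerberoastCandidates {
    param([int]$LookbackHours = 24, [int]$MinDistinctServices = 3)
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d.Status -ne '0x0')                { continue }   # only tickets actually issued
        if ($d.TicketEncryptionType -ne '0x17') { continue }   # RC4-HMAC
        if ($d.ServiceName -like '*$' -or $d.ServiceName -eq 'krbtgt') { continue }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Requester = $d.TargetUserName
            SourceIp  = $d.IpAddress -replace '^::ffff:', ''
            Service   = $d.ServiceName
        }
    }

    # One requester hitting many different SPNs with RC4 in a short window is the roasting signature.
    $rows | Group-Object Requester, SourceIp | ForEach-Object {
        $svcs = @($_.Group.Service | Sort-Object -Unique)
        if ($svcs.Count -ge $MinDistinctServices) {
            [pscustomobject]@{
                Requester        = $_.Group[0].Requester
                SourceIp         = $_.Group[0].SourceIp
                DistinctServices = $svcs.Count
                Services         = ($svcs -join ', ')
            }
        }
    }
}

Find-KerberoastCandidates | Format-Table -AutoSize
```

The same query with `TicketEncryptionType` left unfiltered gives you the baseline of which service accounts are normally requested from where, which is the fastest way to decide whether a hit is a roasting attempt or an old client that cannot do AES.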

Special privileges assigned to new logon

Tracks when a new logon session is assigned sensitive privileges such as SeDebugPrivilege or SeBackupPrivilege (Security event 4672), which is what an administrator logon looks like. Critical for monitoring administrative access and privilege escalation. It fires constantly for SYSTEM and service accounts, so exclude those and alert on unexpected user accounts.

The special groups logon table was modified

Monitors changes to the Special Groups list, the set of groups whose logons are flagged as special (Security event 4908). Important for tracking security configuration changes that affect privilege assignments.

A user's local group membership was enumerated

Tracks when a process queries a user's local group memberships (Security event 4798). Can indicate reconnaissance activities or legitimate administrative tasks; the Process Name field tells you which. Useful for detecting privilege enumeration, but expect routine noise from system components.

A security-enabled local group was created

Monitors creation of new local security groups on individual machines (Security event 4731). Important for tracking local privilege assignments and ensuring proper access controls on endpoints.

A member was added to a security-enabled local group

Tracks additions to local security groups (Security event 4732). The local Administrators and Remote Desktop Users groups are the cases that matter most. Critical for monitoring privilege escalation and ensuring only authorized users receive elevated local access.

A member was removed from a security-enabled local group

Monitors removal from local security groups (Security event 4733). Important for tracking deprovisioning and access control modifications on individual systems.

A security-enabled local group was deleted

Tracks deletion of local security groups (Security event 4734). Critical for audit trails and ensuring proper group lifecycle management on endpoints.

A security-enabled local group was changed

Monitors modifications to local security groups (Security event 4735). Important for tracking group management activities and maintaining proper access controls on individual machines.

A user account was changed in the asset

Logs modifications to user account properties such as description, home directory, or account control flags (Security event 4738). Important for tracking account lifecycle and detecting unauthorized changes; in particular watch the User Account Control field for flags such as 'Password Not Required' or 'Don't Require Preauth', which weaken the account.

Domain Policy was changed in the asset

Monitors changes to domain-level security policies including password policies, account lockout settings, and related domain settings (Security event 4739). Critical for maintaining security posture and detecting policy weakening.

A group type was changed

Tracks when a group's type is modified, e.g. from distribution to security group (Security event 4764). Important for monitoring privilege changes, since security groups can be used for access control while distribution groups cannot.

The name of an account was changed

Monitors when a user or computer account is renamed (Security event 4781). Important for tracking identity changes and ensuring proper account management. Can indicate attempts to disguise a malicious account.

A directory service object was created

Logs creation of new Active Directory objects such as OUs, containers, or other directory components (Security event 5137; requires the Audit Directory Service Changes subcategory). Important for tracking AD structure changes and unauthorized object creation.

A directory service object was moved

Monitors when AD objects are moved between containers or OUs (Security event 5139). Important for tracking organizational changes and detecting relocations that change which Group Policy applies to an object.

A directory service object was deleted

Tracks deletion of Active Directory objects (Security event 5141). Critical for audit trails and detecting unauthorized removal of important directory components. Essential for maintaining AD integrity.

A new external device was recognized by the system

Monitors when a new hardware device (USB, external drive, etc.) is recognized by the system (Security event 6416; requires the Audit PNP Activity subcategory). Important for tracking potential data exfiltration vectors and enforcing device usage policies.

Windows is starting up

Logged when the Windows security subsystem starts during boot (Security event 4608). Useful for tracking system availability, boot times, and detecting unexpected reboots that could indicate system compromise or instability.

The audit log was cleared

Critical security event indicating someone cleared the Windows Security log (Security event 1102, which records the account that did it). Always investigate, as this often indicates an attempt to hide malicious activity or cover tracks after an incident. Clearing other logs, such as System or Application, is recorded as event 104 in the System log instead.

A notification package has been loaded by the Security Account Manager

Monitors when a password notification package is loaded by the Security Account Manager (Security event 4614). Such packages see every password change in clear text, so an unfamiliar package name here can indicate a credential-theft mechanism; compare against the list of legitimate security software on the host.

The system time was changed

Tracks modifications to the system time (Security event 4616). Important for audit integrity, since many security events depend on accurate timestamps, and can indicate attempts to evade time-based controls. Routine time synchronization by the Windows Time service generates this event too, so filter on the Process Name and Subject fields to surface manual changes.

A user right was assigned

Monitors when a user right (privilege) is granted to an account (Security event 4704). Critical for tracking privilege escalation and ensuring only authorized personnel receive elevated permissions; rights such as SeDebugPrivilege, SeTcbPrivilege and SeBackupPrivilege deserve the closest attention.

A user right was removed

Tracks removal of a user right from an account (Security event 4705). Important for monitoring deprovisioning and ensuring proper privilege reduction when access is no longer needed.

System audit policy was changed

Monitors modifications to Windows audit policy settings (Security event 4719). Critical for maintaining audit integrity and detecting attempts to disable security monitoring, for example an `auditpol /clear` or a subcategory being set to No Auditing shortly before other suspicious activity.

An operation was performed on an object

Tracks operations performed on Active Directory objects (Security event 4662, from the Audit Directory Service Access subcategory; it covers directory objects, not files or the registry). Provides detailed monitoring of reads and writes against AD objects that carry a SACL, and is the event that records use of the replication control-access rights a DCSync-style credential dump relies on, so a 4662 on the domain object from an account that is not a domain controller deserves an alert. Configure carefully due to potential high volume.
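The following script is an added example, not SuperOps code. It reads recent 4662 events on a domain controller and reports any that reference one of the three directory replication control-access rights (identified by their well-known rights GUIDs) from an account that is not a domain controller computer account, which is the DCSync pattern mentioned above. The allow-list parameter is ours, for accounts that legitimately replicate (for example a directory synchronization service account). It assumes the ActiveDirectory PowerShell module is available and that a SACL granting audit on those rights exists on the domain naming context.

```powershell
# Added example (not SuperOps code). Run on a DC; needs the ActiveDirectory module.

# Well-known rights GUIDs for the replication control-access rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Find-ReplicationAccess {
    param(
        [int]$LookbackHours = 24,
        [string[]]$AllowedAccounts = @()      # e.g. a directory sync service account (assumption)
    )
    $since = (Get-Date).AddHours(-$LookbackHours)

    # Domain controllers replicate with each other legitimately; their computer accounts end in '$'.
    $dcNames = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $since } `
                 -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # The Properties field lists the access-right / attribute GUIDs that were exercised.
        $hits = @($ReplicationRights.Keys | Where-Object { $d.Properties -match $_ })
        if ($hits.Count -eq 0) { return }

        $who = $d.SubjectUserName
        if ($who -in $dcNames -or $who -in $AllowedAccounts) { return }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = "$($d.SubjectDomainName)\$who"
            Object  = $d.ObjectName
            Rights  = (($hits | ForEach-Object { $ReplicationRights[$_] }) -join ', ')
        }
    }
}

Find-ReplicationAccess | Format-Table -AutoSize
```

Any row this returns means an ordinary user or service account exercised replication rights against the directory; verify the account's ACEs on the domain object and treat an unexplained hit as a credential-dump attempt.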

A network share object was accessed

Monitors access to network shares (Security event 5140; requires the Audit File Share subcategory, and per-file detail is in the much noisier 5145 from Audit Detailed File Share). Important for tracking file server access and detecting unauthorized attempts to reach shared resources, including access to administrative shares such as ADMIN$ and C$ from unexpected hosts.

A network share object was added

Logs creation of new network shares (Security event 5142). Critical for tracking data exposure and ensuring proper authorization for new shared resources.

A network share object was modified

Tracks changes to existing network shares, including permission modifications (Security event 5143). Important for maintaining proper access controls and detecting unauthorized share modifications.

A network share object was deleted

Monitors removal of network shares (Security event 5144). Important for tracking data access changes and ensuring proper authorization for share removal.

A service was installed in the system

Monitors installation of new Windows services (Security event 4697; requires the Audit Security System Extension subcategory. The System log records the same fact as event 7045). Critical for detecting malicious service installation, which is a common persistence and remote-execution technique; the Service File Name field shows what the service runs, so alert on binaries in user-writable paths or on command lines that launch script hosts.

The event logging service has shut down

Indicates that the event logging service stopped, normally during shutdown (Security event 1100). Important for maintaining audit continuity; a 1100 that is not followed by a shutdown and restart is an unexpected logging interruption worth investigating.

A monitored security event pattern has occurred

Triggers when a predefined security event pattern is detected by the Windows event correlation subsystem (Security event 4618). Used for advanced threat detection and correlation of multiple related security events.

A security-enabled local group membership was enumerated

Tracks when a process enumerates the membership of a local security group (Security event 4799). Can indicate reconnaissance, such as listing the local Administrators group, or legitimate administrative tasks. Useful for detecting privilege enumeration; check the Process Name field to separate the two.

The requested credentials delegation was disallowed by policy

Monitors when a request to delegate credentials is refused by policy (Security event 5378). This reflects Credential Guard or credential delegation policy blocking an application from forwarding the user's credentials, for example a CredSSP-based remoting session; it is useful both for spotting tooling that tries to harvest delegated credentials and for troubleshooting legitimate delegation failures.

A request was made to authenticate to a wired network

Tracks 802.1X authentication attempts on wired networks (Security event 5633). Important for monitoring network access control and detecting unauthorized wired network access attempts.

A request was made to authenticate to a wireless network

Monitors wireless network authentication attempts (Security event 5632). Critical for tracking Wi-Fi access and detecting unauthorized wireless network access or connections to rogue access points.

An authentication package has been loaded by the Local Security Authority

Tracks loading of authentication packages by the Local Security Authority (Security event 4610). Important for detecting potential credential theft mechanisms or legitimate security software installation; compare the package name against the expected defaults for the host.

A trusted logon process has been registered with the Local Security Authority

Monitors registration of trusted logon processes with the Local Security Authority (Security event 4611). Can indicate malware attempting to intercept credentials or legitimate security software installation.

A security package has been loaded by the Local Security Authority

Tracks loading of security packages (SSPs) by the Local Security Authority (Security event 4622). Important for monitoring authentication mechanism changes; a package name you do not recognize, for example a DLL added to the LSA Security Packages registry value, warrants investigation because a malicious SSP sees plaintext credentials.

A user account was locked out

Monitors when a user account is locked out after repeated failed authentication attempts (Security event 4740, logged on the domain controller for domain accounts). Critical for detecting brute force attacks and identifying compromised accounts or forgotten passwords; the Caller Computer Name field identifies the source of the failures.

A computer account was created

Logs creation of new computer accounts in Active Directory (Security event 4741). Important for tracking new systems joining the domain and ensuring proper computer account management; an ordinary user creating computer accounts is worth a look, since that is the starting point of several Kerberos delegation attacks.

A computer account was changed

Monitors modifications to computer account properties (Security event 4742). Important for tracking system configuration changes and ensuring proper computer account lifecycle management; changes to delegation settings and service principal names are the ones with security impact.

A computer account was deleted

Tracks removal of computer accounts from Active Directory (Security event 4743). Important for audit trails and ensuring proper system decommissioning procedures.

A user account was unlocked

Monitors when a locked user account is unlocked by an administrator (Security event 4767). Important for tracking administrative actions and ensuring proper account management procedures.

A directory service object was modified

Tracks changes to Active Directory objects, including attribute modifications (Security event 5136; requires the Audit Directory Service Changes subcategory). Important for monitoring AD changes and detecting unauthorized modifications to directory components.

A directory service object was undeleted

Monitors when a deleted AD object is restored (Security event 5138). Important for tracking administrative actions and ensuring proper object lifecycle management in Active Directory.

An account successfully logged on

Tracks successful logons across all methods (Security event 4624). The Logon Type field tells you how: 2 interactive, 3 network, 4 batch, 5 service, 10 RemoteInteractive (RDP). Essential baseline monitoring for user activity and access patterns; volume is high, so alerts normally key on a specific type, such as RDP or interactive logons by privileged accounts.

An account failed to log on

Monitors failed logon attempts (Security event 4625). The Sub Status field gives the reason: 0xC000006A wrong password, 0xC0000064 unknown user name, 0xC0000234 account locked out. Critical for detecting brute force attacks, credential stuffing, password spraying, and unauthorized access attempts. On a domain controller, Kerberos failures appear as 4771 rather than 4625, so pair the two.

A workstation was locked

Tracks when a workstation is locked, manually or automatically (Security event 4800). Useful for monitoring user activity patterns and ensuring proper workstation security practices.

A workstation was unlocked

Monitors when a locked workstation is unlocked by user authentication (Security event 4801). Important for tracking session resumption and detecting unauthorized workstation access.

User initiated logoff

Tracks when a user explicitly logs off from a session (Security event 4647). Useful for monitoring user activity patterns and session management. Helps distinguish normal logoffs from sessions that ended some other way.

A session was reconnected to a Window Station

Monitors when a disconnected session is reconnected, common in RDP scenarios (Security event 4778). Important for tracking remote access patterns and session management; the Client Name and Client Address fields show where the reconnect came from.

A session was disconnected from a Window Station

Tracks when a session is disconnected without a logoff, common in RDP (Security event 4779). Important for monitoring session state and detecting unexpected disconnections.

The screen saver was invoked

Monitors when the screen saver activates due to inactivity (Security event 4802). Useful for tracking user activity patterns and ensuring workstation security policies are functioning.

Encrypted data recovery policy was changed

Tracks modifications to the Encrypting File System (EFS) data recovery policy (Security event 4714). Critical for maintaining data recovery capabilities and detecting unauthorized encryption policy changes.

System security access was granted to an account

Monitors when an account is granted a logon right such as "Log on as a service" or "Allow log on through Remote Desktop Services" (Security event 4717). Critical for tracking high-level access assignments and detecting unauthorized grants.

System security access was removed from an account

Tracks removal of a logon right from an account (Security event 4718). Important for monitoring privilege reduction and ensuring proper deprovisioning of system access.

A new process has been created

Tracks creation of new processes (Security event 4688; requires the Audit Process Creation subcategory). Critical for detecting malicious software execution, monitoring application launches, and investigating security incidents. Enable "Include command line in process creation events" as well, otherwise the event shows only the image path and most detections cannot be written. Can generate high volumes.

A process has exited

Monitors when a process terminates (Security event 4689). Useful for tracking application behavior, detecting abnormal process termination, and monitoring system stability.

A scheduled task was created

Tracks creation of new scheduled tasks (Security event 4698; requires the Audit Other Object Access Events subcategory). Important for detecting persistence mechanisms used by malware, unauthorized automation, and legitimate task scheduling. The event contains the full task XML, so the action, run-as principal and triggers can be extracted directly from it.

A scheduled task was deleted

Monitors removal of scheduled tasks (Security event 4699). Useful for tracking system cleanup, detecting attempts to remove evidence, and maintaining proper task lifecycle management.

A scheduled task was enabled

Tracks when a disabled scheduled task is enabled (Security event 4700). Important for monitoring task state changes and detecting unauthorized activation of potentially malicious scheduled tasks.

A scheduled task was disabled

Monitors when an active scheduled task is disabled (Security event 4701). Useful for tracking task management activities and detecting attempts to disable legitimate security or maintenance tasks.

A scheduled task was updated

Tracks modifications to existing scheduled tasks, including timing, actions, or security context changes (Security event 4702). Critical for detecting malicious task modifications, such as an existing benign task being repointed at a different executable, and maintaining task integrity.
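The script below is an added example, not SuperOps code. It shows how to turn the scheduled-task events above from "a task was created" into something actionable: event 4698 carries the complete task definition in its TaskContent field, so the Exec action, the run-as principal and the trigger types can be pulled out of each event and scored. The persistence heuristics (script hosts, user-writable paths, SYSTEM principal) and the 24-hour window are our assumptions. Run elevated on a host where Audit Other Object Access Events is enabled.

```powershell
# Added example (not SuperOps code). Heuristics and lookback window are assumptions.
function Get-NewScheduledTasks {
    param([int]$LookbackHours = 24)
    $since = (Get-Date).AddHours(-$LookbackHours)

    # Script hosts and LOLBins commonly used by persistence tasks, and paths a standard user can write to.
    $suspiciousExe = 'powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe'
    $writablePaths = '\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\|\\Public\\'

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } `
                 -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # TaskContent is the task's own XML definition, embedded as text inside the event.
        $task  = [xml]$d.TaskContent
        $exec  = $task.Task.Actions.Exec
        $cmd   = "$($exec.Command) $($exec.Arguments)".Trim()
        $runAs = $task.Task.Principals.Principal.UserId
        $trig  = ($task.Task.Triggers.ChildNodes | ForEach-Object { $_.LocalName }) -join ','

        $scriptHost = $cmd -match $suspiciousExe
        $userPath   = $cmd -match $writablePaths
        $asSystem   = $runAs -in 'S-1-5-18', 'SYSTEM', 'NT AUTHORITY\SYSTEM'

        [pscustomobject]@{
            Time       = $_.TimeCreated
            CreatedBy  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            TaskName   = $d.TaskName
            RunAs      = $runAs
            Triggers   = $trig
            Command    = $cmd
            Suspicious = $userPath -or ($scriptHost -and $asSystem)
        }
    }
}

Get-NewScheduledTasks | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

The same parsing applies to 4702, whose TaskContentNew field holds the updated definition, which is how you catch an existing task being repointed at a new payload.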

The security log is now full

Indicates the Windows Security log has reached its maximum size (Security event 1104). Critical alert, because with the log full and no overwrite configured new security events are dropped. Requires immediate attention to prevent audit gaps; increasing the log size or forwarding events to a collector avoids the problem.

Event log automatic backup

Monitors when Windows automatically archives a full event log (Security event 1105). Important for ensuring log retention and verifying that the archive-when-full setting is working as intended.

The event logging service encountered an error

Tracks errors in the Windows event logging service while processing an incoming event (Security event 1108). Critical for maintaining audit integrity and ensuring continuous security monitoring capabilities.

Task Scheduler successfully completed a task

Monitors successful execution of scheduled tasks. Useful for verifying automation is working correctly and tracking legitimate administrative activities.

Task Scheduler failed to complete a task

Tracks scheduled task failures. Important for detecting system issues, permission problems, or potential security interference with legitimate tasks.

Task Scheduler failed to launch a task

Monitors when scheduled tasks fail to start. Critical for detecting configuration issues, missing executables, or potential security blocks on legitimate automation.

Network Access Protection policies were not met, user can't be authorized to connect to TS Gateway

Tracks NAP policy violations preventing Terminal Services Gateway access. Important for monitoring compliance and detecting non-compliant devices attempting remote access.

An attempt was made to set the Directory Services Restore Mode administrator password

Monitors attempts to set the Directory Services Restore Mode (DSRM) administrator password on a domain controller (Security event 4794). Critical security event: this password grants local administrator access to the DC when it is booted into restore mode, and attackers also set it as a persistence mechanism, so it should change only during planned maintenance.

Enabled Role separation

Tracks enabling of role separation in Certificate Services. Important for monitoring CA security configurations and ensuring proper separation of duties in PKI environments.

AD CS server started role separation is changed

Monitors changes to Certificate Authority role separation settings. Critical for maintaining PKI security and ensuring proper CA administrative controls.

Kerberos policy was changed

Tracks modifications to domain Kerberos policy settings, including ticket lifetimes and clock skew tolerance (Security event 4713). Critical for maintaining authentication security and detecting policy weakening, such as ticket lifetimes being extended.

System has been shutdown by a process or user

Monitors shutdown and restart events initiated by a user or process (System log event 1074, which records the initiating process, account and stated reason). Important for telling planned from unplanned shutdowns and detecting unauthorized ones.

Exchange Server Store - Blacklisted Events

Monitors Exchange-specific security events that indicate potential issues or attacks. Important for email security and detecting unauthorized Exchange access or modifications.

Hyper-V Replication Events

Tracks Hyper-V replication activities including failures and status changes. Important for virtual environment monitoring and ensuring business continuity.

Failed Login Attempts Detected

Aggregated alert for multiple failed authentication attempts. Critical for detecting brute force attacks, credential stuffing, and compromised account indicators.

User Account Created or Enabled

Combined monitoring for new account creation and account activation. Essential for tracking user lifecycle changes and detecting unauthorized account provisioning.

User Account Disabled or Deleted

Aggregated alert for account deactivation and removal. Important for monitoring user deprovisioning and ensuring proper offboarding procedures.

An attempt was made to change/reset an account's password

Combined monitoring for both user-initiated password changes and administrative resets. Critical for tracking credential management and detecting unauthorized password modifications.

User Account Locked Out

Monitors account lockouts due to failed authentication attempts. Critical for detecting brute force attacks, compromised accounts, and identifying users with password issues.

User Account Unlocked

Tracks when locked accounts are unlocked by administrators. Important for monitoring administrative actions and ensuring proper account management procedures.

Security-Enabled Group Created

Monitors creation of new security groups. Important for tracking privilege structure changes and ensuring proper group management procedures in access control.

Security-Enabled Group Changed

Tracks modifications to security group properties. Critical for monitoring access control changes and detecting unauthorized group modifications that could affect permissions.

Security-Enabled Group Deleted

Monitors deletion of security groups. Important for audit trails and ensuring proper group lifecycle management without leaving orphaned permissions.

Member Added to Security-Enabled Group

Tracks additions to security groups. Critical for monitoring privilege escalation and detecting unauthorized access grants through group membership.

Member Removed From Security-Enabled Group

Monitors removal from security groups. Important for tracking deprovisioning and ensuring proper privilege reduction when access is no longer needed.

Windows Firewall Service Stopped

Critical alert indicating Windows Firewall has stopped running. Immediate security concern as the system loses network protection and becomes vulnerable to attacks.

Windows Firewall Security Policy Issues Detected

Monitors detection of firewall policy problems or conflicts. Important for maintaining network security posture and ensuring firewall rules are properly configured.

Windows Firewall Failure Detected

Tracks firewall operational failures. Critical for network security as failures could leave systems unprotected or cause connectivity issues.

Windows Firewall Exceptions Updated

Monitors changes to firewall exception rules. Important for tracking network access changes and detecting unauthorized modifications to security policies.

Windows Firewall Settings Modified

Tracks changes to firewall configuration settings. Critical for maintaining network security posture and detecting unauthorized modifications to firewall policies.

DoS Attack Detected via Windows Filtering Platform

Monitors detection of Denial of Service attacks through WFP. Critical security alert indicating active network attacks that could affect system availability.

Windows Filtering/ Filtering Platform Blocked a Packet

Tracks packets blocked by Windows Filtering Platform. Useful for monitoring blocked network traffic and detecting potential attacks or policy violations.

Windows Filtering Platform Blocked a Connection

Monitors connections blocked by WFP. Important for detecting unauthorized connection attempts and verifying firewall policies are working effectively.

Image File Hashes Incorrect

Critical security alert indicating executable files have been modified or corrupted. Could indicate malware infection, file corruption, or unauthorized software modifications.

Administrator recovered system from CrashOnAuditFail. Users who are not administrators can log on

Tracks recovery from audit failure conditions. Important for monitoring system security state and ensuring audit failures don't permanently impact operations.

SIDs were filtered

Monitors when Security Identifiers are filtered during authentication. Important for tracking cross-domain authentication issues and potential security boundary violations.

Backup of data protection master key was attempted

Tracks attempts to back up DPAPI master keys. Important for data protection monitoring and ensuring proper key management procedures are followed.

Recovery of data protection master key was attempted

Monitors attempts to recover DPAPI master keys. Critical for tracking data recovery activities and detecting potential unauthorized access to encrypted data.

A new trust was created to a domain

Tracks creation of new domain trust relationships. Critical security event as trusts affect authentication boundaries and access control across domains.

The audit policy (SACL) on an object was changed

Monitors changes to audit settings on specific objects. Important for maintaining audit integrity and detecting attempts to disable monitoring on sensitive resources.

Trusted domain information was modified

Tracks changes to domain trust configurations. Critical for maintaining authentication boundaries and detecting unauthorized modifications to trust relationships.

The ACL was set on accounts which are members of administrators groups

Monitors permission changes on administrative accounts. Critical for maintaining admin account security and detecting unauthorized access control modifications.

RPC detected an integrity violation while decrypting an incoming message

Tracks RPC integrity violations during message decryption. Critical security event indicating potential network attacks or corruption in inter-system communication.

A trusted forest information entry was added

Monitors additions to trusted forest configurations. Important for tracking cross-forest trust changes and ensuring proper forest security boundaries.

A trusted forest information entry was removed

Tracks removal of trusted forest entries. Critical for monitoring trust relationship changes that could affect cross-forest authentication and access.

A trusted forest information entry was modified

Monitors modifications to forest trust configurations. Important for maintaining forest security boundaries and detecting unauthorized trust modifications.

The certificate manager denied a pending certificate request

Tracks denied certificate requests by Certificate Authority. Important for PKI security monitoring and detecting unauthorized certificate request attempts.

Certificate Services revoked a certificate

Monitors when certificates are revoked by the Certificate Authority. Critical for PKI security to track certificate lifecycle and ensure compromised or expired certificates are properly invalidated.

The security permissions for Certificate Services changed

Tracks changes to CA security permissions. Critical for maintaining PKI security and detecting unauthorized modifications to certificate authority access controls.

The audit filter for Certificate Services changed

Monitors modifications to CA audit filtering settings. Important for maintaining audit integrity and ensuring proper certificate authority activity logging.

The certificate manager settings for Certificate Services changed

Tracks changes to certificate manager configuration. Important for PKI management and detecting unauthorized modifications to certificate authority settings.

A property of Certificate Services changed

Monitors modifications to CA properties and configuration settings. Critical for maintaining PKI security posture and tracking certificate authority changes.

Rows have been deleted from the certificate database

Tracks deletions from the certificate database. Critical for audit integrity and detecting unauthorized removal of certificate records or tampering with PKI data.

The CrashOnAuditFail value has changed

Monitors changes to the system setting that determines behavior when audit logging fails. Critical security setting that affects audit continuity and system availability.

Per User Audit Policy was changed

Tracks modifications to individual user audit policies. Important for maintaining granular audit controls and detecting unauthorized changes to user-specific monitoring.

Extended Mode negotiation failed and the corresponding Main Mode security association was deleted

Monitors IPsec negotiation failures. Important for network security troubleshooting and detecting potential VPN or secure communication issues.

Windows Firewall Service failed to retrieve security policy from local storage

Tracks firewall policy retrieval failures. Critical for network security as policy failures could leave systems unprotected or improperly configured.

Windows Firewall Service failed to parse the new security policy

Monitors firewall policy parsing errors. Critical for network security as parsing failures could result in incorrect firewall configurations or unprotected systems.

The Windows Firewall Service failed to initialize the driver. Current policy will be enforced

Tracks firewall driver initialization failures. Important for network security monitoring and ensuring firewall functionality is maintained despite driver issues.

The Windows Firewall Service failed to start

Critical alert indicating complete firewall service failure. Immediate security concern as the system loses all network protection and becomes highly vulnerable.

The Windows Firewall Driver failed to start

Monitors firewall driver startup failures. Critical for network security as driver failures could prevent firewall functionality and leave systems unprotected.

The Windows Firewall Driver detected critical runtime error. Terminating

Tracks critical firewall driver errors leading to termination. Critical security alert as firewall failure leaves systems completely unprotected from network threats.

Invalid Hash Detected for files

Critical security alert indicating file integrity violations. Could indicate malware infection, unauthorized file modifications, or system corruption requiring immediate investigation.

OCSP Responder Service Started

Monitors startup of Online Certificate Status Protocol service. Important for PKI infrastructure monitoring and ensuring certificate validation services are available.

OCSP Responder Service Stopped

Tracks shutdown of OCSP responder service. Important for PKI availability as OCSP failures can prevent certificate validation and cause application issues.

A configuration entry changed in OCSP Responder Service

Monitors configuration changes to OCSP responder. Important for PKI security and ensuring proper certificate status checking configuration is maintained.

Credential Manager credentials were backed up

Tracks backup operations for stored credentials. Important for credential security monitoring and ensuring proper backup procedures for sensitive authentication data.

Credential Manager credentials were restored from a backup

Monitors credential restoration from backup. Critical for tracking credential recovery activities and detecting unauthorized access to backed-up authentication data.

IPsec negotiation failed because the IKEEXT service is not started

Tracks IPsec failures due to service issues. Important for VPN and secure communication troubleshooting and ensuring encrypted network connectivity.

IPsec Services failed to get the complete list of network interfaces

Monitors IPsec service interface enumeration failures. Important for secure networking and detecting issues that could affect VPN or encrypted communication setup.

IPsec Services failed to initialize the RPC server and could not start

Tracks IPsec service startup failures. Critical for secure networking as IPsec failures could prevent VPN connections and encrypted communication.

IPsec Services shut down after a critical failure

Monitors IPsec service critical failures leading to shutdown. Important for secure networking and detecting issues that could affect encrypted communications.

IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces

Tracks IPsec filter processing failures during network changes. Important for maintaining secure networking during dynamic network configuration changes.

The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account

Monitors rejection of vulnerable Netlogon connections from computers. Critical security feature protecting against Zerologon and similar domain controller attacks.

The Netlogon service denied a vulnerable Netlogon secure channel connection using a trust account

Tracks rejection of vulnerable Netlogon connections from trust accounts. Critical for domain security and protecting against advanced persistent threat techniques.

One or more errors occurred while processing security policy in the Group Policy objects

Monitors Group Policy security policy processing errors. Important for ensuring security policies are properly applied and detecting configuration issues.

An error was encountered converting volume

Tracks BitLocker volume conversion errors. Important for data protection monitoring and ensuring encryption processes complete successfully without data loss.

An attempt to automatically restart conversion on volume failed

Monitors failed BitLocker conversion restart attempts. Important for data protection and ensuring encryption processes can recover from interruptions.

Volume returning errors while trying to modify metadata. If failures continue, decrypt volume

Critical BitLocker alert indicating potential disk corruption. Important for data protection and preventing data loss during encryption operations.

Attempt to write metadata to volume failed and may appear as disk corruption

Critical BitLocker metadata write failure. Important for data integrity and detecting potential disk issues that could affect encrypted volume functionality.

An account logged off

Tracks user logoff events. Useful for session monitoring, understanding user activity patterns, and detecting unusual logoff behavior or forced disconnections.

A Kerberos authentication ticket request failed

Monitors failed Kerberos ticket requests. Important for detecting authentication issues, expired accounts, or potential attacks against the Kerberos authentication system.

Password hash an account was accessed

Critical security event indicating password hash access. Could indicate credential dumping attacks, legitimate password recovery, or unauthorized access to authentication data.

A registry value was changed

Tracks modifications to Windows registry values. Configure selectively as it can generate high volumes. Critical for tracking system configuration changes and detecting malware persistence.

A rule was added to the Windows Firewall exception list

Monitors addition of new firewall exceptions. Important for network security as new exceptions could create attack vectors or indicate malware attempting to open network access.

A rule was modified in the Windows Firewall exception list

Tracks changes to existing firewall rules. Critical for maintaining network security posture and detecting unauthorized modifications to firewall protections.

Group Policy settings for Windows Firewall has changed

Monitors Group Policy changes affecting firewall configuration. Important for centralized security management and detecting unauthorized policy modifications.

The Windows Firewall service has been stopped

Critical alert indicating firewall service shutdown. Immediate security concern as the system loses network protection and becomes vulnerable to attacks.

Windows Firewall blocked an application from accepting incoming traffic

Tracks applications blocked from receiving network connections. Useful for security monitoring and detecting potential malware attempting to establish network communication.

Windows Filtering Platform blocked an application or service from listening on a port

Monitors applications blocked from network listening. Important for detecting malware attempting to open network services or troubleshooting legitimate application connectivity.

A Windows Filtering Platform filter was changed

Tracks modifications to WFP filtering rules. Important for network security monitoring and detecting unauthorized changes to advanced firewall filtering.

PowerShell Module Logging

Monitors PowerShell module usage and loading. Critical for detecting malicious PowerShell usage, tracking administrative activities, and investigating security incidents involving PowerShell.

PowerShell Script Block Logging

Tracks PowerShell script execution at the block level. Essential for security monitoring as PowerShell is commonly used in attacks and legitimate administration.

Handle to an object was closed

Monitors when object handles are closed. Part of detailed object access auditing for high-security environments. Can help track resource usage and detect unusual access patterns.

Attempt to create a hard link was made

Tracks hard link creation attempts. Important for file system security as hard links can be used to maintain access to files even after deletion attempts.

Calling privileged service

Monitors calls to privileged system services. Important for tracking high-level system operations and detecting unauthorized use of privileged functionality.

Attempted operation on a privileged object

Tracks operations attempted on privileged system objects. Critical for monitoring access to sensitive system resources and detecting privilege escalation attempts.

Transaction state change

Monitors changes in transaction states for transactional file operations. Important for file system integrity and detecting issues with transactional NTFS operations.

Indirect access to an object was requested

Tracks indirect object access requests. Part of detailed object access auditing for monitoring complex access patterns and potential security violations.

File was virtualized

Monitors file virtualization events in Windows. Important for application compatibility monitoring and detecting issues with legacy application file access.

Malware scan stopped before completing scan

Tracks incomplete antivirus scans. Important for security monitoring as incomplete scans could leave threats undetected and indicate system issues.

Malware scan paused

Monitors when antivirus scans are paused. Important for ensuring continuous protection and detecting potential interference with security scanning.

Malware scan failed

Tracks antivirus scan failures. Critical for security monitoring as scan failures could leave threats undetected and indicate system or antivirus issues.

Malware or unwanted software detected

Critical security alert indicating threat detection by antivirus. Immediate attention required to assess threat severity and ensure proper remediation.

Action to protect system performed

Monitors successful antivirus remediation actions. Important for tracking threat response and ensuring detected threats are properly contained or removed.

Action to protect system failed

Tracks failed antivirus remediation attempts. Critical alert indicating threats that couldn't be automatically remediated and may require manual intervention.

Item restored from quarantine

Monitors when quarantined items are restored. Important for tracking potential false positives and ensuring legitimate files aren't permanently lost to quarantine.

Unable to delete item in quarantine

Tracks quarantine deletion failures. Important for security monitoring as persistent threats might indicate advanced malware or system integrity issues.

Microsoft Defender Antivirus detected a suspicious behavior

Monitors behavioral detection by Windows Defender. Important for detecting zero-day threats and advanced attacks that don't match traditional signature-based detection.

Critical error occurred when taking action on malware

Critical alert indicating severe antivirus operation failures. Could indicate system compromise, antivirus tampering, or critical system issues affecting security protection.

Detected a BSOD error

Monitors Blue Screen of Death occurrences. Important for system stability and security as crashes could indicate hardware failures, driver issues, or potential security exploitation.
