Threat protection
Windows Defender Advanced Threat Protection
Overview
Attack surface reduction
Hardware-based isolation
Application isolation
System integrity
Application control
Exploit protection
Network protection
Controlled folder access
Attack surface reduction
Network firewall
Next generation protection
Endpoint detection and response
Security operations dashboard
Incidents queue
View and organize the Incidents queue
Manage incidents
Investigate incidents
Alerts queue
View and organize the Alerts queue
Manage alerts
Investigate alerts
Investigate files
Investigate machines
Investigate an IP address
Investigate a domain
Investigate a user account
Machines list
View and organize the Machines list
Manage machine group and tags
Alerts related to this machine
Machine timeline
Take response actions
Take response actions on a machine
Take response actions on a file
Automated investigation and remediation
Learn about the automated investigation and remediation dashboard
Secure score
Threat analytics
Advanced hunting
Query data using Advanced hunting
Advanced hunting reference
Advanced hunting query language best practices
Custom detections
Create custom detections rules
Management and APIs
Understand threat intelligence concepts
Windows Defender ATP APIs
Managed security service provider support
Microsoft threat protection
Protect users, data, and devices with conditional access
Microsoft Cloud App Security integration overview
Information protection in Windows overview
Microsoft Threat Experts
Portal overview
Get started
What's new in Windows Defender ATP
Minimum requirements
Validate licensing and complete setup
Preview features
Data storage and privacy
Assign user access to the portal
Evaluate Windows Defender ATP
Evaluate attack surface reduction
Hardware-based isolation
Application control
Exploit protection
Network Protection
Controlled folder access
Attack surface reduction
Network firewall
Evaluate next generation protection
Access the Windows Defender Security Center Community Center
Configure and manage capabilities
Configure attack surface reduction
Hardware-based isolation
System isolation
Application isolation
Application control
Device control
Control USB devices
Device Guard
Exploit protection
Import/export configurations
Network protection
Controlled folder access
Attack surface reduction controls
Customize attack surface reduction
Network firewall
Configure next generation protection
Utilize Microsoft cloud-delivered protection
Enable cloud-delivered protection
Specify the cloud-delivered protection level
Configure and validate network connections
Enable Block at first sight
Configure the cloud block timeout period
Configure behavioral, heuristic, and real-time protection
Detect and block Potentially Unwanted Applications
Enable and configure always-on protection and monitoring
Antivirus on Windows Server 2016
Antivirus compatibility
Use limited periodic antivirus scanning
Deploy, manage updates, and report on antivirus
Deploy and enable antivirus
Report on antivirus protection
Manage updates and apply baselines
Customize, initiate, and review the results of scans and remediation
Configure and validate exclusions in antivirus scans
Configure scanning antivirus options
Configure remediation for scans
Configure scheduled scans
Configure and run scans
Review scan results
Run and review the results of an offline scan
Restore quarantined files
Manage antivirus in your business
Use Group Policy settings to configure and manage antivirus
Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus
Use PowerShell cmdlets to configure and manage antivirus
Use Windows Management Instrumentation (WMI) to configure and manage antivirus
Use the mpcmdrun.exe command-line tool to configure and manage antivirus
Manage scans and remediation
Configure and validate exclusions in antivirus scans
Configure scanning options
Configure remediation for scans
Configure scheduled scans
Configure and run scans
Review scan results
Run and review the results of an offline scan
Restore quarantined files
Manage next generation protection in your business
Use Microsoft Intune and System Center Configuration Manager to manage next generation protection
Use Group Policy settings to manage next generation protection
Use PowerShell cmdlets to manage next generation protection
Use Windows Management Instrumentation (WMI) to manage next generation protection
Use the mpcmdrun.exe command-line tool to manage next generation protection
Configure Secure score dashboard security controls
Management and API support
Onboard machines
Onboard previous versions of Windows
Onboard Windows 10 machines
Onboard servers
Onboard non-Windows machines
Onboard machines without Internet access
Run a detection test on a newly onboarded machine
Run simulated attacks on machines
Configure proxy and Internet connectivity settings
Troubleshoot onboarding issues
Windows Defender ATP API
Get started with Windows Defender ATP APIs
APIs
How to use APIs - Samples
Windows updates (KB) info
Get KbInfo collection
Common Vulnerabilities and Exposures (CVE) to KB map
Get CVE-KB map
API for custom alerts
Enable the custom threat intelligence application
Use the threat intelligence API to create custom alerts
Create custom threat intelligence alerts
PowerShell code examples
Python code examples
Experiment with custom threat intelligence alerts
Troubleshoot custom threat intelligence issues
Pull alerts to your SIEM tools
Enable SIEM integration
Configure Splunk to pull alerts
Configure HP ArcSight to pull alerts
Windows Defender ATP SIEM alert API fields
Pull alerts using SIEM REST API
Troubleshoot SIEM tool integration issues
Reporting
Create and build Power BI reports using Windows Defender ATP data
Threat protection reports
Machine health and compliance reports
Interoperability
Partner applications
Role-based access control
Manage portal access using RBAC
Configure managed security service provider (MSSP) support
Configure and manage Microsoft Threat Experts capabilities
Configure Microsoft threat protection integration
Configure conditional access
Configure Microsoft Cloud App Security integration
Configure information protection in Windows
Configure Windows Defender Security Center settings
General
Update data retention settings
Configure alert notifications
Enable and create Power BI reports using Windows Defender Security Center data
Enable Secure score security controls
Configure advanced features
Permissions
Use basic permissions to access the portal
Manage portal access using RBAC
APIs
Enable Threat intel
Enable SIEM integration
Rules
Manage suppression rules
Manage automation allowed/blocked lists
Manage indicators
Manage automation file uploads
Manage automation folder exclusions
Machine management
Onboarding machines
Offboarding machines
Configure Windows Defender Security Center time zone settings
Troubleshoot Windows Defender ATP
Troubleshoot sensor state
Check sensor state
Fix unhealthy sensors
Inactive machines
Misconfigured machines
Review sensor events and errors on machines with Event Viewer
Troubleshoot Windows Defender ATP service issues
Check service health
Troubleshoot attack surface reduction
Network protection
Attack surface reduction rules
Collect diagnostic data for files
Troubleshoot next generation protection
Security intelligence
Understand malware & other threats
Prevent malware infection
Malware names
Coin miners
Exploits and exploit kits
Fileless threats
Macro malware
Phishing
Ransomware
Rootkits
Supply chain attacks
Tech support scams
Trojans
Unwanted software
Worms
How Microsoft identifies malware and PUA
Submit files for analysis
Safety Scanner download
Industry antivirus tests
Industry collaboration programs
Virus information alliance
Microsoft virus initiative
Coordinated malware eradication
Information for developers
Software developer FAQ
Software developer resources
Windows Certifications
FIPS 140 Validations
Common Criteria Certifications
More Windows 10 security
The Windows Security app
Customize the Windows Security app for your organization
Hide Windows Security app notifications
Manage Windows Security app in Windows 10 in S mode
Virus and threat protection
Account protection
Firewall and network protection
App and browser control
Device security
Device performance and health
Family options
SmartScreen
SmartScreen Group Policy and mobile device management (MDM) settings
Set up and use SmartScreen on individual devices
Windows Defender Device Guard: virtualization-based security and WDAC
Control the health of Windows 10-based devices
Mitigate threats by using Windows 10 security features
Override Process Mitigation Options to help enforce app-related security policies
Use Windows Event Forwarding to help with intrusion detection
Block untrusted fonts in an enterprise
Security auditing
Basic security audit policies
Create a basic audit policy for an event category
Apply a basic audit policy on a file or folder
View the security event log
Basic security audit policy settings
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
Advanced security audit policies
Planning and deploying advanced security audit policies
Advanced security auditing FAQ
Which editions of Windows support advanced audit policy configuration
How to list XML elements in <EventData>
Using advanced security auditing options to monitor dynamic access control objects
Advanced security audit policy settings
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Account Logon Events
Audit Application Group Management
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management
Audit DPAPI Activity
Audit PNP Activity
Audit Process Creation
Audit Process Termination
Audit RPC Events
Audit Detailed Directory Service Replication
Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication
Audit Account Lockout
Audit User/Device Claims
Audit Group Membership
Audit IPsec Extended Mode
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Logoff
Audit Logon
Audit Network Policy Server
Audit Other Logon/Logoff Events
Audit Special Logon
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit Other Object Access Events
Audit Registry
Audit Removable Storage
Audit SAM
Audit Central Access Policy Staging
Audit Audit Policy Change
Audit Authentication Policy Change
Audit Authorization Policy Change
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events
Audit Sensitive Privilege Use
Audit Non Sensitive Privilege Use
Audit Other Privilege Use Events
Audit IPsec Driver
Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity
Other Events
Appendix A: Security monitoring recommendations for many audit events
Registry (Global Object Access Auditing)
File System (Global Object Access Auditing)
Security policy settings
Administer security policy settings
Network List Manager policies
Configure security policy settings
Security policy settings reference
Account Policies
Password Policy
Account Lockout Policy
Kerberos Policy
Audit Policy
Security Options
Accounts: Administrator account status
Accounts: Block Microsoft accounts
Accounts: Guest account status
Accounts: Limit local account use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Audit: Shut down system immediately if unable to log security audits
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Domain controller: Allow server operators to schedule tasks
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Display user information when the session is locked
Interactive logon: Don't display last signed-in
Interactive logon: Don't display username at sign-in
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Machine account lockout threshold
Interactive logon: Machine inactivity limit
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
SMBv1 Microsoft network client: Digitally sign communications (always)
SMBv1 Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Attempt S4U2Self to obtain claim information
Microsoft network server: Digitally sign communications (always)
SMBv1 Microsoft network server: Digitally sign communications (always)
SMBv1 Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Microsoft network server: Server SPN target name validation level
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of passwords and credentials for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and subpaths
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Restrict clients allowed to make remote calls to SAM
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Allow Local System to use computer identity for NTLM
Network security: Allow LocalSystem NULL session fallback
Network security: Allow PKU2U authentication requests to this computer to use online identities
Network security: Configure encryption types allowed for Kerberos Win7 only
Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Network security: Restrict NTLM: Add server exceptions in this domain
Network security: Restrict NTLM: Audit incoming NTLM traffic
Network security: Restrict NTLM: Audit NTLM authentication in this domain
Network security: Restrict NTLM: Incoming NTLM traffic
Network security: Restrict NTLM: NTLM authentication in this domain
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user keys stored on the computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
System settings: Optional subsystems
System settings: Use certificate rules on Windows executables for Software Restriction Policies
User Account Control: Admin Approval Mode for the Built-in Administrator account
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated
User Account Control: Only elevate UIAccess applications that are installed in secure locations
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations
Advanced security audit policy settings
User Rights Assignment
Access Credential Manager as a trusted caller
Access this computer from the network
Act as part of the operating system
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Remote Desktop Services
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create a token object
Create global objects
Create permanent shared objects
Create symbolic links
Debug programs
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Generate security audits
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Load and unload device drivers
Lock pages in memory
Log on as a batch job
Log on as a service
Manage auditing and security log
Modify an object label
Modify firmware environment values
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Replace a process level token
Restore files and directories
Shut down the system
Synchronize directory service data
Take ownership of files or other objects
Windows security guidance for enterprises
Windows security baselines
Security Compliance Toolkit
Get support
Windows security configuration framework
Level 5 enterprise security
Level 4 enterprise high security
Level 3 enterprise VIP security
Level 2 enterprise dev/ops workstation
Level 1 enterprise administrator workstation
MBSA removal and alternatives
Windows 10 Mobile security guide
Change history for Threat protection
Threat Protection
4/30/2019 • 2 minutes to read
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
NOTE
The Windows Defender Security Center is currently going through rebranding. All references to Windows Defender will be replaced with Microsoft Defender. You will see the updates in the user interface and in the documentation library in the next few months.
Windows Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent,
detect, investigate, and respond to advanced threats.
Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
- Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Windows Defender ATP.
- Cloud security analytics: Leveraging big data, machine learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Office 365), and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
- Threat intelligence: Generated by Microsoft hunters and security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Windows Defender ATP to identify attacker tools, techniques, and procedures, and generate alerts when these are observed in collected sensor data.
TIP
Learn about the latest enhancements in Windows Defender ATP: What's new in Windows Defender ATP.
Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation.
Read: Insights from the MITRE ATT&CK-based evaluation.
In this section
To help you maximize the effectiveness of the security platform, you can configure individual capabilities that
surface in Windows Defender Security Center.
- Get started: Learn about the requirements of the platform and the initial steps you need to take to get started with Windows Defender ATP.
- Configure and manage capabilities: Configure and manage the individual capabilities in Windows Defender ATP.
- Troubleshoot Windows Defender ATP: Learn how to address issues that you might encounter while using the platform.
Related topic
Windows Defender ATP helps detect sophisticated threats
Overview of Windows Defender ATP capabilities
4/30/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Understand the concepts behind the capabilities in Windows Defender ATP so that you can take full advantage of the complete threat protection platform.
TIP
Learn about the latest enhancements in Windows Defender ATP: What's new in Windows Defender ATP.
Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation.
Read: Insights from the MITRE ATT&CK-based evaluation.
In this section
- Threat & Vulnerability Management: Reduce organizational vulnerability exposure and increase threat resilience while seamlessly connecting workflows across security stakeholders (security administrators, security operations, and IT administrators) in remediating threats.
- Attack surface reduction: Leverage the attack surface reduction capabilities to protect the perimeter of your organization.
- Next generation protection: Learn about the antivirus capabilities in Windows Defender ATP so you can protect desktops, portable computers, and servers.
- Endpoint detection and response: Understand how Windows Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats.
- Automated investigation and remediation: In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
- Secure score: Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization, all in one place.
- Microsoft Threat Experts: Managed cybersecurity threat hunting service. Learn how you can get expert-driven insights and data through targeted attack notification and access to experts on demand.
- Advanced hunting: Use a powerful search and query language to create custom queries and detection rules.
- Management and APIs: Windows Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows.
- Microsoft Threat Protection: Microsoft security products work better together. Learn about other security capabilities in the Microsoft threat protection stack.
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Attack surface reduction capabilities in Windows Defender ATP help protect the devices and applications in your organization from new and emerging threats.
- Hardware-based isolation: Protects and maintains the integrity of the system as it starts and while it's running, and validates system integrity through local and remote attestation. In addition, container isolation for Microsoft Edge helps protect the host operating system from malicious websites.
- Application control: Moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run.
- Network protection: Extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV.
- Controlled folder access: Helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV.
- Attack surface reduction: Reduces the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV.
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Windows Defender
ATP.
- Windows Defender Application Guard: Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard's secure container, keeping the desktop PC protected and the attacker away from your enterprise data.
- Windows Defender System Guard: System Guard protects and maintains the integrity of the system as it starts and after it's running, and validates system integrity by using attestation.
Windows Defender Application Guard overview
4/8/2019 • 4 minutes to read
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks while keeping employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
- HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores.
- HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.
- HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.
Q: Can employees copy and paste between the host device and the Application Guard Edge session?
A: Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.
Related topics
- System requirements for Windows Defender Application Guard: Specifies the prerequisites necessary to install and use Application Guard.
- Prepare and install Windows Defender Application Guard: Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.
- Configure the Group Policy settings for Windows Defender Application Guard: Provides info about the available Group Policy and MDM settings.
- Testing scenarios using Windows Defender Application Guard: Provides a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your business or organization.
System requirements for Windows Defender Application Guard
4/30/2019 • 2 minutes to read
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old and newly emerging attacks and to help keep employees productive.
NOTE
Windows Defender Application Guard is not supported in VM and VDI environments. For testing and automation on non-production machines, you can enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
Hardware requirements
Your environment needs the following hardware to run Windows Defender Application Guard.
- CPU virtualization extensions: Extended page tables, also called Second Level Address Translation (SLAT), AND VT-x (Intel) OR AMD-V.
- Input/Output Memory Management Unit (IOMMU) support: Not required, but strongly recommended.
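The hardware requirements above and the Hvsi registry overrides listed earlier in the Application Guard FAQ are the two things an administrator usually has to verify before rolling the feature out. The following PowerShell function is an added example written for this page, not code from the Microsoft documentation: it reads the three Hvsi values (falling back to the documented defaults of 4 cores, 8 GB and 5 GB when a value is absent), compares them with the host's actual resources, checks the SLAT and VT-x/AMD-V prerequisites through Get-ComputerInfo, and reports whether the Windows-Defender-ApplicationGuard optional feature is enabled. The function name and the report layout are this example's own choices; it changes nothing on the host.

```powershell
# Added example, not from the Microsoft docs page: a read-only inventory of a Windows 10
# host against the Application Guard prerequisites described above. The three Hvsi
# registry values and their defaults (4 cores, 8 GB RAM, 5 GB free disk) come from the
# page; the function name and report layout are this example's own choices.
# Run in an elevated Windows PowerShell 5.1 session. Nothing is changed on the host.

function Test-ApplicationGuardPrerequisites {
    [CmdletBinding()]
    param()

    # Effective thresholds: an explicit Hvsi override wins, otherwise the documented default.
    $hvsi = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Hvsi' -ErrorAction SilentlyContinue
    $reqCores  = if ($hvsi.SpecRequiredProcessorCount)    { [int]$hvsi.SpecRequiredProcessorCount }    else { 4 }
    $reqMemGB  = if ($hvsi.SpecRequiredMemoryInGB)        { [int]$hvsi.SpecRequiredMemoryInGB }        else { 8 }
    $reqDiskGB = if ($hvsi.SpecRequiredFreeDiskSpaceInGB) { [int]$hvsi.SpecRequiredFreeDiskSpaceInGB } else { 5 }

    # Observed resources on this host.
    $cores  = (Get-CimInstance Win32_Processor | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
    $memGB  = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    $sysVol = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $freeGB = [math]::Round($sysVol.FreeSpace / 1GB, 1)

    # Virtualization prerequisites from the hardware table: SLAT plus VT-x/AMD-V enabled in
    # firmware. Get-ComputerInfo reports these as $null once a hypervisor is already running,
    # which itself proves the CPU and firmware support them, so HyperVisorPresent counts as a pass.
    $props = @('HyperVisorPresent',
               'HyperVRequirementSecondLevelAddressTranslation',
               'HyperVRequirementVirtualizationFirmwareEnabled',
               'HyperVRequirementVMMonitorModeExtensions')
    $ci     = Get-ComputerInfo -Property $props
    $slatOk = $ci.HyperVisorPresent -or $ci.HyperVRequirementSecondLevelAddressTranslation
    $vtOk   = $ci.HyperVisorPresent -or ($ci.HyperVRequirementVMMonitorModeExtensions -and
                                         $ci.HyperVRequirementVirtualizationFirmwareEnabled)

    # Whether the Application Guard optional feature is already enabled on this host.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue

    # One row per check. IOMMU is recommended rather than required on the page and is not probed here.
    $rows = [ordered]@{
        'SLAT (Second Level Address Translation)'                          = [bool]$slatOk
        'VT-x / AMD-V enabled in firmware'                                 = [bool]$vtOk
        "Logical processors >= $reqCores (found $cores)"                   = ($cores -ge $reqCores)
        "Physical memory >= $reqMemGB GB (found $memGB)"                   = ($memGB -ge $reqMemGB)
        "Free space on $env:SystemDrive >= $reqDiskGB GB (found $freeGB)"  = ($freeGB -ge $reqDiskGB)
        'Windows-Defender-ApplicationGuard feature enabled'                = ($feature.State -eq 'Enabled')
    }
    foreach ($entry in $rows.GetEnumerator()) {
        [pscustomobject]@{ Check = $entry.Key; Passed = $entry.Value }
    }
}

Test-ApplicationGuardPrerequisites | Format-Table -AutoSize
```

The Hvsi lookups are deliberately tolerant of a missing key: on an untouched host the key does not exist, the property reads return nothing, and the documented defaults apply, which is exactly how the FAQ describes the behaviour. A failed "VT-x / AMD-V" row on a machine whose CPU supports it almost always means the extension is disabled in firmware, which no software change fixes.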
Software requirements
Your environment needs the following software to run Windows Defender Application Guard.
SOFTWARE DESCRIPTION
-OR-
Group Policy
-OR-
In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the
Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must
be trustworthy.
Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof
and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
- Protect and maintain the integrity of the system as it starts up
- Validate that system integrity has truly been maintained through local and remote attestation
After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM.
Upon request, a management system like Intune or System Center Configuration Manager can acquire them for
remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management
system can take a series of actions, such as denying the device access to resources.
Windows Defender Application Control
4/5/2019 • 2 minutes to read
Applies to:
Windows 10
Windows Server 2016
Windows Server 2019
With thousands of new malicious files created every day, using traditional methods like antivirus solutions (signature-based detection) to fight malware provides an inadequate defense against new attacks. In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative.
However, when a user runs a process, that process has the same level of access to data that the user has. As a
result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or
unknowingly runs malicious software.
Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has
an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the
traditional application trust model where all applications are assumed trustworthy by default to one where
applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand
this and frequently cite application control as one of the most effective means for addressing the threat of
executable file-based malware (.exe, .dll, etc.).
Windows Defender Application Control (WDAC) can help mitigate these types of security threats by restricting the
applications that users are allowed to run and the code that runs in the System Core (kernel). WDAC policies also
block unsigned scripts and MSIs, and Windows PowerShell runs in Constrained Language Mode.
NOTE
Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity policies.
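The following PowerShell is an added example, not code from the Microsoft documentation, showing the "applications must earn trust" model described above in practice: it builds a WDAC policy from a reference machine, deploys it in audit mode, and reads the Code Integrity events that reveal what enforcement would block. The working directory is an assumption; the ConfigCI cmdlets require an elevated session on a supported Windows 10 edition.

```powershell
# Added example (not from the Microsoft docs): create a WDAC policy, deploy it in audit mode,
# and review what enforcement would have blocked before switching to enforcing.
$workDir   = 'C:\WDAC'                                   # assumed working directory
$policyXml = Join-Path $workDir 'InitialPolicy.xml'
$policyBin = Join-Path $workDir 'SIPolicy.p7b'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Trust by publisher where files are signed, by hash where they are not. Scanning the whole
# volume takes a long time; do this on a clean reference image, not an arbitrary endpoint.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\' -FilePath $policyXml

# Rule option 3 = "Enabled:Audit Mode": unauthorized code is logged, not blocked.
Set-RuleOption -FilePath $policyXml -Option 3

# Compile the XML into the binary the kernel consumes. In the single-policy format, copying
# it to this path and restarting activates it.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
Copy-Item -Path $policyBin -Destination 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force

# After the restart: 3076 = would have been blocked (audit), 3077 = blocked (enforced).
function Get-CodeIntegrityEvents {
    param([int]$Newest = 100)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 } `
        -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
Get-CodeIntegrityEvents | Format-Table -Wrap

# With user-mode code integrity enforced, PowerShell runs in Constrained Language Mode,
# as the text above states; this shows the current mode.
$ExecutionContext.SessionState.LanguageMode

# Once the audit log shows only expected entries, drop the audit option, recompile, redeploy:
# Set-RuleOption -FilePath $policyXml -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
```

Every 3076 event during the audit phase is either a binary that belongs in the policy (add a rule for it) or something that should not be running; sorting the log into those two buckets is the work that makes the later switch to enforcement safe.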
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes
and apps.
It is part of Windows Defender Exploit Guard. Exploit protection is supported beginning with Windows 10,
version 1709 and Windows Server 2016, version 1803.
TIP
You can visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working and
see how it works.
Exploit protection works best with Windows Defender Advanced Threat Protection - which gives you detailed
reporting into exploit protection events and blocks as part of the usual alert investigation scenarios.
You can enable exploit protection on an individual machine, and then use Group Policy to distribute the XML file
to multiple devices at once.
When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can
customize the notification with your company details and contact information. You can also enable the rules
individually to customize what techniques the feature monitors.
You can also use audit mode to evaluate how exploit protection would impact your organization if it were enabled.
Many of the features in the Enhanced Mitigation Experience Toolkit (EMET) have been included in Exploit
protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See
Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard for more
information on how Exploit protection supersedes EMET and what the benefits are when considering moving to
exploit protection on Windows 10.
IMPORTANT
If you are currently using EMET you should be aware that EMET reached end of life on July 31, 2018. You should consider
replacing EMET with exploit protection in Windows 10. You can convert an existing EMET configuration file into exploit
protection to make the migration easier and keep your existing settings.
WARNING
Some security mitigation technologies may have compatibility issues with some applications. You should test exploit
protection in all target use scenarios by using audit mode before deploying the configuration across a production
environment or the rest of your network.
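The audit-first rollout the WARNING calls for, as an added example that is not part of the Microsoft documentation. It uses the ProcessMitigation cmdlets that ship with Windows 10; the process name, the export path, and the EMET profile path in the commented lines are assumptions.

```powershell
# Added example (not from the Microsoft docs): audit mitigations for one process, read what
# audit mode recorded, enforce, then export the XML that Group Policy distributes.
$target    = 'ContosoLob.exe'                      # hypothetical line-of-business executable
$exportXml = 'C:\ExploitProtection\Baseline.xml'   # assumed export path
New-Item -ItemType Directory -Path (Split-Path $exportXml) -Force | Out-Null

# 1. Audit first. The Audit* variants log a would-be block to the Security-Mitigations event
#    logs instead of terminating the process, so compatibility problems surface safely.
Set-ProcessMitigation -Name $target -Enable AuditDynamicCode, AuditEnableExportAddressFilter,
    AuditEnableRopStackPivot, AuditEnableRopCallerCheck

# Effective settings for that process, and the system-wide defaults it inherits from.
Get-ProcessMitigation -Name $target
Get-ProcessMitigation -System

# 2. Review the audit data. Exploit protection writes to these two logs; an empty result
#    means nothing would have been blocked so far.
function Get-ExploitProtectionEvents {
    param([int]$Newest = 50)
    foreach ($log in 'Microsoft-Windows-Security-Mitigations/UserMode',
                     'Microsoft-Windows-Security-Mitigations/KernelMode') {
        Get-WinEvent -LogName $log -MaxEvents $Newest -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, ProviderName, Message
    }
}
Get-ExploitProtectionEvents | Format-Table -Wrap

# 3. When the audit log is clean, swap the audit variants for the enforcing ones.
Set-ProcessMitigation -Name $target `
    -Disable AuditDynamicCode, AuditEnableExportAddressFilter, AuditEnableRopStackPivot, AuditEnableRopCallerCheck `
    -Enable  BlockDynamicCode, EnableExportAddressFilter, EnableRopStackPivot, EnableRopCallerCheck

# 4. Export the whole configuration; this XML is what Group Policy pushes to other devices.
Get-ProcessMitigation -RegistryConfigFilePath $exportXml

# Optional: migrate an existing EMET profile rather than starting from scratch (paths assumed).
# ConvertTo-ProcessMitigationPolicy -EMETFilePath 'C:\EMET\Profile.xml' -OutputFilePath 'C:\ExploitProtection\FromEmet.xml'
# Set-ProcessMitigation -PolicyFilePath 'C:\ExploitProtection\FromEmet.xml'
```

Keeping step 3 as a separate, explicit change (rather than enabling block and audit variants together) makes it obvious from the exported XML which mitigations have actually been validated against the application.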
This section compares exploit protection in Windows Defender ATP with the Enhanced Mitigation Experience
Toolkit (EMET) for reference. The table in this section illustrates the differences between EMET and Windows
Defender Exploit Guard.
| WINDOWS DEFENDER EXPLOIT GUARD | EMET
Windows versions | All versions of Windows 10 starting with version 1709 | Windows 8.1; Windows 8; Windows 7. Cannot be installed on Windows 10, version 1709 and later
User interface | Modern interface integrated with the Windows Security app | Older, complex interface that requires considerable ramp-up training
Supportability | Dedicated submission-based support channel[1]; part of the Windows 10 support lifecycle | Ends after July 31, 2018
Updates | Ongoing updates and development of new features, released twice yearly as part of the Windows 10 semi-annual update channel | No planned updates or development
Exploit protection | All EMET mitigations plus new, specific mitigations (see table); can convert and import existing EMET configurations | Limited set of mitigations
Network protection[2] | Helps block malicious network connections | Not available
Microsoft Intune | Use Intune to customize, deploy, and manage configurations | Not available
Reporting | With Windows event logs and full audit mode reporting; full integration with Windows Defender Advanced Threat Protection | Limited Windows event log monitoring
Audit mode | Full audit mode with Windows event reporting | Limited to EAF, EAF+, and anti-ROP mitigations
(1) Requires an enterprise subscription with Azure Active Directory or a Software Assurance ID.
(2) Additional requirements may apply (such as use of Windows Defender Antivirus). See Windows Defender
Exploit Guard requirements for more details. Customizable mitigation options that are configured with exploit
protection do not require Windows Defender Antivirus.
Mitigation comparison
The mitigations available in EMET are included in Windows Defender Exploit Guard, under the exploit protection
feature.
The table in this section indicates the availability and support of native mitigations between EMET and exploit
protection.
MITIGATION | AVAILABLE IN WINDOWS DEFENDER EXPLOIT GUARD | AVAILABLE IN EMET
NOTE
The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10; the other EMET
advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations
for a process.
See Mitigate threats by using Windows 10 security features for more information on how Windows 10 employs
existing EMET technology.
Related topics
Protect devices from exploits
Evaluate exploit protection
Enable exploit protection
Configure and audit exploit protection mitigations
Import, export, and deploy exploit protection configurations
Troubleshoot exploit protection
Protect your network
5/1/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents
employees from using any application to access dangerous domains that may host phishing scams, exploits, and
other malicious content on the Internet.
It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(S) traffic that attempts to
connect to low-reputation sources (based on the domain or hostname).
Network protection is supported beginning with Windows 10, version 1709.
TIP
You can visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working and
see how it works.
Network protection works best with Windows Defender Advanced Threat Protection, which gives you detailed
reporting into Windows Defender EG events and blocks as part of the usual alert investigation scenarios.
When network protection blocks a connection, a notification will be displayed from the Action Center. You can
customize the notification with your company details and contact information. You can also enable the rules
individually to customize what techniques the feature monitors.
You can also use audit mode to evaluate how Network protection would impact your organization if it were
enabled.
Requirements
Network protection requires Windows 10 Pro, Enterprise E3, E5 and Windows Defender AV real-time protection.
Windows 10 version 1709 or later | Windows Defender AV real-time protection and cloud-delivered protection must be enabled
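As an added example (not code from the Microsoft documentation), this PowerShell stages network protection through the audit mode described above, verifies the two prerequisites in the requirements table, and lists what the feature logged before anything is enforced. It relies on the Defender cmdlets Get-MpPreference, Get-MpComputerStatus, and Set-MpPreference; the event IDs 1125 (audit) and 1126 (block) are the Defender operational-log IDs network protection writes.

```powershell
# Added example (not from the Microsoft docs): audit-first rollout of network protection.
function Get-NetworkProtectionReadiness {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = [bool]$status.RealTimeProtectionEnabled
        # MAPSReporting: 0 = cloud-delivered protection off, 1 = Basic, 2 = Advanced
        CloudProtection    = ($pref.MAPSReporting -ne 0)
        # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
        NetworkProtection  = @('Disabled', 'Enabled', 'AuditMode')[[int]$pref.EnableNetworkProtection]
    }
}

# Network protection records 1125 (audit) and 1126 (block) in the Defender operational log.
function Get-NetworkProtectionEvents {
    param([int]$Newest = 100)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1125, 1126 } `
        -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ n = 'Mode'; e = { if ($_.Id -eq 1125) { 'Audit' } else { 'Block' } } },
            Message
}

# 1. Turn the feature on in audit mode: connections to low-reputation hosts are logged, not cut.
Set-MpPreference -EnableNetworkProtection AuditMode

# 2. Confirm the prerequisites from the requirements table; without both, nothing is evaluated.
$ready = Get-NetworkProtectionReadiness
$ready | Format-List
if (-not ($ready.RealTimeProtection -and $ready.CloudProtection)) {
    Write-Warning 'Real-time protection and cloud-delivered protection must both be on for network protection to work.'
}

# 3. Review the audit events; legitimate destinations that appear here need to be addressed
#    before enforcing, or users will lose access to them.
Get-NetworkProtectionEvents | Format-Table -Wrap

# 4. Enforce once the audit data is clean:
# Set-MpPreference -EnableNetworkProtection Enabled
```

The readiness function is worth keeping as a standing check: the feature silently does nothing when cloud-delivered protection is later turned off by another policy, and the absence of 1125/1126 events is then easy to misread as "no bad traffic".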
EVENT ID DESCRIPTION
Related topics
TOPIC | DESCRIPTION
Evaluate network protection | Undertake a quick scenario that demonstrates how the feature works, and what events would typically be created.
Enable network protection | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
Protect important folders with controlled folder access
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware.
Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. Controlled folder
access works best with Windows Defender Advanced Threat Protection, which gives you detailed reporting into
controlled folder access events and blocks as part of the usual alert investigation scenarios.
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus,
which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then
it will not be allowed to make changes to any files in any protected folder.
This is especially useful in helping to protect your documents and information from ransomware that can attempt
to encrypt your files and hold them hostage.
A notification will appear on the computer where the app attempted to make changes to a protected folder. You
can customize the notification with your company details and contact information. You can also enable the rules
individually to customize what techniques the feature monitors.
The protected folders include common system folders, and you can add additional folders. You can also allow or
whitelist apps to give them access to the protected folders.
You can use audit mode to evaluate how controlled folder access would impact your organization if it were
enabled. You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the
feature is working and see how it works.
Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019.
Requirements
Controlled folder access requires enabling Windows Defender Antivirus real-time protection.
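The folder and app customization described above, as an added example that is not part of the Microsoft documentation: it checks the real-time protection prerequisite, turns controlled folder access on in audit mode, adds a folder to the protected set, allows one application, and reads the resulting events. The folder and application paths are assumptions; the Defender cmdlets and the event IDs 1123 (block) and 1124 (audit) are real.

```powershell
# Added example (not from the Microsoft docs): controlled folder access, audit mode first.
$extraFolder = 'D:\Finance\Ledgers'                         # hypothetical data folder
$trustedApp  = 'C:\Program Files\Contoso\Ledger\ledger.exe'  # hypothetical line-of-business app

# Prerequisite stated above: the feature depends on real-time protection.
if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
    throw 'Windows Defender Antivirus real-time protection is off; controlled folder access needs it.'
}

# AuditMode logs writes that would be blocked without blocking them.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Add-MpPreference appends to the lists; Set-MpPreference would replace them outright.
Add-MpPreference -ControlledFolderAccessProtectedFolders $extraFolder
Add-MpPreference -ControlledFolderAccessAllowedApplications $trustedApp

# Show the effective configuration (system folders are protected implicitly and not listed).
Get-MpPreference |
    Select-Object EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications | Format-List

# 1123 = write to a protected folder blocked, 1124 = would have been blocked (audit mode).
function Get-CfaEvents {
    param([int]$Newest = 100)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124 } `
        -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ n = 'Mode'; e = { if ($_.Id -eq 1124) { 'Audit' } else { 'Block' } } },
            Message
}
# A legitimate app that keeps appearing here belongs on the allowed list, not in a disabled feature.
Get-CfaEvents | Format-Table -Wrap

# Enforce after review:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Allow-listing by application path is the intended way to reconcile line-of-business software with the feature; widening the exclusion to a whole folder would defeat the ransomware protection the section describes.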
EVENT ID DESCRIPTION
In this section
TOPIC | DESCRIPTION
Evaluate controlled folder access | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created.
Enable controlled folder access | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network.
Customize controlled folder access | Add additional protected folders, and allow specified apps to access protected folders.
Reduce attack surfaces with attack surface reduction rules
4/19/2019 • 10 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious
code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later,
Windows Server 2016 1803 or later, or Windows Server 2019.
To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5
license gives you the advanced management capabilities to power them. These include monitoring, analytics, and
workflows available in Windows Defender Advanced Threat Protection, as well as reporting and configuration
capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you
can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers,
including:
Executable files and scripts used in Office apps or web mail that attempt to download or run files
Obfuscated or otherwise suspicious scripts
Behaviors that apps don't usually initiate during normal day-to-day work
You can use audit mode to evaluate how attack surface reduction rules would impact your organization if they
were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-
business applications. Many line-of-business applications are written with limited security concerns, and they
may perform tasks similar to malware. By monitoring audit data and adding exclusions for necessary
applications, you can deploy attack surface reduction rules without impacting productivity.
Triggered rules display a notification on the device. You can customize the notification with your company details
and contact information. The notification also displays in the Windows Defender Security Center and in the
Microsoft 365 security center.
For information about configuring attack surface reduction rules, see Enable attack surface reduction rules.
Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps
apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack
surface reduction rules don't apply to any other Office apps.
Block executable content from email client and webmail
This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and
other popular webmail providers:
Executable files (such as .exe, .dll, or .scr)
Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client)
(no exceptions)
SCCM name: Block executable content from email client and webmail
GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block all Office applications from creating child processes
This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and
Access.
This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and
exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications
might also use behaviors like this, including spawning a command prompt or using PowerShell to configure
registry settings.
Intune name: Office apps launching child processes
SCCM name: Block Office application from creating child processes
GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content
This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save
malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious
code from being written to disk.
Intune name: Office apps/macros creating executable content
SCCM name: Block Office applications from creating executable content
GUID: 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes
Attackers might attempt to use Office apps to migrate malicious code into other processes through code
injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office
apps into other processes. There are no known legitimate business purposes for using code injection.
This rule applies to Word, Excel, and PowerPoint.
Intune name: Office apps injecting code into other processes (no exceptions)
SCCM name: Block Office applications from injecting code into other processes
GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content
Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload
from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious
use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-
business applications sometimes use scripts to download and launch installers. You can exclude scripts so they're
allowed to run.
IMPORTANT
File and folder exclusions don't apply to this attack surface reduction rule.
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
SCCM name: Block JavaScript or VBScript from launching downloaded executable content
GUID: D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide
intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated
script.
Intune name: Obfuscated js/vbs/ps/macro code
SCCM name: Block execution of potentially obfuscated scripts.
GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macros
Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't
use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using
Win32 APIs in VBA macros, which reduces the attack surface.
Intune name: Win32 imports from Office macro code
SCCM name: Block Win32 API calls from Office macros
GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or
they're in a trusted list or exclusion list:
Executable files (such as .exe, .dll, or .scr)
NOTE
You must enable cloud-delivered protection to use this rule.
IMPORTANT
The rule Block executable files from running unless they meet a prevalence, age, or trusted list criterion with GUID
01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered
protection to update its trusted list regularly.
You can specify individual files or folders (using folder paths or fully qualified resource names) as exclusions, but you
can't specify which rules the exclusions apply to.
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system
to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from
running, unless they're in a trusted list or exclusion list.
NOTE
You must enable cloud-delivered protection to use this rule.
NOTE
In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This
rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise.
If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry
doesn't necessarily indicate a malicious threat.
Intune name: Flag credential stealing from the Windows local security authority subsystem
SCCM name: Block credential stealing from the Windows local security authority subsystem
GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands
This rule blocks processes created through PsExec and WMI commands from running, to prevent remote code
execution that can spread malware attacks.
IMPORTANT
File and folder exclusions do not apply to this attack surface reduction rule.
WARNING
Only use this rule if you're managing your devices with Intune or another MDM solution. This rule is incompatible with
management through System Center Configuration Manager because this rule blocks WMI commands the SCCM client
uses to function correctly.
NOTE
This rule applies to Outlook and Outlook.com only.
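The audit-then-exclude-then-enforce rollout recommended at the top of this article, as an added PowerShell example that is not part of the Microsoft documentation. It uses the rule GUIDs documented above with the Defender cmdlets Set-MpPreference, Add-MpPreference, and Get-MpPreference; the excluded application path is an assumption, and 1121 (block) / 1122 (audit) are the Defender operational-log event IDs the rules write.

```powershell
# Added example (not from the Microsoft docs): deploy the ASR rules above in audit mode,
# summarize what they would have blocked per rule, add an exclusion, then enforce.
# GUIDs are the ones documented in this article; the hashtable lookup is case-insensitive.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from the Windows local security authority subsystem'
}

# Set-MpPreference replaces the whole Ids/Actions pair, so both arrays are built together and in order.
function Set-AsrRuleAction {
    param([ValidateSet('Disabled', 'Enabled', 'AuditMode')][string]$Action)
    $ids = @($asrRules.Keys)
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions (@($Action) * $ids.Count)
}

# Rule events: 1121 = blocked, 1122 = audited. The rule GUID is part of the event message,
# so it is pulled out with a regex and mapped back to the friendly name.
function Get-AsrAuditSummary {
    $guidPattern = '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $guid = [regex]::Match($_.Message, $guidPattern).Value
            [pscustomobject]@{
                Mode = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
                Rule = if ($asrRules[$guid]) { $asrRules[$guid] } else { $guid }
            }
        } |
        Group-Object Mode, Rule |
        Select-Object Count, Name | Sort-Object Count -Descending
}

# 1. Audit everything first.
Set-AsrRuleAction -Action AuditMode
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions

# 2. After a representative period, see which rules fire and on what.
Get-AsrAuditSummary | Format-Table -AutoSize

# 3. Exclude a legitimate app surfaced by the audit (path assumed). Note the article's caveat:
#    file and folder exclusions do not apply to the JS/VBS rule or the PsExec/WMI rule.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Contoso\LobApp\lobapp.exe'

# 4. Enforce once the audit summary shows only expected hits:
# Set-AsrRuleAction -Action Enabled
```

Grouping the 1122 events by rule before enforcing is what turns the audit phase into a decision: a rule with zero audit hits can be enabled immediately, while one dominated by a single line-of-business executable points at exactly which exclusion is needed.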
Related topics
Enable attack surface reduction rules
Evaluate attack surface reduction rules
Windows Defender Firewall with Advanced Security
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol
security (IPsec) features.
Feature description
Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing
host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized
network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network
Awareness so that it can apply security settings appropriate to the types of networks to which the device is
connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated
into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender
Firewall is also an important part of your network’s isolation strategy.
Practical applications
To help address your organizational network security challenges, Windows Defender Firewall offers the following
benefits:
Reduces the risk of network security threats. Windows Defender Firewall reduces the attack surface of a
device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device
increases manageability and decreases the likelihood of a successful attack.
Safeguards sensitive data and intellectual property. With its integration with IPsec, Windows
Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It
provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and
optionally helping to protect the confidentiality of the data.
Extends the value of existing investments. Because Windows Defender Firewall is a host-based firewall
that is included with the operating system, there is no additional hardware or software required. Windows
Defender Firewall is also designed to complement existing non-Microsoft network security solutions
through a documented application programming interface (API).
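As an added example that is not part of the Microsoft documentation, the following PowerShell shows the Network Awareness point above in practice: it reads the per-profile (Domain, Private, Public) defaults, makes sure every profile blocks unsolicited inbound traffic, and adds a rule that is only active while the device is on a Public network. It uses the NetSecurity module cmdlets; the rule name and the port chosen are assumptions for illustration.

```powershell
# Added example (not from the Microsoft docs): profile-aware host firewall baseline.
function Get-FirewallPosture {
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked
}

# Baseline: firewall on and inbound blocked by default on all three network types.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# Network-aware rule: Remote Desktop remains reachable on Domain/Private networks but is refused
# while the device is connected to an untrusted (Public) network. Port and name are assumptions.
$ruleName = 'Block inbound RDP on public networks'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -Profile Public -Action Block -Enabled True | Out-Null
}

# Log dropped packets on the Public profile so blocked connections are available for investigation.
Set-NetFirewallProfile -Profile Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

Get-FirewallPosture | Format-Table -AutoSize
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```

Because the rule is bound to the Public profile rather than to an address range, it follows the device: the same policy behaves differently on the corporate LAN and in a coffee shop without any change on the host, which is the practical meaning of the Network Awareness integration described above.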
In this section
TOPIC | DESCRIPTION
Isolating Microsoft Store Apps on Your Network | You can customize your Windows Defender Firewall configuration to isolate the network access of Microsoft Store apps that run on devices.
Securing End-to-End IPsec Connections by Using IKEv2 | You can use IKEv2 to help secure your end-to-end IPsec connections.
Windows Defender Firewall with Advanced Security Administration with Windows PowerShell | Learn more about using Windows PowerShell to manage the Windows Defender Firewall.
Windows Defender Firewall with Advanced Security Design Guide | Learn how to create a design for deploying Windows Defender Firewall with Advanced Security.
Windows Defender Firewall with Advanced Security Deployment Guide | Learn how to deploy Windows Defender Firewall with Advanced Security.
Windows Defender Antivirus in Windows 10 and Windows Server 2016
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus is a built-in antimalware solution that provides next generation protection for
desktops, portable computers, and servers.
Windows Defender Antivirus includes:
Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along
with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-
gen technologies that power Windows Defender Antivirus.
Always-on scanning, using advanced file and process behavior monitoring and other heuristics (also
known as "real-time protection")
Dedicated protection updates based on machine-learning, human and automated big-data analysis, and
in-depth threat resistance research
You can configure and manage Windows Defender Antivirus with:
System Center Configuration Manager (as System Center Endpoint Protection, or SCEP)
Microsoft Intune
PowerShell
Windows Management Instrumentation (WMI)
Group Policy
TIP
You can visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the following features
are working and see how they work:
Cloud-delivered protection
Fast learning (including Block at first sight)
Potentially unwanted application blocking
Related topics
Windows Defender AV in the Windows Security app
Windows Defender AV on Windows Server 2016
Windows Defender AV compatibility
Evaluate Windows Defender AV protection
Deploy, manage updates, and report on Windows Defender AV
Configure Windows Defender AV features
Customize, initiate, and review the results of scans and remediation
Review event logs and error codes to troubleshoot issues
Reference topics for management and configuration tools
Overview of endpoint detection and response
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP endpoint detection and response capabilities provide advanced attack detections that are
near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a
breach, and take response actions to remediate threats.
When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack
techniques or attributed to the same attacker are aggregated into an entity called an incident. Aggregating alerts in
this manner makes it easy for analysts to collectively investigate and respond to threats.
Inspired by the "assume breach" mindset, Windows Defender ATP continuously collects behavioral cyber
telemetry. This includes process information, network activities, deep optics into the kernel and memory manager,
user login activities, registry and file system changes, and others. The information is stored for six months,
enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and
approach an investigation through multiple vectors.
The response capabilities give you the power to promptly remediate threats by acting on the affected entities.
In this section
TOPIC | DESCRIPTION
Security operations dashboard | Explore a high level overview of detections, highlighting where response actions are needed.
Incidents queue | View and organize the incidents queue, and manage and investigate alerts.
Alerts queue | View and organize the machine alerts queue, and manage and investigate alerts.
Machines list | Investigate machines with generated alerts and search for specific events over time.
Take response actions | Learn about the available response actions and apply them to machines and files.
Windows Defender Security Center Security operations dashboard
4/22/2019 • 4 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The Security operations dashboard is where the endpoint detection and response capabilities are surfaced. It
provides a high level overview of where detections were seen and highlights where response actions are needed.
The dashboard displays a snapshot of:
Active alerts
Machines at risk
Sensor health
Service health
Daily machines reporting
Active automated investigations
Automated investigations statistics
Users at risk
Suspicious activities
You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities
occurred in your network to help you understand the context they appeared in.
From the Security operations dashboard you will see aggregated events to facilitate the identification of
significant events or behaviors on a machine. You can also drill down into granular events and low-level
indicators.
It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a
detailed view of the corresponding overview.
Active alerts
You can view the overall number of active alerts from the last 30 days in your network from the tile. Alerts are
grouped into New and In progress.
Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts
inside each alert ring to see a sorted view of that category's queue (New or In progress).
For more information, see Alerts overview.
Each row includes an alert severity category and a short description of the alert. You can click an alert to see its
detailed view. For more information, see Investigate Windows Defender Advanced Threat Protection alerts and
Alerts overview.
Machines at risk
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each
machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far
end of the tile (hover over each severity bar to see its label).
Click the name of the machine to see details about that machine. For more information, see Investigate machines
in the Windows Defender Advanced Threat Protection Machines list.
You can also click Machines list at the top of the tile to go directly to the Machines list, sorted by the number of
active alerts. For more information, see Investigate machines in the Windows Defender Advanced Threat
Protection Machines list.
Sensor health
The Sensor health tile provides information on the individual machine’s ability to provide sensor data to the
Windows Defender ATP service. It reports how many machines require attention and helps you identify
problematic machines.
There are two status indicators that provide information on the number of machines that are not reporting
properly to the service:
Misconfigured – These machines might partially be reporting sensor data to the Windows Defender ATP
service and might have configuration errors that need to be corrected.
Inactive - Machines that have stopped reporting to the Windows Defender ATP service for more than seven
days in the past month.
When you click either of the groups, you'll be directed to the Machines list, filtered according to your choice. For
more information, see Check sensor state and Investigate machines.
Service health
The Service health tile informs you if the service is active or if there are issues.
For more information on the service health, see Check the Windows Defender ATP service health.
You can click on Automated investigations, Remediated investigations, and Alerts investigated to navigate
to the Investigations page, filtered by the appropriate category. This lets you see a detailed breakdown of
investigations in context.
Users at risk
The tile shows you a list of user accounts with the most active alerts and the number of alerts seen at high,
medium, or low severity.
Click the user account to see details about the user account. For more information see Investigate a user account.
Suspicious activities
This tile shows audit events based on detections from various security components.
Related topics
Understand the Windows Defender Advanced Threat Protection portal
Portal overview
View the Secure Score dashboard and improve your secure score
View the Threat analytics dashboard and take recommended mitigation actions
Incidents in Windows Defender ATP
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
When a cybersecurity threat is emerging, or a potential attacker is deploying its tactics, techniques/tools, and
procedures (TTPs) on the network, Windows Defender ATP will quickly trigger alerts and launch matching
automatic investigations.
Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an
incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded
incident graph) and data representations to understand and deal with complex cross-entity threats to your
organization's network.
In this section
View and organize the Incidents queue – See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
Manage incidents – Learn how to manage incidents by assigning them, updating their status, or setting their classification and other actions.
Investigate incidents – See associated alerts, manage the incident, and see alert metadata and visualizations to help you investigate an incident.
View and organize the Windows Defender Advanced Threat Protection Incidents queue
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The Incidents queue shows a collection of incidents that were flagged from machines in your network. It helps
you sort through incidents to prioritize and create an informed cybersecurity response decision.
By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top
of the list, helping you see the most recent incidents first.
There are several options you can choose from to customize the Incidents queue view.
On the top navigation you can:
Customize columns to add or remove columns
Modify the number of items to view per page
Select the items to show per page
Batch-select the incidents to assign
Navigate between pages
Apply filters
Category
Incidents are categorized by the stage of the cybersecurity kill chain they are in. This view helps the threat
analyst determine the priority, urgency, and corresponding response strategy to deploy based on context.
Alerts
Indicates the number of alerts associated with or part of the incidents.
Machines
You can limit the view to show only the machines at risk that are associated with incidents.
Users
You can limit the view to show only the users of the machines at risk that are associated with incidents.
Assigned to
You can choose to show unassigned incidents or those assigned to you.
Status
You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved.
Classification
Use this filter to choose between focusing on incidents flagged as true or false incidents.
Related topics
Incidents queue
Manage incidents
Investigate incidents
Manage Windows Defender ATP incidents
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting
an incident from the Incidents queue or the Incidents management pane. You can assign incidents to yourself,
change the status, classify, rename, or comment on them to keep track of their progress.
Selecting an incident from the Incidents queue brings up the Incident management pane where you can open
the incident page for details.
Assign incidents
If an incident has not been assigned yet, you can select Assign to me to assign the incident to yourself. Doing so
assumes ownership of not just the incident, but also all the alerts associated with it.
Rename incident
By default, incidents are assigned with numbers. You can rename the incident if your organization uses a naming
convention for easier cybersecurity threat identification.
Related topics
Incidents queue
View and organize the Incidents queue
Investigate incidents
Investigate incidents in Windows Defender ATP
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them.
Alerts
You can investigate the alerts and see how they were linked together in an incident. Alerts are grouped into
incidents based on the following reasons:
Automated investigation - The automated investigation triggered the linked alert while investigating the
original alert
File characteristics - The files associated with the alert have similar characteristics
Manual association - A user manually linked the alerts
Proximate time - The alerts were triggered on the same machine within a certain timeframe
Same file - The files associated with the alert are exactly the same
Same URL - The URL that triggered the alert is exactly the same
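The grouping reasons above are easy to state but their combined effect is transitive: an alert linked to a second alert by file, and that second alert linked to a third by time, all land in one incident. The following added example (not Windows Defender ATP code; the alert fields, the 10-minute proximity window and the sample alerts are assumptions) models that with a union-find over pairwise links. The "File characteristics" reason is not modelled, because the page does not define what counts as similar characteristics.

```python
"""Group alerts into incidents using the linking reasons listed above.

Added illustration, not Windows Defender ATP code: the alert fields, the
10-minute "proximate time" window and the sample alerts are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

PROXIMATE_WINDOW = timedelta(minutes=10)  # assumed window for "Proximate time"


@dataclass
class Alert:
    alert_id: str
    machine: str
    time: datetime
    file_sha1: Optional[str] = None                    # hash of the file tied to the alert
    url: Optional[str] = None                          # URL that triggered the alert
    triggered_by_investigation_of: Optional[str] = None  # id of the original alert whose investigation raised this one
    manual_links: Set[str] = field(default_factory=set)  # alert ids an analyst linked by hand


def link_reason(a: Alert, b: Alert) -> Optional[str]:
    """Return the reason two alerts belong in one incident, or None if they are unrelated."""
    if b.alert_id == a.triggered_by_investigation_of or a.alert_id == b.triggered_by_investigation_of:
        return "Automated investigation"
    if b.alert_id in a.manual_links or a.alert_id in b.manual_links:
        return "Manual association"
    if a.file_sha1 and a.file_sha1 == b.file_sha1:
        return "Same file"
    if a.url and a.url == b.url:
        return "Same URL"
    if a.machine == b.machine and abs(a.time - b.time) <= PROXIMATE_WINDOW:
        return "Proximate time"
    return None


def correlate(alerts: List[Alert]) -> Tuple[Dict[str, List[str]], List[Tuple[str, str, str]]]:
    """Return {incident_id: [alert ids]} plus every (a, b, reason) link that was found."""
    parent = {a.alert_id: a.alert_id for a in alerts}

    def find(x: str) -> str:  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    links: List[Tuple[str, str, str]] = []
    for i, a in enumerate(alerts):
        for b in alerts[i + 1:]:
            reason = link_reason(a, b)
            if reason:
                links.append((a.alert_id, b.alert_id, reason))
                parent[find(a.alert_id)] = find(b.alert_id)

    groups: Dict[str, List[str]] = {}
    for a in alerts:
        groups.setdefault(find(a.alert_id), []).append(a.alert_id)
    # Incidents get sequential numbers by default, as the portal assigns them
    return {f"INC-{n}": sorted(ids) for n, ids in enumerate(groups.values(), 1)}, links


T0 = datetime(2019, 4, 5, 9, 0)
SAMPLE_ALERTS = [  # constructed sample data
    Alert("A1", "ws-01", T0, file_sha1="aaaa"),
    Alert("A2", "ws-02", T0 + timedelta(hours=2), file_sha1="aaaa"),                    # same file as A1
    Alert("A3", "ws-02", T0 + timedelta(hours=2, minutes=4), url="http://example.invalid/x"),  # 4 min after A2, same machine
    Alert("A4", "ws-07", T0 + timedelta(days=1), triggered_by_investigation_of="A1"),  # raised while investigating A1
    Alert("A5", "ws-09", T0 + timedelta(days=2), url="http://another.invalid/y"),       # unrelated
]

if __name__ == "__main__":
    incidents, found = correlate(SAMPLE_ALERTS)
    for inc, ids in incidents.items():
        print(inc, ids)
    for a, b, why in found:
        print(f"{a} <-> {b}: {why}")
```

With the sample data, A1, A2, A3 and A4 collapse into one incident through three different reasons, while A5 stays on its own; a second URL-only alert with the same URL as A5 would pull it in too.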
You can also manage an alert and see alert metadata along with other information. For more information, see
Investigate alerts.
Machines
You can also investigate the machines that are part of, or related to, a given incident. For more information, see
Investigate machines.
Investigations
Select Investigations to see all the automatic investigations launched by the system in response to the incident
alerts.
Related topics
Incidents queue
View and organize the Incidents queue
Manage incidents
View and organize the Windows Defender Advanced Threat Protection Alerts queue
4/5/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The Alerts queue shows a list of alerts that were flagged from machines in your network. By default, the
queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top
of the list, helping you see the most recent alerts first.
There are several options you can choose from to customize the alerts queue view.
On the top navigation you can:
Select grouped view or list view
Customize columns to add or remove columns
Select the items to show per page
Navigate between pages
Apply filters
NOTE
The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default
real-time protection antimalware product.
OS platform
Limit the alerts queue view by selecting the OS platform that you're interested in investigating.
Machine group
If you have specific machine groups that you're interested in checking the alerts on, you can select the groups
to limit the alerts queue view to display just those machine groups.
Associated threat
Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile
threats in Threat analytics.
Related topics
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate machines in the Windows Defender ATP Machines list
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Manage Windows Defender Advanced Threat Protection alerts
4/30/2019 • 4 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through
alerts. A summary of new alerts is displayed in the Security operations dashboard, and you can access all
alerts in the Alerts queue.
You can manage alerts by selecting an alert in the Alerts queue or the Alerts related to this machine section
of the machine details view.
Selecting an alert in either of those places brings up the Alert management pane.
Assign alerts
If an alert is not yet assigned, you can select Assign to me to assign the alert to yourself.
Suppress alerts
There might be scenarios where you need to suppress alerts from appearing in Windows Defender Security
Center. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be
innocuous such as known tools or processes in your organization.
Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.
When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not
affect existing alerts already in the queue prior to the rule creation. The rule will only be applied on alerts that
satisfy the conditions set after the rule is created.
There are two contexts for a suppression rule that you can choose from:
Suppress alert on this machine
Suppress alert in my organization
The context of the rule lets you tailor what gets surfaced into the portal and ensure that only real security alerts
are surfaced into the portal.
You can use the examples in the following table to help you choose the context for a suppression rule:
Suppress alert on this machine – Alerts with the same alert title and on that specific machine only will be suppressed. All other alerts on that machine will not be suppressed. Example scenarios: a security researcher is investigating a malicious script that has been used to attack other machines in your organization; a developer regularly creates PowerShell scripts for their team.
Suppress alert in my organization – Alerts with the same alert title on any machine will be suppressed. Example scenario: a benign administrative tool is used by everyone in your organization.
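The two contexts and the "from creation onward" behaviour described above interact in ways worth checking before a rule is created: a machine-scoped rule leaves the same alert title alone on every other machine, an organization-scoped rule hides it everywhere, and neither touches alerts that were already in the queue. The added example below (not Windows Defender ATP code; the field names, alert titles and machine names are constructed) models exactly those semantics so the outcome of a proposed rule can be reasoned about against a set of alerts.

```python
"""Model suppression-rule contexts and their effect on a queue of alerts.

Added illustration, not Windows Defender ATP code. Alert titles, machine
names and timestamps below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

MACHINE_SCOPE = "Suppress alert on this machine"
ORG_SCOPE = "Suppress alert in my organization"


@dataclass(frozen=True)
class Alert:
    alert_id: str
    title: str
    machine: str
    time: datetime


@dataclass
class SuppressionRule:
    title: str                     # suppression matches on the alert title
    scope: str                     # MACHINE_SCOPE or ORG_SCOPE
    created: datetime              # the rule applies only to alerts raised from this point on
    machine: Optional[str] = None  # required for MACHINE_SCOPE, ignored for ORG_SCOPE
    enabled: bool = True           # rules can be disabled and re-enabled

    def matches(self, alert: Alert) -> bool:
        # Disabled rules, alerts that predate the rule, and other titles are never suppressed
        if not self.enabled or alert.time < self.created or alert.title != self.title:
            return False
        if self.scope == MACHINE_SCOPE:
            return alert.machine == self.machine
        return True  # organization-wide: any machine


def visible_alerts(alerts: List[Alert], rules: List[SuppressionRule]) -> List[str]:
    """IDs of the alerts that still surface in the portal once the rules are applied."""
    return [a.alert_id for a in alerts if not any(r.matches(a) for r in rules)]


RULE_TIME = datetime(2019, 4, 5, 12, 0)
SAMPLE_RULES = [  # constructed rules mirroring the two scenarios in the table
    SuppressionRule("Suspicious script execution", MACHINE_SCOPE, RULE_TIME, machine="research-01"),
    SuppressionRule("Administrative tool executed", ORG_SCOPE, RULE_TIME),
]
SAMPLE_ALERTS = [  # constructed alerts
    Alert("A1", "Suspicious script execution", "research-01", datetime(2019, 4, 5, 11, 0)),  # predates the rule
    Alert("A2", "Suspicious script execution", "research-01", datetime(2019, 4, 5, 13, 0)),  # suppressed
    Alert("A3", "Suspicious script execution", "ws-22", datetime(2019, 4, 5, 13, 0)),        # other machine
    Alert("A4", "Administrative tool executed", "ws-22", datetime(2019, 4, 6, 9, 0)),        # org-wide rule
    Alert("A5", "Credential theft attempt", "research-01", datetime(2019, 4, 6, 9, 0)),      # different title
]


def demo() -> List[str]:
    return visible_alerts(SAMPLE_ALERTS, SAMPLE_RULES)


if __name__ == "__main__":
    print("still visible:", demo())
```

Running it shows A1, A3 and A5 still visible: A1 because it predates the rule, A3 because the researcher's rule is scoped to one machine, and A5 because suppression is keyed on the alert title, not the machine.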
Alert classification
You can choose not to set a classification, or specify whether an alert is a true alert or a false alert. It's important
to provide the classification of true positive/false positive. This classification is used to monitor alert quality, and
make alerts more accurate. The "determination" field defines additional fidelity for a "true positive" classification.
Related topics
Manage suppression rules
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate machines in the Windows Defender ATP Machines list
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate Windows Defender Advanced Threat Protection alerts
4/5/2019 • 4 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
Click an alert to see the alert details view and the various tiles that provide information about the alert.
You can also manage an alert and see alert metadata along with other information that can help you make
better decisions on how to approach them. You'll also see a status of the automated investigation on the upper
right corner. Clicking on the link will take you to the Automated investigations view. For more information, see
Automated investigations.
The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click
on the icon beside the name or user account to bring up the machine or user details pane. The alert details
view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set
of recommended actions which you can expand.
For more information about managing alerts, see Manage alerts.
The alert details page also shows the alert process tree, an incident graph, and an artifact timeline.
You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted
automatically, and the timeline will display the appearance of the alert and its evidence in the Machine
timeline. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the
Machine timeline.
Alerts attributed to an adversary or actor display a colored tile with the actor's name.
Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the
actor, their interests or targets, their tools, tactics, and processes (TTPs) and areas where they've been observed
worldwide. You will also see a set of recommended actions to take.
Some actor profiles include a link to download a more comprehensive threat intelligence report.
The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools,
and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions
you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker
or campaign for offline reading.
NOTE
The alert process tree might not be available in some alerts.
Clicking in the circle immediately to the left of the indicator displays its details.
The alert details pane helps you take a deeper look at the details about the alert. It displays rich information
about the execution details, file details, detections, observed worldwide, observed in organization, and other
details taken from the entity's page – while remaining on the alert page, so you never leave the current context
of your investigation.
Incident graph
The Incident Graph provides a visual representation of the organizational footprint of the alert and its
evidence: where the evidence that triggered the alert was observed on other machines. It provides a graphical
mapping from the original machine and evidence expanding to show other machines in the organization where
the triggering evidence was also observed.
The Incident Graph supports expansion by File, Process, command line, or Destination IP Address, as
appropriate.
The Incident Graph expansion by destination IP Address, shows the organizational footprint of
communications with this IP Address without having to change context by navigating to the IP Address page.
You can click the full circles on the incident graph to expand the nodes and view the expansion to other
machines where the matching criteria were observed.
Artifact timeline
The Artifact timeline feature provides an additional view of the evidence that triggered the alert on the
machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it
was observed on the machine. This can help in understanding if the evidence was first observed at the time of
the alert, or whether it was observed on the machine earlier - without triggering an alert.
Selecting an alert detail brings up the Details pane where you'll be able to see more information about the
alert such as file details, detections, instances of it observed worldwide, and in the organization.
Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate machines in the Windows Defender ATP Machines list
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate a file associated with a Windows Defender ATP alert
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file
exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
You can investigate files by using the search feature, clicking on a link from the Alert process tree, Incident
graph, Artifact timeline, or from an event listed in the Machine timeline.
You can get information from the following sections in the file view:
File details, Malware detection, Prevalence worldwide
Deep analysis
Alerts related to this file
File in organization
Most recent observed machines with file
This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the
organization. For example, if you’re trying to identify the origin of a network communication to a certain IP
Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files
that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate machines in the Windows Defender ATP Machines list
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate machines in the Windows Defender ATP Machines list
4/5/2019 • 7 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Investigate machines
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be
related to the alert or the potential scope of breach.
You can click on affected machines whenever you see them in the portal to open a detailed report about that
machine. Affected machines are identified in the following areas:
The Machines list
The Alerts queue
The Security operations dashboard
Any individual alert
Any individual file details view
Any IP address or domain details view
When you investigate a specific machine, you'll see:
Machine details, Logged on users, Machine risk, and Machine Reporting
Alerts related to this machine
Machine timeline
The machine details, logged on users, machine risk, and machine reporting sections display various attributes
about the machine.
Machine details
The machine details tile provides information such as the domain and OS of the machine. If there's an investigation
package available on the machine, you'll see a link that allows you to download the package.
For more information on how to take action on a machine, see Take response action on a machine.
Logged on users
Clicking on the logged on users in the Logged on users tile opens the Users Details pane that displays the following
information for logged on users in the past 30 days:
Interactive and remote interactive logins
Network, batch, and system logins
You'll also see details such as logon types for each user account, the user group, and when the account logon
occurred.
For more information, see Investigate user entities.
Machine risk
The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level can be determined
using the number of active alerts or by a combination of multiple risks that may increase the risk assessment and
their severity levels. You can influence a machine's risk level by resolving associated alerts manually or
automatically and also by suppressing an alert. Risk levels are also indicators of the active threats that machines could be exposed to.
Azure Advanced Threat Protection
If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that
will take you to the Azure ATP page, where more information about the alerts is provided.
NOTE
You'll need to enable the integration on both Azure ATP and Windows Defender ATP to use this feature. In Windows Defender
ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see Turn on
advanced features.
Machine reporting
Provides the last internal IP and external IP of the machine. It also shows when the machine was first and last seen
reporting to the service.
Machine timeline
The Machine timeline section provides a chronological view of the events and associated alerts that have been
observed on the machine.
This feature also enables you to selectively drill down into events that occurred within a given time period. You can
view the temporal sequence of events that occurred on a machine over a selected time period.
Windows Defender ATP monitors and captures suspicious or anomalous behavior on Windows 10 machines and
displays the process tree flow in the Machine timeline. This gives you better context of the behavior which can
contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.
Search for specific events
Use the search bar to look for specific timeline events. Harness the power of using the following defined search
queries based on type:value pairs and event filter types to sift through the search results:
Value - Type in any search keyword to filter the timeline with the attribute you’re searching for. This search
supports defined search queries based on type:value pairs.
You can use any of the following values:
Hash: SHA1 or MD5
File name
File extension
Path
Command line
User
IP
URL
Informational level – Click the drop-down button to filter by the following levels:
Detections mode: displays Windows Defender ATP alerts and detections
Behaviors mode: displays "detections" and selected events of interest
Verbose mode: displays all raw events without aggregation or filtering
Event type - Click the drop-down button to filter by events such as Windows Defender ATP alerts, Windows
Defender Application Guard events, registry events, file events, and others.
Filtering by event type allows you to define precise queries so that you see events with a specific focus. For
example, you can search for a file name, then filter the results to only see Process events matching the search
criteria or to only view file events, or even better: to view only network events over a period of time to make
sure no suspicious outbound communications go unnoticed.
NOTE
For firewall events to be displayed, you'll need to enable the audit policy; see Audit Filtering Platform connection. The
firewall event type covers the following events:
5025 - firewall service stopped
5031 - application blocked from accepting incoming connections on the network
5157 - blocked connection
User account – Click the drop-down button to filter the machine timeline by the following user associated
events:
Logon users
System
Network
Local service
The following example illustrates the use of type:value pair. The events were filtered by searching for the user
jonathan.wolcott and network events as the event type:
The results in the timeline only show network communication events run in the defined user context.
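The type:value search, the event type drop-down, the informational level and the date slider all combine into one filter over the same event stream. The added example below (not Windows Defender ATP code) implements that combination over a constructed timeline for one machine, so the effect of each filter can be seen on known input; it also covers the firewall note above by counting the 5025, 5031 and 5157 audit events by ID. The event schema, the search keywords and the mapping of the three informational-level modes to event tiers are assumptions; the sample events, user name and IP addresses are constructed.

```python
"""Search a machine timeline with type:value pairs, an event-type filter, an
informational level and the date slider, over a constructed set of events.

Added illustration, not Windows Defender ATP code: the event schema, search
keywords, level mapping and sample events are assumptions. The firewall rows
use the audit event IDs from the note above (5025, 5031, 5157).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LEVELS = {  # assumed mapping of the portal's three modes to event tiers
    "Detections": {"detection"},
    "Behaviors": {"detection", "behavior"},
    "Verbose": {"detection", "behavior", "raw"},
}
SEARCH_TYPES = {"hash", "file", "extension", "path", "cmdline", "user", "ip", "url"}  # assumed keywords
FIREWALL_EVENT_IDS = {  # from the note above
    "5025": "firewall service stopped",
    "5031": "application blocked from accepting incoming connections",
    "5157": "blocked connection",
}


@dataclass
class Event:
    time: datetime
    event_type: str   # Process, File, Network, Registry, Firewall, Alert, ...
    tier: str         # detection | behavior | raw
    user: str
    attrs: Dict[str, str] = field(default_factory=dict)  # hash, file, path, cmdline, ip, url, event_id


def parse_query(query: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split 'user:alice ip:203.0.113.5 Loose' into typed pairs and free keywords."""
    pairs, free = [], []
    for token in query.split():
        key, sep, value = token.partition(":")
        if sep and key.lower() in SEARCH_TYPES and value:
            pairs.append((key.lower(), value.lower()))
        else:
            free.append(token.lower())
    return pairs, free


def event_matches(ev: Event, pairs: List[Tuple[str, str]], free: List[str]) -> bool:
    """Typed pairs must each match their own attribute; free words may match any attribute."""
    fields = dict(ev.attrs)
    fields["user"] = ev.user
    name = fields.get("file", "")
    fields["extension"] = name.rsplit(".", 1)[1] if "." in name else ""
    for key, value in pairs:
        if value not in fields.get(key, "").lower():
            return False
    blob = " ".join(fields.values()).lower()
    return all(word in blob for word in free)


def search_timeline(events: List[Event], query: str = "", event_type: Optional[str] = None,
                    level: str = "Verbose", day: Optional[datetime] = None) -> List[Event]:
    """Apply the portal's filters: search text, event type, informational level and
    the date slider (the chosen day and older). Newest events come first."""
    pairs, free = parse_query(query)
    tiers = LEVELS[level]
    out = [ev for ev in events
           if ev.tier in tiers
           and (event_type is None or ev.event_type == event_type)
           and (day is None or ev.time.date() <= day.date())
           and event_matches(ev, pairs, free)]
    return sorted(out, key=lambda e: e.time, reverse=True)


def firewall_event_counts(events: List[Event]) -> Dict[str, int]:
    """Count firewall audit events by ID so a stopped firewall service (5025) stands out."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev.event_type == "Firewall":
            eid = ev.attrs.get("event_id", "unknown")
            counts[eid] = counts.get(eid, 0) + 1
    return counts


T0 = datetime(2019, 4, 5, 8, 0)
SAMPLE_EVENTS = [  # constructed sample timeline for one machine
    Event(T0, "Process", "behavior", "jonathan.wolcott",
          {"file": "powershell.exe", "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           "cmdline": "powershell.exe -File update.ps1"}),
    Event(T0 + timedelta(minutes=1), "Network", "raw", "jonathan.wolcott",
          {"file": "powershell.exe", "ip": "203.0.113.5", "url": "http://203.0.113.5/update"}),
    Event(T0 + timedelta(minutes=2), "Network", "raw", "SYSTEM", {"file": "svchost.exe", "ip": "198.51.100.7"}),
    Event(T0 + timedelta(minutes=3), "Firewall", "raw", "SYSTEM",
          {"event_id": "5157", "file": "powershell.exe", "ip": "203.0.113.5"}),
    Event(T0 + timedelta(minutes=5), "Alert", "detection", "jonathan.wolcott",
          {"file": "powershell.exe", "hash": "0123456789abcdef0123456789abcdef01234567"}),
    Event(T0 + timedelta(days=1), "Firewall", "raw", "SYSTEM", {"event_id": "5025"}),
]

if __name__ == "__main__":
    # The page's own example: user jonathan.wolcott with Network as the event type
    for ev in search_timeline(SAMPLE_EVENTS, "user:jonathan.wolcott", event_type="Network"):
        print(ev.time, ev.event_type, ev.user, ev.attrs.get("ip"))
    print(firewall_event_counts(SAMPLE_EVENTS))
```

The page's own query (user jonathan.wolcott, event type Network) returns only the one network event in that user's context; searching by IP instead returns both the network event and the 5157 firewall block for the same destination, which is the kind of pairing the timeline is meant to surface. Note that nothing in the sample is tied to the firewall note's prerequisite: on a real machine the 5025/5031/5157 rows exist only once the Filtering Platform Connection audit subcategory is enabled.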
Filter events from a specific date
Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the
events of the current day.
Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and
older.
The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the Alerts
view and click on the machine associated with the alert to jump to the specific date when the alert was observed,
enabling you to investigate the events that took place around the alert.
Export machine timeline events
You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to
export the machine timeline for the current date or specify a date range. You can export up to seven days of data
and specify the specific time between the two dates.
You can also use the Artifact timeline feature to see the correlation between alerts and events on a specific machine.
Expand an event to view associated processes related to the event. Click on the circle next to any process or IP
address in the process tree to investigate additional details of the identified processes. This action brings up the
Details pane, which includes the execution context of processes, network communications, and a summary of metadata
on the file or IP address.
The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the
need to switch between contexts. It lets you focus on the task of tracing associations between attributes without
leaving the current context.
Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate an IP address associated with a Windows Defender ATP alert
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Examine possible communication between your machines and external internet protocol (IP) addresses.
Identifying all machines in the organization that communicated with a suspected or known malicious IP address,
such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and
infected machines.
You can find information from the following sections in the IP address view:
IP worldwide, Reverse DNS names
Alerts related to this IP
IP in organization
Most recent observed machines with IP
IP in organization
The IP in organization section provides details on the prevalence of the IP address in the organization.
Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed
results of all machines in the organization observed communicating with the IP address, the file associated with
the communication and the last date observed.
Clicking any of the machine names will take you to that machine's view, where you can continue investigating
reported alerts, behaviors, and events.
Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate machines in the Windows Defender ATP Machines list
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate a domain associated with a Windows Defender ATP alert
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Investigate a domain to see if machines and servers in your enterprise network have been communicating with a
known malicious domain.
You can investigate a domain by using the search feature or by clicking on a domain link from the Machine
timeline.
You can see information from the following sections in the URL view:
URL details, Contacts, Nameservers
Alerts related to this URL
URL in organization
Most recent observed machines with URL
URL Worldwide
The URL details, contacts, and nameservers sections display various attributes about the URL.
URL in organization
The URL in organization section provides details on the prevalence of the URL in the organization.
Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate machines in the Windows Defender ATP Machines list
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate a user account in Windows Defender ATP
4/5/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
User details
The user account entity details, Azure ATP alerts, and logged on machines sections display various attributes
about the user account.
The user entity tile provides details about the user such as when the user was first and last seen. Depending on
the integration features you enable, you'll see other details. For example, if you enable the Skype for business
integration, you'll be able to contact the user from the portal.
Azure Advanced Threat Protection
If you have enabled the Azure ATP feature and there are alerts related to the user, you can click on the link that
will take you to the Azure ATP page, where more information about the alerts is provided. The Azure ATP tile
also provides details such as the last AD site, total group memberships, and login failure associated with the
user.
NOTE
You'll need to enable the integration on both Azure ATP and Windows Defender ATP to use this feature. In Windows
Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced
features, see Turn on advanced features.
Logged on machines
You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon
events on each machine.
Observed in organization
This section allows you to specify a date range to see a list of machines where this user was observed logged
on to, and the most frequent and least frequent logged on user account on each of these machines.
The machine health state is displayed in the machine icon and color as well as in a description text. Clicking on
the icon displays additional details regarding machine health.
Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate machines in the Windows Defender ATP Machines list
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
View and organize the Windows Defender ATP Machines list
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The Machines list shows a list of the machines in your network where alerts were generated. By default, the
queue displays machines with alerts seen in the last 30 days.
At a glance you'll see information such as domain, risk level, OS platform, and other details.
There are several options you can choose from to customize the machines list view. On the top navigation you can:
Customize columns to add or remove columns
Export the entire list in CSV format
Select the items to show per page
Navigate between pages
Apply filters
Use the machine list in these main scenarios:
During onboarding
During the onboarding process, the Machines list is gradually populated with machines as they begin to
report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by
time of last report, Active malware category, or Sensor health state, or download the complete
endpoint list as a CSV file for offline analysis.
NOTE
Exporting the list depends on the number of machines in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
Day-to-day work
The list enables easy identification of the machines most at risk at a glance. High-risk machines have the
greatest number and highest-severity alerts. Sorting machines by Active alerts helps identify the most
vulnerable machines so you can take action on them.
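The two scenarios above (tracking onboarding by health state and last report time, and ranking machines by risk and active alerts) can be worked offline against the CSV export the page mentions. The following PowerShell is an added example, not Microsoft's code; the column names in the constructed sample export are assumptions, so map them to the headers of your own export.

```powershell
# Added example (not Microsoft's code): offline triage of a Machines list CSV export.
# Column names below are ASSUMED for illustration; map them to your export's headers.
$SampleExport = @'
MachineName,Domain,OsPlatform,RiskLevel,HealthStatus,ActiveAlerts,LastSeen
ws-finance-01,corp.example,Windows10,High,Active,5,2019-04-05T08:10:00Z
ws-hr-07,corp.example,Windows10,Medium,Active,2,2019-04-04T22:41:00Z
srv-file-02,corp.example,WindowsServer2016,Low,Misconfigured,0,2019-04-05T01:15:00Z
lab-old-03,corp.example,Windows10,None,Inactive,0,2019-03-20T11:00:00Z
'@

function Get-MachineTriage {
    param(
        [Parameter(Mandatory)] [object[]] $Machines,
        [datetime] $Now = (Get-Date).ToUniversalTime(),
        [int] $InactiveDays = 7   # threshold the page gives for the Inactive health state
    )
    $riskRank = @{ High = 3; Medium = 2; Low = 1; None = 0 }
    foreach ($m in $Machines) {
        $lastSeen   = ([datetimeoffset]::Parse($m.LastSeen, [cultureinfo]::InvariantCulture)).UtcDateTime
        $silentDays = [math]::Round(($Now - $lastSeen).TotalDays, 1)
        [pscustomobject]@{
            MachineName    = $m.MachineName
            RiskLevel      = $m.RiskLevel
            RiskRank       = $riskRank[$m.RiskLevel]
            ActiveAlerts   = [int] $m.ActiveAlerts
            HealthStatus   = $m.HealthStatus
            SilentDays     = $silentDays
            # Anything not Active, or silent past the threshold, goes on the onboarding follow-up list
            NeedsAttention = ($m.HealthStatus -ne 'Active') -or ($silentDays -gt $InactiveDays)
        }
    }
}

$machines = $SampleExport | ConvertFrom-Csv
$asOf     = ([datetimeoffset]'2019-04-05T12:00:00Z').UtcDateTime   # fixed "now" for the sample
$triage   = Get-MachineTriage -Machines $machines -Now $asOf

"Highest-risk first (day-to-day view):"
$triage | Sort-Object RiskRank, ActiveAlerts -Descending |
    Format-Table MachineName, RiskLevel, ActiveAlerts -AutoSize

"Onboarding follow-up (not reporting, or silent for more than 7 days):"
$triage | Where-Object NeedsAttention |
    Format-Table MachineName, HealthStatus, SilentDays -AutoSize
```

Because the export is unfiltered, run this over the whole file rather than relying on the filters you had applied in the portal view.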
Sort and filter the machine list
You can apply the following filters to limit the Machines list and get a more focused view.
Risk level
Machine risk levels are indicators of the active threats that machines could be exposed to. A machine's risk level is
determined using the number of active alerts and their severity levels. You can influence a machine's risk level by
resolving associated alerts manually or automatically and also by suppressing an alert.
OS Platform
Limit the Machines list view by selecting the OS platform that you're interested in investigating.
Health state
Filter the list to view specific machines grouped together by the following machine health states:
Active – Machines that are actively reporting sensor data to the service.
Misconfigured – Machines that have impaired communications with the service or are unable to send sensor
data. Misconfigured machines can be further classified as:
No sensor data
Impaired communications
For more information on how to address issues on misconfigured machines, see Fix unhealthy sensors.
Inactive – Machines that have completely stopped sending signals for more than 7 days.
Security state
Filter the list to view specific machines that are well configured or require attention based on the Windows
Defender security controls that are enabled in your organization.
Well configured - Machines have the Windows Defender security controls well configured.
Requires attention - Machines where improvements can be made to increase the overall security posture of
your organization.
For more information, see View the Secure Score dashboard.
Tags
You can filter the list based on the grouping and tagging that you've added to individual machines.
Related topics
Investigate machines in the Windows Defender ATP Machines list
Create and manage machine tags
4/5/2019 • 2 minutes to read
Add tags on machines to create a logical group affiliation. Machine group affiliation can represent geographic
location, specific activity, importance level and others.
You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or
who can see information on a specific machine group or groups by assigning the machine group to a user group.
For more information, see Manage portal access using role-based access control.
You can also use machine groups to assign specific remediation levels to apply during automated investigations.
For more information, see Create and manage machine groups.
In an investigation, you can filter the Machines list to just specific machine groups by using the Groups filter.
Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and
to enable dynamic list creation as part of an incident.
You can add tags on machines using the following ways:
By setting a registry key value
By using the portal
NOTE
Applicable only on the following machines:
Windows 10, version 1709 or later
Windows Server, version 1803 or later
Windows Server 2016
Windows Server 2012 R2
Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
Use the following registry key entry to add a tag on a machine:
Registry key: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
Registry key value (string): Group
NOTE
The device tag is part of the machine information report that's generated once a day. Alternatively, restart the
endpoint, which sends a new machine information report.
3. Enter tags on the machine. To add more tags, click the + icon.
4. Click Save and close.
Tags are added to the machine view and will also be reflected on the Machines list view. You can then use
the Tags filter to see the relevant list of machines.
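The registry method above can be scripted so the tag is written, read back and verified in one step. The following PowerShell is an added example, not Microsoft's code; the function names and the tag format check are my own assumptions, since the page does not state a tag format.

```powershell
# Added example (not Microsoft's code): set the device tag through the DeviceTagging
# registry value documented above and read it back. Run from an elevated prompt on the
# endpoint. Function names and the tag sanity check are my own assumptions.
$DeviceTaggingKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'

function Get-WdatpDeviceTag {
    # Returns the current tag, or $null when the key or the Group value does not exist.
    if (-not (Test-Path -LiteralPath $DeviceTaggingKey)) { return $null }
    (Get-ItemProperty -LiteralPath $DeviceTaggingKey -Name 'Group' -ErrorAction SilentlyContinue).Group
}

function Set-WdatpDeviceTag {
    param(
        # Assumed sanity check: keep the tag printable and short so it stays usable as a filter value.
        [Parameter(Mandatory)] [ValidatePattern('^[\w\-. ]{1,64}$')] [string] $Tag
    )
    if (-not (Test-Path -LiteralPath $DeviceTaggingKey)) {
        # -Force creates the intermediate keys if the policy branch does not exist yet
        New-Item -Path $DeviceTaggingKey -Force | Out-Null
    }
    # The value name is Group and its type is REG_SZ (string), as the page specifies.
    New-ItemProperty -LiteralPath $DeviceTaggingKey -Name 'Group' -Value $Tag -PropertyType String -Force | Out-Null
    $applied = Get-WdatpDeviceTag
    if ($applied -ne $Tag) { throw "Tag write did not persist (read back '$applied')." }
    $applied
}

function Remove-WdatpDeviceTag {
    # Clears the tag; the portal drops it after the next machine information report.
    if (Test-Path -LiteralPath $DeviceTaggingKey) {
        Remove-ItemProperty -LiteralPath $DeviceTaggingKey -Name 'Group' -ErrorAction SilentlyContinue
    }
}

# Example: tag a finance workstation, then confirm what the daily report will pick up.
Set-WdatpDeviceTag -Tag 'Finance-Workstations'
"Current tag: $(Get-WdatpDeviceTag)"
```

The value lives under HKLM\SOFTWARE\Policies, so it can equally be delivered by Group Policy; either way the portal only reflects it after the next daily machine information report or a restart.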
Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the
machine details panel.
Add machine tags using APIs
For more information, see Add or remove machine tags API.
Investigate machines in the Windows Defender ATP Machines list
4/5/2019 • 7 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Investigate machines
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be
related to the alert or the potential scope of breach.
You can click on affected machines whenever you see them in the portal to open a detailed report about that
machine. Affected machines are identified in the following areas:
The Machines list
The Alerts queue
The Security operations dashboard
Any individual alert
Any individual file details view
Any IP address or domain details view
When you investigate a specific machine, you'll see:
Machine details, Logged on users, Machine risk, and Machine Reporting
Alerts related to this machine
Machine timeline
The machine details, logged on users, machine risk, and machine reporting sections display various attributes
about the machine.
Machine details
The machine details tile provides information such as the domain and OS of the machine. If there's an investigation
package available on the machine, you'll see a link that allows you to download the package.
For more information on how to take action on a machine, see Take response action on a machine.
Logged on users
Clicking on the logged on users in the Logged on users tile opens the Users Details pane that displays the following
information for logged on users in the past 30 days:
Interactive and remote interactive logins
Network, batch, and system logins
You'll also see details such as logon types for each user account, the user group, and when the account logon
occurred.
For more information, see Investigate user entities.
Machine risk
The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level can be determined
using the number of active alerts, or by a combination of multiple risks and their severity levels that together
increase the risk assessment. You can influence a machine's risk level by resolving associated alerts manually or
automatically and also by suppressing an alert. The risk level is also an indicator of the active threats that the
machine could be exposed to.
Azure Advanced Threat Protection
If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that
will take you to the Azure ATP page, where more information about the alerts is provided.
NOTE
You'll need to enable the integration on both Azure ATP and Windows Defender ATP to use this feature. In Windows Defender
ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see Turn on
advanced features.
Machine reporting
Provides the last internal IP and external IP of the machine. It also shows when the machine was first and last seen
reporting to the service.
Machine timeline
The Machine timeline section provides a chronological view of the events and associated alerts that have been
observed on the machine.
This feature also enables you to selectively drill down into events that occurred within a given time period. You can
view the temporal sequence of events that occurred on a machine over a selected time period.
Windows Defender ATP monitors and captures suspicious or anomalous behavior on Windows 10 machines and
displays the process tree flow in the Machine timeline. This gives you better context of the behavior which can
contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.
Search for specific events
Use the search bar to look for specific timeline events. The following search queries, based on type:value pairs,
and event filter types narrow the search results:
Value - Type in any search keyword to filter the timeline with the attribute you’re searching for. This search
supports defined search queries based on type:value pairs.
You can use any of the following values:
Hash: Sha1 or MD5
File name
File extension
Path
Command line
User
IP
URL
Informational level – Click the drop-down button to filter by the following levels:
Detections mode: displays Windows Defender ATP alerts and detections
Behaviors mode: displays "detections" and selected events of interest
Verbose mode: displays all raw events without aggregation or filtering
Event type - Click the drop-down button to filter by events such as Windows Defender ATP
alerts, Windows Defender Application Guard events, registry events, file events, and others.
Filtering by event type allows you to define precise queries so that you see events with a specific focus. For
example, you can search for a file name, then filter the results to only see Process events matching the search
criteria or to only view file events, or even better: to view only network events over a period of time to make
sure no suspicious outbound communications go unnoticed.
NOTE
For firewall events to be displayed, you'll need to enable the audit policy, see Audit Filtering Platform connection. Firewall
covers the following events:
5025 - firewall service stopped
5031 - application blocked from accepting incoming connections on the network
5157 - blocked connection
User account – Click the drop-down button to filter the machine timeline by the following user associated
events:
Logon users
System
Network
Local service
The following example illustrates the use of a type:value pair. The events were filtered by searching for the user
jonathan.wolcott and network events as the event type:
The results in the timeline only show network communication events run in the defined user context.
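The firewall note above lists three event IDs that only reach the timeline once the Filtering Platform Connection audit policy is on. The following PowerShell is an added example, not Microsoft's code, for enabling that audit subcategory on an endpoint and checking locally which of those events the Security log actually holds; the function names are my own.

```powershell
# Added example (not Microsoft's code): enable the audit subcategory the note refers to
# and pull the three firewall event IDs it lists from the local Security log, so you can
# confirm what the timeline's firewall event filter will have to show. Run elevated.
function Enable-FirewallConnectionAuditing {
    # Subcategory named in the note; 5031 and 5157 are written under it.
    auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable | Out-Null
    # 5025 (firewall service stopped) is audited under Other System Events on current builds.
    auditpol.exe /set /subcategory:"Other System Events" /success:enable /failure:enable | Out-Null
    auditpol.exe /get /subcategory:"Filtering Platform Connection"
}

# Meanings as given in the note above
$FirewallEventMeaning = @{
    5025 = 'firewall service stopped'
    5031 = 'application blocked from accepting incoming connections'
    5157 = 'connection blocked'
}

function Get-FirewallAuditEvents {
    param([int] $Hours = 24)
    $filter = @{
        LogName   = 'Security'
        Id        = @($FirewallEventMeaning.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent raises an error, not an empty result, when nothing matches
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Meaning = $FirewallEventMeaning[$_.Id]
            # First line of the message is the human-readable summary
            Summary = ($_.Message -split "`r?`n")[0]
        }
    }
}

Enable-FirewallConnectionAuditing
"Counts per event ID over the last 24 hours:"
Get-FirewallAuditEvents -Hours 24 | Group-Object Id | Select-Object Name, Count
"Most recent hour:"
Get-FirewallAuditEvents -Hours 1 | Format-Table -AutoSize
```

Expect 5157 to dominate once auditing is on, since it fires per blocked connection; a 5025 with no matching restart is the entry worth looking at first.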
Filter events from a specific date
Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the
events of the current day.
Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and
older.
The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the Alerts
view and click on the machine associated with the alert to jump to the specific date when the alert was observed,
enabling you to investigate the events that took place around the alert.
Export machine timeline events
You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to
export the machine timeline for the current date or specify a date range. You can export up to seven days of data
and specify the specific time between the two dates.
You can also use the Artifact timeline feature to see the correlation between alerts and events on a specific machine.
Expand an event to view associated processes related to the event. Click on the circle next to any process or IP
address in the process tree to investigate additional details of the identified processes. This action brings up the
Details pane, which includes the execution context of processes, network communications and a summary of
metadata on the file or IP address.
The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the
need to switch between contexts. It lets you focus on the task of tracing associations between attributes without
leaving the current context.
Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate machines in the Windows Defender ATP
Machines list
4/5/2019 • 7 minutes to read • Edit Online
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Investigate machines
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be
related to the alert or the potential scope of breach.
You can click on affected machines whenever you see them in the portal to open a detailed report about that
machine. Affected machines are identified in the following areas:
The Machines list
The Alerts queue
The Security operations dashboard
Any individual alert
Any individual file details view
Any IP address or domain details view
When you investigate a specific machine, you'll see:
Machine details, Logged on users, Machine risk, and Machine Reporting
Alerts related to this machine
Machine timeline
The machine details, logged on users, machine risk, and machine reporting sections display various attributes
about the machine.
Machine details
The machine details tile provides information such as the domain and OS of the machine. If there's an investigation
package available on the machine, you'll see a link that allows you to download the package.
For more information on how to take action on a machine, see Take response action on a machine.
Logged on users
Clicking on the logged on users in the Logged on users tile opens the Users Details pane that displays the following
information for logged on users in the past 30 days:
Interactive and remote interactive logins
Network, batch, and system logins
You'll also see details such as logon types for each user account, the user group, and when the account logon
occurred.
For more information, see Investigate user entities.
Machine risk
The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level can be determined
using the number of active alerts or by a combination of multiple risks that may increase the risk assessment and
their severity levels. You can influence a machine's risk level by resolving associated alerts manually or
automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be
exposed to.
Azure Advanced Threat Protection
If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that
will take you to the Azure ATP page where more information about the alerts are provided.
NOTE
You'll need to enable the integration on both Azure ATP and Windows Defender ATP to use this feature. In Windows Defender
ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see Turn on
advanced features.
Machine reporting
Provides the last internal IP and external IP of the machine. It also shows when the machine was first and last seen
reporting to the service.
Machine timeline
The Machine timeline section provides a chronological view of the events and associated alerts that have been
observed on the machine.
This feature also enables you to selectively drill down into events that occurred within a given time period. You can
view the temporal sequence of events that occurred on a machine over a selected time period.
Windows Defender ATP monitors and captures suspicious or anomalous behavior on Windows 10 machines and
displays the process tree flow in the Machine timeline. This gives you better context of the behavior which can
contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.
Search for specific events
Use the search bar to look for specific timeline events. Harness the power of using the following defined search
queries based on type:value pairs and event filter types to sift through the search results:
Value - Type in any search keyword to filter the timeline with the attribute you’re searching for. This search
supports defined search queries based on type:value pairs.
You can use any of the following values:
Hash: Sha1 or MD5
File name
File extension
Path
Command line
User
IP
URL
Informational level – Click the drop-down button to filter by the following levels:
Detections mode: displays Windows ATP Alerts and detections
Behaviors mode: displays "detections" and selected events of interest
Verbose mode: displays all raw events without aggregation or filtering
Event type - Click the drop-down button to filter by events such as Windows - Windows Defender ATP
alerts, Windows Defender Application Guard events, registry events, file events, and others.
Filtering by event type allows you to define precise queries so that you see events with a specific focus. For
example, you can search for a file name, then filter the results to only see Process events matching the search
criteria or to only view file events, or even better: to view only network events over a period of time to make
sure no suspicious outbound communications go unnoticed.
NOTE
For firewall events to be displayed, you'll need to enable the audit policy, see Audit Filtering Platform connection. Firewall
covers the following events:
5025 - firewall service stopped
5031 - application blocked from accepting incoming connections on the network
5157 - blocked connection
User account – Click the drop-down button to filter the machine timeline by the following user associated
events:
Logon users
System
Network
Local service
The following example illustrates the use of type:value pair. The events were filtered by searching for the user
jonathan.wolcott and network events as the event type:
The results in the timeline only show network communication events run in the defined user context.
Filter events from a specific date
Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the
events of the current day.
Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and
older.
The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the Alerts
view and click on the machine associated with the alert to jump to the specific date when the alert was observed,
enabling you to investigate the events that took place around the alert.
Export machine timeline events
You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to
export the machine timeline for the current date or specify a date range. You can export up to seven days of data
and specify the specific time between the two dates.
You can also use the Artifact timeline feature to see the correlation between alerts and events on a specific machine.
Expand an event to view associated processes related to the event. Click on the circle next to any process or IP
address in the process tree to investigate additional details of the identified processes. This action brings up the
Details pane which includes execution context of processes, network communications and a summary of meta
data on the file or IP address.
The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the
need to switch between contexts. It lets you focus on the task of tracing associations between attributes without
leaving the current context.
Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate machines in the Windows Defender ATP
Machines list
4/5/2019 • 7 minutes to read • Edit Online
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Investigate machines
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be
related to the alert or the potential scope of breach.
You can click on affected machines whenever you see them in the portal to open a detailed report about that
machine. Affected machines are identified in the following areas:
The Machines list
The Alerts queue
The Security operations dashboard
Any individual alert
Any individual file details view
Any IP address or domain details view
When you investigate a specific machine, you'll see:
Machine details, Logged on users, Machine risk, and Machine Reporting
Alerts related to this machine
Machine timeline
The machine details, logged on users, machine risk, and machine reporting sections display various attributes
about the machine.
Machine details
The machine details tile provides information such as the domain and OS of the machine. If there's an investigation
package available on the machine, you'll see a link that allows you to download the package.
For more information on how to take action on a machine, see Take response action on a machine.
Logged on users
Clicking on the logged on users in the Logged on users tile opens the Users Details pane that displays the following
information for logged on users in the past 30 days:
Interactive and remote interactive logins
Network, batch, and system logins
You'll also see details such as logon types for each user account, the user group, and when the account logon
occurred.
For more information, see Investigate user entities.
Machine risk
The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level can be determined
using the number of active alerts or by a combination of multiple risks that may increase the risk assessment and
their severity levels. You can influence a machine's risk level by resolving associated alerts manually or
automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be
exposed to.
Azure Advanced Threat Protection
If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that
will take you to the Azure ATP page where more information about the alerts are provided.
NOTE
You'll need to enable the integration on both Azure ATP and Windows Defender ATP to use this feature. In Windows Defender
ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see Turn on
advanced features.
Machine reporting
Provides the last internal IP and external IP of the machine. It also shows when the machine was first and last seen
reporting to the service.
Machine timeline
The Machine timeline section provides a chronological view of the events and associated alerts that have been
observed on the machine.
This feature also enables you to selectively drill down into events that occurred within a given time period. You can
view the temporal sequence of events that occurred on a machine over a selected time period.
Windows Defender ATP monitors and captures suspicious or anomalous behavior on Windows 10 machines and
displays the process tree flow in the Machine timeline. This gives you better context of the behavior which can
contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.
Search for specific events
Use the search bar to look for specific timeline events. Harness the power of using the following defined search
queries based on type:value pairs and event filter types to sift through the search results:
Value - Type in any search keyword to filter the timeline with the attribute you’re searching for. This search
supports defined search queries based on type:value pairs.
You can use any of the following values:
Hash: Sha1 or MD5
File name
File extension
Path
Command line
User
IP
URL
Informational level – Click the drop-down button to filter by the following levels:
Detections mode: displays Windows ATP Alerts and detections
Behaviors mode: displays "detections" and selected events of interest
Verbose mode: displays all raw events without aggregation or filtering
Event type - Click the drop-down button to filter by events such as Windows - Windows Defender ATP
alerts, Windows Defender Application Guard events, registry events, file events, and others.
Filtering by event type allows you to define precise queries so that you see events with a specific focus. For
example, you can search for a file name, then filter the results to only see Process events matching the search
criteria or to only view file events, or even better: to view only network events over a period of time to make
sure no suspicious outbound communications go unnoticed.
NOTE
For firewall events to be displayed, you'll need to enable the audit policy, see Audit Filtering Platform connection. Firewall
covers the following events:
5025 - firewall service stopped
5031 - application blocked from accepting incoming connections on the network
5157 - blocked connection
User account – Click the drop-down button to filter the machine timeline by the following user associated
events:
Logon users
System
Network
Local service
The following example illustrates the use of type:value pair. The events were filtered by searching for the user
jonathan.wolcott and network events as the event type:
The results in the timeline only show network communication events run in the defined user context.
Filter events from a specific date
Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the
events of the current day.
Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and
older.
The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the Alerts
view and click on the machine associated with the alert to jump to the specific date when the alert was observed,
enabling you to investigate the events that took place around the alert.
Export machine timeline events
You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to
export the machine timeline for the current date or specify a date range. You can export up to seven days of data
and specify the specific time between the two dates.
You can also use the Artifact timeline feature to see the correlation between alerts and events on a specific machine.
Expand an event to view associated processes related to the event. Click on the circle next to any process or IP
address in the process tree to investigate additional details of the identified processes. This action brings up the
Details pane which includes execution context of processes, network communications and a summary of meta
data on the file or IP address.
The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the
need to switch between contexts. It lets you focus on the task of tracing associations between attributes without
leaving the current context.
Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate machines in the Windows Defender ATP
Machines list
4/5/2019 • 7 minutes to read • Edit Online
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Investigate machines
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be
related to the alert or the potential scope of breach.
You can click on affected machines whenever you see them in the portal to open a detailed report about that
machine. Affected machines are identified in the following areas:
The Machines list
The Alerts queue
The Security operations dashboard
Any individual alert
Any individual file details view
Any IP address or domain details view
When you investigate a specific machine, you'll see:
Machine details, Logged on users, Machine risk, and Machine Reporting
Alerts related to this machine
Machine timeline
The machine details, logged on users, machine risk, and machine reporting sections display various attributes
about the machine.
Machine details
The machine details tile provides information such as the domain and OS of the machine. If there's an investigation
package available on the machine, you'll see a link that allows you to download the package.
For more information on how to take action on a machine, see Take response action on a machine.
Logged on users
Clicking on the logged on users in the Logged on users tile opens the Users Details pane that displays the following
information for logged on users in the past 30 days:
Interactive and remote interactive logins
Network, batch, and system logins
You'll also see details such as logon types for each user account, the user group, and when the account logon
occurred.
For more information, see Investigate user entities.
Machine risk
The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level can be determined
using the number of active alerts or by a combination of multiple risks that may increase the risk assessment and
their severity levels. You can influence a machine's risk level by resolving associated alerts manually or
automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be
exposed to.
Azure Advanced Threat Protection
If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that
will take you to the Azure ATP page where more information about the alerts are provided.
NOTE
You'll need to enable the integration on both Azure ATP and Windows Defender ATP to use this feature. In Windows Defender
ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see Turn on
advanced features.
Machine reporting
Provides the last internal IP and external IP of the machine. It also shows when the machine was first and last seen
reporting to the service.
Machine timeline
The Machine timeline section provides a chronological view of the events and associated alerts that have been
observed on the machine.
This feature also enables you to selectively drill down into events that occurred within a given time period. You can
view the temporal sequence of events that occurred on a machine over a selected time period.
Windows Defender ATP monitors and captures suspicious or anomalous behavior on Windows 10 machines and
displays the process tree flow in the Machine timeline. This gives you better context of the behavior which can
contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.
Search for specific events
Use the search bar to look for specific timeline events. Harness the power of using the following defined search
queries based on type:value pairs and event filter types to sift through the search results:
Value - Type in any search keyword to filter the timeline with the attribute you’re searching for. This search
supports defined search queries based on type:value pairs.
You can use any of the following values:
Hash: Sha1 or MD5
File name
File extension
Path
Command line
User
IP
URL
Informational level – Click the drop-down button to filter by the following levels:
Detections mode: displays Windows Defender ATP alerts and detections
Behaviors mode: displays "detections" and selected events of interest
Verbose mode: displays all raw events without aggregation or filtering
Event type - Click the drop-down button to filter by event type, such as Windows Defender ATP alerts, Windows
Defender Application Guard events, registry events, file events, and others.
Filtering by event type allows you to define precise queries so that you see events with a specific focus. For
example, you can search for a file name, then filter the results to only see Process events matching the search
criteria or to only view file events, or even better: to view only network events over a period of time to make
sure no suspicious outbound communications go unnoticed.
NOTE
For firewall events to be displayed, you'll need to enable the audit policy (see Audit Filtering Platform connection). The
Firewall event type covers the following events:
5025 - firewall service stopped
5031 - application blocked from accepting incoming connections on the network
5157 - blocked connection
User account – Click the drop-down button to filter the machine timeline by the following user-associated
events:
Logon users
System
Network
Local service
The following example illustrates the use of a type:value pair. The events were filtered by searching for the user
jonathan.wolcott with network events as the event type:
The results in the timeline only show network communication events run in the defined user context.
Filter events from a specific date
Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the
events of the current day.
Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and
older.
The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the Alerts
view and click on the machine associated with the alert to jump to the specific date when the alert was observed,
enabling you to investigate the events that took place around the alert.
Export machine timeline events
You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to
export the machine timeline for the current date or specify a date range. You can export up to seven days of data
and specify the exact time between the two dates.
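The filters described above (type:value search, event type, informational level, user account, the date slider that shows events from the selected date and older, and the seven-day export limit) can be reproduced offline over exported timeline events. The following Python is an added example, not code from the Windows Defender ATP portal or its export format; the event record layout, the query grammar and the ranking of the three informational levels are assumptions, and the sample events are constructed placeholders.

```python
"""Offline triage of exported machine timeline events.

Constructed example: models the type:value search, event type, informational
level, user account and date-slider filters described for the Machine timeline,
plus the seven-day export limit. Event layout, query grammar and level ranking
are assumptions, not the portal's export format."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional

# Attribute types the page lists as searchable type:value pairs.
SEARCH_TYPES = {"hash", "filename", "extension", "path", "commandline", "user", "ip", "url"}

# Assumed ranking: Detections mode < Behaviors mode < Verbose mode.
LEVEL_RANK = {"detection": 0, "behavior": 1, "verbose": 2}
MODE_MAX_RANK = {"detections": 0, "behaviors": 1, "verbose": 2}

EXPORT_MAX_DAYS = 7  # the portal exports at most seven days per request


@dataclass(frozen=True)
class TimelineEvent:
    time: datetime
    event_type: str        # "alert", "process", "file", "registry", "network", "firewall"
    level: str             # "detection", "behavior" or "verbose"
    user: str              # user context the event ran in
    attrs: Dict[str, str]  # searchable attributes, keyed by SEARCH_TYPES names


def parse_query(query: str) -> Dict[str, str]:
    """'user:jonathan.wolcott ip:203.0.113.5' -> {'user': ..., 'ip': ...}.
    A bare keyword is stored under '*' and matched against every attribute."""
    terms: Dict[str, str] = {}
    for token in query.split():
        key, sep, value = token.partition(":")
        if sep and key.lower() in SEARCH_TYPES:
            terms[key.lower()] = value.lower()
        else:
            terms["*"] = token.lower()
    return terms


def event_matches(ev: TimelineEvent, terms: Dict[str, str]) -> bool:
    """Every term must match: a typed term checks its attribute, '*' checks all."""
    fields = dict(ev.attrs, user=ev.user)
    for key, value in terms.items():
        if key == "*":
            if not any(value in v.lower() for v in fields.values()):
                return False
        elif value not in fields.get(key, "").lower():
            return False
    return True


def filter_timeline(events: List[TimelineEvent], query: str = "",
                    event_type: Optional[str] = None, mode: str = "verbose",
                    user_account: Optional[str] = None,
                    up_to: Optional[str] = None) -> List[TimelineEvent]:
    """Apply the timeline filters. up_to (ISO date) mirrors the slider, which
    shows events from the selected date and older."""
    terms, max_rank = parse_query(query), MODE_MAX_RANK[mode]
    cutoff = date.fromisoformat(up_to) if up_to else None
    selected = []
    for ev in events:
        if event_type and ev.event_type != event_type:
            continue
        if LEVEL_RANK[ev.level] > max_rank:
            continue
        if user_account and ev.user.lower() != user_account.lower():
            continue
        if cutoff and ev.time.date() > cutoff:
            continue
        if event_matches(ev, terms):
            selected.append(ev)
    return selected


def export_window(events: List[TimelineEvent], start: str, end: str) -> List[TimelineEvent]:
    """Select events for offline export; reject ranges longer than seven days."""
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    if last < first or (last - first).days + 1 > EXPORT_MAX_DAYS:
        raise ValueError(f"export range must cover 1 to {EXPORT_MAX_DAYS} days")
    return [ev for ev in events if first <= ev.time.date() <= last]


# Constructed sample timeline (placeholder values, not real telemetry).
SAMPLE_EVENTS: List[TimelineEvent] = [
    TimelineEvent(datetime(2019, 4, 3, 9, 12), "process", "verbose", "jonathan.wolcott",
                  {"filename": "powershell.exe", "commandline": "powershell.exe -File C:\\Temp\\run.ps1"}),
    TimelineEvent(datetime(2019, 4, 3, 9, 13), "network", "behavior", "jonathan.wolcott",
                  {"filename": "powershell.exe", "ip": "203.0.113.5", "url": "http://203.0.113.5/update"}),
    TimelineEvent(datetime(2019, 4, 3, 9, 14), "alert", "detection", "jonathan.wolcott",
                  {"filename": "run.ps1", "hash": "0123456789abcdef0123456789abcdef01234567"}),
    TimelineEvent(datetime(2019, 4, 3, 9, 20), "network", "verbose", "System",
                  {"filename": "svchost.exe", "ip": "198.51.100.20"}),
    TimelineEvent(datetime(2019, 4, 4, 8, 0), "firewall", "verbose", "System",
                  {"filename": "svchost.exe", "commandline": "event 5157 blocked connection"}),
    TimelineEvent(datetime(2019, 4, 4, 8, 5), "network", "verbose", "jonathan.wolcott",
                  {"filename": "outlook.exe", "ip": "192.0.2.10"}),
]
```

Calling `filter_timeline(SAMPLE_EVENTS, "user:jonathan.wolcott", event_type="network")` reproduces the page's own example and returns only the two network events run in that user context.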
You can also use the Artifact timeline feature to see the correlation between alerts and events on a specific machine.
Expand an event to view the processes associated with it. Click on the circle next to any process or IP
address in the process tree to investigate additional details of the identified processes. This action brings up the
Details pane, which includes the execution context of processes, network communications, and a summary of
metadata on the file or IP address.
The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the
need to switch between contexts. It lets you focus on the task of tracing associations between attributes without
leaving the current context.
Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Take response actions in Windows Defender ATP
4/22/2019 • 2 minutes to read • Edit Online
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
You can take response actions on machines and files to quickly respond to detected attacks so that you can contain
or reduce and prevent further damage caused by malicious attackers in your organization.
NOTE
The machine related response actions are only available for machines on Windows 10 (version 1703 or higher), Windows
Server, version 1803 and Windows Server 2019.
In this section
TOPIC DESCRIPTION
Take response actions on a file: Stop and quarantine files or block a file from your network.
Take response actions on a machine
4/22/2019 • 11 minutes to read • Edit Online
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking
action on machines, you can check activity details on the Action center.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.
IMPORTANT
This response action is available for machines on Windows 10, version 1703 or later.
You can download the package (Zip file) and investigate the events that occurred on a machine.
The package contains the following folders:
FOLDER DESCRIPTION
Autoruns: Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify an attacker's persistence on the machine.
NOTE: If the registry key is not found, the file will contain the following message: "ERROR: The system was unable to find the specified registry key or value."
Installed programs: This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see Win32_Product class.
Network connections: This folder contains a set of data points related to the connectivity information, which can help in identifying connectivity to suspicious URLs, attacker's command and control (C&C) infrastructure, any lateral movement, or remote connections.
- ActiveNetworkConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.
Scheduled tasks: Contains a .CSV file listing the scheduled tasks, which can be used to identify routines performed automatically on a chosen machine and to look for suspicious code that was set to run automatically.
Security event log: Contains the security event log, which holds records of login or logout activity, or other security-related events specified by the system's audit policy.
NOTE: Open the event log file using Event viewer.
Services: Contains the services.txt file, which lists services and their states.
Windows Server Message Block (SMB) sessions: Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. Contains files for SMBInboundSessions and SMBOutboundSession.
Temp Directories: Contains a set of text files that list the files located in %Temp% for every user in the system. This can help to track suspicious files that an attacker may have dropped on the system.
Users and Groups: Provides a list of files that each represent a group and its members.
1. Select the machine that you want to investigate. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Collect investigation package.
3. Type a comment and select Yes, collect package to take action on the machine.
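Once a package has been collected, the folders described in the table above can be triaged offline before anything else is touched on the machine. The following Python is an added example and not Microsoft's tooling: it builds a small constructed package in memory, checks that every expected folder is present, separates Autoruns files that hold real ASEP content from those that only report the missing-key message quoted in the table, lists installed programs from the .CSV, and groups established TCP connections by process from ActiveNetworkConnections.txt. The folder and file names inside the .zip and the line format of ActiveNetworkConnections.txt are assumptions; only the error message text comes from the page.

```python
"""Offline triage of a Windows Defender ATP investigation package.

Constructed example: the folder/file layout inside the .zip and the
ActiveNetworkConnections.txt line format are assumptions; the Autoruns
missing-key message is the one the documentation quotes."""
import csv
import io
import zipfile
from typing import Dict, List, Set

# Folder names assumed from the documentation's table.
EXPECTED_FOLDERS: Set[str] = {
    "Autoruns", "Installed programs", "Network connections", "Scheduled tasks",
    "Security event log", "Services", "SMB sessions", "Temp Directories",
    "Users and Groups",
}

# Text an Autoruns file contains when the ASEP registry key does not exist.
ASEP_MISSING = "ERROR: The system was unable to find the specified registry key or value."


def build_sample_package() -> bytes:
    """Constructed package with placeholder values (not real telemetry)."""
    files = {
        "Autoruns/HKLM_Run.txt": "Updater    REG_SZ    C:\\Users\\Public\\updater.exe\r\n",
        "Autoruns/HKLM_RunOnce.txt": ASEP_MISSING + "\r\n",
        "Installed programs/InstalledPrograms.csv":
            "Name,Version,Vendor\r\nExample Archiver,19.00,Example Org\r\nExample Agent,1.2,Example Corp\r\n",
        "Network connections/ActiveNetworkConnections.txt":
            "Proto  Local Address        Foreign Address      State        PID\r\n"
            "TCP    10.0.0.5:49211       203.0.113.5:443      ESTABLISHED  4120\r\n"
            "TCP    0.0.0.0:445          0.0.0.0:0            LISTENING    4\r\n"
            "TCP    10.0.0.5:49300       198.51.100.20:8080   ESTABLISHED  4120\r\n",
        "Scheduled tasks/ScheduledTasks.csv": "TaskName,Run\r\n",
        "Security event log/Security.evtx": "",
        "Services/services.txt": "",
        "SMB sessions/SMBInboundSessions.txt": "",
        "Temp Directories/jonathan.wolcott.txt": "",
        # "Users and Groups" is deliberately left out so missing_folders() reports it.
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def open_package(data: bytes) -> zipfile.ZipFile:
    return zipfile.ZipFile(io.BytesIO(data))


def missing_folders(zf: zipfile.ZipFile) -> Set[str]:
    """Top-level folders from the table that the package does not contain."""
    present = {n.split("/", 1)[0] for n in zf.namelist() if "/" in n}
    return EXPECTED_FOLDERS - present


def populated_aseps(zf: zipfile.ZipFile) -> List[str]:
    """Autoruns files with real ASEP content; files with the missing-key message are skipped."""
    hits = []
    for name in zf.namelist():
        if name.startswith("Autoruns/") and not name.endswith("/"):
            text = zf.read(name).decode("utf-8", "replace").strip()
            if text and not text.startswith(ASEP_MISSING):
                hits.append(name)
    return hits


def installed_programs(zf: zipfile.ZipFile) -> List[str]:
    text = zf.read("Installed programs/InstalledPrograms.csv").decode("utf-8", "replace")
    return [row["Name"] for row in csv.DictReader(io.StringIO(text))]


def established_remote_connections(zf: zipfile.ZipFile) -> Dict[str, List[str]]:
    """PID -> remote endpoints with ESTABLISHED TCP connections, for analyst review."""
    text = zf.read("Network connections/ActiveNetworkConnections.txt").decode("utf-8", "replace")
    by_pid: Dict[str, List[str]] = {}
    for line in text.splitlines():
        parts = line.split()  # assumed layout: Proto Local Foreign State PID
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "ESTABLISHED":
            continue
        by_pid.setdefault(parts[4], []).append(parts[2])
    return by_pid
```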
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.
1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Run antivirus scan.
3. Select the scan type that you'd like to run. You can choose between a quick or a full scan.
4. Type a comment and select Yes, run scan to start the scan.
The Action center shows the scan information:
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.
The action to restrict an application from running applies a code integrity policy that only allows files signed by a
Microsoft-issued certificate to run. This method of restriction can help prevent an attacker from controlling
compromised machines and performing further malicious activities.
NOTE
You’ll be able to reverse the restriction of applications from running at any time.
1. Select the machine where you'd like to restrict an application from running from. You can select or search for
a machine from any of the following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Restrict app execution.
3. Type a comment and select Yes, restrict app execution to take action on the file.
The Action center shows the submission information:
3. Type a comment and select Yes, remove restriction to take action on the application. The machine
application restriction will no longer apply on the machine.
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Windows Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook and Skype for Business connectivity (a.k.a. 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time.
1. Select the machine that you want to isolate. You can select or search for a machine from any of the following
views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Isolate machine.
3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated
(a.k.a. 'Selective Isolation').
4. Type a comment and select Yes, isolate machine to take action on the machine.
NOTE
The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If
you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the
user while the machine is isolated.
3. Type a comment and select Yes, release machine to take action on the machine. The machine will be
reconnected to the network.
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking
action on machines, you can check activity details on the Action center.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.
IMPORTANT
This response action is available for machines on Windows 10, version 1703 or later.
You can download the package (Zip file) and investigate the events that occurred on a machine.
The package contains the following folders:
FOLDER DESCRIPTION
Autoruns Contains a set of files that each represent the content of the
registry of a known auto start entry point (ASEP) to help
identify attacker’s persistency on the machine.
NOTE: If the registry key is not found, the file will contain the
following message: “ERROR: The system was unable to find the
specified registry key or value.”
Installed programs This .CSV file contains the list of installed programs that can
help identify what is currently installed on the machine. For
more information, see Win32_Product class.
FOLDER DESCRIPTION
Network connections This folder contains a set of data points related to the
connectivity information which can help in identifying
connectivity to suspicious URLs, attacker’s command and
control (C&C) infrastructure, any lateral movement, or remote
connections.
- ActiveNetworkConnections.txt – Displays protocol statistics
and current TCP/IP network connections. Provides the ability
to look for suspicious connectivity made by a process.
Scheduled tasks Contains a .CSV file listing the scheduled tasks which can be
used to identify routines performed automatically on a chosen
machine to look for suspicious code which was set to run
automatically.
Security event log Contains the security event log which contains records of login
or logout activity, or other security-related events specified by
the system's audit policy.
NOTE: Open the event log file using Event viewer.
Services Contains the services.txt file which lists services and their
states.
FOLDER DESCRIPTION
Windows Server Message Block (SMB) sessions Lists shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a network.
This can help identify data exfiltration or lateral movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.
Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.
Users and Groups Provides a list of files that each represent a group and its
members.
1. Select the machine that you want to investigate. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Collect investigation package.
3. Type a comment and select Yes, collect package to take action on the machine.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.
1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Run antivirus scan.
3. Select the scan type that you'd like to run. You can choose between a quick or a full scan.
4. Type a comment and select Yes, run scan to start the scan.
The Action center shows the scan information:
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.
The action to restrict an application from running applies a code integrity policy that only allows files signed by a
Microsoft-issued certificate to run. This method of restriction can help prevent an attacker from controlling
compromised machines and performing further malicious activities.
NOTE
You’ll be able to reverse the restriction of applications from running at any time.
1. Select the machine on which you'd like to restrict an application from running. You can select or search for a machine from any of the following views:
   - Security operations dashboard - Select the machine name from the Top machines with active alerts section.
   - Alerts queue - Select the machine name beside the machine icon from the alerts queue.
   - Machines list - Select the machine name from the list of machines.
   - Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Restrict app execution.
3. Type a comment and select Yes, restrict app execution to take action on the file.
The Action center shows the submission information:
3. Type a comment and select Yes, remove restriction to take action on the application. The application restriction will no longer apply on the machine.
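Because the restriction lets only Microsoft-signed files run, any line-of-business or third-party tool on the machine stops launching as soon as the policy lands. The following impact check is an added example, not code from the Windows Defender ATP documentation or product: run locally on the endpoint before taking the action, it lists the running processes whose image does not carry a valid Microsoft signature, which is the set of images the policy would block. It assumes rights to read each process's image path and approximates "Microsoft-issued" as a valid Authenticode (embedded or catalog) signature whose signer subject names Microsoft Corporation; that is a triage heuristic, not the exact rule the code integrity policy enforces.

```powershell
# Added example, not from the Windows Defender ATP documentation.
# Lists running processes whose image lacks a valid Microsoft signature, i.e. the
# images a Microsoft-signed-only code integrity policy would stop from launching.
# Assumption: "Microsoft-issued" is approximated by Get-AuthenticodeSignature
# returning Valid with a signer subject containing "Microsoft Corporation".

function Get-NonMicrosoftSignedProcess {
    [CmdletBinding()]
    param()

    $flagged    = @()
    $unreadable = @()

    foreach ($proc in Get-Process) {
        $path = $null
        try { $path = $proc.Path } catch { }
        if ([string]::IsNullOrEmpty($path)) {
            # Protected and system processes hide their image path from a
            # non-elevated caller; record them so the gap is visible.
            $unreadable += $proc.ProcessName
            continue
        }

        # Checks embedded signatures and, on Windows 8 and later, catalog signatures.
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft Corporation*')

        if (-not $isMicrosoft) {
            $flagged += [pscustomobject]@{
                ProcessName = $proc.ProcessName
                Id          = $proc.Id
                Status      = $sig.Status
                Signer      = $signer
                Path        = $path
            }
        }
    }

    if ($unreadable.Count -gt 0) {
        Write-Warning ('Image path not readable for: ' + (($unreadable | Sort-Object -Unique) -join ', '))
    }
    # One row per image file, even if several processes share it
    $flagged | Sort-Object Path -Unique
}

# Usage: review this list with the application owners before applying the action.
Get-NonMicrosoftSignedProcess | Format-Table ProcessName, Id, Status, Path -AutoSize
```

Run it elevated so that system processes report a readable path; otherwise the warning lists the processes that could not be assessed. An image that appears here is not necessarily malicious, but it is an application that will stop working while the restriction is in place, which is exactly the information needed to decide whether restriction or full isolation is the better containment step.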
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Windows Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook and Skype for Business connectivity (a.k.a. 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time.
1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views:
   - Security operations dashboard - Select the machine name from the Top machines with active alerts section.
   - Alerts queue - Select the machine name beside the machine icon from the alerts queue.
   - Machines list - Select the machine name from the list of machines.
   - Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Isolate machine.
3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated (a.k.a. 'Selective Isolation').
4. Type a comment and select Yes, isolate machine to take action on the machine.
NOTE
The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate with the user while the machine is isolated.
3. Type a comment and select Yes, release machine to take action on the machine. The machine will be reconnected to the network.
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking
action on machines, you can check activity details on the Action center.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.
IMPORTANT
This response action is available for machines on Windows 10, version 1703 or later.
You can download the package (Zip file) and investigate the events that occurred on a machine.
The package contains the following folders:
FOLDER DESCRIPTION
Autoruns Contains a set of files that each represent the content of the
registry of a known auto start entry point (ASEP) to help
identify attacker’s persistency on the machine.
NOTE: If the registry key is not found, the file will contain the
following message: “ERROR: The system was unable to find the
specified registry key or value.”
Installed programs This .CSV file contains the list of installed programs that can
help identify what is currently installed on the machine. For
more information, see Win32_Product class.
FOLDER DESCRIPTION
Network connections This folder contains a set of data points related to the
connectivity information which can help in identifying
connectivity to suspicious URLs, attacker’s command and
control (C&C) infrastructure, any lateral movement, or remote
connections.
- ActiveNetworkConnections.txt – Displays protocol statistics
and current TCP/IP network connections. Provides the ability
to look for suspicious connectivity made by a process.
Scheduled tasks Contains a .CSV file listing the scheduled tasks which can be
used to identify routines performed automatically on a chosen
machine to look for suspicious code which was set to run
automatically.
Security event log Contains the security event log which contains records of login
or logout activity, or other security-related events specified by
the system's audit policy.
NOTE: Open the event log file using Event viewer.
Services Contains the services.txt file which lists services and their
states.
FOLDER DESCRIPTION
Windows Server Message Block (SMB) sessions Lists shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a network.
This can help identify data exfiltration or lateral movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.
Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.
Users and Groups Provides a list of files that each represent a group and its
members.
1. Select the machine that you want to investigate. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Collect investigation package.
3. Type a comment and select Yes, collect package to take action on the machine.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.
1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Run antivirus scan.
3. Select the scan type that you'd like to run. You can choose between a quick or a full scan.
4. Type a comment and select Yes, run scan to start the scan.
The Action center shows the scan information:
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.
The action to restrict an application from running applies a code integrity policy that only allows running of files
that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from
controlling compromised machines and performing further malicious activities.
NOTE
You’ll be able to reverse the restriction of applications from running at any time.
1. Select the machine where you'd like to restrict an application from running from. You can select or search for
a machine from any of the following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Restrict app execution.
3. Type a comment and select Yes, restict app execution to take action on the file.
The Action center shows the submission information:
3. Type a comment and select Yes, remove restriction to take action on the application. The machine
application restriction will no longer apply on the machine.
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Windows Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time.
1. Select the machine that you want to isolate. You can select or search for a machine from any of the following
views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Isolate machine.
3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated
(a.k.a. 'Selective Isolation').
4. Type a comment and select Yes, isolate machine to take action on the machine.
NOTE
The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If
you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the
user while the machine is isolated.
3. Type a comment and select Yes, release machine to take action on the machine. The machine will be
reconnected to the network.
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking
action on machines, you can check activity details on the Action center.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.
IMPORTANT
This response action is available for machines on Windows 10, version 1703 or later.
You can download the package (Zip file) and investigate the events that occurred on a machine.
The package contains the following folders:
FOLDER DESCRIPTION
Autoruns Contains a set of files that each represent the content of the
registry of a known auto start entry point (ASEP) to help
identify attacker’s persistency on the machine.
NOTE: If the registry key is not found, the file will contain the
following message: “ERROR: The system was unable to find the
specified registry key or value.”
Installed programs This .CSV file contains the list of installed programs that can
help identify what is currently installed on the machine. For
more information, see Win32_Product class.
FOLDER DESCRIPTION
Network connections This folder contains a set of data points related to the
connectivity information which can help in identifying
connectivity to suspicious URLs, attacker’s command and
control (C&C) infrastructure, any lateral movement, or remote
connections.
- ActiveNetworkConnections.txt – Displays protocol statistics
and current TCP/IP network connections. Provides the ability
to look for suspicious connectivity made by a process.
Scheduled tasks Contains a .CSV file listing the scheduled tasks which can be
used to identify routines performed automatically on a chosen
machine to look for suspicious code which was set to run
automatically.
Security event log Contains the security event log which contains records of login
or logout activity, or other security-related events specified by
the system's audit policy.
NOTE: Open the event log file using Event viewer.
Services Contains the services.txt file which lists services and their
states.
FOLDER DESCRIPTION
Windows Server Message Block (SMB) sessions Lists shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a network.
This can help identify data exfiltration or lateral movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.
Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.
Users and Groups Provides a list of files that each represent a group and its
members.
1. Select the machine that you want to investigate. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Collect investigation package.
3. Type a comment and select Yes, collect package to take action on the machine.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.
1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Run antivirus scan.
3. Select the scan type that you'd like to run. You can choose between a quick or a full scan.
4. Type a comment and select Yes, run scan to start the scan.
The Action center shows the scan information:
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.
The action to restrict an application from running applies a code integrity policy that only allows running of files
that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from
controlling compromised machines and performing further malicious activities.
NOTE
You’ll be able to reverse the restriction of applications from running at any time.
1. Select the machine where you'd like to restrict an application from running from. You can select or search for
a machine from any of the following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Restrict app execution.
3. Type a comment and select Yes, restict app execution to take action on the file.
The Action center shows the submission information:
3. Type a comment and select Yes, remove restriction to take action on the application. The machine
application restriction will no longer apply on the machine.
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Windows Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time.
1. Select the machine that you want to isolate. You can select or search for a machine from any of the following
views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Isolate machine.
3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated
(a.k.a. 'Selective Isolation').
4. Type a comment and select Yes, isolate machine to take action on the machine.
NOTE
The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If
you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the
user while the machine is isolated.
3. Type a comment and select Yes, release machine to take action on the machine. The machine will be
reconnected to the network.
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking
action on machines, you can check activity details on the Action center.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.
IMPORTANT
This response action is available for machines on Windows 10, version 1703 or later.
You can download the package (Zip file) and investigate the events that occurred on a machine.
The package contains the following folders:
FOLDER DESCRIPTION
Autoruns Contains a set of files that each represent the content of the
registry of a known auto start entry point (ASEP) to help
identify attacker’s persistency on the machine.
NOTE: If the registry key is not found, the file will contain the
following message: “ERROR: The system was unable to find the
specified registry key or value.”
Installed programs This .CSV file contains the list of installed programs that can
help identify what is currently installed on the machine. For
more information, see Win32_Product class.
FOLDER DESCRIPTION
Network connections This folder contains a set of data points related to the
connectivity information which can help in identifying
connectivity to suspicious URLs, attacker’s command and
control (C&C) infrastructure, any lateral movement, or remote
connections.
- ActiveNetworkConnections.txt – Displays protocol statistics
and current TCP/IP network connections. Provides the ability
to look for suspicious connectivity made by a process.
Scheduled tasks Contains a .CSV file listing the scheduled tasks which can be
used to identify routines performed automatically on a chosen
machine to look for suspicious code which was set to run
automatically.
Security event log Contains the security event log which contains records of login
or logout activity, or other security-related events specified by
the system's audit policy.
NOTE: Open the event log file using Event viewer.
Services Contains the services.txt file which lists services and their
states.
FOLDER DESCRIPTION
Windows Server Message Block (SMB) sessions Lists shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a network.
This can help identify data exfiltration or lateral movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.
Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.
Users and Groups Provides a list of files that each represent a group and its
members.
1. Select the machine that you want to investigate. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Collect investigation package.
3. Type a comment and select Yes, collect package to take action on the machine.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.
1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Run antivirus scan.
3. Select the scan type that you'd like to run. You can choose between a quick or a full scan.
4. Type a comment and select Yes, run scan to start the scan.
The Action center shows the scan information:
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.
The action to restrict an application from running applies a code integrity policy that only allows running of files
that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from
controlling compromised machines and performing further malicious activities.
NOTE
You’ll be able to reverse the restriction of applications from running at any time.
1. Select the machine where you'd like to restrict an application from running from. You can select or search for
a machine from any of the following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Restrict app execution.
3. Type a comment and select Yes, restict app execution to take action on the file.
The Action center shows the submission information:
3. Type a comment and select Yes, remove restriction to take action on the application. The machine
application restriction will no longer apply on the machine.
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Windows Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time.
1. Select the machine that you want to isolate. You can select or search for a machine from any of the following
views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Isolate machine.
3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated
(a.k.a. 'Selective Isolation').
4. Type a comment and select Yes, isolate machine to take action on the machine.
NOTE
The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If
you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the
user while the machine is isolated.
3. Type a comment and select Yes, release machine to take action on the machine. The machine will be
reconnected to the network.
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking
action on machines, you can check activity details on the Action center.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.
IMPORTANT
This response action is available for machines on Windows 10, version 1703 or later.
You can download the package (Zip file) and investigate the events that occurred on a machine.
The package contains the following folders:
FOLDER DESCRIPTION
Autoruns Contains a set of files that each represent the content of the
registry of a known auto start entry point (ASEP) to help
identify attacker’s persistency on the machine.
NOTE: If the registry key is not found, the file will contain the
following message: “ERROR: The system was unable to find the
specified registry key or value.”
Installed programs This .CSV file contains the list of installed programs that can
help identify what is currently installed on the machine. For
more information, see Win32_Product class.
FOLDER DESCRIPTION
Network connections This folder contains a set of data points related to the
connectivity information which can help in identifying
connectivity to suspicious URLs, attacker’s command and
control (C&C) infrastructure, any lateral movement, or remote
connections.
- ActiveNetworkConnections.txt – Displays protocol statistics
and current TCP/IP network connections. Provides the ability
to look for suspicious connectivity made by a process.
Scheduled tasks Contains a .CSV file listing the scheduled tasks which can be
used to identify routines performed automatically on a chosen
machine to look for suspicious code which was set to run
automatically.
Security event log Contains the security event log which contains records of login
or logout activity, or other security-related events specified by
the system's audit policy.
NOTE: Open the event log file using Event viewer.
Services Contains the services.txt file which lists services and their
states.
FOLDER DESCRIPTION
Windows Server Message Block (SMB) sessions Lists shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a network.
This can help identify data exfiltration or lateral movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.
Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.
Users and Groups Provides a list of files that each represent a group and its
members.
1. Select the machine that you want to investigate. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Collect investigation package.
3. Type a comment and select Yes, collect package to take action on the machine.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.
1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Run antivirus scan.
3. Select the scan type that you'd like to run. You can choose between a quick or a full scan.
4. Type a comment and select Yes, run scan to start the scan.
The Action center shows the scan information:
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.
The action to restrict an application from running applies a code integrity policy that only allows running of files
that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from
controlling compromised machines and performing further malicious activities.
NOTE
You’ll be able to reverse the restriction of applications from running at any time.
1. Select the machine where you'd like to restrict an application from running. You can select or search for
a machine from any of the following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Restrict app execution.
3. Type a comment and select Yes, restrict app execution to take action on the file.
The Action center shows the submission information:
3. Type a comment and select Yes, remove restriction to take action on the application. The machine
application restriction will no longer apply on the machine.
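Before applying Restrict app execution, a responder usually wants to know which running applications on the machine are not Microsoft-signed and will therefore stop launching under the Microsoft-only code integrity policy. The following PowerShell inventory is an added example, not code from the original documentation or from the product; it approximates "signed by a Microsoft issued certificate" by requiring a valid Authenticode signature whose signer subject contains O=Microsoft Corporation, which is an assumption about the policy's exact signer rules.

```powershell
# Added example (not Microsoft's code): before applying Restrict app execution,
# list the running process images that are NOT Microsoft-signed, i.e. the
# applications a Microsoft-only code integrity policy would stop from launching.
# Assumption: "signed by a Microsoft issued certificate" is approximated by a valid
# Authenticode signature whose signer subject contains O=Microsoft Corporation.
function Get-NonMicrosoftSignedProcess {
    [CmdletBinding()]
    param()

    $processes = Get-Process
    # Processes we cannot open (protected/system processes) expose no Path; skip them.
    $paths = $processes | Where-Object { $_.Path } |
        Select-Object -ExpandProperty Path -Unique

    foreach ($path in $paths) {
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if (-not $sig) { continue }

        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
        if ($isMicrosoft) { continue }

        # Names of the running processes backed by this image, for the impact review.
        $names = ($processes | Where-Object { $_.Path -eq $path } |
            Select-Object -ExpandProperty Name -Unique) -join ','

        [pscustomobject]@{
            Path      = $path
            Status    = $sig.Status      # NotSigned, HashMismatch, NotTrusted, ...
            Signer    = $signer
            Processes = $names
        }
    }
}

# Review this list with the machine's owner: these applications will stop
# launching once the restriction is applied (the restriction is reversible).
Get-NonMicrosoftSignedProcess | Format-Table -AutoSize
```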
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Windows Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook and Skype for Business connectivity (a.k.a. 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time.
1. Select the machine that you want to isolate. You can select or search for a machine from any of the following
views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Isolate machine.
3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated
(a.k.a. 'Selective Isolation').
4. Type a comment and select Yes, isolate machine to take action on the machine.
NOTE
The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If
you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the
user while the machine is isolated.
3. Type a comment and select Yes, release machine to take action on the machine. The machine will be
reconnected to the network.
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details on the Action center.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file.
IMPORTANT
You can only take this action if:
The machine you're taking the action on is running Windows 10, version 1703 or later
The file is not from a trusted third-party publisher and is not signed by Microsoft
Windows Defender Antivirus must at least be running in Passive mode. For more information, see Windows Defender
Antivirus compatibility.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistence such as registry keys.
The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
IMPORTANT
The Action button is turned off for files signed by Microsoft as well as trusted third-party publishers to prevent the removal
of critical system files and files used by important applications.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.
NOTE
Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For
more information, see Manage cloud-based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block action cannot be applied to a file whose classification was already present in the device's cache
before the action was taken.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
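An analyst who finds the Action button unavailable usually needs to confirm the endpoint-side prerequisites listed above (Windows 10 version, Defender AV mode, cloud-based protection, client version). The following PowerShell check is an added example, not code from the original documentation or from the product; it assumes ReleaseId is read from the registry, that AMServiceEnabled, AMRunningMode and AMProductVersion come from Get-MpComputerStatus, and that MAPSReporting comes from Get-MpPreference.

```powershell
# Added example (not Microsoft's code): check on the endpoint itself whether the
# prerequisites this page lists for file response actions are met.
#   Stop and quarantine : Windows 10 version 1703+, Defender AV at least in Passive mode
#   Block / allow file  : Windows 10 version 1703+, cloud-based protection enabled,
#                         antimalware client 4.18.1901.x or later
# Assumptions: ReleaseId is read from the registry; AMServiceEnabled, AMRunningMode
# and AMProductVersion come from Get-MpComputerStatus; MAPSReporting from Get-MpPreference.
function Test-FileResponseActionPrerequisites {
    [CmdletBinding()]
    param()

    $cv        = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $releaseId = [int]$cv.ReleaseId          # 1703, 1709, 1809, ... (0 if the value is absent)
    $status    = Get-MpComputerStatus
    $pref      = Get-MpPreference

    # "4.18.1901.x or later": compare the first three version components only.
    $v        = [version]$status.AMProductVersion
    $clientOk = ([version]"$($v.Major).$($v.Minor).$($v.Build)") -ge [version]'4.18.1901'

    # Active (Normal) or Passive mode both satisfy "at least running in Passive mode";
    # AMServiceEnabled is the fallback on builds whose cmdlet lacks AMRunningMode.
    $avRunning = [bool]$status.AMServiceEnabled -and ($status.AMRunningMode -ne 'Not running')

    # MAPSReporting: 0 = cloud-based protection off, 1 = basic, 2 = advanced.
    $cloudOn = [int]$pref.MAPSReporting -gt 0

    [pscustomobject]@{
        ReleaseId                 = $releaseId
        AMProductVersion          = $status.AMProductVersion
        AMRunningMode             = $status.AMRunningMode
        CloudProtectionEnabled    = $cloudOn
        StopAndQuarantineEligible = ($releaseId -ge 1703) -and $avRunning
        BlockFileEligible         = ($releaseId -ge 1703) -and $cloudOn -and $clientOk
    }
}

Test-FileResponseActionPrerequisites | Format-List
```

The per-file conditions (the file must not be Microsoft-signed or from a trusted publisher, and must appear in the machine timeline) are checked by the portal and are not covered by this script.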
Block a file
1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop-down menu and enter the file name
2. Open the Actions menu and select Block.
3. Specify a reason and select Yes, block file to take action on the file.
The Action center shows the submission information:
NOTE
If a file was scanned before the action was taken, it may take longer for the block to take effect on the device.
NOTE
The Action button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization
caused by the removal of files that might be related to the operating system.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.
3. Type a comment and select Yes to take action on the file. The file will be allowed to run in the organization.
Check activity details in Action center
The Action center provides information on actions that were taken on a machine or file. You'll be able to view the
details of the last action that was taken on a file, such as stopped and quarantined files or blocked files.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the
File view page, under a new Deep analysis summary section. The summary includes a list of observed behaviors,
some of which can indicate malicious activity, and observables, including contacted IPs and files created on the disk.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Submit files for analysis
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
In the file's page, Submit for deep analysis is enabled when the file is available in the Windows Defender ATP
backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep
analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Malware Protection Center Portal if the file was not observed
on a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency
between file submission and availability of the deep analysis feature in Windows Defender ATP.
When the sample is collected, Windows Defender ATP runs the file in a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following
views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop-down menu and enter the file name
2. In the Deep analysis section of the file view, click Submit.
NOTE
Only PE files are supported, including .exe and .dll files.
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can
resubmit files for deep analysis to get fresh data on the file.
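Both Block file (above) and Deep analysis accept only portable executable files (.exe and .dll). The following PowerShell function is an added example, not code from the original documentation or from the product; it decides from the DOS and PE headers rather than the file extension whether a file qualifies, and whether it is an .exe or a .dll. It assumes the standard IMAGE_FILE_HEADER layout (Machine at offset +4 and Characteristics at offset +22 from the "PE\0\0" signature).

```powershell
# Added example (not Microsoft's code): classify a file as PE / not PE and as
# .exe or .dll from its headers, since Block file and Deep analysis accept only
# PE files regardless of what the extension claims.
function Get-PeKind {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $notPe = [pscustomobject]@{ Path = $Path; IsPE = $false; Kind = 'not-PE'; Machine = $null }

    # DOS header: "MZ" magic at offset 0, e_lfanew (offset of the PE header) at 0x3C.
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        return $notPe
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)

    # PE signature "PE\0\0" followed by the 20-byte IMAGE_FILE_HEADER.
    if ($peOffset -lt 0 -or $peOffset + 24 -gt $bytes.Length -or
        $bytes[$peOffset] -ne 0x50 -or $bytes[$peOffset + 1] -ne 0x45 -or
        $bytes[$peOffset + 2] -ne 0 -or $bytes[$peOffset + 3] -ne 0) {
        return $notPe
    }

    $machine         = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    $characteristics = [BitConverter]::ToUInt16($bytes, $peOffset + 22)

    # IMAGE_FILE_DLL (0x2000) marks a DLL; IMAGE_FILE_EXECUTABLE_IMAGE (0x0002) a linked image.
    $kind = if ($characteristics -band 0x2000) { 'dll' }
            elseif ($characteristics -band 0x0002) { 'exe' }
            else { 'pe-other' }

    $machineName = switch ($machine) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        0xAA64  { 'arm64' }
        default { '0x{0:X4}' -f $machine }
    }

    [pscustomobject]@{ Path = $Path; IsPE = $true; Kind = $kind; Machine = $machineName }
}

# Usage: a file reported as not-PE cannot be blocked or submitted for deep analysis yet,
# whatever its extension; an .exe or .dll verdict confirms it is eligible.
Get-PeKind -Path "$env:SystemRoot\System32\kernel32.dll"
```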
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
Related topic
Take response actions on a machine
Take response actions on a file
4/19/2019 • 10 minutes to read • Edit Online
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details on the Action center.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file.
IMPORTANT
You can only take this action if:
The machine you're taking the action on is running Windows 10, version 1703 or later
The file does not belong to trusted third-party publishers or not signed by Microsoft
Windows Defender Antivirus must at least be running on Passive mode. For more information, see Windows Defender
Antivirus compatibility.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistency such as registry keys.
The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
IMPORTANT
The Action button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal
of critical system files and files used by important applications.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.
NOTE
Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For
more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or
block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
Block a file
1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Block.
3. Specify a reason and select Yes, block file to take action on the file.
The Action center shows the submission information:
NOTE
-If a file was scanned before the action was taken, it may take longer to be effective on the device.
NOTE
The Action button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization
caused by the removal of files that might be related to the operating system.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.
3. Type a comment and select Yes to take action on the file. The file will be allowed to run in the organization.
Check activity details in Action center
The Action center provides information on actions that were taken on a machine or file. You’ll be able to view the
details on the last action that were taken on a file such as stopped and quarantined files or blocked files.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE ) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the
File view page, under a new Deep analysis summary section. The summary includes a list of observed behaviors,
some of which can indicate malicious activity, and observables, including contacted IPs and files created on the disk.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Submit files for analysis
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
In the file's page, Submit for deep analysis is enabled when the file is available in the Windows Defender ATP
backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep
analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Malware Protection Center Portal if the file was not observed
on a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency
between file submission and availability of the deep analysis feature in Windows Defender ATP.
When the sample is collected, Windows Defender ATP runs the file in a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following
views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization section
Search box - select File from the drop-down menu and enter the file name
2. In the Deep analysis section of the file view, click Submit.
NOTE
Only PE files are supported, including .exe and .dll files.
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can
resubmit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
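Because Submit for deep analysis only accepts PE files (.exe and .dll), it is useful to confirm the sample type before queuing it. The following Python is an added example, not code from the Windows Defender ATP documentation or product: it parses the DOS and COFF headers to classify a sample as exe or dll and computes its SHA-1 as an identifier for the case notes; the header blobs it builds are constructed for the demo and are not runnable binaries.

```python
"""Pre-check a candidate sample before submitting it for deep analysis.

Deep analysis in Windows Defender ATP only accepts portable executable (PE)
files (.exe and .dll). This added example (not part of the original
documentation) parses the PE headers so an analyst can confirm the sample
type and record the SHA-1 alongside the submission.
The sample bytes built below are constructed for the demo, not a real binary.
"""
import hashlib
import struct

# IMAGE_FILE_DLL bit in the COFF FileHeader.Characteristics field (winnt.h)
IMAGE_FILE_DLL = 0x2000
# Common IMAGE_FILE_MACHINE_* values from the COFF header (winnt.h)
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64", 0x01C4: "ARMNT"}


def inspect_pe(data: bytes) -> dict:
    """Return PE metadata, or raise ValueError when the bytes are not a PE file.

    Checks, in order: the DOS 'MZ' signature, a sane e_lfanew offset,
    the 'PE\\0\\0' signature, and then the COFF FileHeader fields.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) header: not a PE file")
    # e_lfanew is the DWORD at offset 0x3C that points at the PE signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Signature (4 bytes) + COFF FileHeader (20 bytes) must fit in the buffer
    if e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew points outside the file: corrupt or truncated")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature: not a PE file")
    # COFF FileHeader layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2)
    # Characteristics(2)
    machine, nsections, _ts, _sym, _nsym, _optsz, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    return {
        "kind": "dll" if characteristics & IMAGE_FILE_DLL else "exe",
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        # SHA-1 of the whole sample, recorded with the submission for reference
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def build_sample(is_dll: bool) -> bytes:
    """Construct a minimal, non-executable PE header blob (demo input only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after DOS header
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + b"PE\x00\x00" + coff


def eligible_for_deep_analysis(data: bytes) -> bool:
    """True only for parsable PE files, the only type the Submit button accepts."""
    try:
        inspect_pe(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    samples = [("exe", build_sample(False)), ("dll", build_sample(True)),
               ("script", b"#!/bin/sh\necho hi\n")]  # constructed inputs
    for label, blob in samples:
        ok = eligible_for_deep_analysis(blob)
        print(label, "eligible" if ok else "rejected", inspect_pe(blob) if ok else "")
```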
Related topic
Take response actions on a machine
Take response actions on a file
4/19/2019 • 10 minutes to read • Edit Online
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details on the Action center.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file.
IMPORTANT
You can only take this action if:
The machine you're taking the action on is running Windows 10, version 1703 or later
The file does not belong to trusted third-party publishers or not signed by Microsoft
Windows Defender Antivirus must at least be running on Passive mode. For more information, see Windows Defender
Antivirus compatibility.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistency such as registry keys.
The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
IMPORTANT
The Action button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal
of critical system files and files used by important applications.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.
NOTE
Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For
more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or
block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
Block a file
1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Block.
3. Specify a reason and select Yes, block file to take action on the file.
The Action center shows the submission information:
NOTE
-If a file was scanned before the action was taken, it may take longer to be effective on the device.
NOTE
The Action button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization
caused by the removal of files that might be related to the operating system.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.
3. Type a comment and select Yes to take action on the file. The file will be allowed to run in the organization.
Check activity details in Action center
The Action center provides information on actions that were taken on a machine or file. You’ll be able to view the
details on the last action that were taken on a file such as stopped and quarantined files or blocked files.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE ) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the
File view page, under a new Deep analysis summary section. The summary includes a list of observed behaviors,
some of which can indicate malicious activity, and observables, including contacted IPs and files created on the disk.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Submit files for analysis
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
In the file's page, Submit for deep analysis is enabled when the file is available in the Windows Defender ATP
backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep
analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Malware Protection Center Portal if the file was not observed
on a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency
between file submission and availability of the deep analysis feature in Windows Defender ATP.
When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following
views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop–down menu and enter the file name
2. In the Deep analysis section of the file view, click Submit.
Note Only PE files are supported, including .exe and .dll files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–
submit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
Related topic
Take response actions on a machine
Take response actions on a file
4/19/2019 • 10 minutes to read • Edit Online
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details on the Action center.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file.
IMPORTANT
You can only take this action if:
The machine you're taking the action on is running Windows 10, version 1703 or later
The file does not belong to trusted third-party publishers or not signed by Microsoft
Windows Defender Antivirus must at least be running on Passive mode. For more information, see Windows Defender
Antivirus compatibility.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistency such as registry keys.
The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
IMPORTANT
The Action button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal
of critical system files and files used by important applications.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.
NOTE
Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For
more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or
block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
Block a file
1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Block.
3. Specify a reason and select Yes, block file to take action on the file.
The Action center shows the submission information:
NOTE
-If a file was scanned before the action was taken, it may take longer to be effective on the device.
NOTE
The Action button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization
caused by the removal of files that might be related to the operating system.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.
3. Type a comment and select Yes to take action on the file. The file will be allowed to run in the organization.
Check activity details in Action center
The Action center provides information on actions that were taken on a machine or file. You’ll be able to view the
details on the last action that were taken on a file such as stopped and quarantined files or blocked files.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE ) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the
File view page, under a new Deep analysis summary section. The summary includes a list of observed behaviors,
some of which can indicate malicious activity, and observables, including contacted IPs and files created on the disk.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Submit files for analysis
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
In the file's page, Submit for deep analysis is enabled when the file is available in the Windows Defender ATP
backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep
analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Malware Protection Center Portal if the file was not observed
on a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency
between file submission and availability of the deep analysis feature in Windows Defender ATP.
When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following
views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop–down menu and enter the file name
2. In the Deep analysis section of the file view, click Submit.
Note Only PE files are supported, including .exe and .dll files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–
submit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
Related topic
Take response actions on a machine
Take response actions on a file
4/19/2019 • 10 minutes to read • Edit Online
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details on the Action center.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file.
IMPORTANT
You can only take this action if:
The machine you're taking the action on is running Windows 10, version 1703 or later
The file does not belong to trusted third-party publishers or not signed by Microsoft
Windows Defender Antivirus must at least be running on Passive mode. For more information, see Windows Defender
Antivirus compatibility.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistency such as registry keys.
The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
IMPORTANT
The Action button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal
of critical system files and files used by important applications.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.
NOTE
Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For
more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or
block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
Block a file
1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Block.
3. Specify a reason and select Yes, block file to take action on the file.
The Action center shows the submission information:
NOTE
-If a file was scanned before the action was taken, it may take longer to be effective on the device.
NOTE
The Action button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization
caused by the removal of files that might be related to the operating system.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.
3. Type a comment and select Yes to take action on the file. The file will be allowed to run in the organization.
Check activity details in Action center
The Action center provides information on actions that were taken on a machine or file. You’ll be able to view the
details on the last action that were taken on a file such as stopped and quarantined files or blocked files.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE ) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the
File view page, under a new Deep analysis summary section. The summary includes a list of observed behaviors,
some of which can indicate malicious activity, and observables, including contacted IPs and files created on the disk.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Submit files for analysis
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
In the file's page, Submit for deep analysis is enabled when the file is available in the Windows Defender ATP
backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep
analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Malware Protection Center Portal if the file was not observed
on a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency
between file submission and availability of the deep analysis feature in Windows Defender ATP.
When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following
views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop–down menu and enter the file name
2. In the Deep analysis section of the file view, click Submit.
Note Only PE files are supported, including .exe and .dll files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–
submit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
Related topic
Take response actions on a machine
Take response actions on a file
4/19/2019 • 10 minutes to read • Edit Online
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details on the Action center.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file.
IMPORTANT
You can only take this action if:
The machine you're taking the action on is running Windows 10, version 1703 or later
The file does not belong to trusted third-party publishers or not signed by Microsoft
Windows Defender Antivirus must at least be running on Passive mode. For more information, see Windows Defender
Antivirus compatibility.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistency such as registry keys.
The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
IMPORTANT
The Action button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal
of critical system files and files used by important applications.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.
NOTE
Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For
more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or
block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
Block a file
1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Block.
3. Specify a reason and select Yes, block file to take action on the file.
The Action center shows the submission information:
NOTE
-If a file was scanned before the action was taken, it may take longer to be effective on the device.
NOTE
The Action button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization
caused by the removal of files that might be related to the operating system.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.
3. Type a comment and select Yes to take action on the file. The file will be allowed to run in the organization.
Check activity details in Action center
The Action center provides information on actions that were taken on a machine or file. You’ll be able to view the
details on the last action that were taken on a file such as stopped and quarantined files or blocked files.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE ) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the
File view page, under a new Deep analysis summary section. The summary includes a list of observed behaviors,
some of which can indicate malicious activity, and observables, including contacted IPs and files created on the disk.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Submit files for analysis
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
In the file's page, Submit for deep analysis is enabled when the file is available in the Windows Defender ATP
backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep
analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Malware Protection Center Portal if the file was not observed
on a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency
between file submission and availability of the deep analysis feature in Windows Defender ATP.
When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following
views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop-down menu and enter the file name
2. In the Deep analysis section of the file view, click Submit.
NOTE
Only PE files are supported, including .exe and .dll files.
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can
resubmit files for deep analysis to get fresh data on the file.
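Deep analysis accepts only PE files. The following Python pre-check is an added example and not part of the original documentation or the product: it reads the DOS and COFF headers to confirm a sample is a PE image and whether it is an .exe or a .dll, so an analyst can rule out unsupported files before submitting. The function name `inspect_pe` and the sample headers it builds are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# COFF Characteristics flags (from the PE/COFF specification).
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


@dataclass
class PeInfo:
    is_pe: bool
    kind: Optional[str] = None      # "exe", "dll", or None when not a PE image
    machine: Optional[int] = None   # COFF Machine field, e.g. 0x8664 for x64
    reason: str = ""                # why the sample was rejected, if it was


def inspect_pe(data: bytes) -> PeInfo:
    """Classify a byte buffer as a PE .exe, a PE .dll, or not a PE image.

    Checks, in order: the 'MZ' DOS signature, that e_lfanew (offset 0x3C)
    points inside the buffer, the 'PE\\0\\0' signature, and the COFF
    Characteristics bits that distinguish executables from DLLs.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return PeInfo(False, reason="missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # PE signature (4 bytes) plus the 20-byte COFF header must fit in the buffer.
    if e_lfanew + 24 > len(data):
        return PeInfo(False, reason="e_lfanew points outside the file (truncated?)")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return PeInfo(False, reason="missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, _, _, _, _, _, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    if not characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        return PeInfo(False, machine=machine, reason="not an executable image")
    kind = "dll" if characteristics & IMAGE_FILE_DLL else "exe"
    return PeInfo(True, kind=kind, machine=machine)


def _build_sample(characteristics: int) -> bytes:
    """Constructed minimal PE header (not a runnable binary) for demonstration."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows DOS stub
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed samples: an EXE, a DLL, a shell script, and a truncated PE.
SAMPLE_EXE = _build_sample(IMAGE_FILE_EXECUTABLE_IMAGE)
SAMPLE_DLL = _build_sample(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)
SAMPLE_SCRIPT = b"#!/bin/sh\necho not a PE file\n"
SAMPLE_TRUNCATED = SAMPLE_EXE[:0x48]


def submittable(samples: dict) -> dict:
    """Return {name: PeInfo} for the samples that deep analysis would accept."""
    return {name: info for name, info in
            ((n, inspect_pe(d)) for n, d in samples.items()) if info.is_pe}


if __name__ == "__main__":
    samples = {"a.exe": SAMPLE_EXE, "b.dll": SAMPLE_DLL,
               "c.sh": SAMPLE_SCRIPT, "d.exe": SAMPLE_TRUNCATED}
    for name, data in samples.items():
        info = inspect_pe(data)
        verdict = f"PE {info.kind}" if info.is_pe else f"skip ({info.reason})"
        print(f"{name:8} -> {verdict}")
```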
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
Related topic
Take response actions on a machine
Overview of Automated investigations
4/5/2019 • 4 minutes to read • Edit Online
The Windows Defender ATP service has a wide breadth of visibility on multiple machines. With this kind of optics,
the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical
security operations team to individually address.
To address this challenge, Windows Defender ATP uses Automated investigations to significantly reduce the
volume of alerts that need to be investigated individually. The Automated investigation feature leverages various
inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate
remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations
experts to focus on more sophisticated threats and other high value initiatives.
The Automated investigations list shows all the investigations that have been initiated automatically and shows
other details such as its status, detection source, and the date for when the investigation was initiated.
NOTE
Currently, Automated investigation only supports Windows 10, version 1803 or later. Some investigation playbooks, like
memory investigations, require Windows 10, version 1809 or later.
The investigation starts by analyzing the supported entities from the alert and also runs a generic machine playbook to
see if there is anything else suspicious on that machine. The outcome and details from the investigation are shown in
the Automated investigation view.
Details of an Automated investigation
As the investigation proceeds, you'll be able to view the details of the investigation. Selecting a triggering alert
brings you to the investigation details view where you can pivot from the Investigation graph, Alerts,
Machines, Threats, Entities, and Log tabs.
In the Alerts tab, you'll see the alert that started the investigation.
The Machines tab shows where the alert was seen.
The Threats tab shows the entities that were found to be malicious during the investigation.
During an Automated investigation, details about each analyzed entity are categorized in the Entities tab. You'll be
able to see the determination for each entity type, such as whether it was determined to be malicious, suspicious,
or clean.
The Log tab reflects the chronological detailed view of all the investigation actions taken on the alert.
If there are pending actions on the investigation, the Pending actions tab will be displayed where you can
approve or reject actions.
How an Automated investigation expands its scope
While an investigation is running, any other alert generated from the machine will be added to an ongoing
Automated investigation until that investigation is completed. In addition, if the same threat is seen on other
machines, those machines are added to the investigation.
If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to
include that machine and a generic machine playbook will start on that machine. If 10 or more machines are
found during this expansion process from the same entity, then that expansion action will require an approval and
will be seen in the Pending actions view.
How threats are remediated
Depending on how you set up the machine groups and their level of automation, the Automated investigation will
either require user approval (default) or automatically remediate threats.
You can configure the following levels of automation:
Not protected
Machines will not get any automated investigations run on them.
Semi - require approval for any remediation
This is the default automation level.
Semi - require approval for non-temp folders remediation
An approval is required on files or executables that are not in temporary folders.
Semi - require approval for core folders remediation
An approval is required on files or executables that are in the operating system directories, such as the Windows folder and the Program Files folder.
Full - remediate threats automatically
All remediation actions will be performed automatically.
For more information on how to configure these automation levels, see Create and manage machine groups.
The default machine group is configured for semi-automatic remediation. This means that any malicious entity
that needs to be remediated requires an approval, and the investigation is added to the Pending actions section.
This can be changed to fully automatic so that no user approval is needed.
When a pending action is approved, the entity is then remediated and this new state is reflected in the Entities
tab of the investigation.
Related topic
Learn about the automated investigations dashboard
Learn about the automated investigations dashboard
4/5/2019 • 6 minutes to read
By default, the Automated investigations list displays investigations initiated in the last week. You can also choose
to select other time ranges from the drop-down menu or specify a custom range.
NOTE
If your organization has implemented role-based access to manage portal access, only authorized users or user groups who
have permission to view the machine or machine group will be able to view the entire investigation.
Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the Export button, specify the number
of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your
preferred criteria.
Filters
You can use the following operations to customize the list of Automated investigations displayed:
Triggering alert
The alert that initiated the Automated investigation.
Status
An Automated investigation can be in one of the following statuses:
STATUS DESCRIPTION
Waiting for machine
Investigation paused. The investigation will resume as soon as the machine is available.
Partially investigated
Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities.
Detection source
Source of the alert that initiated the Automated investigation.
Threat
The category of threat detected during the Automated investigation.
Tags
Filter using manually added tags that capture the context of an Automated investigation.
Machines
You can filter the Automated investigations list to zoom in on a specific machine and see other investigations related to
that machine.
Machine groups
Apply this filter to see specific machine groups that you might have created.
Comments
Select between filtering the list between Automated investigations that have comments and those that don't.
In the example image, the automated investigation started at 10:26:59 AM and ended at 10:56:26 AM. Therefore,
the entire investigation was running for 29 minutes and 27 seconds.
The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for
example, the device might have disconnected from the network) or pending for approval.
From this view, you can also view and add comments and tags about the investigation.
Investigation page
The investigation page gives you a quick summary on the status, alert severity, category, and detection source.
You'll also have access to the following sections that help you see details of the investigation with finer granularity:
Investigation graph
Alerts
Machines
Threats
Entities
Log
Pending actions
NOTE
The Pending actions tab is only displayed if there are actual pending actions.
NOTE
The Pending actions history tab is only displayed when an investigation is complete.
In any of the sections, you can customize columns to expand or limit the details you see in that section.
Investigation graph
The investigation graph provides a graphical representation of an Automated investigation. All investigation
related information is simplified and arranged in specific sections. Clicking on any of the icons brings you to the
relevant section where you can view more information.
Alerts
Shows details such as a short description of the alert that initiated the Automated investigation, severity, category,
the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is
assigned to.
Additional alerts seen on a machine can be added to an Automated investigation as long as the investigation is
ongoing.
Selecting an alert using the check box brings up the alert details pane, where you can open the alert page, manage
the alert by changing its status, and see alert details, Automated investigation details, the related machine,
logged-on users, and comments and history.
Clicking on an alert title brings you to the alert page.
Machines
Shows details such as the machine name, IP address, group, users, operating system, remediation level,
investigation count, and when it was last investigated.
Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If
10 or more machines are found during this expansion process from the same entity, then that expansion action will
require an approval and will be seen in the Pending actions view.
Selecting a machine using the checkbox brings up the machine details pane where you can see more information
such as machine details and logged-on users.
Clicking on a machine name brings you to the machine page.
Threats
Shows details related to threats associated with this investigation.
Entities
Shows details about entities such as files, processes, services, drivers, and IP addresses. The table shows details such
as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated,
suspicious, or determined to be clean.
Log
Gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type,
action, status, machine name, description of the action, comments entered by analysts who may have worked on
the investigation, execution start time, duration, and pending duration.
As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
Available filters include action type, action, status, machine name, and description.
You can also click on an action to bring up the details pane where you'll see information such as the summary of
the action and input data.
Pending actions history
This tab is only displayed when an investigation is complete and shows all pending actions taken during the
investigation.
Pending actions
If there are pending actions on an Automated investigation, you'll see a pop up similar to the following image.
When you click on the pending actions link, you'll be taken to the pending actions page. You can also navigate to
the page from the navigation page by going to Automated investigation > Pending actions.
The pending actions view aggregates all investigations that require an action for an investigation to proceed or be
completed.
Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the Export feature, specify the number
of items to show per page, and navigate between pages.
Pending actions are grouped together in the following tabs:
Quarantine file
Remove persistence
Stop process
Expand pivot
Quarantine service
NOTE
The tab will only appear if there are pending actions for that category.
From the panel, you can click on the Open investigation page link to see the investigation details.
You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations.
Related topic
Investigate Windows Defender ATP alerts
Overview of Secure score in Windows Defender Security Center
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The Secure score dashboard expands your visibility into the overall security posture of your organization. From
this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require
attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in
one place. From there you can take action based on the recommended configuration baselines.
IMPORTANT
This feature is available for machines on Windows 10, version 1703 or later.
Each Windows Defender security control contributes 100 points to the score. The total reflects the score
potential and is calculated by multiplying the number of supported security controls (Windows Defender
security control pillars) by the maximum points each pillar contributes (100 points per pillar).
The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by
Microsoft. For more information, see Introducing the Office 365 Secure Score.
In the example image, the total points for the Windows security controls and Office 365 add up to 602 points.
You can set the baselines for calculating the score of Windows Defender security controls on the Secure score
dashboard through the Settings. For more information, see Enable Secure score security controls.
Top recommendations
Reflects specific actions you can take to significantly increase the security stance of your organization and how
many points will be added to the secure score if you take the recommended action.
Improvement opportunities
Improve your score by taking the recommended improvement actions listed on this tile. The goal is to reduce the
gap between the perfect score and the current score for each control.
Clicking on the affected machines link at the top of the table takes you to the Machines list. The list is filtered to
reflect the list of machines where improvements can be made.
Within the tile, you can click on each control to see the recommended optimizations.
Clicking the link under the Misconfigured machines column opens up the Machines list with filters applied to
show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a
target collection and apply relevant policies using a management solution of your choice.
Related topic
Threat analytics
Threat analytics for Spectre and Meltdown
Threat analytics
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to be able to quickly
assess their security posture, including impact, and organizational resilience in the context of specific emerging
threats.
Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as
emerging threats and outbreaks are identified. The reports help you assess the impact of threats in your
environment and provide recommended actions to contain and prevent specific threats and to increase
organizational resilience.
NOTE
The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the
chart should be showing alerts being resolved within a few days.
Each threat report provides a summary to describe details such as where the threat is coming from, where it's been
seen, or techniques and tools that were used by the threat.
The dashboard shows the impact in your organization through the following tiles:
Machines with alerts - shows the current distinct number of impacted machines in your organization
Machines with alerts over time - shows the distinct number of impacted machines over time
Mitigation recommendations - lists the measurable mitigations and the number of machines that do not have
each of the mitigations in place
Mitigation status - shows the number of mitigated and unmitigated machines. Machines are considered
mitigated if they have all the measurable mitigations in place.
Mitigation status over time - shows the distinct number of machines that have been mitigated, unmitigated, and
unavailable over time
Organizational impact
You can assess the organizational impact of a threat using the Machines with alerts and Machines with alerts
over time tiles.
A machine is categorized as Active if there is at least 1 alert associated with that threat and Resolved if all alerts
associated with the threat on the machine are resolved.
The Machines with alerts over time tile shows the number of distinct machines with Active and Resolved alerts
over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated
with a threat. Ideally, the chart should show alerts being resolved within a few days.
Organizational resilience
The Mitigation recommendations section provides specific actionable recommendations to improve your
visibility into this threat and increase your organizational resilience.
The Mitigation status and Mitigation status over time tiles show the endpoint configuration status assessed based
on the recommended mitigations.
IMPORTANT
The chart only reflects mitigations that are measurable and where an evaluation can be made on the machine state as
being compliant or non-compliant. There can be additional mitigations or compliance actions that currently cannot be
computed or measured that are not reflected in the charts and are covered in the threat description under Mitigation
recommendations section.
Even if all mitigations were measurable, there would be no absolute guarantee of complete resilience; the chart reflects
the best possible actions that can be taken to improve resiliency.
NOTE
The Unavailable category indicates that there is no data available from the specific machine yet.
Related topics
Threat analytics for Spectre and Meltdown
Overview of advanced hunting
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and
query tool. You can also create custom detection rules based on the queries you created and surface alerts in
Windows Defender Security Center.
With advanced hunting, you can take advantage of the following capabilities:
Powerful query language with IntelliSense - Built on top of a query language that gives you the flexibility
you need to take hunting to the next level.
Query the stored telemetry - The telemetry data is accessible in tables for you to query. For example, you can
query process creation, network communication, and many other event types.
Links to portal - Certain query results, such as machine names and file names are actually direct links to the
portal, consolidating the Advanced hunting query experience and the existing portal investigation experience.
Query examples - A welcome page provides examples designed to get you started and get you familiar with
the tables and the query language.
In this section
TOPIC DESCRIPTION
Query data using Advanced hunting
Learn how to use the basic or advanced query examples to search for possible emerging threats in your organization.
Custom detections
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats.
Query data using Advanced hunting in Windows Defender ATP
4/5/2019 • 4 minutes to read
To get you started in querying your data, you can use the basic or Advanced query examples that have some
preloaded queries for you to understand the basic query syntax.
2. Select Delete and confirm that you want to delete the query.
Related topic
Advanced hunting reference
Advanced hunting query language best practices
Advanced hunting reference in Windows Defender ATP
4/16/2019 • 7 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Related topic
Query data using Advanced hunting
Advanced hunting query language best practices
Advanced hunting query best practices in Windows Defender ATP
4/5/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
NetworkCommunicationEvents
| where RemotePort == 445 and EventTime > ago(12h) and InitiatingProcessId !in (0, 4)
| summarize RemoteIPCount=dcount(RemoteIP) by ComputerName, InitiatingProcessId,
InitiatingProcessCreationTime, InitiatingProcessFileName
| where RemoteIPCount > 10
The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime to make sure it looks at a
single process, rather than mixing multiple processes that share the same process ID.
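The point about keying on both fields, shown as an added Python example (not the documentation's own code): it reproduces the query's filters and distinct count over constructed NetworkCommunicationEvents-style records that include a reused PID, and compares keying on PID alone against PID plus creation time. Hosts, PIDs, times and addresses are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Added example (not from the documentation). Field names follow the page's
# query; hosts, PIDs, times and addresses are constructed sample data.
NOW = datetime(2019, 4, 5, 12, 0, 0)  # "current" time for the ago(12h) window


def _events(computer: str, pid: int, created: datetime, ips: Iterable[str],
            port: int = 445, minutes_ago: int = 10,
            file_name: str = "backup-agent.exe") -> List[Dict]:
    """Build one record per remote IP for a single initiating process."""
    return [{
        "ComputerName": computer,
        "InitiatingProcessId": pid,
        "InitiatingProcessCreationTime": created,
        "InitiatingProcessFileName": file_name,
        "RemoteIP": ip,
        "RemotePort": port,
        "EventTime": NOW - timedelta(minutes=minutes_ago),
    } for ip in ips]


SAMPLE_EVENTS: List[Dict] = (
    # ws01: PID 4242 is reused. The first process talked to 6 hosts and exited;
    # a later process with the same PID and file name talked to 6 other hosts.
    _events("ws01", 4242, datetime(2019, 4, 5, 11, 0), [f"10.0.1.{i}" for i in range(1, 7)])
    + _events("ws01", 4242, datetime(2019, 4, 5, 11, 30), [f"10.0.2.{i}" for i in range(1, 7)])
    # ws02: one process fanning out to 12 hosts over SMB, the behaviour the query hunts for.
    + _events("ws02", 7, datetime(2019, 4, 5, 11, 40), [f"10.0.3.{i}" for i in range(1, 13)])
    # Records the query's where clauses discard: System (PID 4), a non-SMB port,
    # and traffic older than the 12-hour window.
    + _events("ws01", 4, datetime(2019, 4, 5, 8, 0), [f"10.0.4.{i}" for i in range(1, 21)])
    + _events("ws03", 99, datetime(2019, 4, 5, 11, 0), [f"10.0.5.{i}" for i in range(1, 16)], port=443)
    + _events("ws04", 55, datetime(2019, 4, 4, 20, 0), [f"10.0.6.{i}" for i in range(1, 16)],
              minutes_ago=13 * 60)
)

ProcessKey = Tuple  # (ComputerName, InitiatingProcessId[, creation time], file name)


def smb_fan_out(events: Iterable[Dict], threshold: int = 10,
                window: timedelta = timedelta(hours=12), now: datetime = NOW,
                key_on_creation_time: bool = True) -> Dict[ProcessKey, int]:
    """Python equivalent of the page's query: apply the where filters, then
    dcount(RemoteIP) per process key and keep only keys above the threshold."""
    remote_ips: Dict[ProcessKey, Set[str]] = defaultdict(set)
    for e in events:
        if e["RemotePort"] != 445:                  # RemotePort == 445
            continue
        if e["EventTime"] <= now - window:          # EventTime > ago(12h)
            continue
        if e["InitiatingProcessId"] in (0, 4):      # InitiatingProcessId !in (0, 4)
            continue
        key: ProcessKey = (e["ComputerName"], e["InitiatingProcessId"])
        if key_on_creation_time:                    # the page's recommended key
            key += (e["InitiatingProcessCreationTime"],)
        key += (e["InitiatingProcessFileName"],)
        remote_ips[key].add(e["RemoteIP"])
    return {k: len(ips) for k, ips in remote_ips.items() if len(ips) > threshold}


def flagged_computers(events: Iterable[Dict], key_on_creation_time: bool = True) -> Set[str]:
    """Computer names with at least one process exceeding the fan-out threshold."""
    return {key[0] for key in smb_fan_out(events, key_on_creation_time=key_on_creation_time)}


if __name__ == "__main__":
    # Keyed on PID + creation time, only the real fan-out on ws02 is reported.
    print("PID + creation time:", flagged_computers(SAMPLE_EVENTS))                        # {'ws02'}
    # Keyed on PID alone, the two unrelated ws01 processes merge into a false positive.
    print("PID only:", flagged_computers(SAMPLE_EVENTS, key_on_creation_time=False))      # {'ws01', 'ws02'}
```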
Using command line queries
Command lines may vary - when applicable, filter on file names and do fuzzy matching.
There are numerous ways to construct a command line to accomplish a task.
For example, a malicious attacker could specify the process image file name without a path, with a full path, without
the file extension, using environment variables, with added quotes, and so on. In addition, the attacker can also change
the order of some parameters, add multiple quotes or spaces, and much more.
To create more durable queries using command lines, we recommend the following guidelines:
Identify the known processes (such as net.exe, psexec.exe, and others) by matching on the filename fields,
instead of filtering on the command line field.
When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in
a certain order. Instead, use regular expressions or use multiple separate contains operators.
Use case-insensitive matches. For example, use '=~', 'in~', or 'contains' instead of '==', 'in', or 'contains_cs'.
To mitigate DOS command line obfuscation techniques, consider removing quotes, replacing commas with
spaces, and replacing multiple consecutive spaces with a single space. This is just the start of handling DOS
obfuscation techniques, but it does mitigate the most common ones.
The following example query shows various ways to construct a query that looks for the file net.exe to stop the
Windows Defender Firewall service:
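The documentation's example query is not present in this extract. What follows is an added Python illustration of the guidelines above, not the original query: it filters on the file name rather than the command line, canonicalizes the command line as the last guideline describes, and checks the tokens independently, over constructed ProcessCreationEvents-style records. It assumes MpsSvc as the service name of Windows Defender Firewall; hosts and command lines are made up.

```python
import re
from typing import Dict, Iterable, List

# Added example (not the documentation's own query). Constructed sample records
# in the shape of ProcessCreationEvents fields; "MpsSvc" is assumed to be the
# Windows Defender Firewall service name.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Plain form: the only one an exact string match would catch.
    {"ComputerName": "ws01", "FileName": "net.exe",
     "ProcessCommandLine": "net stop MpsSvc"},
    # Full path, upper case, quotes, comma instead of space, doubled spaces.
    {"ComputerName": "ws02", "FileName": "NET.EXE",
     "ProcessCommandLine": '"C:\\Windows\\System32\\net.exe"  STOP,"MpsSvc"'},
    # Environment variable, no extension, argument in quotes.
    {"ComputerName": "ws03", "FileName": "net.exe",
     "ProcessCommandLine": '%SystemRoot%\\System32\\net stop "MpsSvc"'},
    # Benign: starts the service instead of stopping it.
    {"ComputerName": "ws04", "FileName": "net.exe",
     "ProcessCommandLine": "net start MpsSvc"},
    # Same words under a different image; filtering on FileName keeps this out.
    {"ComputerName": "ws05", "FileName": "cmd.exe",
     "ProcessCommandLine": 'cmd /c "echo net stop MpsSvc"'},
]

TARGET_FILE_NAMES = {"net.exe"}        # match the image name, not the command line
REQUIRED_TOKENS = ("stop", "mpssvc")   # separate contains checks, in any order


def canonicalize_command_line(command_line: str) -> str:
    """Normalize as the guidelines suggest: drop quotes, replace commas with
    spaces, collapse runs of whitespace, and lower-case for case-insensitive
    comparison. Other obfuscation (for example caret characters) is deliberately
    not handled here; the page calls this just the start."""
    text = command_line.replace('"', "")
    text = text.replace(",", " ")
    text = re.sub(r"\s+", " ", text).strip()
    return text.lower()


def is_firewall_stop_attempt(event: Dict[str, str]) -> bool:
    """True when net.exe is invoked with both required tokens, in any form."""
    if event["FileName"].lower() not in TARGET_FILE_NAMES:   # FileName =~ "net.exe"
        return False
    canonical = canonicalize_command_line(event["ProcessCommandLine"])
    return all(token in canonical for token in REQUIRED_TOKENS)


def naive_hunt(events: Iterable[Dict[str, str]]) -> List[str]:
    """Exact-match baseline: brittle against every variation listed above."""
    return [e["ComputerName"] for e in events
            if e["ProcessCommandLine"] == "net stop MpsSvc"]


def durable_hunt(events: Iterable[Dict[str, str]]) -> List[str]:
    """File-name filter plus canonicalized, token-based matching."""
    return [e["ComputerName"] for e in events if is_firewall_stop_attempt(e)]


if __name__ == "__main__":
    print("exact match:", naive_hunt(SAMPLE_EVENTS))      # ['ws01']
    print("durable match:", durable_hunt(SAMPLE_EVENTS))  # ['ws01', 'ws02', 'ws03']
```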
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Alerts in Windows Defender ATP are surfaced through the system based on signals gathered from endpoints. With
custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or
emerging threats.
This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
Custom detections are queries that run every 24 hours and can be configured so that when the query meets the
criteria you set, alerts are created and surfaced in Windows Defender Security Center. These alerts will be treated
like any other alert in the system.
This capability is particularly useful for scenarios when you want to proactively prevent threats and be notified
quickly of emerging threats.
Related topic
Create custom detection rules
Create custom detections rules
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
1. In the navigation pane, select Advanced hunting.
2. Select an existing query that you'd like to base the monitor on or create a new query.
3. Select Create detection rule.
4. Specify the alert details:
Alert title
Severity
Category
Description
Recommended actions
5. Click Create.
TIP
TIP #1: Running the query for the first time before saving it can help you find any mistakes or errors and give you a preview
of the data you can expect to be returned.
When a new detection rule is created, it will run for the first time (it might take a few minutes) and raise any alerts created by
this rule. After that, the rule will automatically run every 24 hours.
TIP #2: Since the detection automatically runs every 24 hours, it's best to query data in the last 24 hours.
NOTE
The next run for the query will be in 24 hours after the last run.
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP supports a wide variety of options to ensure that customers can easily adopt the platform.
Acknowledging that customer environments and structures can vary, Windows Defender ATP was created with
flexibility and granular control to fit varying customer requirements.
Machine onboarding is fully integrated into System Center Configuration Manager and Microsoft Intune for client
machines and Azure Security Center for server machines, providing a complete end-to-end experience of
configuration, deployment, and monitoring. In addition, Windows Defender ATP supports Group Policy and other
third-party tools used for machine management.
Windows Defender ATP provides fine-grained control over what users with access to the portal can see and do
through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security team
structure:
Globally distributed organizations and security teams
Tiered model security operations teams
Fully segregated divisions with a single centralized global security operations team
The Windows Defender ATP solution is built on top of an integration-ready platform:
It supports integration with a number of security information and event management (SIEM) solutions and
also exposes APIs to fully support pulling all the alerts and detection information into any SIEM solution.
It supports a rich set of application programming interfaces (APIs), providing flexibility for those who are already
heavily invested in data enrichment and automation:
Enriching events coming from other security systems with footprint or prevalence information
Triggering file or machine level response actions through APIs
Keeping systems in sync, such as importing machine tags from asset management systems into
Windows Defender ATP and synchronizing alert and incident status between ticketing systems and
Windows Defender ATP.
An important aspect of machine management is the ability to analyze the environment from varying and broad
perspectives. This often helps drive new insights and proper priority identification:
The Secure score dashboard provides a metrics-based method of prioritizing the most important proactive
security measures.
Windows Defender ATP includes a built-in Power BI-based reporting solution to quickly review trends and
details related to Windows Defender ATP alerts and the secure score of machines. The platform also supports full
customization of the reports, including mashing Windows Defender ATP data with your own data streams to
produce business-specific reports.
In this section
TOPIC DESCRIPTION
Understand threat intelligence concepts
Learn about alert definitions, indicators of compromise, and other threat intelligence concepts.
Supported Windows Defender ATP APIs
Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
Managed security service provider
Get a quick overview on managed security service provider support.
Related topics
Onboard machines
Enable the custom threat intelligence application
Windows Defender ATP Public API
Pull alerts to your SIEM tools
Create and build Power BI reports using Windows Defender ATP data
Role-based access control
Understand threat intelligence concepts
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Advanced cybersecurity attacks comprise multiple complex malicious events, attributes, and contextual
information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your
knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when
to call an observed behavior suspicious.
With Windows Defender ATP, you can create custom threat alerts that can help you keep track of possible attack
activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack
chain. These custom threat alerts will only appear in your organization and will flag the events that you set them to track.
Before creating custom threat alerts, it's important to know the concepts behind alert definitions and indicators of
compromise (IOCs) and the relationship between them.
Alert definitions
Alert definitions are contextual attributes that can be used collectively to identify early clues on a possible
cybersecurity attack. These indicators are typically a combination of activities, characteristics, and actions taken by
an attacker to successfully achieve the objective of an attack. Monitoring these combinations of attributes is
critical in gaining a vantage point against attacks and possibly interfering with the chain of events before an
attacker's objective is reached.
Related topics
Enable the custom threat intelligence API in Windows Defender ATP
Create custom alerts using the threat intelligence API
PowerShell code examples for the custom threat intelligence API
Python code examples for the custom threat intelligence API
Experiment with custom threat intelligence alerts
Troubleshoot custom threat intelligence issues
Windows Defender ATP API overview
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will
enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access
requires OAuth2.0 authentication. For more information, see OAuth 2.0 Authorization Code Flow.
In general, you’ll need to take the following steps to use the APIs:
Create an AAD application
Get an access token using this application
Use the token to access Windows Defender ATP API
You can access Windows Defender ATP API with Application Context or User Context.
Application Context: (Recommended)
Used by apps that run without a signed-in user present, for example, apps that run as background services
or daemons.
Steps that need to be taken to access Windows Defender ATP API with application context:
1. Create an AAD Web-Application.
2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'.
3. Create a key for this Application.
4. Get token using the application with its key.
5. Use the token to access Windows Defender ATP API
For more information, see Get access with application context.
User Context:
Used to perform actions in the API on behalf of a user.
Steps that need to be taken to access Windows Defender ATP API with user context:
1. Create AAD Native-Application.
2. Assign the desired permission to the application, for example, 'Read Alerts' or 'Isolate Machines'.
3. Get token using the application with user credentials.
4. Use the token to access Windows Defender ATP API
For more information, see Get access with user context.
Related topics
Windows Defender ATP APIs
Access Windows Defender ATP with application context
Access Windows Defender ATP with user context
Managed security service provider support
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Security is recognized as a key component in running an enterprise; however, some organizations might not have
the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints
and network, and others may want to have a second set of eyes to review alerts in their network.
To address this demand, managed security service providers (MSSP) offer to deliver managed detection and
response (MDR) services on top of Windows Defender ATP.
Windows Defender ATP adds support for this scenario, allowing MSSPs to take the following actions:
Get access to MSSP customer's Windows Defender Security Center portal
Get email notifications, and
Fetch alerts through security information and event management (SIEM ) tools
Related topic
Configure managed security service provider integration
Microsoft Threat Protection
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end
security across possible attack surfaces in the modern workplace.
For more information on Microsoft Threat Protection, see Announcing Microsoft Threat Protection.
Microsoft's multiple layers of threat protection across data, applications, devices, and identities can help protect
your organization from advanced cyber threats.
Each layer in the threat protection stack plays a critical role in protecting customers. The deep integration between
these layers results in better protected customers.
Conditional access
Windows Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation,
ensuring that only secure devices have access to resources.
Related topic
Protect users, data, and devices with conditional access
Enable conditional access to better protect users, devices, and data
4/5/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Conditional access is a capability that helps you better protect your users and enterprise information by making
sure that only secure devices have access to applications.
With conditional access, you can control access to enterprise information based on the risk level of a device. This
helps keep trusted users on trusted devices using trusted applications.
You can define security conditions under which devices and applications can run and access information from your
network by enforcing policies to stop applications from running until a device returns to a compliant state.
The implementation of conditional access in Windows Defender ATP is based on Microsoft Intune (Intune) device
compliance policies and Azure Active Directory (Azure AD) conditional access policies.
The compliance policy is used with conditional access to allow only devices that fulfill one or more device
compliance policy rules to access applications.
Related topic
Configure conditional access in Windows Defender ATP
Microsoft Cloud App Security in Windows Defender ATP overview
4/22/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution that gives visibility into cloud apps
and services by allowing you to control and limit access to cloud apps, while enforcing compliance requirements
on data stored in the cloud. For more information, see Cloud App Security.
NOTE
This feature is available with an E5 license for Enterprise Mobility + Security on machines running Windows 10 version 1809
or later.
For more information about cloud discovery, see Working with discovered apps.
Related topic
Configure Microsoft Cloud App Security integration
Information protection in Windows overview
4/22/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep
sensitive data secure while enabling productivity in the workplace.
Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and
comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed
as part of the unified Microsoft 365 information protection suite.
TIP
Read our blog post about how Windows Defender ATP integrates with Microsoft Information Protection to discover, protect,
and monitor sensitive data on Windows devices.
Windows Defender ATP applies two methods to discover and protect data:
Data discovery - Identify sensitive data on Windows devices at risk
Data protection - Windows Information Protection (WIP) applied as the outcome of an Azure Information Protection label
Data discovery
Windows Defender ATP automatically discovers files with sensitivity labels on Windows devices when the feature
is enabled. You can enable the Azure Information Protection integration feature from Windows Defender Security
Center. For more information, see Configure advanced features.
After enabling the Azure Information Protection integration, data discovery signals are immediately forwarded to
Azure Information Protection from the device. When a labeled file is created or modified on a Windows device,
Windows Defender ATP automatically reports the signal to Azure Information Protection.
The reported signals can be viewed on the Azure Information Protection - Data discovery dashboard.
Azure Information Protection - Data discovery dashboard
This dashboard presents a summary of the data discovered by both Windows Defender ATP and Azure Information
Protection. Data from Windows Defender ATP is marked with Location Type - Endpoint.
Notice the Device Risk column on the right. This device risk is derived directly from Windows Defender ATP and
indicates the risk level of the device where the file was discovered, based on the active security threats detected
by Windows Defender ATP.
Clicking the device risk level will redirect you to the device page in Windows Defender ATP, where you can get a
comprehensive view of the device security status and its active alerts.
NOTE
Windows Defender ATP does not currently report the Information Types.
Log Analytics
Data discovery based on Windows Defender ATP is also available in Azure Log Analytics, where you can perform
complex queries over the raw data.
For more information on Azure Information Protection analytics, see Central reporting for Azure Information
Protection.
Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic).
To view Windows Defender ATP data, perform a query that contains:
InformationProtectionLogs_CL
| where Workload_s == "Windows Defender"
Prerequisites:
Customers must have a subscription for Azure Information Protection.
Enable Azure Information Protection integration in Windows Defender Security Center:
Go to Settings in Windows Defender Security Center, click on Advanced Settings under General.
Data protection
For data to be protected, it must first be identified through labels. Sensitivity labels are created in Office Security
and Compliance (SCC). Windows Defender ATP then uses the labels to identify endpoints that need Windows
Information Protection (WIP) applied on them.
When you create sensitivity labels, you can set the information protection functionalities that will be applied on the
file. The setting that applies to Windows Defender ATP is the Data loss prevention. You'll need to turn on the Data
loss prevention and select Enable Windows end point protection (DLP for devices).
Once the policy is set and published, Windows Defender ATP automatically enables WIP for labeled files. When a
labeled file is created or modified on a Windows device, Windows Defender ATP automatically detects it and
enables WIP on that file if its label corresponds with the Office Security and Compliance (SCC) policy.
This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin.
For more information, see Configure information protection in Windows.
Related topics
How Windows Information Protection protects files with a sensitivity label
Microsoft Threat Experts
5/2/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Microsoft Threat Experts is a managed hunting service that provides security operations centers (SOCs) with
expert-level monitoring and analysis to help ensure that critical threats in their unique environments don't
get missed.
This new capability provides expert-driven insights and data through targeted attack notification and access to
experts on demand.
Customers can engage our security experts directly from within Windows Defender Security Center for timely and
accurate response. Experts provide insights needed to better understand the complex threats affecting your
organization, from alert inquiries, potentially compromised machines, root cause of a suspicious network
connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this
capability, you can:
Get additional clarification on alerts including root cause or scope of the incident
Gain clarity into suspicious machine behavior and next steps if faced with an advanced attacker
Determine risk and protection regarding threat actors, campaigns, or emerging attacker techniques
Seamlessly transition to Microsoft Incident Response (IR) or other third-party Incident Response services when
necessary
Related topic
Configure Microsoft Threat Experts capabilities
Windows Defender Advanced Threat Protection portal overview
4/22/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Enterprise security teams can use Windows Defender Security Center to monitor and assist in responding to alerts
of potential advanced persistent threat (APT) activity or data breaches.
You can use Windows Defender Security Center to:
View, sort, and triage alerts from your endpoints
Search for more information on observed indicators such as files and IP Addresses
Change Windows Defender ATP settings, including time zone and review licensing information.
NOTE
Malware related detections will only appear if your machines are using Windows Defender Antivirus as the default real-time
protection antimalware product.
You can navigate through the portal using the menu options available in all sections. Refer to the following table
for a description of each section.
AREA DESCRIPTION
(1) Navigation pane - Use the navigation pane to move between the Dashboards, Alerts queue, Automated investigations, Machines list, Service health, Advanced hunting, and Settings.
Machines list - Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
Settings - Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard.
(2) Main portal - Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
(3) Community center, Time settings, Help and support, Feedback - Community center: access the Community center to learn, collaborate, and share experiences about the product. Time settings: gives you access to the configuration settings where you can set time zones and view license information.
ICON DESCRIPTION
(Icon images are not reproduced here; the legend covers the following icons: Machine icon, Response action, Process events, Network events, File events, Registry events, Other events, File creation, Signer, File path, Command line, Unsigned file, Process tree, Memory allocation, Process injection, Community center, Notifications.)
Related topics
Understand the Windows Defender Advanced Threat Protection portal
View the Security operations dashboard
View the Secure Score dashboard and improve your secure score
View the Threat analytics dashboard and take recommended mitigation actions
Get started with Windows Defender Advanced Threat Protection
4/30/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
TIP
Learn about the latest enhancements in Windows Defender ATP: What's new in Windows Defender ATP.
Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation.
Read: Insights from the MITRE ATT&CK-based evaluation.
Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender
ATP.
The following capabilities are available across multiple products that make up the Windows Defender ATP
platform.
Threat & Vulnerability Management
Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal to running a healthy security
program and reducing organizational risk. This capability correlates endpoint detection and response (EDR)
insights with endpoint vulnerabilities in real time, reducing the organization's vulnerability exposure and increasing
its threat resilience.
Attack surface reduction
The attack surface reduction capabilities provide the first line of defense in the stack. By ensuring that
configuration settings are properly set and exploit mitigation techniques are applied, these capabilities resist
attacks and exploitation.
Next generation protection
To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation
protection designed to catch all types of emerging threats.
Endpoint detection and response
Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced
threats that may have made it past the first two security pillars.
Auto investigation and remediation
In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic
investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
Secure score
Windows Defender ATP provides a security posture capability to help you dynamically assess the security state of
your enterprise network, identify unprotected systems, and take recommended actions to improve the overall
security state of your network.
Microsoft Threat Experts
Microsoft Threat Experts is the new managed threat hunting service in Windows Defender ATP that provides
proactive hunting, prioritization, and additional context and insights that further empower security operations
centers (SOCs) to identify and respond to threats quickly and accurately. It provides an additional layer of expertise
and optics that Microsoft customers can use to augment security operations capabilities as part of Microsoft 365.
Advanced hunting
Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and
query tool. You can also create custom detection rules based on the queries you created and surface alerts in
Windows Defender Security Center.
Management and APIs
Integrate Windows Defender Advanced Threat Protection into your existing workflows.
Microsoft threat protection
Bring the power of Microsoft Threat Protection to your organization.
In this section
TOPIC DESCRIPTION
Minimum requirements - Learn about the requirements for onboarding machines to the platform.
Validate licensing and complete setup - Get guidance on how to check that licenses have been provisioned to your organization and how to access the portal for the first time.
Preview features - Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
Data storage and privacy - Explains the data storage and privacy details related to Windows Defender ATP.
Assign user access to the portal - Set permissions to manage who can access the portal. You can set basic permissions or set granular permissions using role-based access control (RBAC).
Evaluate Windows Defender ATP - Evaluate the various capabilities in Windows Defender ATP and test features out.
Access the Windows Defender Security Center Community Center - The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product.
What's new in Windows Defender ATP
5/3/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Here are the new features in the latest release of Windows Defender ATP as well as security features in Windows
10 and Windows Server.
May 2019
The following capability is generally available (GA).
Threat protection reports
The threat protection report provides high-level information about alerts generated in your organization.
Microsoft Threat Experts
Microsoft Threat Experts is the new managed threat hunting service in Windows Defender ATP that
provides proactive hunting, prioritization, and additional context and insights that further empower security
operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides an additional
layer of expertise and optics that Microsoft customers can use to augment security operations capabilities
as part of Microsoft 365.
April 2019
The following capability is generally available (GA).
Microsoft Threat Experts Targeted Attack Notification capability
Microsoft Threat Experts' Targeted Attack Notification alerts are tailored to organizations to provide as
much information as can be quickly delivered thus bringing attention to critical threats in their network,
including the timeline, scope of breach, and the methods of intrusion.
Microsoft Defender ATP API
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those
APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities.
In preview
The following capabilities are included in the April 2019 preview release.
Threat & Vulnerability Management
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of
endpoint vulnerabilities and misconfigurations.
Interoperability
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and
threat intelligence capabilities of the platform.
March 2019
In preview
The following capability is included in the March 2019 preview release.
Machine health and compliance report
The machine health and compliance report provides high-level information about the devices in your organization.
February 2019
The following capabilities are generally available (GA).
Incidents
Incident is a new entity in Windows Defender ATP that brings together all relevant alerts and related entities
to narrate the broader attack story, giving analysts better perspective on the purview of complex threats.
Onboard previous versions of Windows
Onboard supported versions of Windows machines so that they can send sensor data to the Windows
Defender ATP sensor.
October 2018
The following capabilities are generally available (GA).
Attack surface reduction rules
All Attack surface reduction rules are now supported on Windows Server 2019.
Controlled folder access
Controlled folder access is now supported on Windows Server 2019.
Custom detection
With custom detections, you can create custom queries to monitor events for any kind of behavior such as
suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the
creation of custom detection rules.
Integration with Azure Security Center
Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server
protection solution. With this integration Azure Security Center can leverage the power of Windows
Defender ATP to provide improved threat detection for Windows Servers.
Managed security service provider (MSSP) support
Windows Defender ATP now supports managed security service providers through a dedicated MSSP integration.
The integration allows MSSPs to take the following actions: get access to the MSSP customer's Windows Defender
Security Center portal, fetch email notifications, and fetch alerts through security information and event
management (SIEM) tools.
Removable device control
Windows Defender ATP provides multiple monitoring and control features to help prevent threats from
removable devices, including new settings to allow or block specific hardware IDs.
Support for iOS and Android devices
iOS and Android devices are now supported and can be onboarded to the service.
Threat analytics
Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as
soon as emerging threats and outbreaks are identified. The reports help security operations teams assess
impact on their environment and provides recommended actions to contain, increase organizational
resilience, and prevent specific threats.
New in Windows 10 version 1809, there are two new attack surface reduction rules:
Block Adobe Reader from creating child processes
Block Office communication application from creating child processes.
Windows Defender Antivirus
Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. Office VBA +
AMSI: Parting the veil on malicious macros.
Windows Defender Antivirus, new in Windows 10 version 1809, can now run within a sandbox (preview),
increasing its security.
Configure CPU priority settings for Windows Defender Antivirus scans.
In preview
The following capabilities are included in the October 2018 preview release.
For more information on how to turn on preview features, see Preview features.
Information protection
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection
to keep sensitive data secure while enabling productivity in the workplace. Windows Defender ATP is
seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss
prevention (DLP) solution for Windows devices.
NOTE
Partially available from Windows 10, version 1809.
NOTE
Available from Windows 10, version 1809 or later.
March 2018
Advanced Hunting
Query data using Advanced hunting in Windows Defender ATP.
Attack surface reduction rules
New attack surface reduction rules:
Use advanced protection against ransomware
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Block process creations originating from PSExec and WMI commands
Block untrusted and unsigned processes that run from USB
Block executable content from email client and webmail
Automated investigation and remediation
Use Automated investigations to investigate and remediate threats.
NOTE
Available from Windows 10, version 1803 or later.
Conditional access
Enable conditional access to better protect users, devices, and data.
Windows Defender ATP Community center
The Windows Defender ATP Community Center is a place where community members can learn,
collaborate, and share experiences about the product.
Controlled folder access
You can now block untrusted processes from writing to disk sectors using Controlled Folder Access.
Onboard non-Windows machines
Windows Defender ATP provides a centralized security operations experience for Windows as well as non-
Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows
Defender Security Center and better protect your organization's network.
Role-based access control (RBAC)
Using role-based access control (RBAC), you can create roles and groups within your security operations
team to grant appropriate access to the portal.
Windows Defender Antivirus
Windows Defender Antivirus now shares detection status between M365 services and interoperates with
Windows Defender ATP. For more information, see Use next-gen technologies in Windows Defender
Antivirus through cloud-delivered protection.
Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as
executable files. For more information, see Enable block at first sight.
Minimum requirements for Windows Defender ATP
4/8/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
There are some minimum requirements for onboarding machines to the service.
TIP
Learn about the latest enhancements in Windows Defender ATP: What's new in Windows Defender ATP.
Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation.
Read: Insights from the MITRE ATT&CK-based evaluation.
Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
Windows 10 Enterprise E5
Windows 10 Education E5
Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
For more information on the features available in each Windows 10 edition, see Compare Windows 10 editions.
For a detailed comparison of the Windows 10 commercial editions, see the comparison PDF.
For more information about licensing requirements for Windows Defender ATP platform on Windows Server, see
Protecting Windows Servers with Windows Defender ATP.
Related topic
Validate licensing and complete setup
Onboard machines
Validate licensing provisioning and complete set up for Windows Defender ATP
4/22/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
2. To view your licenses, go to the Microsoft Azure portal and navigate to the license section.
You will need to set up your preferences for Windows Defender Security Center.
3. Set up preferences
WARNING
This option cannot be changed without completely offboarding from Windows Defender ATP and completing
a new enrollment process.
b. Select the data retention policy
Windows Defender ATP will store data up to a period of 6 months in your cloud instance, however,
you have the option to set the data retention period for a shorter timeframe during this step of the
set up process.
NOTE
This option can be changed at a later time.
NOTE
The organization size question is not related to how many licenses were purchased for your organization. It
is used by the service to optimize the creation of the data cluster for your organization.
NOTE
This option can be changed at a later time.
4. You will receive a warning notifying you that you won't be able to change some of your preferences once
you click Continue.
NOTE
Some of these options can be changed at a later time in Windows Defender Security Center.
5. A dedicated cloud instance of Windows Defender Security Center is being created at this time. This step will
take an average of 5 minutes to complete.
6. You are almost done. Before you can start using Windows Defender ATP you'll need to:
Onboard Windows 10 machines
Run detection test (optional)
IMPORTANT
If you click Start using Windows Defender ATP before onboarding machines you will receive the following
notification:
7. After onboarding machines you can click Start using Windows Defender ATP. You will now launch
Windows Defender ATP for the first time.
Related topics
Onboard machines to the Windows Defender Advanced Threat Protection service
Troubleshoot onboarding process and portal access issues
Windows Defender ATP preview features
4/5/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The Windows Defender ATP service is constantly being updated to include new feature enhancements and
capabilities.
Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming
features by turning on the preview experience.
For more information on capabilities that are generally available or in preview, see What's new in Windows
Defender ATP.
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
This section covers some of the most frequently asked questions regarding privacy and data handling for
Windows Defender ATP.
NOTE
This document explains the data storage and privacy details related to Windows Defender ATP. For more information related
to Windows Defender ATP and other products and services like Windows Defender Antivirus and Windows 10, see Microsoft
Privacy Statement. See also Windows 10 privacy FAQ for more information.
Applies to:
Azure Active Directory
Office 365
Windows Defender Advanced Threat Protection (Windows Defender ATP)
NOTE
If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the
switch:
Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure
AD) are automatically assigned the default Windows Defender ATP administrator role, which also has full access.
Additional Azure AD user groups can be assigned to the Windows Defender ATP administrator role after switching to
RBAC. Only users assigned to the Windows Defender ATP administrator role can manage permissions using RBAC.
Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that
only Azure AD user groups can be assigned a role under RBAC.
After switching to RBAC, you will not be able to switch back to using basic permissions management.
Want to experience Windows Defender ATP? Sign up for a free trial.
Related topic
Use basic permissions to access the portal
Manage portal access using RBAC
Evaluate Windows Defender ATP
4/5/2019
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified platform for preventative
protection, post-breach detection, automated investigation, and response.
You can evaluate Windows Defender Advanced Threat Protection in your organization by starting your free trial.
You can also evaluate the different security capabilities in Windows Defender ATP by using the following
instructions.
See Also
Get started with Windows Defender Advanced Threat Protection
Application Guard testing scenarios
4/5/2019
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
NOTE
Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load.
However, subsequent starts should occur without any perceivable delays.
4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge
window, making sure you see the Application Guard visual cues.
Application Guard in Enterprise-managed mode
How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode.
Install, set up, and turn on Application Guard
Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version
1709, which includes the functionality. Then, you must use Group Policy to set up the required settings.
1. Install Application Guard.
2. Restart the device and then start Microsoft Edge.
3. Set up the Network Isolation settings in Group Policy:
a. Click on the Windows icon, type Group Policy, and then click Edit Group Policy.
b. Go to the Administrative Templates\Network\Network Isolation\Enterprise resource domains
hosted in the cloud setting.
c. For the purposes of this scenario, type .microsoft.com into the Enterprise cloud resources box.
d. Go to the Administrative Templates\Network\Network Isolation\Domains categorized as both
work and personal setting.
e. For the purposes of this scenario, type bing.com into the Neutral resources box.
4. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode
setting.
5. Click Enabled, choose Option 1, and click OK.
NOTE
Enabling this setting verifies that all the necessary settings are properly configured on your employee devices,
including the network isolation settings set earlier in this scenario.
3. Based on the list provided in the setting, choose the number that best represents what type of printing
should be available to your employees. You can allow any combination of local, network, PDF, and XPS
printing.
4. Click OK.
Data persistence options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow data persistence for Windows Defender Application Guard
setting.
2. Click Enabled and click OK.
3. Open Microsoft Edge and browse to an untrusted, but safe URL.
The website opens in the isolated session.
4. Add the site to your Favorites list and then close the isolated session.
5. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
The previously added site should still appear in your Favorites list.
NOTE
If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container
triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the
data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across
container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host
PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Download a file from Windows Defender Application Guard.
5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files.
Hardware acceleration options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender
Application Guard setting.
2. Click Enabled and click OK.
3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with
video, 3D, or other graphics-intensive content. The website opens in an isolated session.
4. Assess the visual experience and battery performance.
Applies to:
Windows 10 Enterprise edition, version 1809
Windows 10 Professional edition, version 1809
File trust options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow users to trust files that open in Windows Defender
Application Guard setting.
2. Click Enabled, set Options to 2, and click OK.
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Open a file in Edge, such as an Office 365 file.
5. Check to see that an antivirus scan completed before the file was opened.
Camera and microphone options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow camera and microphone access in Windows Defender
Application Guard setting.
2. Click Enabled and click OK.
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Open an application with video or audio capability in Edge.
5. Check that the camera and microphone work as expected.
Root certificate sharing options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate
Authorities from the user's device setting.
2. Click Enabled, copy the thumbprint of each certificate to share, separated by a comma, and click OK.
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
Audit Windows Defender Application Control policies
3/19/2019 • 5 minutes to read
Applies to:
Windows 10
Windows Server 2016
Running Application Control in audit mode allows administrators to discover any applications that were missed
during an initial policy scan and to identify any new applications that have been installed and run since the original
policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been
denied had the policy been enforced is logged in the Applications and Services
Logs\Microsoft\Windows\CodeIntegrity\Operational event log. When these logged binaries have been
validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can
merge it with your existing WDAC policies.
Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see
Create an initial Windows Defender Application Control policy from a reference computer.
To audit a Windows Defender Application Control policy with local policy:
1. Before you begin, find the *.bin policy file, for example DeviceGuardPolicy.bin. Copy the file to
C:\Windows\System32\CodeIntegrity.
2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running
GPEdit.msc.
NOTE
The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process
that you follow after auditing the system, you might unintentionally merge in a policy that allows viruses or
malware to run.
An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into
C:\Windows\System32\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor.
NOTE
You can copy the WDAC policies to a file share to which all computer accounts have access rather than copy
them to every system.
You might have noticed that the GPO setting references a .p7b file and this policy uses a .bin file. Regardless of
the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped onto the
computers running Windows 10. We recommend that you give your WDAC policies friendly names and allow
the system to convert the policy names for you. This keeps the policies easily distinguishable when viewed in a
share or any other central repository.
Figure 1. Deploy your Windows Defender Application Control policy
4. Restart the reference system for the WDAC policy to take effect.
5. Use the system as you normally would, and monitor code integrity events in the event log. While in audit
mode, any exception to the deployed WDAC policy will be logged in the Applications and Services
Logs\Microsoft\Windows\CodeIntegrity\Operational event log, as shown in Figure 2.
Figure 2. Exceptions to the deployed WDAC policy
You will be reviewing the exceptions that appear in the event log, and making a list of any applications that
should be allowed to run in your environment.
6. If you want to create a catalog file to simplify the process of including unsigned LOB applications in your
WDAC policy, this is a good time to create it. For information, see Deploy catalog files to support Windows
Defender Application Control.
Now that you have a WDAC policy deployed in audit mode, you can capture any audit information that appears in
the event log. This is described in the next section.
$CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"
3. Use New-CIPolicy to generate a new WDAC policy from logged audit events. This example uses a file rule
level of Hash and includes 3> CIPolicylog.txt, which redirects warning messages to a text file,
CIPolicylog.txt.
New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy -UserPEs 3> CIPolicylog.txt
NOTE
When you create policies from audit events, you should carefully consider the file rule level that you select to trust.
The preceding example uses the Hash rule level, which is the most specific. Any change to the file (such as replacing
the file with a newer version of the same file) will change the Hash value, and require an update to the policy.
4. Find and review the WDAC audit policy .xml file that you created. If you used the example variables as
shown, the filename will be DeviceGuardAuditPolicy.xml, and it will be on your desktop. Look for the
following:
Any applications that were caught as exceptions, but should be allowed to run in your environment.
These are applications that should be in the .xml file. Leave these as-is in the file.
Any applications that actually should not be allowed to run in your environment. Edit these out of the
.xml file. If they remain in the .xml file, and the information in the file is merged into your existing
WDAC policy, the policy will treat the applications as trusted, and allow them to run.
You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two
policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section,
Merge Windows Defender Application Control policies.
NOTE
You may have noticed that you did not generate a binary version of this policy as you did in Create a Windows Defender
Application Control policy from a reference computer. This is because WDAC policies created from an audit log are not
intended to run as stand-alone policies but rather to update existing WDAC policies.
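The audit-to-policy workflow described in this topic as one script, added here as an example and not taken from the page: it reads what audit mode recorded, builds the Hash-level policy, lists the Allow rules for review, merges the result with the policy that ran in audit mode and compiles the binary. The paths are assumptions, and InitialScan.xml stands for whatever policy you deployed in audit mode.

```powershell
# Added example, not from the page: turn the audit-mode events into a reviewed policy update.
# Paths are assumptions; InitialScan.xml stands for the policy that was deployed in audit mode.
$CIPolicyPath  = "$env:USERPROFILE\Desktop\"
$InitialPolicy = $CIPolicyPath + "InitialScan.xml"
$CIAuditPolicy = $CIPolicyPath + "DeviceGuardAuditPolicy.xml"
$MergedPolicy  = $CIPolicyPath + "MergedPolicy.xml"
$MergedBinary  = $CIPolicyPath + "DeviceGuardPolicy.bin"
$CILog         = $CIPolicyPath + "CIPolicylog.txt"

# 1. See what audit mode recorded. In Microsoft-Windows-CodeIntegrity/Operational, event 3076 is
#    the audit-mode "would have been blocked" event; 3077 is the enforced-mode block.
$auditEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076
} -ErrorAction SilentlyContinue

Write-Host ("Audit events found: {0}" -f @($auditEvents).Count)
$auditEvents | Select-Object TimeCreated, Message | Format-List

# 2. Build a policy from those events at the Hash rule level. The 3> redirection sends
#    warning messages (for example, files that could no longer be found) to $CILog.
New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy -UserPEs 3> $CILog

# 3. Review every Allow rule before trusting it. Anything that should stay blocked must be
#    edited out of the XML at this point; once merged, the policy treats it as trusted.
$policyXml = [xml](Get-Content -Path $CIAuditPolicy)
$policyXml.SiPolicy.FileRules.Allow |
    Select-Object ID, FriendlyName, Hash |
    Format-Table -AutoSize

# 4. Merge the reviewed audit policy into the policy that ran in audit mode, then re-assert
#    rule option 3 (Enabled:Audit Mode) so the merged policy stays in audit mode while you
#    validate it; Set-RuleOption -Delete 3 switches it to enforcement when you are satisfied.
Merge-CIPolicy -PolicyPaths $InitialPolicy, $CIAuditPolicy -OutputFilePath $MergedPolicy
Set-RuleOption -FilePath $MergedPolicy -Option 3

# 5. Compile to the binary that is copied to C:\Windows\System32\CodeIntegrity (as SIPolicy.p7b)
#    or deployed through Group Policy.
ConvertFrom-CIPolicy -XmlFilePath $MergedPolicy -BinaryFilePath $MergedBinary
```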
Evaluate exploit protection
4/8/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Exploit protection helps protect devices from malware that uses exploits to spread and infect other devices. It
consists of a number of mitigations that can be applied to either the operating system or an individual app. Many
of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit
protection.
This topic helps you enable exploit protection in audit mode and review related events in Event Viewer. You can
enable audit mode for certain app-level mitigations to see how they will work in a test environment. This lets you
see a record of what would have happened if you had enabled the mitigation in production. You can make sure it
doesn't affect your line-of-business apps, and see which suspicious or malicious events occur.
TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to see how exploit protection
works.
Where:
<Scope>:
-Name to indicate the mitigations should be applied to a specific app. Specify the app's executable after
this flag.
<Action>:
-Enable to enable the mitigation
-Disable to disable the mitigation
<Mitigation>:
The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named testing.exe, run the
following command:
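An added example, not the page's own command, showing the ACG audit case described above end to end with the Set-ProcessMitigation cmdlet: apply the audit mitigation to testing.exe, confirm it, pull the audit events for that app, and export the configuration. testing.exe and the export path are assumptions.

```powershell
# Added example, not from the page: configure the ACG audit mitigation for testing.exe, confirm
# it, read what the audit recorded, and export the configuration. testing.exe and the export
# path are assumptions.
$App        = 'testing.exe'
$ExportPath = "$env:TEMP\ExploitProtectionSettings.xml"

# AuditDynamicCode is the audit counterpart of the ACG (DynamicCode) mitigation: events are
# logged and nothing is blocked, so line-of-business apps keep working while you observe.
Set-ProcessMitigation -Name $App -Enable AuditDynamicCode

# Confirm the per-app setting is in place (the Audit flag under DynamicCode should read ON).
Get-ProcessMitigation -Name $App | Format-List DynamicCode

# Audit events are written to the Security-Mitigations logs; filter them to the app under test.
function Get-MitigationAuditEvents {
    param([string]$ProcessName)
    $logs = 'Microsoft-Windows-Security-Mitigations/KernelMode',
            'Microsoft-Windows-Security-Mitigations/UserMode'
    foreach ($log in $logs) {
        Get-WinEvent -LogName $log -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match [regex]::Escape($ProcessName) } |
            Select-Object TimeCreated, Id, LogName, Message
    }
}
Get-MitigationAuditEvents -ProcessName $App | Format-List

# Export the complete exploit protection configuration; another device applies the same file
# with: Set-ProcessMitigation -PolicyFilePath $ExportPath
Get-ProcessMitigation -RegistryConfigFilePath $ExportPath
```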
Related topics
Comparison with Enhanced Mitigation Experience Toolkit
Enable exploit protection
Configure and audit exploit protection mitigations
Import, export, and deploy exploit protection configurations
Troubleshoot exploit protection
Enable network protection
Enable controlled folder access
Enable attack surface reduction
Evaluate network protection
4/8/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Network protection helps prevent employees from using any application to access dangerous domains that may
host phishing scams, exploits, and other malicious content on the Internet.
This topic helps you evaluate network protection by enabling the feature and guiding you to a testing site. The sites
used in this evaluation topic are not malicious; they are specially created websites that pretend to be malicious and
replicate the behavior that would occur if a user visited a malicious site or domain.
TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to see how other protection
features work.
Related topics
Windows Defender Exploit Guard
Network protection
Enable network protection
Troubleshoot network protection
Evaluate controlled folder access
4/18/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Controlled folder access is a feature that helps protect your documents and files from modification by suspicious
or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
It is especially useful in helping to protect your documents and information from ransomware that can attempt to
encrypt your files and hold them hostage.
This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the
feature directly in your organization.
TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working
and see how it works.
TIP
If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool
to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, MDM, or System Center
Configuration Manager to configure and deploy the setting, as described in the main controlled folder access topic.
EVENT ID DESCRIPTION
Related topics
Protect important folders with controlled folder access
Evaluate Windows Defender ATP
Use audit mode
Evaluate attack surface reduction rules
4/26/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to
infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10
clients.
This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test
the feature directly in your organization.
TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working
and see how it works.
TIP
If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management
tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, or MDM CSPs to
configure and deploy the setting, as described in the main Attack surface reduction rules topic.
EVENT ID DESCRIPTION
Related topics
Reduce attack surfaces with attack surface reduction rules
Evaluate Windows Defender Exploit Guard
Use audit mode to evaluate Windows Defender Exploit Guard
Evaluating Windows Defender Firewall with
Advanced Security Design Examples
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use
Windows Defender Firewall to improve the security of the devices connected to the network. You can use these
topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall
designs and to determine which design or combination of designs best suits the goals of your organization.
Firewall Policy with Advanced Security Design Example
Domain Isolation Policy Design Example
Server Isolation Policy Design Example
Certificate-based Isolation Policy Design Example
Evaluate Windows Defender Antivirus
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Use this guide to determine how well Windows Defender Antivirus protects you from viruses, malware, and
potentially unwanted applications.
TIP
You can also visit the Windows Defender ATP demo website at demo.wd.microsoft.com to confirm the following features are
working and see how they work:
Cloud-delivered protection
Fast learning (including Block at first sight)
Potentially unwanted application blocking
It explains the important next generation protection features of Windows Defender Antivirus available for both
small and large enterprises, and how they increase malware detection and protection across your network.
You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar
settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the
settings.
The guide is available in PDF format for offline viewing:
Download the guide in PDF format
You can also download a PowerShell script that will enable all the settings described in the guide automatically. You
can obtain the script alongside the PDF download above, or individually from the PowerShell Gallery:
Download the PowerShell script to automatically configure the settings
IMPORTANT
The guide is currently intended for single-machine evaluation of Windows Defender Antivirus. Enabling all of the settings in
this guide may not be suitable for real-world deployment.
For the latest recommendations for real-world deployment and monitoring of Windows Defender Antivirus across a
network, see Deploy Windows Defender Antivirus.
Related topics
Windows Defender Antivirus in Windows 10
Deploy Windows Defender Antivirus
Access the Windows Defender ATP Community
Center
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and
share experiences about the product.
There are several spaces you can explore to learn about specific information:
Announcements
What's new
Threat Intelligence
There are several ways you can access the Community Center:
In the Windows Defender Security Center navigation pane, select Community center. A new browser tab
opens and takes you to the Windows Defender ATP Tech Community page.
Access the community through the Windows Defender Advanced Threat Protection Tech Community page
You can instantly view and read conversations that have been posted in the community.
To get the full experience within the community such as being able to comment on posts, you'll need to join the
community. For more information on how to get started in the Microsoft Tech Community, see Microsoft Tech
Community: Getting Started.
Configure and manage Windows Defender ATP
capabilities
4/30/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Configure and manage all the Windows Defender ATP capabilities to get the best security protection for your
organization.
In this section
TOPIC DESCRIPTION
Configure attack surface reduction capabilities By ensuring configuration settings are properly set and exploit
mitigation techniques are applied, this set of capabilities
resists attacks and exploitation.
Configure next generation protection Configure next generation protection to catch all types of
emerging threats.
Configure Secure score dashboard security controls Configure the security controls in Secure score to increase the
security posture of your organization.
Configure Microsoft Threat Experts capabilities Configure and manage how you would like to get
cybersecurity threat intelligence from Microsoft Threat Experts.
Configure Microsoft Threat Protection integration Configure other solutions that integrate with Windows
Defender ATP.
Management and API support Pull alerts to your SIEM or use APIs to create custom alerts.
Create and build Power BI reports.
Configure Windows Defender Security Center settings Configure portal related settings such as general settings,
advanced features, enable the preview experience and others.
Configure attack surface reduction
4/5/2019 • 2 minutes to read
You can configure attack surface reduction with a number of tools, including:
Microsoft Intune
System Center Configuration Manager
Group Policy
PowerShell cmdlets
The topics in this section describe how to configure attack surface reduction. Each topic includes instructions for
the applicable configuration tool (or tools).
In this section
TOPIC DESCRIPTION
Enable hardware-based isolation for Microsoft Edge How to prepare for and install Application Guard, including
hardware and software requirements
Enable application control How to control applications run by users and protect kernel
mode processes
Network protection How to prevent users from using any apps to access
dangerous domains
Controlled folder access How to protect valuable data from malicious apps
Attack surface reduction How to prevent actions and apps that are typically used by
exploit-seeking malware
This topic explains how to configure System Guard Secure Launch and System Management Mode (SMM)
protection to improve the startup security of Windows 10 devices. The information below is presented from a
client perspective.
Registry
1. Open Registry editor.
2. Click HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > DeviceGuard > Scenarios.
3. Right-click Scenarios > New > Key and name the new key SystemGuard.
4. Right-click SystemGuard > New > DWORD (32-bit) Value and name the new DWORD Enabled.
5. Double-click Enabled, change the value to 1, and click OK.
How to verify System Guard Secure Launch is configured and running
To verify that Secure Launch is running, use System Information (MSInfo32). Click Start, search for System
Information, and look under Virtualization-based Security Services Running and Virtualization-based
Security Services Configured.
NOTE
To enable System Guard Secure Launch, the platform must meet all the baseline requirements for Device Guard, Credential
Guard, and Virtualization Based Security.
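The Registry steps above as a script, followed by a status check that reads the same Virtualization-based Security data msinfo32 displays, so the result can be verified and logged rather than read off a dialog. This is an added example, not part of the page; it assumes an elevated PowerShell prompt, and the registry setting still needs a restart to take effect.

```powershell
# Added example, not from the page: configure the SystemGuard scenario key and report what
# Virtualization-based Security actually has configured and running. Requires an elevated
# prompt; the new registry value takes effect after a restart.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
New-ItemProperty -Path $KeyPath -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null

function Get-SecureLaunchStatus {
    # Win32_DeviceGuard carries the "Virtualization-based Security Services Configured/Running"
    # data that System Information shows.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # Service codes: 1 Credential Guard, 2 HVCI, 3 System Guard Secure Launch, 4 SMM Firmware Measurement.
    $services = @{ 1 = 'Credential Guard'; 2 = 'HVCI'; 3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
    # A TPM 2.0 is a baseline requirement; SpecVersion begins with the major version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RegistryEnabled     = (Get-ItemProperty -Path $KeyPath -Name Enabled).Enabled -eq 1
        VbsStatus           = @('Not enabled', 'Enabled, not running', 'Running')[$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured  = @($dg.SecurityServicesConfigured | ForEach-Object { $services[[int]$_] })
        ServicesRunning     = @($dg.SecurityServicesRunning    | ForEach-Object { $services[[int]$_] })
        SecureLaunchRunning = [bool]($dg.SecurityServicesRunning -contains 3)
        TpmSpecVersion      = if ($tpm) { $tpm.SpecVersion } else { 'No TPM reported' }
        TpmIs20             = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')
    }
}

Get-SecureLaunchStatus | Format-List
```

SecureLaunchRunning stays False until the device has been restarted with the setting in place and the platform meets the requirements listed in the table that follows.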
Trusted Platform Module (TPM) 2.0: Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not supported.
Windows DMA Protection: Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).
TPM AUX Index: Platforms must set up an AUX index with index, attributes, and policy that exactly corresponds to the AUX index specified in the TXT DG, with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256)
TPM PS Index: Platforms must set up a PS (Platform Supplier) index with:
- Exactly the "TXT PS2" style Attributes on creation, as follows: AuthWrite, PolicyDelete, WriteLocked, WriteDefine, AuthRead, WriteDefine, NoDa, Written, PlatformCreate
- A policy of exactly PolicyCommandCode(CC = TPM2_CC_UndefineSpaceSpecial) (SHA256 NameAlg and Policy)
- Size of exactly 70 bytes
- NameAlg = SHA256
In addition, it must have been initialized and locked (TPMA_NV_WRITTEN = 1, TPMA_NV_WRITELOCKED = 1) at time of OS launch.
PS index data: DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00.
Platform firmware: Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch:
- Intel® SINIT ACM must be carried in the OEM BIOS
- Platforms must ship with a production ACM signed by the correct production Intel® ACM signer for the platform
Monitor Mode Page Tables: All Monitor Mode page tables must:
- NOT contain any mappings to EfiConventionalMemory (e.g. no OS/VMM owned memory)
- NOT have execute and write permissions for the same page
- Platforms must only allow Monitor Mode pages marked as executable
- The memory map must report Monitor Mode as EfiReservedMemoryType
- Platforms must provide a mechanism to protect the Monitor Mode page tables from modification
Platform firmware: Platform firmware must carry all code required to perform a launch.
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Hardware requirements
Your environment needs the following hardware to run Windows Defender Application Guard.
HARDWARE DESCRIPTION
64-bit CPU: A 64-bit computer with a minimum of 4 cores is required for the hypervisor. For more info about Hyper-V, see Hyper-V on Windows Server 2016 or Introduction to Hyper-V on Windows 10. For more info about the hypervisor, see Hypervisor Specifications.
CPU virtualization extensions: Extended page tables, also called Second Level Address Translation (SLAT), AND either VT-x (Intel) OR AMD-V.
Input/Output Memory Management Unit (IOMMU) support: Not required, but strongly recommended.
Software requirements
Your environment needs the following software to run Windows Defender Application Guard.
SOFTWARE DESCRIPTION
-OR-
Group Policy
-OR-
NOTE
Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking
system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is
recommended for enterprise managed scenarios only.
1. Click the Search or Cortana icon in the Windows 10 taskbar and type PowerShell.
2. Right-click Windows PowerShell, and then click Run as administrator.
Windows PowerShell opens with administrator credentials.
3. Type the following command:
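Because PowerShell installs the feature without checking the system requirements, as the note above warns, this added example (not the page's own command) checks the hardware requirements listed earlier first and only then enables the optional feature. The IOMMU recommendation has no simple property to test here and is left out.

```powershell
# Added example, not from the page: check the listed hardware requirements, then enable the
# Application Guard optional feature only if they are met.
function Test-ApplicationGuardPrerequisites {
    $info  = Get-ComputerInfo
    $cores = (Get-CimInstance -ClassName Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum

    # Once a hypervisor is already running, Get-ComputerInfo leaves the HyperVRequirement* fields
    # empty and sets HyperVisorPresent instead; treat that as the virtualization checks passing.
    $hvPresent = $info.HyperVisorPresent -eq $true

    $checks = [ordered]@{
        '64-bit operating system'           = $info.OsArchitecture -eq '64-bit'
        'At least 4 CPU cores'              = $cores -ge 4
        'SLAT / extended page tables'       = $hvPresent -or $info.HyperVRequirementSecondLevelAddressTranslation -eq $true
        'VT-x or AMD-V enabled in firmware' = $hvPresent -or $info.HyperVRequirementVirtualizationFirmwareEnabled -eq $true
        'VM monitor mode extensions'        = $hvPresent -or $info.HyperVRequirementVMMonitorModeExtensions -eq $true
    }

    foreach ($check in $checks.GetEnumerator()) {
        Write-Host ('{0,-36} {1}' -f $check.Key, $(if ($check.Value) { 'OK' } else { 'MISSING' }))
    }
    return -not ($checks.Values -contains $false)
}

if (Test-ApplicationGuardPrerequisites) {
    # -NoRestart defers the restart that the feature install otherwise prompts for.
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
} else {
    Write-Warning 'Hardware requirements not met; Application Guard may not work on this device.'
}
```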
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your
organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto
many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and
then apply all those settings to every computer in the domain.
Application Guard uses both network isolation and application-specific settings.
NOTE
You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings
on your employee devices to successfully turn on Application Guard using enterprise mode.
POLICY NAME SUPPORTED VERSIONS DESCRIPTION
Private network ranges for apps (at least Windows Server 2012, Windows 8, or Windows RT): A comma-separated list of IP address ranges that are in your corporate network. Included endpoints, or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.
Enterprise resource domains hosted in the cloud (at least Windows Server 2012, Windows 8, or Windows RT): A pipe-separated (|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration. 2) You may optionally use "." as a wildcard character to automatically trust subdomains. Configuring ".contoso.com" will automatically trust "subdomain1.contoso.com", "subdomain2.contoso.com" etc.
Domains categorized as both work and personal (at least Windows Server 2012, Windows 8, or Windows RT): A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.
Application-specific settings
These settings, located at Computer Configuration\Administrative Templates\Windows
Components\Windows Defender Application Guard, can help you to manage your company's
implementation of Application Guard.
Important: Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
Disabled or not configured. Completely turns Off the clipboard functionality for Application Guard.
NAME SUPPORTED VERSIONS DESCRIPTION OPTIONS
Name: Configure Windows Defender Application Guard print settings
Supported versions: Windows 10 Enterprise, 1709 or higher; Windows 10 Pro, 1803 or higher
Description: Determines whether Application Guard can use the print functionality.
Options:
Enabled. Turns On the print functionality and lets you choose whether to additionally: enable Application Guard to print into the XPS format; enable Application Guard to print into the PDF format; enable Application Guard to print to locally attached printers; enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
Disabled or not configured. Completely turns Off the print functionality for Application Guard.
Name: Block enterprise websites to load non-enterprise content in IE and Edge
Supported versions: Windows 10 Enterprise, 1709 or higher
Description: Determines whether to allow Internet access for apps not included on the Allowed Apps list.
Options:
Enabled. Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. Note: this may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.
Disabled or not configured. Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard.
Name: Allow Persistence
Supported versions: Windows 10 Enterprise, 1709 or higher; Windows 10 Pro, 1803 or higher
Description: Determines whether data persists across different sessions in Windows Defender Application Guard.
Options:
Enabled. Application Guard saves user-downloaded files and other items (such as cookies, Favorites, and so on) for use in future Application Guard sessions.
Disabled or not configured. All user data within Application Guard is reset between sessions.
Note: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. To reset the container:
1. Open a command-line program and navigate to Windows/System32.
2. Type wdagtool.exe cleanup. The container environment is reset, retaining only the employee-generated data.
3. Type wdagtool.exe cleanup RESET_PERSISTENCE_LAYER. The container environment is reset, including discarding all employee-generated data.
Name: Turn on Windows Defender Application Guard in Enterprise Mode
Supported versions: Windows 10 Enterprise, 1709 or higher
Description: Determines whether to turn on Application Guard for Microsoft Edge.
Options:
Enabled. Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.
Name: Allow files to download to host operating system
Supported versions: Windows 10 Enterprise, 1803 or higher
Description: Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.
Options:
Enabled. Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.
Disabled or not configured. Users are not able to save downloaded files from Application Guard to the host operating system.
Name: Allow hardware-accelerated rendering for Windows Defender Application Guard
Options:
Important: Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
Disabled or not configured. Windows Defender Application Guard uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware.
Name: Allow camera and microphone access in Windows Defender Application Guard
Supported versions: Windows 10 Enterprise, 1809 or higher; Windows 10 Pro, 1809 or higher
Description: Determines whether to allow camera and microphone access inside Windows Defender Application Guard.
Options:
Enabled. Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device. Important: Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
Disabled or not configured. Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.
Name: Allow Windows Defender Application Guard to use Root Certificate Authorities from a user's device
Supported versions: Windows 10 Enterprise, 1809 or higher; Windows 10 Pro, 1809 or higher
Description: Determines whether Root Certificates are shared with Windows Defender Application Guard.
Options:
Enabled. Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
Disabled or not configured. Certificates are not shared with Windows Defender Application Guard.
Name: Allow users to trust files that open in Windows Defender Application Guard
Supported versions: Windows 10 Enterprise, 1809 or higher
Description: Determines whether users are able to manually trust untrusted files to open them on the host.
Options:
Enabled. Users are able to manually trust files or trust files after an antivirus check.
Disabled or not configured. Users are unable to manually trust files and files continue to open in Windows Defender Application Guard.
Windows Defender Application Control
4/5/2019 • 2 minutes to read
Applies to:
Windows 10
Windows Server 2016
Windows Server 2019
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—
signature-based detection to fight against malware—provides an inadequate defense against new attacks. In most
organizations, information is the most valuable asset, and ensuring that only approved users have access to that
information is imperative.
However, when a user runs a process, that process has the same level of access to data that the user has. As a
result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or
unknowingly runs malicious software.
Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has
an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the
traditional application trust model where all applications are assumed trustworthy by default to one where
applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate,
understand this and frequently cite application control as one of the most effective means for addressing the
threat of executable file-based malware (.exe, .dll, etc.).
Windows Defender Application Control (WDAC) can help mitigate these types of security threats by restricting the
applications that users are allowed to run and the code that runs in the System Core (kernel). WDAC policies also
block unsigned scripts and MSIs, and Windows PowerShell runs in Constrained Language Mode.
NOTE
Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity
policies.
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Microsoft recommends a layered approach to securing removable media, and Windows Defender ATP provides
multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising
your devices:
1. Prevent threats introduced by removable storage devices by enabling:
Windows Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
The Exploit Guard Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run from USB.
Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA Protection for Thunderbolt and blocking DMA until a user signs in.
2. Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting. Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or any other Windows Defender ATP events with custom detection rules.
3. Respond to threats from peripherals in real-time based on properties reported by each peripheral:
Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination.
Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
These threat reduction measures help prevent malware from coming into your environment. To protect enterprise
data from leaving your environment, you can also configure data loss prevention measures. For example, on
Windows 10 devices you can configure BitLocker and Windows Information Protection, which will encrypt
company data even if it is stored on a personal device, or use the Storage/RemovableDiskDenyWriteAccess CSP to
deny write access to removable disks. Additionally, you can classify and protect files on Windows devices (including
their mounted USB devices) by using Windows Defender ATP and Azure Information Protection.
NOTE
We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10
in Device Restrictions > Configure > Windows Defender Antivirus > Real-time monitoring.
Respond to threats
Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats.
It does this by using the properties reported by USB peripherals to determine whether or not they can be installed
and used on the device.
NOTE
Always test and refine these settings with a pilot group of users and devices first before applying them in production.
The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB
peripherals. For more information about controlling USB devices, see the Microsoft Secure blog "WDATP has
protections for USB and removable devices".
Control: Block installation and usage of removable storage
Description: Users can't install or use removable storage

Control: Only allow installation and usage of specifically approved peripherals
Description: Users can only install and use approved peripherals that report specific properties in their firmware

Control: Prevent installation of specifically prohibited peripherals
Description: Users can't install or use prohibited peripherals that report specific properties in their firmware
NOTE
Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing
specifically approved USB peripherals and limiting the users who can access them.
Related topics
Configure real-time protection for Windows Defender Antivirus
Defender/AllowFullScanRemovableDriveScanning
Policy/DeviceInstallation CSP
Perform a custom scan of a removable device
BitLocker
Windows Information Protection
Device Guard: Windows Defender Application Control and virtualization-based protection of code integrity
4/5/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to
"lock down" Windows systems so they operate with many of the properties of mobile devices. In this configuration,
specific technologies work together to restrict devices to only run authorized apps by using a feature called
configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use
of virtualization-based protection of code integrity (more specifically, HVCI).
Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However,
when these two technologies are configured to work together, they present a very strong protection capability for
Windows 10 devices. This combined "configuration state" of configurable code integrity and HVCI has been
referred to as Windows Defender Device Guard.
Using configurable code integrity to restrict devices to only authorized apps has these advantages over other
solutions:
1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early
in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. Configurable code integrity allows customers to set application control policy not only over code running in user
mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
3. Customers can protect the configurable code integrity policy even from local administrator tampering by
digitally signing the policy. This would mean that changing the policy would require both administrative
privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker
with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the
application control policy.
4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a
vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is
significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would
otherwise have enough privilege to disable most system defenses and override the application control policies
enforced by configurable code integrity or any other application control solution.
Related topics
Windows Defender Application Control
Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender Device Guard
Driver compatibility with Windows Defender Device Guard in Windows 10
Code integrity
Memory integrity
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V
hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or
unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from
malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor.
Memory integrity helps block many types of malware from running on computers that run Windows 10 and
Windows Server 2016.
Baseline protections and additional qualifications for virtualization-based protection of code integrity
4/5/2019 • 7 minutes to read
Applies to
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of
the virtualization-based security (VBS) features in Windows Defender Device Guard. Computers lacking these
requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is
that those computers will not be as hardened against certain threats.
For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that
attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard
drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on
bootable media.
WARNING
Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly
recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on
production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error
(also called a stop error).
The following tables provide more information about the hardware, firmware, and software required for
deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus
protections for improved security that are associated with hardware and firmware options available in 2015, 2016,
and 2017.
NOTE
Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new
computers.
Baseline protections
Baseline protection: Hardware: CPU virtualization extensions, plus extended page tables
Description: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).
Security benefits: VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation.

Baseline protection: Firmware: UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot
Description: See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download. You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies here.
Security benefits: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots.

Baseline protection: Firmware: Secure firmware update process
Description: UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download. You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies here.
Security benefits: UEFI firmware, just like software, can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.

Baseline protection: Software: HVCI compatible drivers
Description: See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download. You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies here.
Security benefits: HVCI compatible drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode.

Baseline protection: Software: Qualified Windows operating system
Description: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise.
Important: Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
Security benefits: Support for VBS and for management features that simplify configuration of Windows Defender Device Guard.
Important The following tables list additional qualifications for improved security. You can use Windows
Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they
do not support protections for improved security. However, we strongly recommend meeting these additional
qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
Protection for improved security: Firmware: Hardware Rooted Trust Platform Secure Boot
Description:
• Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download. You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies here.
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See Hardware Security Testability Specification.
Security benefits:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform.

Protection for improved security: Firmware: Firmware Update through Windows Update
Description: Firmware must support field updates through Windows Update and UEFI encapsulation update.
Security benefits: Helps ensure that firmware updates are fast, secure, and reliable.

Protection for improved security: Firmware: Securing Boot Configuration and Management
Description:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
Security benefits:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots.

Protection for improved security: Firmware: VBS enablement of NX protection for UEFI runtime services
Description:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
  • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
  • PE sections need to be page-aligned in memory (not required in non-volatile storage).
  • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
    • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
    • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Security benefits:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable).
• Reduces the attack surface to VBS from system firmware.

Protection for improved security: Firmware: Firmware support for SMM protection
Description: The Windows SMM Security Mitigations Table (WSMT) specification contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
Security benefits:
• Potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable).
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM.
Enable virtualization-based protection of code integrity
4/8/2019 • 9 minutes to read
Applies to
Windows Defender Advanced Threat Protection (Windows Defender ATP)
This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. Some
applications, including device drivers, may be incompatible with HVCI. This can cause devices or software to
malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or
during the enablement process itself. If this happens, see Troubleshooting for remediation steps.
NOTE
HVCI works with modern 7th generation CPUs or higher and their equivalent on AMD. The new CPU feature that is required is Mode Based Execution Control (MBEC) virtualization.
TIP
"The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the
SLAT with a user/kernel executable bit, or the hypervisor’s software emulation of this feature, called Restricted User Mode
(RUM)." Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book
HVCI Features
HVCI protects against modification of the Control Flow Guard (CFG) bitmap.
HVCI also ensures that other trustlets, such as Credential Guard, have a valid certificate.
Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI.
If you want to customize the preceding recommended settings, use the following settings.
To enable VBS
To enable VBS with Secure Boot and DMA (value 3), in the preceding command, change /d 1 to /d 3.
To enable VBS with UEFI lock (value 1), in the preceding command, change /d 0 to /d 1.
To enable virtualization-based protection of Code Integrity policies without UEFI lock (value 0)
To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1), in the
preceding command, change /d 0 to /d 1.
If you want to customize the preceding recommended settings, use the following settings.
To enable VBS (it is always locked to UEFI)
To enable VBS with Secure Boot and DMA (value 3), in the preceding command, change /d 1 to /d 3.
To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)
Validate enabled Windows Defender Device Guard hardware-based security features
Windows 10 and Windows Server 2016 have a WMI class for related properties and features:
Win32_DeviceGuard. This class can be queried from an elevated Windows PowerShell session by using the
following command:
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
NOTE
The Win32_DeviceGuard WMI class is only available on the Enterprise edition of Windows 10.
The output of this command provides details of the available hardware-based security features as well as those
features that are currently enabled.
AvailableSecurityProperties
This field helps to enumerate and report state on the relevant security properties for Windows Defender Device
Guard.
VALUE DESCRIPTION
InstanceIdentifier
A string that is unique to a particular device. Valid values are determined by WMI.
RequiredSecurityProperties
This field describes the required security properties to enable virtualization-based security.
VALUE DESCRIPTION
0. Nothing is required.
SecurityServicesConfigured
This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.
VALUE DESCRIPTION
0. No services configured.
SecurityServicesRunning
This field indicates whether the Windows Defender Credential Guard or HVCI service is running.
VALUE DESCRIPTION
0. No services running.
Version
This field lists the version of this WMI class. The only valid value now is 1.0.
VirtualizationBasedSecurityStatus
This field indicates whether VBS is enabled and running.
VALUE DESCRIPTION
PSComputerName
This field lists the computer name. All valid values for computer name.
Another method to determine the available and enabled Windows Defender Device Guard features is to run
msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device
Guard properties are displayed at the bottom of the System Summary section.
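As an added example, not code from the original page, the following PowerShell script runs the Win32_DeviceGuard query described above and decodes the numeric fields into names, flagging services that are configured but not running. The value-to-name tables and the output property names are taken from the class's documentation as I know it, not from this page (which lists only the zero entries), so treat them as an assumption to verify against the Win32_DeviceGuard reference for your Windows build.

```powershell
# Added example (not from the original page): query Win32_DeviceGuard and
# turn its numeric fields into a readable report with findings.
# Run from an elevated PowerShell session on a Windows 10 Enterprise device.
# Value-to-name tables below follow the documented Win32_DeviceGuard class
# (assumption); the page itself shows only the 0 entries.

$SecurityPropertyNames = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control'
}
$SecurityServiceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor enforced Code Integrity (HVCI)'
}
$VbsStatusNames = @{
    0 = 'VBS is not enabled'
    1 = 'VBS is enabled but not running'
    2 = 'VBS is enabled and running'
}

function ConvertTo-NameList {
    # Map an array of numeric codes to names; unknown codes are kept visible.
    param([int[]]$Codes, [hashtable]$Names)
    if (-not $Codes -or $Codes.Count -eq 0) { return @('(none)') }
    return @($Codes | ForEach-Object {
        if ($Names.ContainsKey([int]$_)) { $Names[[int]$_] } else { "unknown($_)" }
    })
}

function Get-DeviceGuardReport {
    # Accepts a Win32_DeviceGuard instance (or any object with the same
    # property names) and returns a decoded summary plus a list of findings.
    param([Parameter(Mandatory)]$DeviceGuard)

    $findings = @()
    # A service that is configured but not running usually points at a
    # missing prerequisite (see the baseline table) or a pending reboot.
    foreach ($svc in @($DeviceGuard.SecurityServicesConfigured)) {
        if (@($DeviceGuard.SecurityServicesRunning) -notcontains $svc) {
            $findings += "Configured but not running: $($SecurityServiceNames[[int]$svc])"
        }
    }
    if (@($DeviceGuard.SecurityServicesRunning) -notcontains 2) {
        $findings += 'HVCI is not running on this device'
    }
    if ([int]$DeviceGuard.VirtualizationBasedSecurityStatus -ne 2) {
        $findings += 'VBS is not enabled and running'
    }

    [pscustomobject]@{
        Computer     = $DeviceGuard.PSComputerName
        ClassVersion = $DeviceGuard.Version
        VbsStatus    = $VbsStatusNames[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        Available    = (ConvertTo-NameList $DeviceGuard.AvailableSecurityProperties $SecurityPropertyNames) -join ', '
        Required     = (ConvertTo-NameList $DeviceGuard.RequiredSecurityProperties  $SecurityPropertyNames) -join ', '
        Configured   = (ConvertTo-NameList $DeviceGuard.SecurityServicesConfigured  $SecurityServiceNames) -join ', '
        Running      = (ConvertTo-NameList $DeviceGuard.SecurityServicesRunning     $SecurityServiceNames) -join ', '
        Findings     = $findings
    }
}

# Live query using the class and namespace the page gives.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
Get-DeviceGuardReport -DeviceGuard $dg | Format-List
```

An empty Findings list means VBS is running and every configured service (Credential Guard, HVCI) is actually running; anything listed there is the first thing to check before rolling HVCI out more widely.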
Troubleshooting
A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using Device
Manager.
B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you are
able to log in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location
in step 3 above and then restart your device.
C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn
on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see
Windows RE Technical Reference. After logging in to Windows RE, you can turn off HVCI by renaming or deleting
the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Exploit protection helps protect against malware that uses exploits to infect devices and spread. It consists of a
number of mitigations that can be applied to either the operating system or individual apps.
Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
You can also set mitigations to audit mode. Audit mode allows you to test how the mitigations would work (and
review events) without impacting the normal use of the machine.
You can enable each mitigation separately by using any of these methods:
Windows Security app
Microsoft Intune
Mobile Device Management (MDM)
System Center Configuration Manager (SCCM)
Group Policy
PowerShell
They are configured by default in Windows 10.
You can set each mitigation to on, off, or to its default value. Some mitigations have additional options.
You can export these settings as an XML file and deploy them to other machines.
Example 1
Mikael configures Data Execution Prevention (DEP) in the System settings section to be Off by default.
Mikael then adds the app test.exe to the Program settings section. In the options for that app, under Data
Execution Prevention (DEP), he enables the Override system settings option and sets the switch to On.
There are no other apps listed in the Program settings section.
The result will be that DEP will be enabled only for test.exe. All other apps will not have DEP applied.
Example 2
Josie configures Data Execution Prevention (DEP) in the System settings section to be Off by default.
Josie then adds the app test.exe to the Program settings section. In the options for that app, under Data
Execution Prevention (DEP), she enables the Override system settings option and sets the switch to On.
Josie also adds the app miles.exe to the Program settings section and configures Control flow guard (CFG) to
On. She doesn't enable the Override system settings option for DEP or any other mitigations for that app.
The result will be that DEP will be enabled for test.exe. DEP will not be enabled for any other app, including
miles.exe. CFG will be enabled for miles.exe.
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the App & browser control tile (or the app icon on the left menu bar) and then click Exploit
protection.
3. Go to Program settings and choose the app you want to apply mitigations to:
a. If the app you want to configure is already listed, click it and then click Edit.
b. If the app is not listed, at the top of the list click Add program to customize and then choose how you
want to add the app:
Use Add by program name to have the mitigation applied to any running process with that
name. You must specify a file with an extension. You can enter a full path to limit the mitigation to
only the app with that name in that location.
Use Choose exact file path to use a standard Windows Explorer file picker window to find and
select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing Audit will apply
the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you
need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click Apply when you're done setting
up your configuration.
Intune
1. Sign in to the Azure portal and open Intune.
2. Click Device configuration > Profiles > Create profile.
3. Name the profile, choose Windows 10 and later and Endpoint protection.
4. Click Configure > Windows Defender Exploit Guard > Exploit protection.
5. Upload an XML file with the exploit protection settings:
6. Click OK to save each open blade and click Create.
7. Click the profile Assignments, assign to All Users & All Devices, and click Save.
MDM
Use the ./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings configuration service provider
(CSP) to enable or disable exploit protection mitigations or to use audit mode.
SCCM
1. In System Center Configuration Manager, click Assets and Compliance > Endpoint Protection >
Windows Defender Exploit Guard.
2. Click Home > Create Exploit Guard Policy.
3. Enter a name and a description, click Exploit protection, and click Next.
4. Browse to the location of the exploit protection XML file and click Next.
5. Review the settings and click Next to create the policy.
6. After the policy is created, click Close.
Group Policy
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Exploit Guard > Exploit Protection
> Use a common set of exploit protection settings.
4. Click Enabled and type the location of the XML file and click OK.
PowerShell
You can use the PowerShell verb Get or Set with the cmdlet ProcessMitigation. Using Get will list the current
configuration status of any mitigations that have been enabled on the device; add the -Name parameter and the
app's executable name to see mitigations for just that app:
IMPORTANT
System-level mitigations that have not been configured will show a status of NOTSET.
For system-level settings, NOTSET indicates the default setting for that mitigation has been applied.
For app-level settings, NOTSET indicates the system-level setting for the mitigation will be applied.
The default setting for each system-level mitigation can be seen in the Windows Security app.
Where:
<Scope>:
-Name to indicate the mitigations should be applied to a specific app. Specify the app's executable after
this flag.
-System to indicate the mitigation should be applied at the system level
<Action>:
-Enable to enable the mitigation
-Disable to disable the mitigation
<Mitigation>:
The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is
separated with a comma.
For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an
executable called testing.exe in the folder C:\Apps\LOB\tests, and to prevent that executable from creating child
processes, you'd use the following command:
IMPORTANT
Separate each mitigation option with commas.
If you wanted to apply DEP at the system level, you'd use the following command:
This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each
mitigation.
Mitigation: Control flow guard (CFG)
Applies to: System and app-level
PowerShell cmdlets: CFG, StrictCFG, SuppressExports
Audit mode cmdlet: Audit not available

Mitigation: Data Execution Prevention (DEP)
Applies to: System and app-level
PowerShell cmdlets: DEP, EmulateAtlThunks
Audit mode cmdlet: Audit not available

Mitigation: Force randomization for images (Mandatory ASLR)
Applies to: System and app-level
PowerShell cmdlets: ForceRelocateImages
Audit mode cmdlet: Audit not available

Mitigation: Randomize memory allocations (Bottom-Up ASLR)
Applies to: System and app-level
PowerShell cmdlets: BottomUp, HighEntropy
Audit mode cmdlet: Audit not available

Mitigation: Validate exception chains (SEHOP)
Applies to: System and app-level
PowerShell cmdlets: SEHOP, SEHOPTelemetry
Audit mode cmdlet: Audit not available

Mitigation: Validate heap integrity
Applies to: System and app-level
PowerShell cmdlets: TerminateOnHeapError
Audit mode cmdlet: Audit not available

Mitigation: Export address filtering (EAF)
Applies to: App-level only
PowerShell cmdlets: EnableExportAddressFilterPlus, EnableExportAddressFilter [1]
Audit mode cmdlet: Audit not available

Mitigation: Import address filtering (IAF)
Applies to: App-level only
PowerShell cmdlets: EnableImportAddressFilter
Audit mode cmdlet: Audit not available
[1]: Use the following format to enable EAF modules for dlls for a process:
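The following PowerShell is an added example, not code from the original page: it applies the testing.exe scenario described above (DEP with ATL thunk emulation plus no child processes), the system-level DEP setting, and the EAF module form from footnote [1], then reads the configuration back and exports it as XML for deployment. The executable path is the page's own; the DLL names and export location are constructed placeholders, and the property names read from the Get-ProcessMitigation output object are an assumption taken from the cmdlet's documentation.

```powershell
# Added example (not from the original page): configure exploit protection
# mitigations with Set-ProcessMitigation, read them back with
# Get-ProcessMitigation, and export the configuration to XML.
# Run from an elevated PowerShell session on Windows 10 (1709 or later).

# Executable from the page's scenario; DLL names and the export path are
# constructed placeholders for this example.
$target     = 'C:\Apps\LOB\tests\testing.exe'
$eafModules = 'example1.dll', 'example2.dll'
$exportPath = Join-Path $env:TEMP 'ExploitProtection-Sample.xml'

# App-level: DEP with ATL thunk emulation, and block child process creation.
# Mitigation options go in one comma-separated list, as the page notes.
Set-ProcessMitigation -Name $target -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation

# Footnote [1]: EAF+ limited to specific modules for the same executable.
Set-ProcessMitigation -Name $target -Enable EnableExportAddressFilterPlus -EAFModules $eafModules

# System-level: DEP becomes the default for every process that does not
# override it (the page's Example 1 and 2 show how overrides interact).
Set-ProcessMitigation -System -Enable DEP

function Get-AppMitigationSummary {
    # Read back the app-level configuration and return the fields that matter
    # for this scenario. Property names follow the Get-ProcessMitigation
    # output object as documented (assumption). A value of NOTSET means the
    # system-level setting applies to this app.
    param([Parameter(Mandatory)][string]$ProcessName)
    $cfg = Get-ProcessMitigation -Name $ProcessName
    [pscustomobject]@{
        Process           = $cfg.ProcessName
        Source            = $cfg.Source
        DEP               = $cfg.DEP.Enable
        EmulateAtlThunks  = $cfg.DEP.EmulateAtlThunks
        BlockChildProcess = $cfg.ChildProcess.DisallowChildProcessCreation
        EAFPlus           = $cfg.Payload.EnableExportAddressFilterPlus
    }
}

# Get-ProcessMitigation -Name takes the process name, not the full path.
Get-AppMitigationSummary -ProcessName 'testing.exe' | Format-List

# System-level view; anything shown as NOTSET uses the Windows default.
Get-ProcessMitigation -System

# Export every system- and app-level setting to one XML file. The file can be
# deployed through Intune, SCCM or Group Policy as described above, or imported
# on another machine with: Set-ProcessMitigation -PolicyFilePath <file>
Get-ProcessMitigation -RegistryConfigFilePath $exportPath
Write-Output "Exported exploit protection configuration to $exportPath"
```

Because EAF is app-level only and has no audit mode (see the table), pilot the EAF+ line on a small group before deploying the exported XML broadly.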
Related topics
Comparison with Enhanced Mitigation Experience Toolkit
Evaluate exploit protection
Configure and audit exploit protection mitigations
Import, export, and deploy exploit protection configurations
Import, export, and deploy exploit protection configurations
4/5/2019 • 5 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Exploit protection helps protect devices from malware that uses exploits to spread and infect. It consists of
a number of mitigations that can be applied at either the operating system level or at the individual app level.
It is part of Windows Defender Exploit Guard.
Many of the features that are part of the Enhanced Mitigation Experience Toolkit (EMET) are now included in
exploit protection.
You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You
can then export this configuration as an XML file and share it with multiple machines on your network so they all
have the same set of mitigation settings.
You can also convert and import an existing EMET configuration XML file into an exploit protection configuration
XML.
This topic describes how to create a configuration file and deploy it across your network, and how to convert an
EMET configuration.
The Exploit Guard Evaluation Package contains a sample configuration file (named ProcessMitigation-Selfhost-v4.xml)
that you can use to see how the XML structure looks. The sample file also contains settings that have been
converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it
directly into exploit protection and then review the settings in the Windows Security app, as described further in
this topic.
NOTE
When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't
need to export a file from both the System settings and Program settings sections - either section will export all settings.
Change filename to the location and name of the exploit protection XML file.
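The export, inspection and import sequence, as an added example that is not part of the original topic. It uses the -RegistryConfigFilePath parameter of Get-ProcessMitigation to export and the -PolicyFilePath parameter of Set-ProcessMitigation to import; the file path is illustrative, and the XML element names (MitigationPolicy, AppConfig with an Executable attribute, SystemConfig) are assumed to be those of the exploit protection configuration format.

```powershell
# Added example: export the current exploit protection configuration, look at what
# it contains before sharing it, and import it on a target machine (elevated session).
$configFile = 'C:\MitigationSettings\Config.xml'   # illustrative path
New-Item -ItemType Directory -Path (Split-Path $configFile) -Force | Out-Null

# Export: one file carries both the system-level and every app-level setting.
Get-ProcessMitigation -RegistryConfigFilePath $configFile

# Inspect: which executables have app-level entries, and what the system defaults are.
[xml]$policy = Get-Content -Path $configFile
"App-level entries:"
$policy.MitigationPolicy.AppConfig | ForEach-Object { "  " + $_.Executable }
"System-level settings:"
$policy.MitigationPolicy.SystemConfig | Format-List

# Import on the target machine: applies every setting in the file.
Set-ProcessMitigation -PolicyFilePath $configFile

# Verify that a system-level value survived the round trip.
(Get-ProcessMitigation -System).Dep.Enable
```

Review the exported file before deploying it: because it carries every app-level entry on the source machine, a test box with experimental per-app settings will propagate those settings to everything that imports the file.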
IMPORTANT
Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET
configuration file, you must convert it first.
WARNING
You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to
help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file
will not work.
However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default
configuration file into EMET, then export the settings to a new file.
You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit
protection.
1. Type powershell in the Start menu, right click Windows PowerShell and click Run as administrator
2. Enter the following cmdlet:
Change emetFile to the name and location of the EMET configuration file, and change filename to whichever
location and file name you want to use.
IMPORTANT
If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the
XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the
Mandatory ASLR mitigation setting is correctly configured:
1. Open the PowerShell-converted XML file in a text editor.
2. Search for ASLR ForceRelocateImages="false" and change it to ASLR ForceRelocateImages="true" for each app
that you want Mandatory ASLR to be enabled.
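The conversion and the manual Mandatory ASLR fix described above, carried out in PowerShell as an added example (not part of the original topic). ConvertTo-ProcessMitigationPolicy with -EMETFilePath and -OutputFilePath is the converter cmdlet from the ProcessMitigations module; the file paths and application names are illustrative, and the element structure (MitigationPolicy, AppConfig with an Executable attribute, and an ASLR child carrying the ForceRelocateImages attribute) is assumed from the search string the text gives.

```powershell
# Added example: convert an EMET export to an exploit protection policy, then set
# ForceRelocateImages="true" for the apps that had Mandatory ASLR in EMET.
$emetFile  = 'C:\EMET\Exported-Settings.xml'           # illustrative: exported from EMET, not a default file
$converted = 'C:\MitigationSettings\Converted.xml'     # illustrative output path
$mandatoryAslrApps = @('notepad.exe', 'winword.exe')   # illustrative: apps that had Mandatory ASLR in EMET

ConvertTo-ProcessMitigationPolicy -EMETFilePath $emetFile -OutputFilePath $converted

[xml]$policy = Get-Content -Path $converted
$changed = 0
$missing = @()
foreach ($app in $policy.MitigationPolicy.AppConfig) {
    if ($mandatoryAslrApps -notcontains $app.Executable) { continue }
    $aslr = $app.SelectSingleNode('ASLR')
    if ($null -eq $aslr) { $missing += $app.Executable; continue }
    if ($aslr.GetAttribute('ForceRelocateImages') -ne 'true') {
        $aslr.SetAttribute('ForceRelocateImages', 'true')
        $changed++
    }
}
$policy.Save($converted)
"Set ForceRelocateImages=true on $changed app(s)"
if ($missing) { "No ASLR element found for: $($missing -join ', ') (add one by hand)" }

# Confirm nothing on the list is still "false" before importing the file.
$policy.MitigationPolicy.AppConfig |
    Where-Object { $mandatoryAslrApps -contains $_.Executable } |
    ForEach-Object { '{0}: ForceRelocateImages={1}' -f $_.Executable, $_.ASLR.ForceRelocateImages }
```

The script only touches the executables you list, so apps that were deliberately left without Mandatory ASLR in EMET keep the converted value; import the result with Set-ProcessMitigation -PolicyFilePath.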
IMPORTANT
When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access
the configuration XML file. Ensure you place the file in a shared location.
4. Double-click the Use a common set of Exploit protection settings setting and set the option to
Enabled.
5. In the Options:: section, enter the location and filename of the Exploit protection configuration file that
you want to use, such as in the following examples:
C:\MitigationSettings\Config.XML
\\Server\Share\Config.xml
https://localhost:8080/Config.xml
6. Click OK and Deploy the updated GPO as you normally do.
Related topics
Protect devices from exploits
Comparison with Enhanced Mitigation Experience Toolkit
Evaluate exploit protection
Enable exploit protection
Configure and audit exploit protection mitigations
Enable network protection
4/24/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Network protection helps to prevent employees from using any application to access dangerous domains that
may host phishing scams, exploits, and other malicious content on the Internet. You can audit network protection
in a test environment to see which apps would be blocked before you enable it.
You can enable network protection by using any of these methods:
Microsoft Intune
Mobile Device Management (MDM)
System Center Configuration Manager (SCCM)
Group Policy
PowerShell
Intune
1. Sign in to the Azure portal and open Intune.
2. Click Device configuration > Profiles > Create profile.
3. Name the profile, choose Windows 10 and later and Endpoint protection.
4. Click Configure > Windows Defender Exploit Guard > Network filtering > Enable.
SCCM
1. In System Center Configuration Manager, click Assets and Compliance > Endpoint Protection >
Windows Defender Exploit Guard.
2. Click Home > Create Exploit Guard Policy.
3. Enter a name and a description, click Network protection, and click Next.
4. Choose whether to block or audit access to suspicious domains and click Next.
5. Review the settings and click Next to create the policy.
6. After the policy is created, click Close.
Group Policy
You can use the following procedure to enable network protection on domain-joined computers or on a
standalone computer.
1. On a standalone computer, click Start, type and then click Edit group policy.
-Or-
On a domain-joined Group Policy management computer, open the Group Policy Management Console,
right-click the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender
Exploit Guard > Network protection.
4. Double-click the Prevent users and apps from accessing dangerous websites setting and set the
option to Enabled. In the options section, you must specify one of the following:
Block - Users will not be able to access malicious IP addresses and domains
Disable (Default) - The Network protection feature will not work. Users will not be blocked from
accessing malicious domains
Audit Mode - If a user visits a malicious IP address or domain, an event will be recorded in the
Windows event log but the user will not be blocked from visiting the address.
IMPORTANT
To fully enable network protection, you must set the Group Policy option to Enabled and also select Block in the options
drop-down menu.
You can confirm network protection is enabled on a local computer by using Registry editor:
1. Click Start and type regedit to open Registry Editor.
2. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
3. Click EnableNetworkProtection and confirm the value:
0=Off
1=On
2=Audit
PowerShell
1. Type powershell in the Start menu, right click Windows PowerShell and click Run as administrator
2. Enter the following cmdlet:
You can enable the feature in audit mode using the following cmdlet:
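The PowerShell route end to end, as an added example that is not part of the original topic: audit first, check the state through Get-MpPreference and the registry value listed above, review what audit mode logged, then enforce. The event IDs used for the log query (1125 for an audited connection, 1126 for a blocked one) are the ones Windows Defender Antivirus writes for network protection; they are not listed on this page.

```powershell
# Added example: enable network protection in audit mode, verify, review, then block.
# Run in an elevated session. Registry values follow this page: 0=Off, 1=On, 2=Audit.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'

function Get-NetworkProtectionState {
    $pref = (Get-MpPreference).EnableNetworkProtection
    $reg  = (Get-ItemProperty -Path $regPath -Name EnableNetworkProtection -ErrorAction SilentlyContinue).EnableNetworkProtection
    [pscustomobject]@{
        MpPreference = switch ([int]$pref) { 0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } default { "Unknown($pref)" } }
        Registry     = if ($null -eq $reg) { 'Not set' } else { $reg }
    }
}

# Audited (1125) and blocked (1126) network protection events from the Defender log.
function Get-NetworkProtectionEvents([int]$Hours = 24) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}

# 1. Audit: connections to dangerous domains are logged but still allowed.
Set-MpPreference -EnableNetworkProtection AuditMode
Get-NetworkProtectionState

# 2. After a test period, see which apps and destinations would have been blocked.
Get-NetworkProtectionEvents | Format-Table -AutoSize

# 3. Enforce.
Set-MpPreference -EnableNetworkProtection Enabled
Get-NetworkProtectionState
```

If a Group Policy or MDM setting also manages this value, the policy wins and the Set-MpPreference change is reverted at the next policy refresh, which is why the function reports both the effective preference and the registry value.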
Related topics
Windows Defender Exploit Guard
Network protection
Evaluate network protection
Troubleshoot network protection
Enable controlled folder access
4/29/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It
is part of Windows Defender Exploit Guard. Controlled folder access is included with Windows 10 and Windows
Server 2019.
You can enable controlled folder access by using any of these methods:
Windows Security app
Microsoft Intune
Mobile Device Management (MDM)
System Center Configuration Manager (SCCM)
Group Policy
PowerShell
Audit mode allows you to test how the feature would work (and review events) without impacting the normal use
of the machine.
Group Policy settings that disable local administrator list merging will override controlled folder access settings.
They also override protected folders and allowed apps set by the local administrator through controlled folder
access. These policies include:
Windows Defender Antivirus Configure local administrator merge behavior for lists
System Center Endpoint Protection Allow users to add exclusions and overrides
For more information about disabling local list merging, see Prevent or allow users to locally modify Windows
Defender AV policy settings.
NOTE
If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows
Security app after a restart of the device. If the feature is set to Audit mode with any of those tools, the Windows Security
app will show the state as Off.
Intune
1. Sign in to the Azure portal and open Intune.
2. Click Device configuration > Profiles > Create profile.
3. Name the profile, choose Windows 10 and later and Endpoint protection.
4. Click Configure > Windows Defender Exploit Guard > Folder protection > Enable.
5. Type the path to each application that has access to protected folders and the path to any additional folder that
MDM
Use the ./Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessProtectedFolders configuration service provider
(CSP) to add protected folders, and ./Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessAllowedApplications to
allow apps to make changes to protected folders.
SCCM
1. In System Center Configuration Manager, click Assets and Compliance > Endpoint Protection >
Windows Defender Exploit Guard.
2. Click Home > Create Exploit Guard Policy.
3. Enter a name and a description, click Controlled folder access, and click Next.
4. Choose whether to block or audit changes, allow other apps, or add other folders, and click Next.
NOTE
Wildcard is supported for applications, but not for folders. Subfolders are not protected.
5. Review the settings and click Next to create the policy.
6. After the policy is created, click Close.
Group Policy
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender
Exploit Guard > Controlled folder access.
4. Double-click the Configure Controlled folder access setting and set the option to Enabled. In the
options section you must specify one of the following:
Enable - Malicious and suspicious apps will not be allowed to make changes to files in protected
folders. A notification will be provided in the Windows event log
Disable (Default) - The Controlled folder access feature will not work. All apps can make changes to
files in protected folders.
Audit Mode - If a malicious or suspicious app attempts to make a change to a file in a protected
folder, the change will be allowed but will be recorded in the Windows event log. This allows you to
assess the impact of this feature on your organization.
IMPORTANT
To fully enable controlled folder access, you must set the Group Policy option to Enabled and also select Enable in the
options drop-down menu.
PowerShell
1. Type powershell in the Start menu, right click Windows PowerShell and click Run as administrator.
2. Enter the following cmdlet:
Set-MpPreference -EnableControlledFolderAccess Enabled
You can enable the feature in audit mode by specifying AuditMode instead of Enabled .
Use Disabled to turn the feature off.
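Beyond the single cmdlet above, the following added example (not part of the original topic) shows the full PowerShell workflow: audit mode, adding a protected folder and an allowed app with Add-MpPreference, reviewing the audit events, and then enforcing. The folder and application paths are illustrative. The event IDs (1124 for an audited write, 1123 for a blocked one) are the ones Windows Defender Antivirus records for controlled folder access; they are not listed on this page.

```powershell
# Added example: roll out controlled folder access via PowerShell (elevated session).
# Paths are illustrative.

# 1. Audit mode: nothing is blocked, but attempted writes by untrusted apps are logged.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect an extra folder and allow one line-of-business app.
#    Add- appends to the list; Set- with these parameters would replace the whole list.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Ledgers'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\LOB\ledger.exe'

# 3. Review what audit mode recorded (1124) and, once enforced, what was blocked (1123).
function Get-CfaEvents([int[]]$Ids = @(1123, 1124), [int]$Hours = 24) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $Ids
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}
Get-CfaEvents | Format-Table -AutoSize

# 4. Enforce, then confirm the effective state and lists.
Set-MpPreference -EnableControlledFolderAccess Enabled
$p = Get-MpPreference
[pscustomobject]@{
    State            = $p.EnableControlledFolderAccess     # 0=Disabled, 1=Enabled, 2=AuditMode
    ProtectedFolders = $p.ControlledFolderAccessProtectedFolders -join '; '
    AllowedApps      = $p.ControlledFolderAccessAllowedApplications -join '; '
}
```

Allowed applications are trusted for every protected folder, so keep that list to signed, fixed-path binaries; a writable path such as a user profile directory would let malware dropped there inherit the allowance.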
Related topics
Protect important folders with controlled folder access
Customize controlled folder access
Evaluate Windows Defender ATP
Enable attack surface reduction rules
4/29/2019 • 5 minutes to read
Attack surface reduction rules help prevent actions and apps that malware often uses to infect computers. You
can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019.
Each ASR rule contains three settings:
Not configured: Disable the ASR rule
Block: Enable the ASR rule
Audit: Evaluate how the ASR rule would impact your organization if enabled
To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so
you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender
Advanced Threat Protection (Windows Defender ATP ). These advanced capabilities aren't available with an E3
license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
You can enable attack surface reduction rules by using any of these methods:
Microsoft Intune
Mobile Device Management (MDM)
System Center Configuration Manager (SCCM)
Group Policy
PowerShell
Enterprise-level management such as Intune or SCCM is recommended. Enterprise-level management will
overwrite any conflicting Group Policy or PowerShell settings on startup.
WARNING
Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and
no report or event will be recorded.
If ASR rules are detecting files that you believe shouldn't be detected, you should use audit mode first to test the rule.
IMPORTANT
File and folder exclusions do not apply to the following ASR rules:
Block process creations originating from PSExec and WMI commands
Block JavaScript or VBScript from launching downloaded executable content
You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't
specify which rules the exclusions apply to.
ASR rules support environment variables and wildcards. For information about using wildcards, see Use
wildcards in the file name and folder path or extension exclusion lists.
The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
Intune
1. In Intune, select Device configuration > Profiles. Choose an existing endpoint protection profile or
create a new one. To create a new one, select Create profile and enter information for this profile. For
Profile type, select Endpoint protection. If you've chosen an existing profile, select Properties and then
select Settings.
2. In the Endpoint protection pane, select Windows Defender Exploit Guard, then select Attack
Surface Reduction. Select the desired setting for each ASR rule.
3. Under Attack Surface Reduction exceptions, you can enter individual files and folders, or you can
select Import to import a CSV file that contains files and folders to exclude from ASR rules. Each line in
the CSV file should be in the following format:
C:\folder, %ProgramFiles%\folder\file, C:\path
4. Select OK on the three configuration panes and then select Create if you're creating a new endpoint
protection file or Save if you're editing an existing one.
MDM
Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules configuration service provider
(CSP ) to individually enable and set the mode for each rule.
The following is a sample for reference, using GUID values for ASR rules.
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EFC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1
The values to enable, disable, or enable in audit mode are:
Disable = 0
Block (enable ASR rule) = 1
Audit = 2
Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions configuration service
provider (CSP ) to add exclusions.
Example:
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
Value: c:\path|e:\path|c:\Whitelisted.exe
NOTE
Be sure to enter OMA-URI values without spaces.
SCCM
1. In System Center Configuration Manager, click Assets and Compliance > Endpoint Protection >
Windows Defender Exploit Guard.
2. Click Home > Create Exploit Guard Policy.
3. Enter a name and a description, click Attack Surface Reduction, and click Next.
4. Choose which rules will block or audit actions and click Next.
5. Review the settings and click Next to create the policy.
6. After the policy is created, click Close.
Group Policy
WARNING
If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the
management software will overwrite any conflicting Group Policy settings on startup.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender
Exploit Guard > Attack surface reduction.
4. Select Configure Attack surface reduction rules and select Enabled. You can then set the individual
state for each rule in the options section:
Click Show... and enter the rule ID in the Value name column and your desired state in the Value
column as follows:
Disable = 0
Block (enable ASR rule) = 1
Audit = 2
5. To exclude files and folders from ASR rules, select the Exclude files and paths from Attack surface
reduction rules setting and set the option to Enabled. Click Show and enter each file or folder in the
Value name column. Enter 0 in the Value column for each item.
PowerShell
WARNING
If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the
management software will overwrite any conflicting PowerShell settings on startup.
1. Type powershell in the Start menu, right click Windows PowerShell and click Run as administrator.
2. Enter the following cmdlet:
You can also use the Add-MpPreference cmdlet to add new rules to the existing list.
WARNING
Set-MpPreference will always overwrite the existing set of rules. If you want to add to the existing set, you should
use Add-MpPreference instead. You can obtain a list of rules and their current state by using Get-MpPreference
3. To exclude files and folders from ASR rules, use the following cmdlet:
IMPORTANT
Use Add-MpPreference to append or add apps to the list. Using the Set-MpPreference cmdlet will overwrite the
existing list.
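The following is an added example, not part of the original topic. It configures several rules with Add-MpPreference (which appends, unlike Set-MpPreference) and then reads the effective state back. Get-MpPreference exposes rule IDs and actions as two parallel arrays, so the example pairs them up into one row per rule. The GUIDs are the ones in the MDM sample above plus the USB rule named later in this page; the chosen block/audit split is illustrative.

```powershell
# Added example: enable and audit ASR rules with Add-MpPreference, then list each
# rule with its effective action (elevated session). Action values: 0=Disabled,
# 1=Enabled (block), 2=AuditMode, matching the MDM and Group Policy values above.
$rules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Enabled'     # from the MDM sample
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Enabled'     # from the MDM sample
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'AuditMode'   # evaluate before blocking
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'AuditMode'   # block untrusted and unsigned processes that run from USB
}

# One call per rule keeps each ID aligned with its action. Add- preserves rules
# configured earlier; Set- would replace the whole set.
foreach ($id in $rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $rules[$id]
}

function Get-AsrRuleState {
    $p = Get-MpPreference
    $actionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $a = [int]$p.AttackSurfaceReductionRules_Actions[$i]
        [pscustomobject]@{
            RuleId = $p.AttackSurfaceReductionRules_Ids[$i]
            Action = if ($actionName.ContainsKey($a)) { $actionName[$a] } else { "Unknown($a)" }
        }
    }
}
Get-AsrRuleState | Format-Table -AutoSize
```

Running Get-AsrRuleState after a Group Policy or Intune refresh is the quickest way to see whether enterprise management has overwritten the locally set rules, as the warning above says it will.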
Related topics
Reduce attack surfaces with attack surface reduction rules
Evaluate attack surface reduction
Enable cloud-delivered protection
Customize attack surface reduction rules
4/26/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to
infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10
clients.
This topic describes how to customize attack surface reduction rules by excluding files and folders or adding
custom text to the notification alert that appears on a user's computer.
You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
WARNING
Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have
been blocked by a rule will be allowed to run, and there will be no report or event recorded.
If you are encountering problems with rules detecting files that you believe should not be detected, you should use audit
mode first to test the rule.
You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot
specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are
enabled (or placed in audit mode) and that allow exclusions.
Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see
Use wildcards in the file name and folder path or extension exclusion lists.
Exclusions apply to all attack surface reduction rules.
Rule description | GUID
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
See the attack surface reduction topic for details on each rule.
Use Group Policy to exclude files and folders
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender
Exploit Guard > Attack surface reduction.
4. Double-click the Exclude files and paths from Attack surface reduction Rules setting and set the option
to Enabled. Click Show and enter each file or folder in the Value name column. Enter 0 in the Value
column for each item.
Use PowerShell to exclude files and folders
1. Type powershell in the Start menu, right click Windows PowerShell and click Run as administrator
2. Enter the following cmdlet:
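The following is an added example, not part of the original topic. It adds exclusions with Add-MpPreference so that entries already on the list survive, uses an environment variable and the wildcard forms the text says are supported, and reads the list back. The paths are illustrative.

```powershell
# Added example: add ASR exclusions without replacing the existing list (elevated session).
# Exclusions bypass every ASR rule that honours them and generate no event, so keep
# them as narrow as possible. Paths are illustrative.
$newExclusions = @(
    'C:\Program Files\LOB\reports.exe',     # a single executable
    '%ProgramFiles%\LOB\plugins\*',         # environment variable plus wildcard for one folder
    'D:\Build\*\out\tool.exe'               # wildcard matching one folder level in the path
)

$existing = @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)
$toAdd = @($newExclusions | Where-Object { $existing -notcontains $_ })

if ($toAdd.Count -gt 0) {
    # Add- appends; Set-MpPreference -AttackSurfaceReductionOnlyExclusions would overwrite the list.
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $toAdd
}

# Confirm the effective list.
(Get-MpPreference).AttackSurfaceReductionOnlyExclusions

# Back out an entry that turns out to be too broad.
# Remove-MpPreference -AttackSurfaceReductionOnlyExclusions 'D:\Build\*\out\tool.exe'
```

Prefer excluding a specific signed binary over a folder: a folder exclusion also covers anything an attacker can write into that folder later.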
Related topics
Reduce attack surfaces with attack surface reduction rules
Enable attack surface reduction rules
Evaluate attack surface reduction rules
Windows Defender Firewall with Advanced Security
Deployment Guide
4/5/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
You can use the Windows Defender Firewall with Advanced Security MMC snap-in with devices running at least
Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network.
You can use Windows Defender Firewall to control access to the device from the network. You can create rules that
allow or block network traffic in either direction based on your business requirements. You can also create IPsec
connection security rules to help protect your data as it travels across the network from device to device.
Caution: We recommend that you use the techniques documented in this guide only for GPOs that must be
deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active
Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of
GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU
hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to
which the GPO applies.
In a large enterprise environment with hundreds or thousands of GPOs, using this technique with too many GPOs
can result in user or device accounts that are members of an excessive number of groups; this can result in
network connectivity problems if network protocol limits are exceeded.
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can configure Windows Defender Antivirus with a number of tools, including:
Microsoft Intune
System Center Configuration Manager
Group Policy
PowerShell cmdlets
Windows Management Instrumentation (WMI)
The following broad categories of features can be configured:
Cloud-delivered protection
Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
How end-users interact with the client on individual endpoints
The topics in this section describe how to perform key tasks when configuring Windows Defender Antivirus. Each
topic includes instructions for the applicable configuration tool (or tools).
You can also review the Reference topics for management and configuration tools topic for an overview of each
tool and links to further help.
In this section
Topic | Description
Utilize Microsoft cloud-provided Windows Defender Antivirus protection | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
Configure behavioral, heuristic, and real-time protection | Enable behavior-based, heuristic, and real-time antivirus protection
Configure end-user interaction with Windows Defender Antivirus | Configure how end-users interact with Windows Defender Antivirus, what notifications they see, and whether they can override settings
Use next-gen technologies in Windows Defender
Antivirus through cloud-delivered protection
4/5/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Microsoft next-gen technologies in Windows Defender Antivirus provide near-instant, automated protection
against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of
interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems
driven by advanced machine learning models.
To take advantage of the power and speed of these next-gen technologies, Windows Defender Antivirus works
seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced
Protection Service (MAPS), enhance standard real-time protection, providing arguably the best antivirus
defense.
NOTE
The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and
endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses
distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than
traditional Security intelligence updates.
With cloud-delivered protection, next-gen technologies provide rapid identification of new threats, sometimes
even before a single machine is infected. Watch the following video about Microsoft AI and Windows Defender
Antivirus in action:
https://www.microsoft.com/en-us/videoplayer/embed/RE1Yu4B
To understand how next-gen technologies shorten protection delivery time through the cloud, watch the
following video:
https://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc62c59
Read the following blog posts for detailed protection stories involving cloud-protection and Microsoft AI:
Why Windows Defender Antivirus is the most deployed in the enterprise
Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign
How artificial intelligence stopped an Emotet outbreak
Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses
Windows Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen
malware
TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working
and see how it works.
The following table describes the differences in cloud-delivered protection between recent versions of Windows
and System Center Configuration Manager.
(Table columns: Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center Configuration Manager 2012 | System Center Configuration Manager (Current Branch) | Microsoft Intune)
You can also configure Windows Defender AV to automatically receive new protection updates based on reports
from our cloud service.
In this section
Topic | Description
Enable cloud-delivered protection | You can enable cloud-delivered protection with System Center Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
Specify the cloud-delivered protection level | You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
Configure and validate network connections for Windows Defender Antivirus | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
Configure the block at first sight feature | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with System Center Configuration Manager and Group Policy.
Configure the cloud block timeout period | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy.
Enable cloud-delivered protection
4/5/2019 • 4 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
NOTE
The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and
endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses
distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than
traditional Security intelligence updates.
You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, System
Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows
Security app.
See Use Microsoft cloud-delivered protection for an overview of Windows Defender Antivirus cloud-delivered
protection.
There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-
delivered protection service. See Configure and validate network connections for more details.
NOTE
In Windows 10, there is no difference between the Basic and Advanced options described in this topic. This is a legacy
distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in
the type or amount of information that is shared. See the Microsoft Privacy Statement for more information on what we
collect.
WARNING
Setting to Always Prompt will lower the protection state of the device. Setting to Never send means the
Block at First Sight feature will not function.
8. Click OK to exit the Windows Defender Antivirus settings pane, click OK to exit the Device
restrictions pane, and then click Save to save the changes to your Device restrictions profile.
For more information about Intune device profiles, including how to create and configure their settings, see
What are Microsoft Intune device profiles?
Use Configuration Manager to enable cloud-delivered protection:
See How to create and deploy antimalware policies: Cloud-protection service for details on configuring System
Center Configuration Manager (current branch).
Use Group Policy to enable cloud-delivered protection:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus > MAPS
5. Double-click Join Microsoft MAPS and ensure the option is enabled and set to Basic MAPS or
Advanced MAPS. Click OK.
6. Double-click Send file samples when further analysis is required and ensure the option is set to
Enabled and the additional options are either of the following:
a. Send safe samples (1)
b. Send all samples (3)
NOTE
Send safe samples automatically option means that most samples will be sent automatically. Files that
are likely to contain personal information will still prompt and require additional confirmation.
WARNING
Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means
the Block at First Sight feature will not function.
7. Click OK.
Use PowerShell cmdlets to enable cloud-delivered protection:
Use the following cmdlets to enable cloud-delivered protection:
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent Always
NOTE
You can also set -SubmitSamplesConsent to None. Setting it to Never will lower the protection state of the device, and
setting it to 2 means the Block at First Sight feature will not function.
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to enable cloud-delivered protection:
Use the Set method of the MSFT_MpPreference class for the following properties:
MAPSReporting
SubmitSamplesConsent
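The following script is an added example, not code from the original documentation: it applies the two settings above once through the Set-MpPreference cmdlets and once through the Set method of the MSFT_MpPreference class, then reads the effective state back with Get-MpPreference. It assumes an elevated PowerShell session; the value-to-name tables are the ones this topic documents, and the namespace root\Microsoft\Windows\Defender is where MSFT_MpPreference lives.

```powershell
# Added example (not from the original documentation): enforce and verify the
# cloud-delivered protection settings via cmdlets and via WMI/CIM.
# Run in an elevated PowerShell session on Windows 10.

# Value tables as documented in this topic:
#   MAPSReporting        0 = Disabled, 1 = Basic MAPS, 2 = Advanced MAPS
#   SubmitSamplesConsent 0 = Always prompt, 1 = Send safe samples,
#                        2 = Never send,    3 = Send all samples
$MapsNames    = @{ 0 = 'Disabled'; 1 = 'Basic MAPS'; 2 = 'Advanced MAPS' }
$ConsentNames = @{ 0 = 'Always prompt'; 1 = 'Send safe samples'; 2 = 'Never send'; 3 = 'Send all samples' }

function Get-CloudProtectionState {
    # Read the effective preference and translate the numeric values to their names.
    $p = Get-MpPreference
    $maps    = [int]$p.MAPSReporting
    $consent = [int]$p.SubmitSamplesConsent
    [pscustomobject]@{
        MAPSReporting        = $MapsNames[$maps]
        SubmitSamplesConsent = $ConsentNames[$consent]
        # Block at First Sight needs MAPS on and samples sent automatically (1 or 3):
        # 0 lowers the protection state, 2 switches the feature off.
        BlockAtFirstSightOk  = ($maps -ge 1) -and ($consent -in 1, 3)
    }
}

# Route 1: the cmdlets shown in this topic. The numeric 1 is "Send safe samples";
# files that may hold personal information still prompt for confirmation.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent 1

# Route 2: the same change through the Set method of MSFT_MpPreference,
# passing the numeric values the class expects.
Invoke-CimMethod -Namespace 'root\Microsoft\Windows\Defender' -ClassName MSFT_MpPreference `
    -MethodName Set -Arguments @{ MAPSReporting = [byte]2; SubmitSamplesConsent = [byte]1 } | Out-Null

$state = Get-CloudProtectionState
$state | Format-List
if (-not $state.BlockAtFirstSightOk) {
    Write-Warning 'Block at First Sight is not functional with the current MAPS / sample submission settings.'
}
```

If the settings are also enforced by Group Policy, the Group Policy values win on the next refresh, so check the effective state again after gpupdate.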
NOTE
If the Configure local setting override for reporting Microsoft MAPS Group Policy setting is set to Disabled, then
the Cloud-based protection setting in Windows Settings will be greyed-out and unavailable. Changes made through a
Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Virus &
threat protection settings label:
3. Confirm that Cloud-based Protection and Automatic sample submission are switched to On.
NOTE
If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
Related topics
Configure the cloud block timeout period
Configure block at first sight
Use PowerShell cmdlets to manage Windows Defender Antivirus
Help secure Windows PCs with Endpoint Protection for Microsoft Intune
Defender cmdlets
Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus
How to create and deploy antimalware policies: Cloud-protection service
Windows Defender Antivirus in Windows 10
Specify the cloud-delivered protection level
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and
System Center Configuration Manager.
NOTE
The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and
endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses
distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional
Security intelligence updates.
WARNING
While unlikely, setting this switch to High might cause some legitimate files to be detected. The High +
setting might impact client performance. We recommend you set this to the default level (Not configured).
6. Click OK to exit the Windows Defender Antivirus settings pane, click OK to exit the Device restrictions
pane, and then click Save to save the changes to your Device restrictions profile.
For more information about Intune device profiles, including how to create and configure their settings, see What
are Microsoft Intune device profiles?
Use Configuration Manager to specify the level of cloud-delivered protection:
1. See How to create and deploy antimalware policies: Cloud-protection service for details on configuring System
Center Configuration Manager (current branch).
Use Group Policy to specify the level of cloud-delivered protection:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus > MpEngine.
5. Double-click the Select cloud protection level setting and set it to Enabled. Select the level of
protection:
a. Setting to Default Windows Defender Antivirus blocking level provides strong detection without
increasing the risk of detecting legitimate files.
b. Setting to High blocking level applies a strong level of detection.
c. High + blocking level applies additional protection measures.
d. Zero tolerance blocking level blocks all unknown executables.
WARNING
While unlikely, setting this switch to High might cause some legitimate files to be detected (although you will
have the option to unblock or dispute that detection). The High + setting might impact client performance.
We recommend you set this to the default level (Not configured).
6. Click OK.
Related topics
Windows Defender Antivirus in Windows 10
Enable cloud-delivered protection
How to create and deploy antimalware policies: Cloud-protection service
Configure and validate Windows Defender Antivirus network connections
4/5/2019 • 4 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your
network to allow connections between your endpoints and certain Microsoft servers.
This topic lists the connections that must be allowed, such as by using firewall rules, and provides instructions for
validating your connection. This will help ensure you receive the best protection from our cloud-delivered
protection services.
See the Enterprise Mobility and Security blog post Important changes to Microsoft Active Protection Services
endpoint for some details about network connectivity.
TIP
You can also visit the Windows Defender ATP demo website at demo.wd.microsoft.com to confirm the following features are
working:
Cloud-delivered protection
Fast learning (including block at first sight)
Potentially unwanted application blocking
NOTE
The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and
endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses
distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional
Security intelligence updates.
See Enable cloud-delivered protection for details on enabling the service with Intune, System Center
Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
After you've enabled the service, you may need to configure your network or firewall to allow connections
between it and your endpoints.
The following table lists the services and their associated URLs that your network must be able to connect to. You
should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may
need to create an allow rule specifically for them:
Service: Certificate Revocation List (CRL)
Description: Used by Windows when creating the SSL connection to MAPS for updating the CRL
URLs:
http://www.microsoft.com/pkiops/crl/
http://www.microsoft.com/pkiops/certs
http://crl.microsoft.com/pki/crl/products
http://www.microsoft.com/pki/certs

Service: Universal Telemetry Client
Description: Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality
monitoring purposes
URL: This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the
following DNS endpoints:
vortex-win.data.microsoft.com
settings-win.data.microsoft.com
MpCmdRun -ValidateMapsConnection
NOTE
You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click Run
as administrator and click Yes at the permissions prompt. This command will only work on Windows 10, version 1703 or
higher.
See Manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool for more information on
how to use the mpcmdrun.exe utility.
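As an added example (not part of the original topic), the script below first tests direct TCP reachability of the hosts listed in the table above and then runs the MpCmdRun -ValidateMapsConnection check and reports its exit code. It assumes an elevated PowerShell session on Windows 10, version 1703 or later, and the default MpCmdRun.exe location under the Windows Defender program folder.

```powershell
# Added example (not from the original documentation): reachability test for the
# documented endpoints plus the built-in MAPS connectivity validation.

# Hosts taken from the table in this topic. CRL endpoints are plain HTTP (TCP 80);
# the Universal Telemetry Client endpoints use SSL (TCP 443).
$Endpoints = @(
    @{ Service = 'CRL'; Host = 'www.microsoft.com';               Port = 80  }
    @{ Service = 'CRL'; Host = 'crl.microsoft.com';               Port = 80  }
    @{ Service = 'UTC'; Host = 'vortex-win.data.microsoft.com';   Port = 443 }
    @{ Service = 'UTC'; Host = 'settings-win.data.microsoft.com'; Port = 443 }
)

function Test-DefenderCloudEndpoints {
    # Direct TCP test. Test-NetConnection ignores proxy settings and .pac files, so in
    # a proxy-only network a failure here is expected and the proxy path has to be
    # verified separately, as this topic's note on .pac files points out.
    foreach ($e in $Endpoints) {
        $ok = Test-NetConnection -ComputerName $e.Host -Port $e.Port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Service = $e.Service; Host = $e.Host; Port = $e.Port; Reachable = $ok }
    }
}

function Invoke-MapsValidation {
    # MpCmdRun.exe ships in the Windows Defender program folder on Windows 10.
    $mpcmdrun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    if (-not (Test-Path $mpcmdrun)) { throw "MpCmdRun.exe not found at $mpcmdrun" }
    $output = & $mpcmdrun -ValidateMapsConnection 2>&1
    [pscustomobject]@{
        ExitCode = $LASTEXITCODE            # 0 means the MAPS connection validated
        Output   = ($output -join [Environment]::NewLine)
    }
}

Test-DefenderCloudEndpoints | Format-Table -AutoSize
$result = Invoke-MapsValidation
$result.Output
if ($result.ExitCode -ne 0) {
    Write-Warning "MpCmdRun -ValidateMapsConnection failed with exit code $($result.ExitCode); review firewall and proxy rules for the hosts above."
}
```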
Attempt to download a fake malware file from Microsoft:
You can download a sample file that Windows Defender Antivirus will detect and block if you are properly
connected to the cloud.
Download the file by visiting the following link:
http://aka.ms/ioavtest
NOTE
This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.
If you are properly connected, you will see a warning Windows Defender Antivirus notification:
If you are using Microsoft Edge, you'll also see a notification message:
You will also see a detection under Quarantined threats in the Scan history section in the Windows Security
app:
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Scan
history label:
3. Under the Quarantined threats section, click the See full history label to see the detected fake malware:
NOTE
Versions of Windows 10 before version 1703 have a different user interface. See Windows Defender Antivirus in the
Windows Security app for more information about the differences between versions, and instructions on how to perform
common tasks in the different interfaces.
The Windows event log will also show Windows Defender client event ID 2050.
IMPORTANT
You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify
your proxy servers and any network filtering tools manually to ensure connectivity.
Related topics
Windows Defender Antivirus in Windows 10
Enable cloud-delivered protection
Run a Windows Defender Antivirus scan from the command line and Command line arguments
Important changes to Microsoft Active Protection Services endpoint
Enable block at first sight
5/1/2019 • 5 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Block at first sight is a feature of next gen protection that provides a way to detect and block new malware within
seconds.
It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite
settings are also enabled by default, so the feature is running without any intervention.
You can specify how long the file should be prevented from running while the cloud-based protection service
analyzes the file.
You can also customize the message displayed on users' desktops when a file is blocked. You can change the
company name, contact information, and message URL.
TIP
You can also visit the Windows Defender ATP demo website at demo.wd.microsoft.com to confirm the features are working
and see how they work.
How it works
When Windows Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection
backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine
whether the files are malicious or clean.
In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS,
or macros) as well as executable files.
Block at first sight only uses the cloud protection backend for executable files and non-portable executable files
that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is
checked via the cloud backend to determine if this is a previously undetected file.
If the cloud backend is unable to make a determination, Windows Defender Antivirus locks the file and uploads a
copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file
to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
In many cases, this process can reduce the response time for new malware from hours to seconds.
For more information about configuring Windows Defender Antivirus device restrictions in Intune, see
Configure device restriction settings in Microsoft Intune.
For a list of Windows Defender Antivirus device restrictions in Intune, see Device restriction for Windows 10
(and newer) settings in Intune.
Enable block at first sight with SCCM
1. In System Center Configuration Manager, click Assets and Compliance > Endpoint Protection >
AntiMalware Policies.
2. Click Home > Create Antimalware Policy.
3. Enter a name and a description, and add these settings:
Real time protection
Advanced
Cloud Protection Service
4. In the left column, click Real time protection, set Enable real-time protection to Yes, and set Scan
system files to Scan incoming and outgoing files.
5. Click Advanced, set Enable real-time protection to Yes, and set Scan system files to Scan incoming
and outgoing files.
6. Click Cloud Protection Service, set Cloud Protection Service membership type to Advanced
membership, set Level for blocking malicious files to High, and set Allow extended cloud check to
block and scan suspicious files for up to (seconds) to 50 seconds.
7. Click OK to create the policy.
Confirm block at first sight is enabled with Group Policy
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > MAPS and configure
the following Group Policies:
a. Double-click Join Microsoft MAPS and ensure the option is set to Enabled. Click OK.
b. Double-click Send file samples when further analysis is required and ensure the option is set
to Enabled and the additional options are either of the following:
Send safe samples (1)
Send all samples (3)
WARNING
Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send)
means block at first sight will not function.
c. Click OK.
4. In the Group Policy Management Editor, expand the tree to Windows components > Windows
Defender Antivirus > Real-time Protection:
a. Double-click Scan all downloaded files and attachments and ensure the option is set to
Enabled. Click OK.
b. Double-click Turn off real-time protection and ensure the option is set to Disabled. Click OK.
If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to
ensure all endpoints are covered.
Confirm block at first sight is enabled with the Windows Security app
You can confirm that block at first sight is enabled in Windows Settings.
Block at first sight is automatically enabled as long as Cloud-based protection and Automatic sample
submission are both turned on.
Confirm Block at First Sight is enabled on individual clients
1. Open the Windows Security app by clicking the shield icon in the task bar.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then click Virus &
threat protection settings:
3. Confirm that Cloud-based Protection and Automatic sample submission are switched to On.
NOTE
If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be
greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be
deployed to individual endpoints before the setting will be updated in Windows Settings.
You may choose to disable block at first sight if you want to retain the pre-requisite settings without using block
at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the
feature's impact on your network.
Disable block at first sight with Group Policy
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree through Windows components > Windows Defender Antivirus > MAPS.
4. Double-click Configure the 'Block at First Sight' feature and set the option to Disabled.
NOTE
Disabling block at first sight will not disable or alter the pre-requisite group policies.
Related topics
Windows Defender Antivirus in Windows 10
Enable cloud-delivered protection
Configure the cloud block timeout period
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
When Windows Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the
Windows Defender Antivirus cloud service.
The default period that the file will be blocked is 10 seconds. You can specify an additional period of time to wait
before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from
the Windows Defender Antivirus cloud service.
Related topics
Windows Defender Antivirus in Windows 10
Use next-gen antivirus technologies through cloud-delivered protection
Configure block at first sight
Enable cloud-delivered protection
Configure behavioral, heuristic, and real-time protection
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus uses several methods to provide threat protection:
Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time
protection")
Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-
depth threat resistance research
You can configure how Windows Defender Antivirus uses these methods with Group Policy, System Center
Configuration Manager, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed
unsafe, but may not be detected as malware.
See Use next-gen Windows Defender Antivirus technologies through cloud-delivered protection for how to
enable and configure Windows Defender Antivirus cloud-delivered protection.
In this section
Topic: Detect and block potentially unwanted applications
Description: Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and
toolbars, and rogue or fake antivirus apps

Topic: Enable and configure Windows Defender Antivirus protection capabilities
Description: Enable and configure real-time protection, heuristics, and other always-on Windows Defender Antivirus
monitoring features
Detect and block potentially unwanted applications
4/26/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and
block PUAs on endpoints in your network.
These applications are not considered viruses, malware, or other types of threats, but might perform actions on
endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to
have poor reputation.
Typical PUA behavior includes:
Various types of software bundling
Ad injection into web browsers
Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint
and make no changes or optimizations (also known as "rogue antivirus" programs)
These applications can increase the risk of your network being infected with malware, cause malware infections to
be harder to identify, and can waste IT resources in cleaning up the applications.
TIP
You can also visit the Windows Defender ATP demo website at demo.wd.microsoft.com to confirm the feature is working and
see how it works.
How it works
Windows Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them.
Blocked PUA files are then moved to quarantine.
When a PUA is detected on an endpoint, Windows Defender Antivirus presents a notification to the user (unless
notifications have been disabled) in the same format as normal threat detections (prefaced with "PUA:").
They will also appear in the usual quarantine list in the Windows Security app.
NOTE
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
Set-MpPreference -PUAProtection
Setting the value for this cmdlet to Enabled will turn the feature on if it has been disabled.
Setting AuditMode will detect PUAs but will not block them.
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
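The script below is an added example, not code from the original topic: it rolls PUA protection out in AuditMode, then collects the PUA detections from the Windows Defender operational log in Event Viewer so the impact can be judged before switching to Enabled. It assumes an elevated PowerShell session; the log name and the "PUA:" prefix are as documented, and the seven-day lookback window is a constructed choice.

```powershell
# Added example (not from the original documentation): audit-first PUA rollout.

function Set-PuaProtectionMode {
    param([ValidateSet('Disabled', 'Enabled', 'AuditMode')][string]$Mode)
    # Set-MpPreference -PUAProtection accepts Disabled, Enabled and AuditMode;
    # AuditMode detects and logs PUAs without blocking them.
    Set-MpPreference -PUAProtection $Mode
    # Get-MpPreference reports the numeric value: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
    [int](Get-MpPreference).PUAProtection
}

function Get-PuaDetections {
    param([int]$Days = 7)
    # PUA events are written to the Windows Defender operational log (Event Viewer),
    # not to Configuration Manager. Detection names are prefaced with "PUA:".
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'PUA:' } |
        ForEach-Object {
            # The threat name and file path are taken from the rendered message text;
            # the "Path:" line is assumed to follow the usual Defender detection layout.
            $name = if ($_.Message -match '(PUA:[^\r\n]+)') { $matches[1].Trim() } else { '' }
            $path = if ($_.Message -match 'Path:\s*([^\r\n]+)') { $matches[1].Trim() } else { '' }
            [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Threat = $name; Path = $path }
        }
}

$mode = Set-PuaProtectionMode -Mode AuditMode   # returns 2 while auditing
"PUAProtection is now $mode (2 = AuditMode)"
Get-PuaDetections -Days 7 | Sort-Object Time -Descending | Format-Table -AutoSize

# Once the audited detections look acceptable, enforce blocking:
# Set-PuaProtectionMode -Mode Enabled
```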
Related topics
Next gen protection
Configure behavioral, heuristic, and real-time protection
Enable and configure antivirus always-on protection and monitoring
4/5/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify
malware based on known suspicious and malicious activities.
These activities include events such as processes making unusual changes to existing files, modifying or
creating automatic startup registry keys and startup locations (also known as auto-start extensibility points,
or ASEPs), and other changes to the file system or file structure.
Location: Real-time protection
Setting: Monitor file and program activity on your computer
Description: The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves,
copies, or modifications) and general program activity (programs that are opened or running and that cause other
programs to run)
Default setting (if not configured): Enabled

Location: Real-time protection
Setting: Scan all downloaded files and attachments
Description: Downloaded files and attachments are automatically scanned. This operates in addition to the
SmartScreen filter, which scans files before and during downloading
Default setting (if not configured): Enabled

Location: Real-time protection
Setting: Turn on raw volume write notifications
Description: Information about raw volume writes will be analyzed by behavior monitoring
Default setting (if not configured): Enabled

Location: Real-time protection
Setting: Define the maximum size of downloaded files and attachments to be scanned
Description: You can define the size in kilobytes
Default setting (if not configured): Enabled

Location: Real-time protection
Setting: Configure monitoring for incoming and outgoing file and program activity
Description: Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is
relevant for Windows Server installations where you have defined specific servers or Server Roles that see large
amounts of file changes in only one direction and you want to improve network performance. Note that fully updated
endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of
file changes.
Default setting (if not configured): Enabled (both directions)

Location: Root
Setting: Allow antimalware service to startup with normal priority
Description: You can lower the priority of the Windows Defender Antivirus engine, which may be useful in
lightweight deployments where you want to have as lean a startup process as possible. This may impact protection
on the endpoint.
Default setting (if not configured): Enabled
The main real-time protection capability is enabled by default, but you can disable it with Group Policy:
Use Group Policy to disable real-time protection:
1. On your Group Policy management computer, open the Group Policy Management Console, right-
click the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click
Administrative templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Real-time
protection.
4. Double-click the Turn off real-time protection setting and set the option to Enabled. Click OK.
Related topics
Configure behavioral, heuristic, and real-time protection
Windows Defender Antivirus in Windows 10
Windows Defender Antivirus on Windows Server 2016
4/5/2019 • 5 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint
Protection - however, the protection engine is the same.
While the functionality, configuration, and management is largely the same for Windows Defender AV either on
Windows 10 or Windows Server 2016, there are a few key differences:
In Windows Server 2016, automatic exclusions are applied based on your defined Server Role.
In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus
product.
This topic includes the following instructions for setting up and running Windows Defender AV on a server
platform:
Enable the interface
Verify Windows Defender AV is running
Update antimalware Security intelligence
Submit Samples
Configure automatic exclusions
NOTE
You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
If the interface is not installed, you can add it in the Add Roles and Features Wizard at the Features step, under
Windows Defender Features by selecting the GUI for Windows Defender option.
See the Install or uninstall roles, role services, or features topic for information on using the wizard.
The following PowerShell cmdlet will also enable the interface:
To hide the interface, use the Remove Roles and Features Wizard and deselect the GUI for Windows
Defender option at the Features step, or use the following PowerShell cmdlet:
IMPORTANT
Windows Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you
disable the core Windows Defender feature.
The following PowerShell cmdlet will also uninstall Windows Defender AV on Windows Server 2016:
To install Windows Defender AV again, use the Add Roles and Features Wizard and ensure the Windows
Defender feature is selected. You can also enable the interface by selecting the GUI for Windows Defender
option.
You can also use the following PowerShell cmdlet to install Windows Defender AV:
TIP
Event messages for the antimalware engine included with Windows Defender AV can be found in Windows Defender AV
Events.
sc query Windefend
The sc query command returns information about the Windows Defender service. If Windows Defender is
running, the STATE value displays RUNNING.

Service: Windows Defender Service (Windefend)
Process: C:\Program Files\Windows Defender\MsMpEng.exe
Description: This is the main Windows Defender Antivirus service that needs to be running at all times.

Service: Windows Error Reporting Service (Wersvc)
Process: C:\WINDOWS\System32\svchost.exe -k WerSvcGroup
Description: This service sends error reports back to Microsoft.
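As an added example (not code from the original topic), the script below performs the service check above from PowerShell for both services, reports the install state of the Windows Defender features on Windows Server 2016, and wraps the interface toggle. It assumes an elevated session on the server itself; Windows-Defender-Features, Windows-Defender and Windows-Defender-GUI are the ServerManager feature names used by the Add Roles and Features Wizard.

```powershell
# Added example (not from the original documentation): verify Windows Defender AV
# on Windows Server 2016 and manage the optional GUI feature.

function Get-DefenderServiceState {
    # Equivalent of 'sc query Windefend', extended to the error-reporting service,
    # with the executable path pulled from the service definition.
    foreach ($name in 'WinDefend', 'WerSvc') {
        $svc  = Get-Service -Name $name -ErrorAction SilentlyContinue
        $path = if ($svc) { (Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'").PathName } else { $null }
        [pscustomobject]@{
            Service = $name
            Status  = if ($svc) { $svc.Status.ToString() } else { 'Not installed' }
            Path    = $path
        }
    }
}

function Get-DefenderFeatureState {
    # Requires the ServerManager module, present on Windows Server.
    Import-Module ServerManager -ErrorAction Stop
    Get-WindowsFeature -Name 'Windows-Defender-Features', 'Windows-Defender', 'Windows-Defender-GUI' |
        Select-Object Name, DisplayName, InstallState
}

function Set-DefenderGui {
    # Install or remove the GUI for Windows Defender feature. The core Windows-Defender
    # feature must stay installed for the interface to be enabled.
    param([Parameter(Mandatory)][ValidateSet('Install', 'Remove')][string]$Action)
    Import-Module ServerManager -ErrorAction Stop
    if ($Action -eq 'Install') { Install-WindowsFeature   -Name 'Windows-Defender-GUI' }
    else                       { Uninstall-WindowsFeature -Name 'Windows-Defender-GUI' }
}

$services = Get-DefenderServiceState
$services | Format-Table -AutoSize
Get-DefenderFeatureState | Format-Table -AutoSize

$engine = $services | Where-Object { $_.Service -eq 'WinDefend' }
if ($engine.Status -ne 'Running') {
    Write-Warning 'WinDefend (MsMpEng.exe) is not running; Windows Defender AV is not protecting this server.'
}
```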
Submit Samples
Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide
continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and
produce updated antimalware Security intelligence.
We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal
data, like Microsoft Word documents and PDF files.
Enable automatic sample submission
To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set
the SubmitSamplesConsent value data according to one of the following settings:
0 Always prompt. The Windows Defender service prompts you to confirm submission of all required
files. This is the default setting for Windows Defender, but is not recommended for Windows Server
2016 installations without a GUI.
1 Send safe samples automatically. The Windows Defender service sends all files marked as "safe"
and prompts for the remainder of the files.
2 Never send. The Windows Defender service does not prompt and does not send any files.
3 Send all samples automatically. The Windows Defender service sends all files without a prompt for
confirmation.
Related topics
Windows Defender Antivirus in Windows 10
Configure exclusions in Windows Defender AV on Windows Server
Windows Defender Antivirus compatibility
4/5/2019 • 4 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are
running Windows 10.
However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app,
Windows Defender Antivirus will automatically disable itself. You can then choose to enable an optional,
limited protection feature, called limited periodic scanning.
If you are also using Windows Defender Advanced Threat Protection, then Windows Defender AV will enter
a passive mode.
The following matrix illustrates the states that Windows Defender AV will enter when third-party antivirus
products or Windows Defender ATP are also used.
(1) On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have
also installed a third-party antivirus product. If you install a third-party antivirus product, you should
uninstall Windows Defender AV on Windows Server 2016 to prevent problems caused by having multiple
antivirus products installed on a machine.
See the Windows Defender Antivirus on Windows Server 2016 topic for key differences and management
options for Windows Server installations.
IMPORTANT
Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016.
In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as System Center
Endpoint Protection, which is managed through System Center Configuration Manager.
Windows Defender is also offered for consumer devices on Windows 8.1 and Windows Server 2012, although it does
not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
This table indicates the functionality and features that are available in each state:
Columns: State | Description | Real-time protection and cloud-delivered protection | Limited periodic scanning
availability | File scanning and detection information | Threat remediation | Security intelligence updates

State: Automatic disabled mode
Description: Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will
not be remediated.
If you are enrolled in Windows Defender ATP and you are using a third-party antimalware product, then
passive mode is enabled because the service requires common information sharing from the Windows
Defender AV service in order to properly monitor your devices and network for intrusion attempts and
attacks.
Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product
expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows
Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It
also allows you to enable limited periodic scanning, which uses the Windows Defender AV engine to
periodically check for threats in addition to your main antivirus app.
In passive and automatic disabled mode, you can still manage updates for Windows Defender AV, however
you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date
third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your
endpoints, Windows Defender AV will automatically return to its normal active mode.
WARNING
You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV,
Windows Defender ATP, or the Windows Security app.
This includes the wscsvc, SecurityHealthService, MsSense, Sense, WinDefend, or MsMpEng services and process.
Manually modifying these services can cause severe instability on your endpoints and open your network to infections
and attacks.
It can also cause problems when using third-party antivirus apps and how their information is displayed in the
Windows Security app.
Related topics
Windows Defender Antivirus in Windows 10
Windows Defender Antivirus on Windows Server 2016
Use limited periodic scanning in Windows Defender Antivirus
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have
installed another antivirus product on a Windows 10 device.
It can only be enabled in certain situations. See Windows Defender Antivirus compatibility for more information
on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV
products.
Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily
intended for consumers. This feature only uses a very limited subset of the Windows Defender Antivirus
capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software.
Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their
primary antivirus solution and use it exclusively.
Sliding the switch to On will show the standard Windows Defender AV options underneath the third-party AV
product. The limited periodic scanning option will appear at the bottom of the page.
Related topics
Configure behavioral, heuristic, and real-time protection
Windows Defender Antivirus in Windows 10
Deploy, manage, and report on Windows Defender Antivirus
4/8/2019 • 4 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can deploy, manage, and report on Windows Defender Antivirus in a number of ways.
Because the Windows Defender Antivirus client is installed as a core part of Windows 10, traditional
deployment of a client to your endpoints does not apply.
However, in most cases you will still need to enable the protection service on your endpoints with Microsoft
Intune, System Center Configuration Manager, Azure Security Center, or Group Policy Objects, which is
described in the following table.
You'll also see additional links for:
Managing Windows Defender Antivirus protection, including managing product and protection updates
Reporting on Windows Defender Antivirus protection
IMPORTANT
In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product that is running
and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will
function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Windows
Defender Antivirus.
TOOL | DEPLOYMENT OPTIONS (2) | MANAGEMENT OPTIONS (NETWORK-WIDE CONFIGURATION AND POLICY OR BASELINE DEPLOYMENT) (3) | REPORTING OPTIONS
Microsoft Intune
  Deployment: Add endpoint protection settings in Intune
  Management: Configure device restriction settings in Intune
  Reporting: Use the Intune console to manage devices
System Center Configuration Manager (1)
  Deployment: Use the Endpoint Protection point site system role and enable Endpoint Protection with custom client settings
  Management: With default and customized antimalware policies and client management
  Reporting: With the default Configuration Manager Monitoring workspace and email alerts
Group Policy and Active Directory (domain-joined)
  Deployment: Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.
  Management: Use Group Policy Objects (GPOs) to Configure update options for Windows Defender Antivirus and Configure Windows Defender features
  Reporting: Endpoint reporting is not available with Group Policy. You can generate a list of Group Policies to determine if any settings or policies are not applied
PowerShell
  Deployment: Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.
  Management: Use the Set-MpPreference and Update-MpSignature cmdlets available in the Defender module
  Reporting: Use the appropriate Get- cmdlets available in the Defender module
Windows Management Instrumentation
  Deployment: Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.
  Management: Use the Set method of the MSFT_MpPreference class and the Update method of the MSFT_MpSignature class
  Reporting: Use the MSFT_MpComputerStatus class and the get method of associated classes in the Windows Defender WMIv2 Provider
1. The availability of some functions and features, especially related to cloud-delivered protection, differs
between System Center Configuration Manager (Current Branch) and System Center Configuration
Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System
Center Configuration Manager (Current Branch). See Use Microsoft cloud-provided protection in
Windows Defender Antivirus for a table that describes the major differences. (Return to table)
2. In Windows 10, Windows Defender Antivirus is a component available without installation or
deployment of an additional client or service. It will automatically be enabled when third-party antivirus
products are either uninstalled or out of date (except on Windows Server 2016). Traditional deployment
therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus
component is available and enabled on endpoints or servers. (Return to table)
3. Configuration of features and protection, including configuring product and protection updates, is
further described in the Configure Windows Defender Antivirus features section in this library. (Return
to table)
In this section
TOPIC / DESCRIPTION
Deploy and enable Windows Defender Antivirus protection: While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects.
Manage Windows Defender Antivirus updates and apply baselines: There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.
Monitor and report on Windows Defender Antivirus protection: You can use Microsoft Intune, System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection.
Deploy and enable Windows Defender Antivirus
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Depending on the management tool you are using, you may need to specifically enable or configure Windows
Defender Antivirus protection.
See the table in Deploy, manage, and report on Windows Defender Antivirus for instructions on how to enable
protection with Microsoft Intune, System Center Configuration Manager, Group Policy, Active Directory, Microsoft
Azure, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender
Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
The remaining topic in this section provides end-to-end advice and best practices for setting up Windows
Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS ) environment.
Related topics
Windows Defender Antivirus in Windows 10
Deploy, manage updates, and report on Windows Defender Antivirus
Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
4/5/2019 • 13 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in
a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and
performance impact on your hardware.
NOTE
We've recently introduced a new feature that helps reduce the network and CPU overhead on VMs when obtaining security
intelligence updates. If you'd like to test this feature before it's released generally, download the PDF guide for VDI
performance improvement testing.
We recommend setting the following when deploying Windows Defender Antivirus in a VDI environment:
For more details on the best configuration options to ensure a good balance between performance and protection,
including detailed instructions for System Center Configuration Manager and Group Policy, see the Configure
endpoints for optimal performance section.
See the Microsoft Desktop virtualization site for more details on Microsoft Remote Desktop Services and VDI
support.
For Azure-based virtual machines, you can also review the Install Endpoint Protection in Azure Security Center
topic.
There are three main steps in this guide to help roll out Windows Defender Antivirus protection across your VDI:
1. Create and deploy the base image (for example, as a virtual hard disk (VHD)) that your virtual machines
(VMs) will use
2. Manage the base image and updates for your VMs
3. Configure the VMs for optimal protection and performance, including:
Randomize scheduled scans
Use quick scans
Prevent notifications
Disable scans from occurring after every update
Scan out-of-date machines or machines that have been offline for a while
IMPORTANT
While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be
running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in
earlier versions of Windows.
NOTE
When you manage Windows with System Center Configuration Manager, Windows Defender Antivirus protection will be
referred to as Endpoint Protection or System Center Endpoint Protection. See the Endpoint Protection section at the
Configuration Manager library for more information.
NOTE
Quick scan versus full scan
Quick scan looks at all the locations where there could be malware registered to start with the
system, such as registry keys and known Windows startup folders. Combined with our always-on real-time protection
capability - which reviews files when they are opened and closed, and whenever a user navigates to a folder - quick scan
helps provide strong coverage both for malware that starts with the system and kernel-level malware.
Therefore, when considering performance - especially for creating a new or updated image in preparation for deployment -
it makes sense to use a quick scan only. A full scan, however, can be useful on a VM that has encountered a malware threat
to identify if there are any inactive components lying around and help perform a thorough clean-up.
IMPORTANT
Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates.
Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying
the base image.
Additional resources
Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manager 2012
manages VDI and integrates with App-V
TechNet forums on Remote Desktop Services and VDI
SignatureDownloadCustomTask PowerShell script
Report on Windows Defender Antivirus
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
There are a number of ways you can review protection status and alerts, depending on the management tool you
are using for Windows Defender Antivirus.
You can use System Center Configuration Manager to monitor Windows Defender Antivirus or create email alerts,
or you can also monitor protection using Microsoft Intune.
Microsoft Operations Management Suite has an Update Compliance add-in that reports on key Windows
Defender Antivirus issues, including protection updates and real-time protection settings.
If you have a third-party security information and event management (SIEM) tool, you can also consume
Windows Defender client events.
Windows events comprise several security event sources, including Security Account Manager (SAM) events
(enhanced for Windows 10; also see the Security auditing topic) and Windows Defender events.
These events can be centrally aggregated using the Windows event collector. It is common practice for SIEMs to
have connectors for Windows events. This technique allows for correlation of all security events from the machine
in the SIEM.
You can also monitor malware events using the Malware Assessment solution in Log Analytics.
For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the Deployment,
management, and reporting options table.
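As an added example that is not part of the Microsoft documentation, the following PowerShell reads the Windows Defender Antivirus Operational log (the client events a SIEM connector or the Windows event collector would consume) and turns them into flat records plus a protection roll-up. The log name and event IDs are the standard Windows Defender Antivirus ones; the output path and the 7-day window are constructed choices.

```powershell
# Added example (not from the Microsoft documentation): pull Windows Defender
# Antivirus events from the local Operational log and flatten them into records
# that a SIEM file input or the Windows event collector pipeline can forward.
# Needs an account that can read the Operational log.

# Event IDs a protection-status report should surface. Meanings follow the
# Windows Defender Antivirus event reference; anything else is passed through
# as 'Other'.
$DefenderEventMap = @{
    1000 = 'Scan started'
    1001 = 'Scan finished'
    1116 = 'Malware or PUA detected'
    1117 = 'Action taken on detected item'
    2000 = 'Security intelligence updated'
    2001 = 'Security intelligence update failed'
    5001 = 'Real-time protection disabled'
    5007 = 'Configuration changed'
    5010 = 'Scanning for malware disabled'
    5012 = 'Scanning for viruses disabled'
}

function Get-DefenderEventRecord {
    # Reads Windows Defender AV events since $Since and returns one flat object
    # per event, with an ISO 8601 timestamp so the SIEM can parse it unambiguously.
    [CmdletBinding()]
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [int[]]$EventId = ([int[]]$DefenderEventMap.Keys)
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $EventId
        StartTime = $Since
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated.ToString('o')
                Computer    = $_.MachineName
                EventId     = $_.Id
                Category    = if ($DefenderEventMap.ContainsKey($_.Id)) { $DefenderEventMap[$_.Id] } else { 'Other' }
                Level       = $_.LevelDisplayName
                Message     = ($_.Message -split "`r?`n")[0]   # first line is the summary
            }
        }
}

function Get-DefenderProtectionSummary {
    # Rolls the records up into the questions a protection report has to answer:
    # were threats found, did updates fail, and was protection switched off.
    param([object[]]$Records)
    $byId = @{}
    foreach ($r in $Records) { $byId[$r.EventId] = 1 + [int]$byId[$r.EventId] }
    [pscustomobject]@{
        Detections          = [int]$byId[1116]
        ActionsTaken        = [int]$byId[1117]
        UpdateFailures      = [int]$byId[2001]
        ProtectionOffEvents = [int]($byId[5001] + $byId[5010] + $byId[5012])
        ConfigChanges       = [int]$byId[5007]
        Total               = $Records.Count
    }
}

# Usage: last 7 days as JSON lines (one object per line) for a SIEM file input,
# plus a roll-up for a quick look. The output path is a constructed choice.
$records = @(Get-DefenderEventRecord -Since (Get-Date).AddDays(-7))
$records | ForEach-Object { $_ | ConvertTo-Json -Compress } |
    Set-Content -Path "$env:TEMP\defender-events.jsonl" -Encoding UTF8
Get-DefenderProtectionSummary -Records $records | Format-List
```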
Related topics
Windows Defender Antivirus in Windows 10
Deploy Windows Defender Antivirus
Troubleshoot Windows Defender Antivirus reporting in Update Compliance
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
When you use Windows Analytics Update Compliance to obtain reporting into the protection status of machines or
endpoints in your network that are using Windows Defender Antivirus, you may encounter problems or issues.
Typically, the most common indicators of a problem are:
You only see a small number or subset of all the devices you were expecting to see
You do not see any devices at all
The reports and information you do see are outdated (older than a few days)
For common error codes and event IDs related to the Windows Defender Antivirus service that are not related to
Update Compliance, see Windows Defender Antivirus events.
There are three steps to troubleshooting these problems:
1. Confirm that you have met all pre-requisites
2. Check your connectivity to the Windows Defender cloud-based service
3. Submit support logs
IMPORTANT
It typically takes 3 days for devices to start appearing in Update Compliance.
Confirm pre-requisites
In order for devices to properly show up in Update Compliance, you have to meet certain pre-requisites for both
the Update Compliance service and for Windows Defender Antivirus:
Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. Using any other antivirus
app will cause Windows Defender AV to disable itself and the endpoint will not be reported in Update
Compliance.
Cloud-delivered protection is enabled.
Endpoints can connect to the Windows Defender AV cloud
If the endpoint is running Windows 10 version 1607 or earlier, Windows 10 diagnostic data must be set to the
Enhanced level.
It has been 3 days since all requirements have been met
If the above pre-requisites have all been met, you may need to proceed to the next step to collect diagnostic
information and send it to us.
Collect diagnostic data for Update Compliance troubleshooting
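As an added example that is not from the documentation, this PowerShell checks the prerequisites above on the local endpoint and reports which are unmet, without changing any setting. It assumes the Defender module cmdlets are available, that MpCmdRun.exe -ValidateMapsConnection exits with 0 on success, and that AntivirusEnabled and RealTimeProtectionEnabled both being true identifies an endpoint where Defender AV is the sole active product; the registry paths for the build number and the AllowTelemetry policy are the standard Windows ones.

```powershell
# Added example (not from the Microsoft documentation): read-only check of the
# Update Compliance prerequisites listed above, on the local endpoint.

function Test-UpdateCompliancePrerequisite {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $checks = New-Object System.Collections.Generic.List[object]

    function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
    }

    # 1. Defender AV is the sole, active antivirus. Assumption: when a third-party
    #    product has pushed Defender AV into passive or automatic disabled mode,
    #    at least one of these two flags is false.
    Add-Check 'Defender AV is the active antivirus' `
        ($status.AntivirusEnabled -and $status.RealTimeProtectionEnabled) `
        "AntivirusEnabled=$($status.AntivirusEnabled) RealTimeProtectionEnabled=$($status.RealTimeProtectionEnabled)"

    # 2. Cloud-delivered protection (MAPS). MAPSReporting: 0 = off, 1 = basic, 2 = advanced.
    Add-Check 'Cloud-delivered protection enabled' ($pref.MAPSReporting -ne 0) "MAPSReporting=$($pref.MAPSReporting)"

    # 3. Endpoint can reach the Windows Defender AV cloud. MpCmdRun.exe
    #    -ValidateMapsConnection performs a live round trip; assumption: exit code 0 = success.
    $mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    $cloudOk = $false
    $cloudDetail = 'MpCmdRun.exe not found'
    if (Test-Path $mpcmd) {
        $out = & $mpcmd -ValidateMapsConnection 2>&1
        $cloudOk = ($LASTEXITCODE -eq 0)
        $cloudDetail = [string]($out | Select-Object -Last 1)
    }
    Add-Check 'Can reach Defender AV cloud' $cloudOk $cloudDetail

    # 4. On 1607 (build 14393) or earlier, diagnostic data must be Enhanced or above.
    #    AllowTelemetry policy: 0 Security, 1 Basic, 2 Enhanced, 3 Full; absent = not set by policy.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    if ($build -le 14393) {
        $tel = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' `
                    -ErrorAction SilentlyContinue).AllowTelemetry
        Add-Check 'Diagnostic data at least Enhanced (1607 or earlier)' ($null -ne $tel -and $tel -ge 2) "AllowTelemetry=$tel"
    }

    return $checks
}

# Usage: print the table; any failed row explains why the device is missing
# from Update Compliance. The 3-day delay after all prerequisites are met
# cannot be checked locally and still applies.
$results = Test-UpdateCompliancePrerequisite
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more prerequisites are not met; the device will not appear in Update Compliance.'
}
```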
Related topics
Windows Defender Antivirus in Windows 10
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
There are two types of updates related to keeping Windows Defender Antivirus up to date:
1. Protection updates
2. Product updates
You can also apply Windows security baselines to quickly bring your endpoints up to a uniform level of
protection.
Protection updates
Windows Defender Antivirus uses both cloud-delivered protection (also called the Microsoft Advanced
Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These
protection updates are also known as Security intelligence updates.
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while
the protection updates generally occur once a day (although this can be configured). See the Utilize Microsoft
cloud-provided protection in Windows Defender Antivirus topic for more details about enabling and
configuring cloud-provided protection.
Product updates
Windows Defender Antivirus requires monthly updates (known as "engine updates" and "platform updates"),
and will receive major feature updates alongside Windows 10 releases.
You can manage the distribution of updates through Windows Server Update Service (WSUS), with System
Center Configuration Manager, or in the normal manner that you deploy Microsoft and Windows updates to
endpoints in your network.
In this section
TOPIC / DESCRIPTION
Manage how protection updates are downloaded and applied: Protection updates can be delivered through a number of sources.
Manage when protection updates should be downloaded and applied: You can schedule when protection updates should be downloaded.
Manage updates for endpoints that are out of date: If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on.
Manage event-based forced updates: You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events.
Manage updates for mobile devices and virtual machines (VMs): You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
Manage the sources for Windows Defender Antivirus protection updates
4/5/2019 • 5 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
There are two components to managing protection updates - where the updates are downloaded from, and
when updates are downloaded and applied.
This topic describes where you can specify the updates should be downloaded from, also known as the fallback
order.
See Manage Windows Defender Antivirus updates and apply baselines topic for an overview on how updates
work, and how to configure other aspects of updates (such as scheduling updates).
There are five locations where you can specify where an endpoint should obtain updates. Typically, you would
configure endpoints to individually download the updates from a primary source, followed by the other sources
in order of priority based on your network configuration.
Updates will be obtained from the sources in the order you specify. If a source is not available, the next source in
the list will be used.
You can use the following sources:
Microsoft Update
Windows Server Update Service (WSUS)
System Center Configuration Manager
A network file share
The Microsoft Malware Protection Center Security intelligence page (MMPC)
When updates are published, some logic will be applied to minimize the size of the update. In most cases, only
the "delta" (or the differences between the latest update and the update that is currently installed on the
endpoint) will be downloaded and applied. However, the size of the delta depends on:
How old the current update on the endpoint is
Which source you use
The older the updates on an endpoint, the larger the download. However, you must also consider frequency
versus size - a more frequent update schedule may result in more ad hoc network usage, while a less-frequent
schedule may result in larger file sizes.
Microsoft Update allows for rapid releases, which means it will download small deltas on a frequent basis. This
ensures the best protection, but may increase network bandwidth.
The WSUS, Configuration Manager, and MMPC sources will deliver less frequent updates. The size of the
updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences
between the latest version and what is on the endpoint will be larger). This ensures consistent protection without
increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will
be fewer, but may be slightly larger).
IMPORTANT
If you have set MMPC as a fallback source after WSUS or Microsoft Update, updates will only be downloaded from MMPC
when the current update is considered to be out-of-date (by default, this is 2 consecutive days of not being able to apply
updates from the WSUS or Microsoft Update services). You can, however, set the number of days before protection is
reported as out-of-date.
Each source has typical scenarios that depend on how your network is configured, in addition to how often they
publish updates, as described in the following table:
WSUS: You are using WSUS to manage updates for your network.
You can manage the order in which update sources are used with Group Policy, System Center Configuration
Manager, PowerShell cmdlets, and WMI.
IMPORTANT
If you set WSUS as a download location, you must approve the updates - regardless of what management tool you use to
specify the location. You can set up an automatic approval rule with WSUS, which may be useful as updates arrive at least
once a day. See To synchronize endpoint protection updates in standalone WSUS for more details.
The procedures in this article first describe how to set the order, and then how to set up the File share option if
you have enabled it.
Use Group Policy to manage the update location:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender > Signature updates and configure
the following settings:
a. Double-click the Define the order of sources for downloading definition updates setting and
set the option to Enabled.
b. Enter the order of sources, separated by a single pipe, for example:
InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC, as shown in the following screenshot.
c. Click OK. This will set the order of protection update sources.
d. Double-click the Define file shares for downloading definition updates setting and set the
option to Enabled.
e. Enter the file share source. If you have multiple sources, enter each source in the order they should
be used, separated by a single pipe. Use standard UNC notation for denoting the path, for example:
\\host-name1\share-name\object-name|\\host-name2\share-name\object-name. If you do not enter any
paths then this source will be skipped when the VM downloads updates.
f. Click OK. This will set the order of file shares when that source is referenced in the Define the
order of sources... group policy setting.
Use Configuration Manager to manage the update location:
See Configure Security intelligence Updates for Endpoint Protection for details on configuring System Center
Configuration Manager (current branch).
Use PowerShell cmdlets to manage the update location:
Use the following PowerShell cmdlets to set the update order.
Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION}
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources {\\UNC SHARE PATH|\\UNC SHARE PATH}
Use Windows Management Instrumentation (WMI) to manage the update location:
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources
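As an added example (not the documentation's own code), this PowerShell wraps the two cmdlets above: it validates the source tokens and UNC paths before applying the order, then reads the stored preference back. The share path is a constructed placeholder, and the Update-MpSignature -UpdateSource call at the end is optional.

```powershell
# Added example (not from the Microsoft documentation): set the protection
# update fallback order and the file share sources with input validation.

# Tokens accepted by -SignatureFallbackOrder (same names as in the Group Policy setting).
$ValidSources = 'InternalDefinitionUpdateServer', 'MicrosoftUpdateServer', 'MMPC', 'FileShares'

function Set-DefenderUpdateSources {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Order,
        [string[]]$FileShare = @()
    )
    # Reject unknown tokens before touching the preference; a typo would
    # otherwise just mean that source is never consulted.
    $bad = @($Order | Where-Object { $_ -notin $ValidSources })
    if ($bad.Count -gt 0) { throw "Unknown update source(s): $($bad -join ', ')" }

    # A FileShares entry with no path is silently skipped by the client, so
    # treat that combination as a configuration error.
    if (('FileShares' -in $Order) -and ($FileShare.Count -eq 0)) {
        throw 'FileShares is in the order but no UNC path was given; that source would be skipped.'
    }
    foreach ($share in $FileShare) {
        if ($share -notmatch '^\\\\[^\\]+\\[^\\]+') { throw "Not a UNC path: $share" }
        # Warn only: the share may be reachable from the endpoints but not from
        # the admin workstation running this script.
        if (-not (Test-Path $share)) { Write-Warning "Share not reachable from here: $share" }
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set fallback order $($Order -join '|')")) {
        Set-MpPreference -SignatureFallbackOrder ($Order -join '|')
        if ($FileShare.Count -gt 0) {
            Set-MpPreference -SignatureDefinitionUpdateFileSharesSources ($FileShare -join '|')
        }
    }

    # Read back what the engine actually stored.
    $p = Get-MpPreference
    [pscustomobject]@{
        FallbackOrder = $p.SignatureFallbackOrder
        FileShares    = $p.SignatureDefinitionUpdateFileSharesSources
    }
}

# Usage: WSUS first, then Microsoft Update, then an internal share, with MMPC
# as the last resort. The share path is a constructed placeholder.
Set-DefenderUpdateSources -Order 'InternalDefinitionUpdateServer', 'MicrosoftUpdateServer', 'FileShares', 'MMPC' `
    -FileShare '\\fs01.corp.example\defender-updates'

# Optional: pull an update from the share right away to confirm the path works.
Update-MpSignature -UpdateSource FileShares
```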
Related topics
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
Manage updates for endpoints that are out of date
Manage event-based forced updates
Manage updates for mobile devices and VMs
Windows Defender Antivirus in Windows 10
Manage the schedule for when protection updates should be downloaded and applied
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus lets you determine when it should look for and download updates.
You can schedule updates for your endpoints by:
Specifying the day of the week to check for protection updates
Specifying the interval to check for protection updates
Specifying the time to check for protection updates
You can also randomize the times when each endpoint checks and downloads protection updates. See the
Schedule scans topic for more information.
Use Configuration Manager to schedule protection updates:
1. On your System Center Configuration Manager console, open the antimalware policy you want to change
(click Assets and Compliance in the navigation pane on the left, then expand the tree to Overview >
Endpoint Protection > Antimalware Policies)
2. Go to the Definition updates section.
3. To check and download updates at a certain time:
a. Set Check for Endpoint Protection definitions at a specific interval... to 0.
b. Set Check for Endpoint Protection definitions daily at... to the time when updates should be
checked.
4. To check and download updates on a continual interval, Set Check for Endpoint Protection definitions
at a specific interval... to the number of hours that should occur between updates.
5. Deploy the updated policy as usual.
Use Group Policy to schedule protection updates:
IMPORTANT
By default, Windows Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans.
Enabling these settings will override that default.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus > Signature Updates and
configure the following settings:
a. Double-click the Specify the interval to check for definition updates setting and set the option to
Enabled. Enter the number of hours between updates. Click OK.
b. Double-click the Specify the day of the week to check for definition updates setting and set the
option to Enabled. Enter the day of the week to check for updates. Click OK.
c. Double-click the Specify the time to check for definition updates setting and set the option to
Enabled. Enter the time when updates should be checked. The time is based on the local time of the
endpoint. Click OK.
Use PowerShell cmdlets to schedule protection updates:
Use the following cmdlets:
Set-MpPreference -SignatureScheduleDay
Set-MpPreference -SignatureScheduleTime
Set-MpPreference -SignatureUpdateInterval
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to schedule protection updates:
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureScheduleDay
SignatureScheduleTime
SignatureUpdateInterval
Related topics
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
Manage updates for endpoints that are out of date
Manage event-based forced updates
Manage updates for mobile devices and virtual machines (VMs)
Windows Defender Antivirus in Windows 10
Manage Windows Defender Antivirus updates and scans for endpoints that are out of date
4/5/2019 • 6 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it
can miss before it is required to update and scan itself. This is especially useful in environments where devices
are not often connected to a corporate or external network, or devices that are not used on a daily basis.
For example, an employee that uses a particular PC is on break for three days and does not log on to their PC
during that time.
When the user returns to work and logs on to their PC, Windows Defender Antivirus will immediately check and
download the latest protection updates, and run a scan.
Set-MpPreference -SignatureUpdateCatchupInterval
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to configure catch-up protection updates:
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureUpdateCatchupInterval
Set up catch-up scans for endpoints that have not been scanned for a
while
You can set the number of consecutive scheduled scans that can be missed before Windows Defender Antivirus
will force a scan.
The process for enabling this feature is:
1. Set up at least one scheduled scan (see the Schedule scans topic).
2. Enable the catch-up scan feature.
3. Define the number of scans that can be skipped before a catch-up scan occurs.
This feature can be enabled for both full and quick scans.
Use Group Policy to enable and configure the catch-up scan feature:
1. Ensure you have set up at least one scheduled scan.
2. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
3. In the Group Policy Management Editor go to Computer configuration.
4. Click Policies then Administrative templates.
5. Expand the tree to Windows components > Windows Defender Antivirus > Scan and configure the
following settings:
a. If you have set up scheduled quick scans, double-click the Turn on catch-up quick scan setting and
set the option to Enabled.
b. If you have set up scheduled full scans, double-click the Turn on catch-up full scan setting and set
the option to Enabled. Click OK.
c. Double-click the Define the number of days after which a catch-up scan is forced setting and set
the option to Enabled.
d. Enter the number of scans that can be missed before a scan will be automatically run when the user
next logs on to the PC. The type of scan that is run is determined by the Specify the scan type to use
for a scheduled scan setting (see the Schedule scans topic). Click OK.
NOTE
The Group Policy setting title refers to the number of days. The setting, however, is applied to the number of scans (not
days) before the catch-up scan will be run.
Set-MpPreference -DisableCatchupFullScan
Set-MpPreference -DisableCatchupQuickScan
See Use PowerShell cmdlets to manage Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to configure catch-up scans:
Use the Set method of the MSFT_MpPreference class for the following properties:
DisableCatchupFullScan
DisableCatchupQuickScan
Related topics
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Manage event-based forced updates
Manage updates for mobile devices and virtual machines (VMs)
Windows Defender Antivirus in Windows 10
Manage event-based forced updates
4/30/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus allows you to determine if updates should (or should not) occur after certain
events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
Use PowerShell cmdlets to check for protection updates before running a scan:
Set-MpPreference -CheckForSignaturesBeforeRunningScan
The parameter is Boolean: pass $true to check for protection updates before a scheduled scan starts.
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to check for protection updates before running a scan:
Use the Set method of the MSFT_MpPreference class for the following properties:
CheckForSignaturesBeforeRunningScan
Use PowerShell cmdlets to download updates when Windows Defender Antivirus is not present:
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine
The parameter is Boolean: pass $false to allow the update at startup even when no antimalware engine is present, and $true to suppress it.
See Use PowerShell cmdlets to manage Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to download updates when Windows Defender Antivirus is not present:
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureDisableUpdateOnStartupWithoutEngine
See the following for more information:
Windows Defender WMIv2 APIs
NOTE
"Allow notifications to disable definitions based reports" enables Microsoft MAPS to disable those definitions known to
cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work.
Related topics
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Manage updates for endpoints that are out of date
Manage updates for mobile devices and virtual machines (VMs)
Windows Defender Antivirus in Windows 10
Manage updates for mobile devices and virtual machines (VMs)
4/5/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates.
There are two settings that are particularly useful for these devices:
Opt-in to Microsoft Update on mobile computers without a WSUS connection
Prevent Security intelligence updates when running on battery power
The following topics may also be useful in these situations:
Configuring scheduled and catch-up scans
Manage updates for endpoints that are out of date
Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
Related topics
Manage Windows Defender Antivirus updates and apply baselines
Update and manage Windows Defender Antivirus in Windows 10
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
4/5/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows
Defender Antivirus scans.
In this section
TOPIC | DESCRIPTION
Configure and validate file, folder, and process-opened file exclusions in Windows Defender Antivirus scans | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
Configure Windows Defender Antivirus scanning options | You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
Configure remediation for scans | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
Configure scheduled scans | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
Configure and run scans | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
Review scan results | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app
Configure and validate exclusions for Windows Defender Antivirus scans
4/5/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus scans.
The exclusions apply to scheduled scans, on-demand scans, and always-on real-time protection and monitoring.
Exclusions for process-opened files only apply to real-time protection.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your
organization.
Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See the
Windows Defender Antivirus exclusions on Windows Server 2016 topic for more information and a list of the
automatic exclusions.
WARNING
Defining exclusions lowers the protection offered by Windows Defender Antivirus. You should always evaluate the risks that
are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
In this section
TOPIC | DESCRIPTION
Configure and validate exclusions based on file name, extension, and folder location | Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location
Configure and validate exclusions for files opened by processes | Exclude files from scans that have been opened by a specific process
Configure Windows Defender Antivirus exclusions on Windows Server | Windows Server 2016 includes automatic exclusions, based on the defined server role. You can also add custom exclusions.
Configure and validate exclusions based on file extension and folder location
5/3/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IMPORTANT
Windows Defender Advanced Threat Protection does not adhere to Windows Defender Antivirus exclusion settings. This means that any Windows
Defender exclusions, no matter how you created them, are not applied by Windows Defender ATP.
You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists.
Generally, you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions based on
known operating system behaviors and typical management files, such as those used in enterprise management, database
management, and other enterprise scenarios and situations.
NOTE
Automatic exclusions apply only to Windows Server 2016 and above.
TIP
The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
This topic describes how to configure exclusion lists for the following:
EXCLUSION | EXAMPLES | EXCLUSION LIST
Any file with a specific extension | All files with the .test extension, anywhere on the machine | Extension exclusions
Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions
A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions
A specific process | The executable file c:\test\process.exe | File and folder exclusions
IMPORTANT
The use of wildcards such as the asterisk (*) will alter how the exclusion rules are interpreted. See the Use wildcards in the file name and folder path
or extension exclusion lists section for important information about how wildcards work.
You cannot exclude mapped network drives. You must specify the actual network path.
Folders that are reparse points that are created after the Windows Defender Antivirus service starts and that have been added to the exclusion list
will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
To exclude files opened by a specific process, see Configure and validate exclusions for files opened by processes.
The exclusions apply to scheduled scans, on-demand scans, and real-time protection.
IMPORTANT
Exclusion list changes made with Group Policy will show in the lists in the Windows Security app.
Changes made in the Windows Security app will not show in the Group Policy lists.
By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI)
will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will
take precedence in case of conflicts.
You can configure how locally and globally defined exclusions lists are merged to allow local changes to override managed deployment
settings.
NOTE
If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under
that folder are excluded.
Use Group Policy to configure file name, folder, or file extension exclusions:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object
you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click the Path Exclusions setting and add the exclusions:
a. Set the option to Enabled.
b. Under the Options section, click Show....
c. Enter each folder on its own line under the Value name column. If you are entering a file, ensure you enter a fully qualified
path to the file, including the drive letter, folder path, filename, and extension. Enter 0 in the Value column.
5. Click OK.
6. Double-click the Extension Exclusions setting and add the exclusions:
a. Set the option to Enabled.
b. Under the Options section, click Show....
c. Enter each file extension on its own line under the Value name column. Enter 0 in the Value column.
7. Click OK.
Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:
Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of
three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the Defender module.
The format for the cmdlets is the cmdlet name (Set-MpPreference, Add-MpPreference, or Remove-MpPreference) followed by the
exclusion list parameter and the item to exclude. The parameters are:
EXCLUSION TYPE | POWERSHELL PARAMETER
All files with a specified file extension | -ExclusionExtension
All files under a folder (including files in subdirectories), or a specific file | -ExclusionPath
IMPORTANT
If you have created a list, either with Set-MpPreference or Add-MpPreference, using the Set-MpPreference cmdlet again will overwrite the
existing list. Use Add-MpPreference to append to an existing list and Remove-MpPreference to delete individual entries.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the .test file extension:
Add-MpPreference -ExclusionExtension ".test"
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to
use PowerShell with Windows Defender Antivirus.
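The following script is an added example and is not part of the original page. It walks through the three cmdlets on a live machine so the difference between appending (Add-MpPreference), replacing the whole list (Set-MpPreference) and deleting one entry (Remove-MpPreference) is visible, and it wraps the path variant in a check for the two rules stated above: the path must be fully qualified, and a mapped network drive letter is not accepted. The extension and paths are illustrative values; the original path list is captured first and restored at the end because the Set-MpPreference step deliberately drops everything else.

```powershell
# Added example, not from the original page: manage extension and path exclusions
# with the Defender module and see how Add-, Set- and Remove-MpPreference differ.
# Run in an elevated PowerShell session on a machine running Windows Defender
# Antivirus. The extension and paths are illustrative values, not recommendations.

function Get-MpExclusionSnapshot {
    # Current lists as arrays (an empty list comes back as @() rather than $null).
    $p = Get-MpPreference
    [pscustomobject]@{
        Extensions = @($p.ExclusionExtension)
        Paths      = @($p.ExclusionPath)
    }
}

function Show-MpExclusionSnapshot([string]$Label) {
    $s = Get-MpExclusionSnapshot
    Write-Host "== $Label =="
    Write-Host ("  ExclusionExtension : {0}" -f ($s.Extensions -join ', '))
    Write-Host ("  ExclusionPath      : {0}" -f ($s.Paths -join ', '))
}

function Add-MpPathExclusionChecked {
    # Enforces two rules from the page before adding a path exclusion: the path
    # must be fully qualified (drive letter or \\server\share), and a mapped
    # network drive letter is rejected because the real network path must be used.
    param([Parameter(Mandatory)][string]$Path)
    $isUnc   = $Path -match '^\\\\[^\\]+\\[^\\]+'
    $isDrive = $Path -match '^[A-Za-z]:\\'
    if (-not ($isUnc -or $isDrive)) {
        throw "Exclusion must be a fully qualified path: '$Path'"
    }
    if ($isDrive) {
        $drive = Get-PSDrive -Name $Path.Substring(0, 1) -PSProvider FileSystem -ErrorAction SilentlyContinue
        if ($drive -and $drive.DisplayRoot -like '\\*') {
            throw "'$Path' is on mapped drive $($drive.Name): ($($drive.DisplayRoot)); use the UNC path instead"
        }
    }
    Add-MpPreference -ExclusionPath $Path
}

$original = Get-MpExclusionSnapshot
Show-MpExclusionSnapshot 'Before'

# Add-MpPreference appends, so repeated calls accumulate entries.
Add-MpPreference -ExclusionExtension '.test'
Add-MpPathExclusionChecked -Path 'C:\test\sample'          # folder: everything beneath it
Add-MpPathExclusionChecked -Path 'C:\sample\sample.test'   # fully qualified file: that file only
try { Add-MpPathExclusionChecked -Path 'sample.test' } catch { Write-Host "  Rejected: $_" }
Show-MpExclusionSnapshot 'After Add-MpPreference'

# Set-MpPreference replaces the whole list: anything not in its argument is dropped.
# This is the overwrite behaviour the IMPORTANT note above warns about.
Set-MpPreference -ExclusionPath 'C:\sample\sample.test'
Show-MpExclusionSnapshot 'After Set-MpPreference (C:\test\sample is gone)'

# Remove-MpPreference deletes only the named entries.
Remove-MpPreference -ExclusionExtension '.test'
Remove-MpPreference -ExclusionPath 'C:\sample\sample.test'
Show-MpExclusionSnapshot 'After Remove-MpPreference'

# Put back the path list the machine had before this demonstration.
if ($original.Paths.Count -gt 0) { Set-MpPreference -ExclusionPath $original.Paths }
Show-MpExclusionSnapshot 'Restored'
```

Because Set-MpPreference is destructive, scripts that push a managed list should build the complete list first and call Set-MpPreference once, while ad hoc additions should use Add-MpPreference.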
Use Windows Management Instrumentation (WMI) to configure file name, folder, or file extension exclusions:
Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following properties:
ExclusionExtension
ExclusionPath
The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference, Add-MpPreference, and
Remove-MpPreference.
Use wildcards in the file name and folder path or extension exclusion lists
You can use the asterisk (*), question mark (?), or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items
in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other
apps and languages, so you should read this section to understand their specific limitations.
IMPORTANT
There are key limitations and usage scenarios for these wildcards:
Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
You cannot use a wildcard in place of a drive letter.
An asterisk * in a folder exclusion will stand in place for a single folder. Use multiple instances of \*\ to indicate multiple nested folders with
unspecified names.
The following table describes how the wildcards can be used and provides some examples.
WILDCARD | USE IN FILE AND FILE EXTENSION EXCLUSIONS | USE IN FOLDER EXCLUSIONS | EXAMPLE USE | EXAMPLE MATCHES
* (asterisk) | Example matches for a folder argument with two wildcarded folders (such as C:\Serv\*\*\Backup, following the rule in the IMPORTANT note above): any file in C:\Serv\Primary\Denied\Backup and its subfolders; any file in C:\Serv\Secondary\Allowed\Backup and its subfolders
? (question mark) | Replaces a single character. Only applies to files in the last folder defined in the argument. | Replaces a single character in a folder name. After matching to the number of wildcarded and named folders, all subfolders will also be included. | 1. C:\MyData\my?.zip 2. C:\somepath\?\Data 3. C:\somepath\test0?\Data | 1. C:\MyData\my1.zip 2. Any file in C:\somepath\P\Data and its subfolders 3. Any file in C:\somepath\test01\Data and its subfolders
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated. | Same as file and extension use. | 1. %ALLUSERSPROFILE%\CustomLogFiles | 1. C:\ProgramData\CustomLogFiles\Folder1
IMPORTANT
If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will
not look for file matches in any subfolders.
For example, you can exclude all files that start with "date" in the folders c:\data\final\marked and c:\data\review\marked by using the rule
argument c:\data\*\marked\date*.*.
This argument, however, will not match any files in subfolders under c:\data\final\marked or c:\data\review\marked.
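The rules above are easy to misread, and an exclusion that is broader than intended is a blind spot an attacker can use. The script below is an added example, not part of the original page: it models the documented rules (asterisk stands for one folder in a folder position, question mark for one character, %VAR% is expanded, no wildcard may replace the drive letter, and a trailing file argument matches only in the named folder) and answers "would this exclusion cover this file?". It is an approximation of the documented behaviour, not the scanning engine. One assumption is labelled in the code: a last path segment containing a dot is treated as a file argument. The environment map default is constructed for the demonstration.

```powershell
# Added example, not from the original page: a model of the wildcard rules documented
# above, used to test which exclusions would cover a given file. It approximates the
# documented behaviour; it is not the engine's own matcher.

function ConvertTo-MpExclusionRegex {
    param(
        [Parameter(Mandatory)][string]$Exclusion,
        [hashtable]$EnvironmentMap = @{ ALLUSERSPROFILE = 'C:\ProgramData' }   # constructed default
    )
    # 1. Expand %VAR%. Defender resolves machine/SYSTEM variables only, so the map
    #    stands in for that context; user-scope variables would not work for real.
    $expanded = $Exclusion
    foreach ($name in $EnvironmentMap.Keys) {
        $expanded = $expanded -replace ('%' + [regex]::Escape($name) + '%'), $EnvironmentMap[$name]
    }
    # 2. The drive letter (or UNC server\share) must be literal: no wildcard allowed there.
    if ($expanded -notmatch '^([A-Za-z]:|\\\\[^\\*?]+\\[^\\*?]+)(\\|$)') {
        throw "Exclusion must begin with a literal drive letter or \\server\share: '$Exclusion'"
    }
    $toSegmentRegex = {
        param([string]$s)
        $sb = New-Object System.Text.StringBuilder
        foreach ($ch in $s.ToCharArray()) {
            switch ([string]$ch) {
                '*'     { [void]$sb.Append('[^\\]*') }   # never crosses a backslash: one folder/name
                '?'     { [void]$sb.Append('[^\\]') }
                default { [void]$sb.Append([regex]::Escape([string]$ch)) }
            }
        }
        $sb.ToString()
    }
    $segments    = $expanded.TrimEnd('\') -split '\\'
    $last        = $segments[-1]
    $isFileArg   = $last -match '\.'            # ASSUMPTION: a dotted last segment is a file argument
    $folderSegs  = if ($isFileArg) { $segments[0..($segments.Count - 2)] } else { $segments }
    $folderRegex = ($folderSegs | ForEach-Object { & $toSegmentRegex $_ }) -join '\\'
    $pattern = if ($isFileArg) {
        # File argument: files directly in the matched folder only, no subfolders.
        '^' + $folderRegex + '\\' + (& $toSegmentRegex $last) + '$'
    } else {
        # Folder argument: the folder and everything beneath it.
        '^' + $folderRegex + '(\\.*)?$'
    }
    [regex]::new($pattern, [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
}

function Test-MpExclusionCovers {
    param(
        [Parameter(Mandatory)][string]$Exclusion,
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$EnvironmentMap = @{ ALLUSERSPROFILE = 'C:\ProgramData' }
    )
    (ConvertTo-MpExclusionRegex -Exclusion $Exclusion -EnvironmentMap $EnvironmentMap).IsMatch($Path)
}

function Find-MpExclusionCovering {
    # Which of this machine's configured ExclusionPath entries would cover $Path?
    param([Parameter(Mandatory)][string]$Path)
    $envMap = @{}
    foreach ($e in [Environment]::GetEnvironmentVariables().GetEnumerator()) { $envMap[[string]$e.Key] = [string]$e.Value }
    foreach ($ex in @((Get-MpPreference).ExclusionPath)) {
        if ($ex -and (Test-MpExclusionCovers -Exclusion $ex -Path $Path -EnvironmentMap $envMap)) { $ex }
    }
}

# Worked cases taken from the examples on this page; Expect is the documented outcome.
$cases = @(
    @{ Exclusion = 'C:\MyData\my?.zip';                Path = 'C:\MyData\my1.zip';                           Expect = $true  }
    @{ Exclusion = 'C:\MyData\my?.zip';                Path = 'C:\MyData\my12.zip';                          Expect = $false }
    @{ Exclusion = 'C:\somepath\?\Data';               Path = 'C:\somepath\P\Data\report.docx';              Expect = $true  }
    @{ Exclusion = 'C:\somepath\test0?\Data';          Path = 'C:\somepath\test01\Data\sub\run.log';         Expect = $true  }
    @{ Exclusion = 'c:\data\*\marked\date*.*';         Path = 'c:\data\final\marked\date-2019.csv';          Expect = $true  }
    @{ Exclusion = 'c:\data\*\marked\date*.*';         Path = 'c:\data\final\marked\sub\date-2019.csv';      Expect = $false }
    @{ Exclusion = '%ALLUSERSPROFILE%\CustomLogFiles'; Path = 'C:\ProgramData\CustomLogFiles\Folder1\a.txt'; Expect = $true  }
)
$cases | ForEach-Object {
    $got = Test-MpExclusionCovers -Exclusion $_.Exclusion -Path $_.Path
    [pscustomobject]@{ AsDocumented = ($got -eq $_.Expect); Covers = $got; Exclusion = $_.Exclusion; Path = $_.Path }
} | Format-Table -AutoSize
try { ConvertTo-MpExclusionRegex -Exclusion '*:\test' } catch { "Rejected as documented: $_" }
```

Find-MpExclusionCovering is the practical use: run it against a path you care about (for example a user-writable folder) to see whether any configured exclusion would stop real-time protection from scanning it.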
IMPORTANT
Exclusion list changes made with Group Policy will show in the lists in the Windows Security app.
Changes made in the Windows Security app will not show in the Group Policy lists.
If you use PowerShell, you can retrieve the list in two ways:
Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items
within each list will be combined into the same line.
Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of
Add-MpPreference is written to a new line.
NOTE
Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:
Use the following cmdlet:
Get-MpPreference
In the following example, the items contained in the ExclusionExtension list are highlighted:
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to
use PowerShell with Windows Defender Antivirus.
Retrieve a specific exclusions list by using PowerShell:
Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever label you want to name
the variable:
$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionExtension
$WDAVprefs.ExclusionPath
In the following example, the list is split into new lines for each use of the Add-MpPreference cmdlet:
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to
use PowerShell with Windows Defender Antivirus.
If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file
exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the EICAR
testfile website.
You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the
Invoke-WebRequest cmdlet; replace c:\test.txt with a file that conforms to the rule you are validating:
If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the
following PowerShell command:
[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
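The steps above are manual; the script below, an added example that is not part of the original page, automates the offline variant of the test. It writes the EICAR string to a path inside the excluded location and to a control path that is not excluded, waits for real-time protection, and reports whether each file survived untouched and whether Windows Defender Antivirus logged a detection for it. It refuses to run when real-time protection is off, because every path then looks excluded. The two paths are illustrative and must be adjusted to the exclusion being validated.

```powershell
# Added example, not from the original page: validate an exclusion offline with the
# EICAR test string. The string is the published EICAR test signature; it is not
# malware, but every antivirus engine flags it. Run elevated on a machine running
# Windows Defender Antivirus with real-time protection on. The paths are illustrative:
# -ExcludedPath must lie inside a folder you have excluded, -ControlPath must not.

$EicarString = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function Test-MpExclusionWithEicar {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$WaitSeconds = 10
    )
    # Writes the EICAR string to $Path, waits for real-time protection, then reports
    # whether the file survived untouched and whether a detection was logged for it.
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    $start = Get-Date
    try {
        [System.IO.File]::WriteAllText($Path, $EicarString)
    } catch {
        # Real-time protection may block the write itself; that also means "not excluded".
        return [pscustomobject]@{ Path = $Path; Excluded = $false; FileIntact = $false; Detections = 0
                                  Detail = "write blocked: $($_.Exception.Message)" }
    }
    Start-Sleep -Seconds $WaitSeconds
    $exists = Test-Path -LiteralPath $Path
    $intact = $exists -and ([System.IO.File]::ReadAllText($Path) -eq $EicarString)
    $reports = @(Get-MpThreatDetection | Where-Object {
        $_.InitialDetectionTime -ge $start -and
        (($_.Resources -join ' ').IndexOf($Path, [System.StringComparison]::OrdinalIgnoreCase) -ge 0)
    })
    if ($intact) { Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue }   # clean up
    $detail = if ($reports.Count) { 'Windows Defender Antivirus reported the file' }
              elseif ($intact)    { 'no report and file untouched' }
              else                { 'file removed or altered' }
    [pscustomobject]@{
        Path       = $Path
        Excluded   = ($intact -and $reports.Count -eq 0)   # untouched and unreported = exclusion works
        FileIntact = $intact
        Detections = $reports.Count
        Detail     = $detail
    }
}

function Compare-MpExclusionWithEicar {
    param(
        [Parameter(Mandatory)][string]$ExcludedPath,
        [Parameter(Mandatory)][string]$ControlPath
    )
    # With real-time protection off every path looks "excluded", so refuse to run.
    if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
        throw 'Real-time protection is off; the result would be meaningless.'
    }
    $control  = Test-MpExclusionWithEicar -Path $ControlPath
    $excluded = Test-MpExclusionWithEicar -Path $ExcludedPath
    if ($control.Excluded) {
        Write-Warning "Control file at $ControlPath was not detected either; the test itself is not valid."
    }
    $control, $excluded | Format-Table Path, Excluded, FileIntact, Detections, Detail -AutoSize
}

# Illustrative paths: C:\test\sample is assumed to be on the exclusion list, C:\temp is not.
Compare-MpExclusionWithEicar -ExcludedPath 'C:\test\sample\eicar.test' -ControlPath 'C:\temp\eicar-control.txt'
```

The control file is what makes the result trustworthy: if it is not detected either, the machine is not scanning at all and the "excluded" result proves nothing.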
Related topics
Configure and validate exclusions in Windows Defender Antivirus scans
Configure and validate exclusions for files opened by processes
Configure Windows Defender Antivirus exclusions on Windows Server
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure exclusions for files opened by processes
4/5/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans.
This topic describes how to configure exclusion lists for the following:
EXCLUSION | EXAMPLE
Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by c:\sample\test.exe and d:\internal\files\test.exe
Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\*" would exclude files opened by c:\test\sample\test.exe, c:\test\sample\test2.exe, and c:\test\sample\utility.exe
Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe
When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by that
process, no matter where the files are located. The process itself, however, will be scanned unless it has also been
added to the file exclusion list.
The exclusions only apply to always-on real-time protection and monitoring. They don't apply to scheduled or on-
demand scans.
Changes made with Group Policy to the exclusion lists will show in the lists in the Windows Security app.
However, changes made in the Windows Security app will not show in the Group Policy lists.
You can add, remove, and review the lists for exclusions in Group Policy, System Center Configuration Manager,
Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists.
You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists.
By default, local changes made to the lists (by users with administrator privileges; this includes changes made with
PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration
Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
You can configure how locally and globally defined exclusions lists are merged to allow local changes to override
managed deployment settings.
Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a
combination of three cmdlets with the -ExclusionProcess parameter. The cmdlets are all in the Defender module.
The format for the cmdlets is:
IMPORTANT
If you have created a list, either with Set-MpPreference or Add-MpPreference, using the Set-MpPreference cmdlet again
will overwrite the existing list.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is
opened by the specified process:
Use Windows Management Instrumentation (WMI) to exclude files that have been opened by specified processes from scans:
Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following property:
ExclusionProcess
The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference,
Add-MpPreference, and Remove-MpPreference.
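Process exclusions are the broadest kind this topic covers: every file the process opens goes unscanned wherever it lives, and, as the table above shows, a bare executable name matches any process with that name in any folder. The script below is an added example and is not part of the original page. It classifies each ExclusionProcess entry by how broad it is and checks whether the excluded binary is itself covered by a path exclusion, which matters because the process itself is still scanned unless it is also on the file exclusion list. The sample entries are constructed from the table above; omit the parameters to audit the local machine.

```powershell
# Added example, not from the original page: audit the ExclusionProcess list for
# overbroad entries and for binaries that are themselves also path-excluded.

function Get-MpProcessExclusionAudit {
    param(
        [string[]]$ProcessExclusions = @((Get-MpPreference).ExclusionProcess),
        [string[]]$PathExclusions    = @((Get-MpPreference).ExclusionPath)
    )
    foreach ($entry in $ProcessExclusions) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $scope = if ($entry -match '^%[^%]+%')  { 'environment-variable path' }
                 elseif ($entry -notmatch '\\') { 'any process with this file name, in any folder' }
                 elseif ($entry -match '\\\*$')  { 'every executable under this folder' }
                 elseif ($entry -match '[*?]')   { 'wildcard path' }
                 else                            { 'one fully qualified executable' }
        # Is the binary itself under a path exclusion? Literal prefix comparison only;
        # wildcards in the path list are not resolved here.
        $binaryExcluded = $false
        foreach ($p in $PathExclusions) {
            if ($p -and $entry.StartsWith($p.TrimEnd('\'), [System.StringComparison]::OrdinalIgnoreCase)) {
                $binaryExcluded = $true; break
            }
        }
        [pscustomobject]@{
            Entry              = $entry
            Scope              = $scope
            Overbroad          = ($scope -like 'any process*') -or ($scope -like 'every executable*')
            BinaryPathExcluded = $binaryExcluded
        }
    }
}

# Constructed sample built from the examples in the table above.
$sampleProcess = @('test.exe', 'c:\test\sample\*', 'c:\test\process.exe', '%ALLUSERSPROFILE%\CustomLogFiles\file.exe')
$samplePaths   = @('c:\test\sample')
Get-MpProcessExclusionAudit -ProcessExclusions $sampleProcess -PathExclusions $samplePaths | Format-Table -AutoSize

# Audit the machine you are on:
# Get-MpProcessExclusionAudit | Where-Object Overbroad | Format-Table -AutoSize
```

An entry that is both Overbroad and BinaryPathExcluded is the worst case: anyone who can place an executable with that name (or in that folder) gets a process whose binary and whose file activity are both invisible to real-time protection.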
WILDCARD | USE | EXAMPLE USE | EXAMPLE MATCHES
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | %ALLUSERSPROFILE%\CustomLogFiles\file.exe | Any file opened by C:\ProgramData\CustomLogFiles\file.exe
NOTE
Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December
2018) or later.
Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using
PowerShell:
Use the following cmdlet:
Get-MpPreference
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Retrieve a specific exclusions list by using PowerShell:
Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever label
you want to name the variable:
$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Related topics
Configure and validate exclusions in Windows Defender Antivirus scans
Configure and validate exclusions based on file name, extension, and folder location
Configure Windows Defender Antivirus exclusions on Windows Server
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure Windows Defender Antivirus exclusions on Windows Server
4/8/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus on Windows Server 2016 computers automatically enrolls you in certain exclusions,
as defined by your specified server role. See the end of this topic for a list of these exclusions.
These exclusions will not appear in the standard exclusion lists shown in the Windows Security app.
You can still add or remove custom exclusions (in addition to the server role-defined automatic exclusions) as
described in these exclusion-related topics:
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Custom exclusions take precedence over automatic exclusions.
TIP
Custom and duplicate exclusions do not conflict with automatic exclusions.
Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine
which roles are installed on your computer.
WARNING
Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are
delivered automatically are optimized for Windows Server 2016 roles.
NOTE
This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect on
exclusions.
TIP
Since the predefined exclusions only exclude default paths, if you move NTDS and SYSVOL to another drive or path different
than the original one, you would have to manually add the exclusions using the information here.
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
Use Group Policy to disable the auto-exclusions list on Windows Server 2016:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click Turn off Auto Exclusions and set the option to Enabled. Click OK.
Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:
Use the following cmdlets:
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to disable the auto-exclusions list on Windows Server 2016:
Use the Set method of the MSFT_MpPreference class for the following properties:
DisableAutoExclusions
%windir%\Ntfrs\jet\sys\*\edb.chk
%windir%\Ntfrs\jet\*\Ntfrs.jdb
%windir%\Ntfrs\jet\log\*\*.log
FRS Database log files. The FRS Database log file folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory
%windir%\Ntfrs\*\Edb*.log
The FRS staging folder. The staging folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica
Sets\GUID\Replica Set Stage
%systemroot%\Sysvol\*\Nntfrs_cmp*\
The FRS preinstall folder. This folder is specified by the folder
Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
%systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*\Ntfrs*\
The Distributed File System Replication (DFSR) database and working folders. These folders
are specified by the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication
Groups\GUID\Replica Set Configuration File
NOTE
For custom locations, see Opt out of automatic exclusions.
%windir%\Ntds\ntds.dit
%windir%\Ntds\ntds.pat
The AD DS transaction log files. The transaction log files are specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files
%windir%\Ntds\EDB*.log
%windir%\Ntds\Res*.log
%windir%\Ntds\Edb*.jrs
%windir%\Ntds\Ntds*.pat
%windir%\Ntds\EDB*.log
%windir%\Ntds\TEMP.edb
The NTDS working folder. This folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
%windir%\Ntds\Temp.edb
%windir%\Ntds\Edb.chk
Process exclusions for AD DS and AD DS-related support files:
%systemroot%\System32\ntfrs.exe
%systemroot%\System32\lsass.exe
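The TIP earlier in this topic points out that the automatic exclusions cover only the default %windir%\Ntds location. The script below is an added example, not part of the original page: it reads the NTDS Parameters registry values, and when the database, log folder or working folder has been moved it builds custom exclusions using the same file names listed above. The value names 'DSA Working Directory', 'DSA Database file' and 'Database log files path' are the standard NTDS values (the list above abbreviates the last one). Run it elevated on a domain controller; -WhatIf lists what would be added without changing anything, and the offline call at the end uses constructed drive letters.

```powershell
# Added example, not from the original page: build custom exclusions for a relocated
# AD DS database, transaction logs or working folder, mirroring the file names that
# the automatic exclusions use for the default %windir%\Ntds location.

function Get-NtdsCustomExclusion {
    param(
        [string]$WorkingDirectory,                       # value of 'DSA Working Directory'
        [string]$DatabaseFile,                           # value of 'DSA Database file'
        [string]$LogDirectory,                           # value of 'Database log files path'
        [string]$DefaultDirectory = "$env:windir\Ntds"   # already covered by the automatic exclusions
    )
    $default = $DefaultDirectory.TrimEnd('\')
    function Test-Moved([string]$Dir) { $Dir -and ($Dir.TrimEnd('\') -ine $default) }
    $items = New-Object System.Collections.Generic.List[string]

    if ($DatabaseFile -and (Test-Moved (Split-Path -Parent $DatabaseFile))) {
        $dbDir = Split-Path -Parent $DatabaseFile
        $items.Add($DatabaseFile)                        # ntds.dit at its real location
        $items.Add((Join-Path $dbDir 'ntds.pat'))
    }
    if (Test-Moved $LogDirectory) {
        # Transaction log files, as listed above for the default location.
        foreach ($f in 'EDB*.log', 'Res*.log', 'Edb*.jrs', 'Ntds*.pat', 'TEMP.edb') {
            $items.Add((Join-Path $LogDirectory $f))
        }
    }
    if (Test-Moved $WorkingDirectory) {
        # NTDS working folder files, as listed above for the default location.
        foreach ($f in 'Temp.edb', 'Edb.chk') { $items.Add((Join-Path $WorkingDirectory $f)) }
    }
    $items | Select-Object -Unique
}

function Add-NtdsCustomExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (-not (Test-Path $key)) { throw 'NTDS Parameters key not found; is this a domain controller?' }
    $p = Get-ItemProperty -Path $key
    $ntds = @{
        WorkingDirectory = $p.'DSA Working Directory'
        DatabaseFile     = $p.'DSA Database file'
        LogDirectory     = $p.'Database log files path'
    }
    $exclusions = @(Get-NtdsCustomExclusion @ntds)
    foreach ($e in $exclusions) {
        if ($PSCmdlet.ShouldProcess($e, 'Add-MpPreference -ExclusionPath')) { Add-MpPreference -ExclusionPath $e }
    }
    $exclusions
}

# Offline demonstration with constructed values: database and working folder on D:, logs on E:.
Get-NtdsCustomExclusion -WorkingDirectory 'D:\NTDS' -DatabaseFile 'D:\NTDS\ntds.dit' -LogDirectory 'E:\NTDSLogs'

# On a domain controller, preview first, then apply:
# Add-NtdsCustomExclusion -WhatIf
# Add-NtdsCustomExclusion
```

Keep the exclusions to the specific file names rather than excluding the whole drive: the list above is deliberately narrow, and a folder exclusion on a relocated NTDS drive would also hide anything else written there.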
DHCP Server exclusions
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP
Server file locations are specified by the DatabasePath, DhcpLogFilePath, and BackupDatabasePath parameters in
the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters
%systemroot%\System32\DHCP\*\*.mdb
%systemroot%\System32\DHCP\*\*.pat
%systemroot%\System32\DHCP\*\*.log
%systemroot%\System32\DHCP\*\*.chk
%systemroot%\System32\DHCP\*\*.edb
DNS Server exclusions
This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you
install the DNS Server role.
File and folder exclusions for the DNS Server role:
%systemroot%\System32\Dns\*\*.log
%systemroot%\System32\Dns\*\*.dns
%systemroot%\System32\Dns\*\*.scc
%systemroot%\System32\Dns\*\BOOT
Process exclusions for the DNS Server role:
%systemroot%\System32\dns.exe
File and Storage Services exclusions
This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage
Services role. The exclusions listed below do not include exclusions for the Clustering role.
%SystemDrive%\ClusterStorage
%clusterserviceaccount%\Local Settings\Temp
%SystemDrive%\mscs
Print Server exclusions
This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered
automatically when you install the Print Server role.
File type exclusions:
*.shd
*.spl
Folder exclusions. This folder is specified in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory
%system32%\spool\printers\*
Process exclusions:
spoolsv.exe
Web Server exclusions
This section lists the folder exclusions and the process exclusions that are delivered automatically when you install
the Web Server role.
Folder exclusions:
%SystemRoot%\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\ASP Compiled Templates
%systemDrive%\inetpub\logs
%systemDrive%\inetpub\wwwroot
Process exclusions:
%SystemRoot%\system32\inetsrv\w3wp.exe
%SystemRoot%\SysWOW64\inetsrv\w3wp.exe
%SystemDrive%\PHP5433\php-cgi.exe
Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update
Services (WSUS) role. The WSUS folder is specified in the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup
%systemroot%\WSUS\WSUSContent
%systemroot%\WSUS\UpdateServicesDBFiles
%systemroot%\SoftwareDistribution\Datastore
%systemroot%\SoftwareDistribution\Download
Related topics
Configure and validate exclusions for Windows Defender Antivirus scans
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure Windows Defender Antivirus scanning options
4/5/2019
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Use Microsoft Intune to configure scanning options
See Configure device restriction settings in Microsoft Intune and Windows Defender Antivirus device restriction settings for
Windows 10 in Intune for more details.
Use Configuration Manager to configure scanning options:
See How to create and deploy antimalware policies: Scan settings for details on configuring System Center Configuration
Manager (current branch).
Use Group Policy to configure scanning options
To configure the Group Policy settings described in the following table:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy
Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.
3. Expand the tree to Windows components > Windows Defender Antivirus and then the Location specified in the
table below.
4. Double-click the policy Setting as specified in the table below, and set the option to your desired configuration. Click OK,
and repeat for any other settings.
DESCRIPTION | LOCATION AND SETTING | DEFAULT SETTING (IF NOT CONFIGURED) | POWERSHELL SET-MPPREFERENCE PARAMETER OR WMI PROPERTY FOR MSFT_MPPREFERENCE CLASS
--- | --- | --- | ---
See Email scanning limitations below | Scan > Turn on e-mail scanning | Disabled | -DisableEmailScanning
Scan reparse points | Scan > Turn on reparse point scanning | Disabled | Not available
Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | -DisableScanningMappedNetworkDrivesForFullScan
Scan archive files (such as .zip or .rar files). The extensions exclusion list will take precedence over this setting. | Scan > Scan archive files | Enabled | -DisableArchiveScanning
Scan files on the network | Scan > Scan network files | Disabled | -DisableScanningNetworkFiles
Scan packed executables | Scan > Scan packed executables | Enabled | Not available
Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | -DisableRemovableDriveScanning
Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | -ScanAvgCPULoadFactor
Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, 0, applies no limit. | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available
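The Set-MpPreference parameters in the table applied as a baseline and then checked for drift, as an added example (not code from the original topic); the baseline values themselves are assumptions chosen for illustration:

```powershell
# Added example (not from the original page): apply a scanning-options
# baseline with Set-MpPreference and report any drift from it afterwards.
# Parameter names are the real Set-MpPreference ones listed in the table
# above; the baseline values are assumptions for illustration.
#Requires -RunAsAdministrator

# Desired state, keyed by Set-MpPreference parameter name (which is also the
# MSFT_MpPreference property name). $false on a Disable* setting keeps that
# kind of scanning ON.
$ScanBaseline = @{
    DisableArchiveScanning                        = $false  # Scan > Scan archive files: Enabled
    DisableEmailScanning                          = $false  # Scan > Turn on e-mail scanning
    DisableScanningNetworkFiles                   = $true   # Scan > Scan network files: keep default
    DisableScanningMappedNetworkDrivesForFullScan = $true   # keep default (Disabled)
    DisableRemovableDriveScanning                 = $false  # scan USB drives during full scans
    ScanAvgCPULoadFactor                          = 50      # average CPU ceiling, not a hard limit
}

function Set-ScanBaseline {
    param([hashtable]$Baseline = $ScanBaseline)
    # Splat the whole table onto one Set-MpPreference call.
    Set-MpPreference @Baseline -ErrorAction Stop
}

function Test-ScanBaseline {
    param([hashtable]$Baseline = $ScanBaseline)
    # Compare the effective preferences with the baseline. Group Policy, SCCM
    # or Intune can overwrite local changes, so this check is worth repeating.
    $current = Get-MpPreference
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $actual = $current.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Baseline[$name]
            Actual   = $actual
            InSync   = ($actual -eq $Baseline[$name])
        }
    }
}

Set-ScanBaseline
$drift = Test-ScanBaseline | Where-Object { -not $_.InSync }
if ($drift) {
    Write-Warning 'Scan settings differ from the baseline (a deployed policy may be overriding them):'
    $drift | Format-Table -AutoSize
} else {
    Write-Host 'All scanning options match the baseline.'
}
```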
NOTE
If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including
those on mounted removable devices such as USB drives.
Related topics
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Configure and run on-demand Windows Defender Antivirus scans
Configure scheduled Windows Defender Antivirus scans
Windows Defender Antivirus in Windows 10
Configure remediation for Windows Defender
Antivirus scans
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can
configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point
before remediating, and when it should remove remediated threats.
This topic describes how to configure these settings with Group Policy, but you can also use System Center
Configuration Manager and Microsoft Intune.
You can also use the Set-MpPreference PowerShell cmdlet or MSFT_MpPreference WMI class to configure these
settings.
LOCATION | SETTING | DESCRIPTION | DEFAULT SETTING (IF NOT CONFIGURED)
--- | --- | --- | ---
Root | Turn off routine remediation | You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
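The same remediation settings configured with Set-MpPreference rather than Group Policy, as an added example (not code from the original topic); the severity-to-action mapping and the threat ID are illustrative assumptions:

```powershell
# Added example (not from the original page): set the remediation behaviour
# the table above describes, using the Set-MpPreference parameters for it.
# The severity-to-action mapping and the threat ID are assumptions for
# illustration; use Get-MpThreat to find real IDs on your endpoints.
#Requires -RunAsAdministrator

# Action names are the ThreatAction values Set-MpPreference accepts.
# The four severity levels match the Threats > "Specify threat alert levels"
# Group Policy setting (low, medium/moderate, high, severe).
$RemediationPolicy = @{
    LowThreatDefaultAction         = 'Quarantine'
    ModerateThreatDefaultAction    = 'Quarantine'
    HighThreatDefaultAction        = 'Remove'
    SevereThreatDefaultAction      = 'Remove'
    QuarantinePurgeItemsAfterDelay = 90      # days; GP "Configure removal of items from Quarantine folder"
    DisableRestorePoint            = $false  # keep creating a restore point before remediating
}

# Per-threat override (GP "Specify threats upon which default action should
# not be taken"): parallel arrays of threat IDs and actions. Reserve 'Allow'
# for confirmed false positives. 2147000000 is a constructed placeholder,
# NOT a real threat ID.
$ThreatOverrides = @{
    ThreatIDDefaultAction_Ids     = @([long]2147000000)
    ThreatIDDefaultAction_Actions = @('Allow')
}

function Set-RemediationPolicy {
    param([hashtable]$Policy, [hashtable]$Overrides)
    Set-MpPreference @Policy -ErrorAction Stop
    if ($Overrides) { Set-MpPreference @Overrides -ErrorAction Stop }
}

function Get-RemediationPolicy {
    # Read the effective settings back for auditing; a deployed Group Policy
    # can override what was set locally, so do not trust the write alone.
    $p = Get-MpPreference
    $overrides = @(for ($i = 0; $i -lt $p.ThreatIDDefaultAction_Ids.Count; $i++) {
        '{0}={1}' -f $p.ThreatIDDefaultAction_Ids[$i], $p.ThreatIDDefaultAction_Actions[$i]
    })
    [pscustomobject]@{
        Low                  = $p.LowThreatDefaultAction
        Moderate             = $p.ModerateThreatDefaultAction
        High                 = $p.HighThreatDefaultAction
        Severe               = $p.SevereThreatDefaultAction
        QuarantinePurgeDays  = $p.QuarantinePurgeItemsAfterDelay
        RestorePointDisabled = $p.DisableRestorePoint
        ThreatIdOverrides    = ($overrides -join ', ')
    }
}

Set-RemediationPolicy -Policy $RemediationPolicy -Overrides $ThreatOverrides
Get-RemediationPolicy | Format-List
```

Get-MpPreference reports the actions as their numeric enum values rather than the names passed in.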
IMPORTANT
Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation
requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all
additional remediation steps have been completed.
If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from
quarantine after the device reboots. See Restore quarantined files in Windows Defender Antivirus.
To avoid this problem in the future, you can exclude files from the scans. See Configure and validate exclusions for Windows
Defender Antivirus scans.
Also see Configure remediation-required scheduled full Windows Defender Antivirus scans for more remediation-related settings.
Related topics
Configure Windows Defender Antivirus scanning options
Configure scheduled Windows Defender Antivirus scans
Configure and run on-demand Windows Defender Antivirus scans
Configure the notifications that appear on endpoints
Configure end-user Windows Defender Antivirus interaction
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure scheduled quick or full Windows Defender
Antivirus scans
4/8/2019 • 6 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
NOTE
By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can override this default; see Manage the schedule for when protection updates should be downloaded and applied.
In addition to always-on real-time protection and on-demand scans, you can set up regular, scheduled scans.
You can configure the type of scan, when the scan should occur, and if the scan should occur after a protection
update or if the endpoint is being used. You can also specify when special scans to complete remediation should
occur.
This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can
also configure scheduled scans with System Center Configuration Manager or Microsoft Intune.
To configure the Group Policy settings described in this topic:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus and then the Location
specified in the table below.
5. Double-click the policy Setting as specified in the table below, and set the option to your desired
configuration. Click OK, and repeat for any other settings.
Also see the Manage when protection updates should be downloaded and applied and Prevent or allow users to
locally modify policy settings topics.
NOTE
By default, quick scans run on mounted removable devices, such as USB drives.
NOTE
If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event
1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan at the next
scheduled time.
Location: Scan | Setting: Specify the day of the week to run a scheduled scan | Description: Specify the day (or never) to run a scan. | Default setting (if not configured): Never
Set-MpPreference -ScanParameters
Set-MpPreference -ScanScheduleDay
Set-MpPreference -ScanScheduleTime
Set-MpPreference -RandomizeScheduleTaskTimes
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to schedule scans:
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources
Location: Scan | Setting: Start the scheduled scan only when computer is on but not in use | Description: Scheduled scans will not run unless the computer is on but not in use | Default setting (if not configured): Enabled
Set-MpPreference -ScanOnlyIfIdleEnabled
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI):
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources
Location: Remediation | Setting: Specify the day of the week to run a scheduled full scan to complete remediation | Description: Specify the day (or never) to run a scan. | Default setting (if not configured): Never
Set-MpPreference -RemediationScheduleDay
Set-MpPreference -RemediationScheduleTime
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI):
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources
Location: Scan | Setting: Specify the interval to run quick scans per day | Description: Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter 2; for once a day, enter 24. Enter 0 to never run a daily quick scan. | Default setting (if not configured): Never
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to schedule daily scans:
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources
Location: Signature updates | Setting: Turn on scan after Security intelligence update | Description: A scan will occur immediately after a new protection update is downloaded | Default setting (if not configured): Enabled
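The scheduling cmdlets listed in this topic, together with the Set method of MSFT_MpPreference, used to set a weekly full scan and then read the effective schedule back, as an added example (not code from the original topic); the days and times are assumptions, and the MSFT_MpPreference.Set argument names follow the WMIv2 provider reference:

```powershell
# Added example (not from the original page): apply the scheduled-scan
# settings from this topic with Set-MpPreference and through the Set method
# of the MSFT_MpPreference WMI class, then read the effective schedule back.
# The chosen days and times are assumptions for illustration.
#Requires -RunAsAdministrator

# Day values for -ScanScheduleDay / -RemediationScheduleDay:
# 0 = Everyday, 1 = Sunday ... 7 = Saturday, 8 = Never (the default).
$DayName = @{ 0='Everyday'; 1='Sunday'; 2='Monday'; 3='Tuesday'; 4='Wednesday'
              5='Thursday'; 6='Friday'; 7='Saturday'; 8='Never' }
# Scan type for -ScanParameters: 1 = Quick scan, 2 = Full scan.
$ScanTypeName = @{ 1='QuickScan'; 2='FullScan' }

function Set-WeeklyFullScanSchedule {
    param(
        [ValidateRange(0,8)][int]$Day = 7,        # Saturday
        [string]$Time = '02:00:00',               # local time of day
        [string]$RemediationTime = '03:00:00'     # remediation full scan, when one is required
    )
    Set-MpPreference -ScanParameters 2 `
                     -ScanScheduleDay $Day `
                     -ScanScheduleTime $Time `
                     -RandomizeScheduleTaskTimes $true `
                     -RemediationScheduleDay 0 `
                     -RemediationScheduleTime $RemediationTime `
                     -ErrorAction Stop
}

function Set-ScanOnlyWhenIdle {
    param([bool]$Enabled = $true)
    # Same setting as GP "Start the scheduled scan only when computer is on
    # but not in use", written here through the WMI class instead of the
    # cmdlet. MSFT_MpPreference.Set takes the property names as method
    # arguments (assumption based on the WMIv2 provider reference).
    $r = Invoke-CimMethod -Namespace 'root/Microsoft/Windows/Defender' `
                          -ClassName MSFT_MpPreference -MethodName Set `
                          -Arguments @{ ScanOnlyIfIdleEnabled = $Enabled }
    if ($r.ReturnValue -ne 0) { throw "MSFT_MpPreference.Set failed with $($r.ReturnValue)" }
}

function Get-EffectiveScanSchedule {
    # Read through WMI so the result reflects whatever policy source won.
    $p = Get-CimInstance -Namespace 'root/Microsoft/Windows/Defender' -ClassName MSFT_MpPreference
    [pscustomobject]@{
        ScanType        = $ScanTypeName[[int]$p.ScanParameters]
        ScheduledDay    = $DayName[[int]$p.ScanScheduleDay]
        ScheduledTime   = $p.ScanScheduleTime
        Randomized      = $p.RandomizeScheduleTaskTimes
        OnlyWhenIdle    = $p.ScanOnlyIfIdleEnabled
        RemediationDay  = $DayName[[int]$p.RemediationScheduleDay]
        RemediationTime = $p.RemediationScheduleTime
    }
}

Set-WeeklyFullScanSchedule -Day 7 -Time '02:00:00'
Set-ScanOnlyWhenIdle -Enabled $true
Get-EffectiveScanSchedule | Format-List
```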
Related topics
Prevent or allow users to locally modify policy settings
Configure and run on-demand Windows Defender Antivirus scans
Configure Windows Defender Antivirus scanning options
Manage Windows Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Windows Defender Antivirus in Windows 10
Configure and run on-demand Windows Defender
Antivirus scans
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define
parameters for the scan, such as the location or type.
NOTE
By default, quick scans run on mounted removable devices, such as USB drives.
See Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus for more
information on how to use the tool and additional parameters, including starting a full scan or defining paths.
Use Microsoft Intune to run a scan:
1. In Intune, go to Devices > All Devices and select the device you want to scan.
2. Select ...More and then select Quick Scan or Full Scan.
Use the Windows Security app to run a scan:
See Run a scan in the Windows Security app for instructions on running a scan on individual endpoints.
Use PowerShell cmdlets to run a scan:
Use the following cmdlet:
Start-MpScan
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to run a scan:
Use the Start method of the MSFT_MpScan class.
See the following for more information and allowed parameters:
Windows Defender WMIv2 APIs
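An on-demand scan started either with Start-MpScan or with the Start method of MSFT_MpScan, then confirmed to have completed, as an added example (not code from the original topic); the MSFT_MpScan.Start argument names are an assumption based on the WMIv2 reference:

```powershell
# Added example (not from the original page): start an on-demand scan with
# Start-MpScan or through the Start method of the MSFT_MpScan WMI class, then
# confirm from Get-MpComputerStatus that the scan actually completed. The
# MSFT_MpScan.Start argument names (ScanType, ScanPath) follow the WMIv2
# provider reference and are an assumption here.
#Requires -RunAsAdministrator

# ScanType values: 1 = QuickScan, 2 = FullScan, 3 = CustomScan (needs a path).
$ScanTypeId = @{ QuickScan = 1; FullScan = 2; CustomScan = 3 }

function Start-OnDemandScan {
    param(
        [ValidateSet('QuickScan','FullScan','CustomScan')][string]$Type = 'QuickScan',
        [string]$Path,
        [switch]$UseWmi
    )
    if ($Type -eq 'CustomScan' -and -not $Path) { throw 'CustomScan requires -Path' }
    if ($Path -and -not (Test-Path -LiteralPath $Path)) { throw "Path not found: $Path" }
    $started = Get-Date
    if ($UseWmi) {
        $arguments = @{ ScanType = [uint32]$ScanTypeId[$Type] }
        if ($Path) { $arguments.ScanPath = $Path }
        $r = Invoke-CimMethod -Namespace 'root/Microsoft/Windows/Defender' `
                              -ClassName MSFT_MpScan -MethodName Start -Arguments $arguments
        if ($r.ReturnValue -ne 0) { throw "MSFT_MpScan.Start returned $($r.ReturnValue)" }
    } else {
        # Start-MpScan blocks until the scan finishes (add -AsJob to background it).
        if ($Path) { Start-MpScan -ScanType $Type -ScanPath $Path -ErrorAction Stop }
        else       { Start-MpScan -ScanType $Type -ErrorAction Stop }
    }
    return $started
}

function Test-ScanCompleted {
    param([string]$Type, [datetime]$StartedAfter)
    # Quick and full scans record their end time in Get-MpComputerStatus;
    # custom scans do not, so for those only the detection records remain.
    $s = Get-MpComputerStatus
    switch ($Type) {
        'QuickScan' { return ($s.QuickScanEndTime -ge $StartedAfter) }
        'FullScan'  { return ($s.FullScanEndTime  -ge $StartedAfter) }
        default     { return $null }
    }
}

$t0 = Start-OnDemandScan -Type QuickScan
if (Test-ScanCompleted -Type QuickScan -StartedAfter $t0) {
    "Quick scan finished at $((Get-MpComputerStatus).QuickScanEndTime)"
} else {
    # Event 1002 in the Windows Defender operational log means the scan
    # stopped before completion.
    Write-Warning 'Quick scan end time was not updated; check the Windows Defender event log'
}
```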
Related topics
Configure Windows Defender Antivirus scanning options
Configure scheduled Windows Defender Antivirus scans
Windows Defender Antivirus in Windows 10
Review Windows Defender Antivirus scan results
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
After a Windows Defender Antivirus scan completes, whether it is an on-demand or scheduled scan, the results
are recorded and you can view them.
Use Microsoft Intune to review scan results:
1. In Intune, go to Devices > All Devices and select the device you want to scan.
2. Click the scan results in Device actions status.
Use Configuration Manager to review scan results:
See How to monitor Endpoint Protection status.
Use the Windows Security app to review scan results:
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Scan history
label.
Click See full history for any of the sections to see previous detections and the action taken. You can
also clear the list.
Information about the last scan is displayed at the bottom of the page.
Use PowerShell cmdlets to review scan results:
The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same threat,
each detection will be listed separately, based on the time of each detection:
Get-MpThreatDetection
You can specify -ThreatID to limit the output to only show the detections for a specific threat.
If you want to list threat detections, but combine detections of the same threat into a single item, you can use the
following cmdlet:
Get-MpThreat
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to review scan results:
Use the Get method of the MSFT_MpThreat and MSFT_MpThreatDetection classes.
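A triage script that joins the per-detection records from Get-MpThreatDetection with the per-threat records from Get-MpThreat on ThreatID and flags detections whose remediation did not succeed, as an added example (not code from the original topic); the severity and status labels are assumptions taken from the WMIv2 provider documentation:

```powershell
# Added example (not from the original page): triage recorded scan results by
# joining Get-MpThreatDetection (one record per detection) with Get-MpThreat
# (one record per threat) on ThreatID, and flag detections whose remediation
# did not succeed. The severity and status labels are assumptions from the
# WMIv2 provider documentation; unknown values are shown as their raw number.
$SeverityName = @{ 0='Unknown'; 1='Low'; 2='Moderate'; 4='High'; 5='Severe' }
$StatusName   = @{ 1='Detected'; 2='Cleaned'; 3='Quarantined'; 4='Removed'
                   5='Allowed'; 6='Blocked'; 102='QuarantineFailed'
                   103='RemoveFailed'; 104='CleanFailed'; 105='AllowFailed' }

function Get-ThreatTriage {
    param([datetime]$Since = (Get-Date).AddDays(-7), [long]$ThreatID)
    # Index threats by ID so each detection can be labelled with its name.
    $threats = @{}
    foreach ($t in Get-MpThreat) { $threats[[long]$t.ThreatID] = $t }

    # -ThreatID narrows the output to one threat, as the topic describes.
    $detections = if ($PSBoundParameters.ContainsKey('ThreatID')) {
        Get-MpThreatDetection -ThreatID $ThreatID
    } else { Get-MpThreatDetection }

    foreach ($d in ($detections | Where-Object { $_.InitialDetectionTime -ge $Since })) {
        $t = $threats[[long]$d.ThreatID]
        $status = [int]$d.ThreatStatusID
        $name = if ($t) { $t.ThreatName } else { '(not listed by Get-MpThreat)' }
        $sev  = if ($t) { $SeverityName[[int]$t.SeverityID] } else { $null }
        $stat = if ($StatusName.ContainsKey($status)) { $StatusName[$status] } else { $status }
        [pscustomobject]@{
            Detected   = $d.InitialDetectionTime
            ThreatID   = $d.ThreatID
            ThreatName = $name
            Severity   = $sev
            Status     = $stat
            Succeeded  = $d.ActionSuccess
            Process    = $d.ProcessName
            Resources  = ($d.Resources -join '; ')
        }
    }
}

function Get-FailedRemediations {
    # Detections that still need attention: the action failed or the status
    # records a failed remediation.
    Get-ThreatTriage | Where-Object { -not $_.Succeeded -or "$($_.Status)" -like '*Failed' }
}

Get-ThreatTriage | Sort-Object Detected -Descending | Format-Table -AutoSize
Get-FailedRemediations | Format-Table -AutoSize
```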
Related topics
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Run and review the results of a Windows Defender
Offline scan
4/5/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted
environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to
bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
You can use Windows Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean
of the endpoint after a malware outbreak.
In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Security app. In
previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the
endpoint, and load the bootable media.
NOTE
Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
NOTE
Before running an offline scan, you should attempt to update Windows Defender AV protection. You can either force an
update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install
the latest protection updates from the Microsoft Malware Protection Center.
See the Manage Windows Defender Antivirus Security intelligence updates topic for more information.
Usage scenarios
In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender
determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint.
The need to perform an offline scan will also be revealed in System Center Configuration Manager if you're using it
to manage your endpoints.
The prompt can occur via a notification, similar to the following:
The user will also be notified within the Windows Defender client:
In Configuration Manager, you can identify the status of endpoints by navigating to Monitoring > Overview >
Security > Endpoint Protection Status > System Center Endpoint Protection Status.
Windows Defender Offline scans are indicated under Malware remediation status as Offline scan required.
Configure notifications
Windows Defender Offline notifications are configured in the same policy setting as other Windows Defender AV
notifications.
For more information about notifications in Windows Defender, see the Configure the notifications that appear on
endpoints topic.
Run a scan
IMPORTANT
Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows
Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is
performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan
performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
You can run a Windows Defender Offline scan with the following:
PowerShell
Windows Management Instrumentation (WMI)
The Windows Security app
Use PowerShell cmdlets to run an offline scan:
Use the following cmdlets:
Start-MpWDOScan
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to run an offline scan:
Use the MSFT_MpWDOScan class to run an offline scan.
The following WMI script snippet will immediately run a Windows Defender Offline scan, which will cause the
endpoint to restart, run the offline scan, and then restart and boot into Windows.
Related topics
Customize, initiate, and review the results of scans and remediation
Windows Defender Antivirus in Windows 10
Restore quarantined files in Windows Defender AV
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender
Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
1. Open Windows Security.
2. Click Virus & threat protection and then click Threat History.
3. Under Quarantined threats, click See full history.
4. Click an item you want to keep, then click Restore. (If you prefer to remove the item, you can click Remove.)
Related topics
Configure remediation for scans
Review scan results
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Configure Windows Defender Antivirus exclusions on Windows Server
Manage Windows Defender Antivirus in your business
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can manage and configure Windows Defender Antivirus with the following tools:
Microsoft Intune
System Center Configuration Manager
Group Policy
PowerShell cmdlets
Windows Management Instrumentation (WMI)
The mpcmdrun.exe utility
The topics in this section provide further information, links, and resources for using these tools to manage and
configure Windows Defender Antivirus.
In this section
TOPIC | DESCRIPTION
--- | ---
Manage Windows Defender Antivirus with Microsoft Intune and System Center Configuration Manager | Information about using Intune and System Center Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus
Manage Windows Defender Antivirus with Group Policy settings | List of all Group Policy settings located in ADMX templates
Manage Windows Defender Antivirus with PowerShell cmdlets | Instructions for using PowerShell cmdlets to manage Windows Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters
Manage Windows Defender Antivirus with Windows Management Instrumentation (WMI) | Instructions for using WMI to manage Windows Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)
Manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool | Instructions on using the dedicated command-line tool to manage and use Windows Defender Antivirus
Use Group Policy settings to configure and manage
Windows Defender Antivirus
4/5/2019 • 8 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can use Group Policy to configure and manage Windows Defender Antivirus on your endpoints.
In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy
settings:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object (GPO) you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus.
5. Expand the section (referred to as Location in the table in this topic) that contains the setting you want to
configure, double-click the setting to open it, and make configuration changes.
6. Deploy the updated GPO as you normally do.
The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides
links to the appropriate topic in this documentation library (where applicable).
LOCATION | SETTING | DOCUMENTED IN TOPIC
--- | --- | ---
Client interface | Enable headless UI mode | Prevent users from seeing or interacting with the Windows Defender Antivirus user interface
Client interface | Display additional text to clients when they need to perform an action | Configure the notifications that appear on endpoints
Client interface | Suppress all notifications | Configure the notifications that appear on endpoints
Client interface | Suppresses reboot notifications | Configure the notifications that appear on endpoints
MAPS | Configure the 'Block at First Sight' feature | Enable block at first sight
MAPS | Send file samples when further analysis is required | Enable cloud-delivered protection
MAPS | Configure local setting override for reporting to Microsoft MAPS | Prevent or allow users to locally modify policy settings
MpEngine | Configure extended cloud check | Configure the cloud block timeout period
Network inspection system | Specify additional definition sets for network traffic inspection | Not used
Quarantine | Configure local setting override for the removal of items from Quarantine folder | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for monitoring file and program activity on your computer | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for scanning all downloaded files and attachments | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for turn on behavior monitoring | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override to turn on real-time protection | Prevent or allow users to locally modify policy settings
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Monitor file and program activity on your computer | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Scan all downloaded files and attachments | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn off real-time protection | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on process scanning whenever real-time protection is enabled | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on raw volume write notifications | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | Prevent or allow users to locally modify policy settings
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Configure scheduled Windows Defender Antivirus scans
Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Configure scheduled Windows Defender Antivirus scans
Reporting | Turn off enhanced notifications | Configure the notifications that appear on endpoints
Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to Not configured to ensure any installed third-party antivirus apps work correctly)
Root | Configure local administrator merge behavior for lists | Prevent or allow users to locally modify policy settings
Root | Randomize scheduled task times | Configure scheduled scans for Windows Defender Antivirus
Scan | Allow users to pause scan | Prevent users from seeing or interacting with the Windows Defender Antivirus user interface
Scan | Check for the latest virus and spyware definitions before running a scheduled scan | Manage event-based forced updates
Scan | Define the number of days after which a catch-up scan is forced | Manage updates for endpoints that are out of date
Scan | Turn on catch up full scan | Manage updates for endpoints that are out of date
Scan | Turn on catch up quick scan | Manage updates for endpoints that are out of date
Scan | Configure local setting override for maximum percentage of CPU utilization | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for schedule scan day | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for scheduled quick scan time | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for scheduled scan time | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for the scan type to use for a scheduled scan | Prevent or allow users to locally modify policy settings
Scan | Turn on removal of items from scan history folder | Configure remediation for Windows Defender Antivirus scans
Scan | Run full scan on mapped network drives | Configure scanning options in Windows Defender Antivirus
Scan | Specify the maximum depth to scan archive files | Configure scanning options in Windows Defender Antivirus
Scan | Specify the maximum size of archive files to be scanned | Configure scanning options in Windows Defender Antivirus
Scan | Specify the day of the week to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the interval to run quick scans per day | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the scan type to use for a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the time for a daily quick scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the time of day to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Start the scheduled scan only when computer is on but not in use | Configure scheduled scans for Windows Defender Antivirus
Security intelligence updates | Allow definition updates from Microsoft Update | Manage updates for mobile devices and virtual machines (VMs)
Security intelligence updates | Allow definition updates when running on battery power | Manage updates for mobile devices and virtual machines (VMs)
Security intelligence updates | Allow notifications to disable definitions based reports to Microsoft MAPS | Manage event-based forced updates
Security intelligence updates | Allow real-time definition updates based on reports to Microsoft MAPS | Manage event-based forced updates
Security intelligence updates | Check for the latest virus and spyware definitions on startup | Manage event-based forced updates
Security intelligence updates | Define file shares for downloading definition updates | Manage Windows Defender Antivirus protection and definition updates
Security intelligence updates | Define the number of days after which a catch up definition update is required | Manage updates for endpoints that are out of date
Security intelligence updates | Define the number of days before spyware definitions are considered out of date | Manage updates for endpoints that are out of date
Security intelligence updates | Define the number of days before virus definitions are considered out of date | Manage updates for endpoints that are out of date
Security intelligence updates | Define the order of sources for downloading definition updates | Manage Windows Defender Antivirus protection and definition updates
Security intelligence updates | Initiate definition update on startup | Manage event-based forced updates
Security intelligence updates | Specify the day of the week to check for definition updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Specify the interval to check for definition updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Specify the time to check for definition updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Turn on scan after Security intelligence update | Configure scheduled scans for Windows Defender Antivirus
Threats | Specify threat alert levels at which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans
Threats | Specify threats upon which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use System Center Configuration Manager and
Microsoft Intune to configure and manage Windows
Defender Antivirus
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your
network, you can also use them to manage Windows Defender Antivirus scans.
In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used
by Windows Defender Antivirus.
See the Endpoint Protection library on docs.microsoft.com for information on using Configuration Manager.
For Microsoft Intune, consult the Microsoft Intune library and Configure device restriction settings in Intune.
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use PowerShell cmdlets to configure and manage
Windows Defender Antivirus
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or
command line, PowerShell is a task-based command-line shell and scripting language designed especially for
system administration, and you can read more about it at the PowerShell hub on MSDN.
For a list of the cmdlets and their functions and available parameters, see the Defender cmdlets topic.
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface
(GUI) to configure software.
NOTE
PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as System
Center Configuration Manager, Group Policy Management Console, or Windows Defender Antivirus Group Policy ADMX
templates.
Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made.
This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft
Intune can overwrite changes made with PowerShell.
You can configure which settings can be overridden locally with local policy overrides.
PowerShell is typically installed under the folder %SystemRoot%\system32\WindowsPowerShell.
Use Windows Defender Antivirus PowerShell cmdlets:
1. Click Start, type powershell, and press Enter.
2. Click Windows PowerShell to open the interface.
3. Enter the command and parameters.
NOTE
You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click Run as
administrator and click Yes at the permissions prompt.
To open online help for any of the cmdlets type the following:
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use Windows Management Instrumentation (WMI) to
configure and manage Windows Defender Antivirus
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and
update settings.
Read more about WMI at the Microsoft Developer Network System Administration library.
Windows Defender Antivirus has a number of specific WMI classes that can be used to perform most of the same
functions as Group Policy and other management tools. Many of the classes are analogous to Defender PowerShell
cmdlets.
The MSDN Windows Defender WMIv2 Provider reference library lists the available WMI classes for Windows
Defender Antivirus, and includes example scripts.
Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This
means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune
can overwrite changes made with WMI.
You can configure which settings can be overridden locally with local policy overrides.
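The following is an added example, not part of the original topic or of Microsoft's own samples, showing the WMIv2 provider driven from PowerShell with the CIM cmdlets. The namespace (root/Microsoft/Windows/Defender) and the class names MSFT_MpComputerStatus and MSFT_MpPreference are the documented ones; the function names are mine, and the Set call assumes the static Set method takes property names of MSFT_MpPreference as its arguments, which is how the analogy to Set-MpPreference works.

```powershell
# Added example: read and change Windows Defender Antivirus settings through the
# WMIv2 provider using the CIM cmdlets. Requires an elevated session for Set.
$ns = 'root/Microsoft/Windows/Defender'

function Get-WdavStatusViaWmi {
    # MSFT_MpComputerStatus is read-only: engine/signature state, real-time protection, last scans.
    $s = Get-CimInstance -Namespace $ns -ClassName MSFT_MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignatureVersion   = $s.AntivirusSignatureVersion
        SignatureAgeDays   = $s.AntivirusSignatureAge
        LastQuickScan      = $s.QuickScanEndTime
    }
}

function Get-WdavPreferenceViaWmi {
    # MSFT_MpPreference carries the same properties the Defender cmdlets expose.
    Get-CimInstance -Namespace $ns -ClassName MSFT_MpPreference |
        Select-Object DisableRealtimeMonitoring, ExclusionPath, ExclusionExtension, ExclusionProcess
}

function Set-WdavPreferenceViaWmi {
    # Equivalent of Set-MpPreference -<Name> <Value>: a static Set() call whose
    # argument names are MSFT_MpPreference property names (assumption stated in the lead-in).
    param([Parameter(Mandatory)][hashtable]$Settings)
    $r = Invoke-CimMethod -Namespace $ns -ClassName MSFT_MpPreference -MethodName Set -Arguments $Settings
    if ($r.ReturnValue -ne 0) { throw "Set failed with HRESULT 0x$('{0:X8}' -f $r.ReturnValue)" }
}

# Usage: inspect, then make sure real-time protection is on.
Get-WdavStatusViaWmi
Get-WdavPreferenceViaWmi
Set-WdavPreferenceViaWmi -Settings @{ DisableRealtimeMonitoring = $false }
```

As the topic notes, a later Group Policy, Configuration Manager or Intune refresh can overwrite what Set writes here, so treat this as a local change and check it again after the next policy cycle.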
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Configure and manage Windows Defender Antivirus
with the mpcmdrun.exe command-line tool
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can perform various Windows Defender Antivirus functions with the dedicated command-line tool
mpcmdrun.exe.
This utility can be useful when you want to automate Windows Defender Antivirus use.
You can find the utility in %ProgramFiles%\Windows Defender\MpCmdRun.exe. You must run it from a command
prompt.
NOTE
You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click
Run as administrator and click Yes at the permissions prompt.
COMMAND | DESCRIPTION
-Restore [-ListAll | [[-Name <name>] [-All] | [-FilePath <filePath>]] [-Path <path>]] | Restores or lists quarantined item(s)
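The following is an added example, not part of the original topic, that drives the documented -Restore switch of MpCmdRun.exe from PowerShell with the elevation check the note above asks for and the tool's exit code surfaced. The path under %ProgramFiles% is the one the topic gives; the function names and the threat name used in the usage line are illustrative.

```powershell
# Added example: wrap MpCmdRun.exe -Restore so scripts cannot silently ignore a failure.
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Run as administrator) PowerShell session.'
    }
}

function Invoke-MpCmdRun {
    # Runs MpCmdRun.exe with the given arguments and returns its text output;
    # throws on a non-zero exit code.
    param([Parameter(Mandatory)][string[]]$Arguments)
    Assert-Elevated
    if (-not (Test-Path -LiteralPath $MpCmdRun)) { throw "MpCmdRun.exe not found at $MpCmdRun" }
    $out = & $MpCmdRun @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "MpCmdRun exited with $LASTEXITCODE`n$($out -join "`n")" }
    $out
}

function Get-QuarantinedItems {
    # -Restore -ListAll: enumerate what is currently held in quarantine.
    Invoke-MpCmdRun -Arguments @('-Restore', '-ListAll')
}

function Restore-QuarantinedItemByName {
    # -Restore -Name <name> [-Path <path>]: put the item(s) detected under that threat
    # name back, optionally into a different folder than the original location.
    param([Parameter(Mandatory)][string]$ThreatName, [string]$Destination)
    $argList = @('-Restore', '-Name', $ThreatName)
    if ($Destination) {
        if (-not (Test-Path -LiteralPath $Destination -PathType Container)) {
            throw "Destination folder $Destination does not exist"
        }
        $argList += @('-Path', $Destination)
    }
    Invoke-MpCmdRun -Arguments $argList
}

function Restore-QuarantinedItemByFilePath {
    # -Restore -FilePath <filePath>: restore one specific quarantined file.
    param([Parameter(Mandatory)][string]$OriginalPath)
    Invoke-MpCmdRun -Arguments @('-Restore', '-FilePath', $OriginalPath)
}

# Usage (the threat name is the one Windows Defender AV reports for the EICAR test file):
Get-QuarantinedItems
# Restore-QuarantinedItemByName -ThreatName 'Virus:DOS/EICAR_Test_File' -Destination 'C:\Restored'
```

Restoring into a separate folder rather than the original location keeps a restored false positive out of any path that is executed automatically while you confirm it is benign.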
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Customize, initiate, and review the results of
Windows Defender Antivirus scans and remediation
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure
Windows Defender Antivirus scans.
In this section
TOPIC | DESCRIPTION
Configure and validate file, folder, and process-opened file exclusions in Windows Defender Antivirus scans | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
Configure Windows Defender Antivirus scanning options | You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
Configure remediation for scans | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
Configure scheduled scans | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
Configure and run scans | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
Review scan results | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app
Configure and validate exclusions for Windows
Defender Antivirus scans
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus
scans.
The exclusions apply to scheduled scans, on-demand scans, and always-on real-time protection and
monitoring. Exclusions for process-opened files only apply to real-time protection.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your
organization.
Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See
the Windows Defender Antivirus exclusions on Windows Server 2016 topic for more information and a list of
the automatic exclusions.
WARNING
Defining exclusions lowers the protection offered by Windows Defender Antivirus. You should always evaluate the risks
that are associated with implementing exclusions, and you should only exclude files that you are confident are not
malicious.
In this section
TOPIC | DESCRIPTION
Configure and validate exclusions based on file name, extension, and folder location | Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location
Configure and validate exclusions for files opened by processes | Exclude files from scans that have been opened by a specific process
Configure Windows Defender Antivirus exclusions on Windows Server | Windows Server 2016 includes automatic exclusions, based on the defined server role. You can also add custom exclusions.
Configure and validate exclusions based on file extension and
folder location
5/3/2019 • 10 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IMPORTANT
Windows Defender Advanced Threat Protection does not adhere to Windows Defender Antivirus exclusion settings. This means that any
Windows Defender exclusions, no matter how you created them, are not applied by Windows Defender ATP.
You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists.
Generally, you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions based on
known operating system behaviors and typical management files, such as those used in enterprise management, database
management, and other enterprise scenarios and situations.
NOTE
Automatic exclusions apply only to Windows Server 2016 and above.
TIP
The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
This topic describes how to configure exclusion lists for the following:
EXCLUSION | EXAMPLE | EXCLUSION LIST
Any file with a specific extension | All files with the .test extension, anywhere on the machine | Extension exclusions
Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions
A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions
A specific process | The executable file c:\test\process.exe | File and folder exclusions
IMPORTANT
The use of wildcards such as the asterisk (*) will alter how the exclusion rules are interpreted. See the Use wildcards in the file name and folder
path or extension exclusion lists section for important information about how wildcards work.
You cannot exclude mapped network drives. You must specify the actual network path.
Folders that are reparse points that are created after the Windows Defender Antivirus service starts and that have been added to the exclusion
list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
To exclude files opened by a specific process, see Configure and validate exclusions for files opened by processes.
The exclusions apply to scheduled scans, on-demand scans, and real-time protection.
IMPORTANT
Exclusion list changes made with Group Policy will show in the lists in the Windows Security app.
Changes made in the Windows Security app will not show in the Group Policy lists.
By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and
WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy
lists will take precedence in case of conflicts.
You can configure how locally and globally defined exclusions lists are merged to allow local changes to override managed
deployment settings.
NOTE
If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories
under that folder are excluded.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy
Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click the Path Exclusions setting and add the exclusions:
a. Set the option to Enabled.
b. Under the Options section, click Show....
c. Enter each folder on its own line under the Value name column. If you are entering a file, ensure you enter a fully
qualified path to the file, including the drive letter, folder path, filename, and extension. Enter 0 in the Value column.
5. Click OK.
6. Double-click the Extension Exclusions setting and add the exclusions:
a. Set the option to Enabled.
b. Under the Options section, click Show....
c. Enter each file extension on its own line under the Value name column. Enter 0 in the Value column.
7. Click OK.
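Once the Group Policy above has applied, it is worth confirming that the policy-delivered lists and the lists the endpoint actually enforces agree, and spotting anything that was added locally. The following is an added example, not part of the original topic. It assumes the ADMX Path Exclusions and Extension Exclusions settings are written under HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths and \Extensions (and process exclusions under \Processes), one registry value per item whose name is the exclusion and whose data is 0, matching steps 4c and 6c; the function names are mine.

```powershell
# Added example: compare policy-delivered exclusions with the effective lists on the endpoint.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'

function Get-PolicyExclusions {
    # Returns the items a policy key carries; value names are the exclusions (assumed layout).
    param([Parameter(Mandatory)][ValidateSet('Paths','Extensions','Processes')][string]$Kind)
    $key = Join-Path $PolicyRoot $Kind
    if (-not (Test-Path $key)) { return @() }
    (Get-Item $key).GetValueNames() | Where-Object { $_ -ne '' }
}

function Compare-WdavExclusions {
    # One row per exclusion, saying whether it came from policy, was added locally, or both.
    $pref = Get-MpPreference
    $map = @{
        Paths      = @{ Policy = Get-PolicyExclusions Paths;      Effective = @($pref.ExclusionPath) }
        Extensions = @{ Policy = Get-PolicyExclusions Extensions; Effective = @($pref.ExclusionExtension) }
        Processes  = @{ Policy = Get-PolicyExclusions Processes;  Effective = @($pref.ExclusionProcess) }
    }
    foreach ($kind in $map.Keys) {
        $policy    = @($map[$kind].Policy)    | Where-Object { $_ }
        $effective = @($map[$kind].Effective) | Where-Object { $_ }
        foreach ($item in ($policy + $effective | Sort-Object -Unique)) {
            [pscustomobject]@{
                Kind       = $kind
                Exclusion  = $item
                FromPolicy = $policy    -contains $item
                Effective  = $effective -contains $item
                # Effective but not from policy: a local addition (PowerShell, WMI or the
                # Windows Security app) that the merge behaviour described below kept. Review these.
                LocalOnly  = ($effective -contains $item) -and -not ($policy -contains $item)
            }
        }
    }
}

Compare-WdavExclusions | Format-Table -AutoSize
```

Because local changes are merged with the managed lists by default, the LocalOnly column is the one to watch: an exclusion that only exists locally is either an unapproved tweak or something an attacker with administrator rights added to keep a path out of scanning.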
Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:
Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of
three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the Defender module.
Each cmdlet takes the exclusion list parameter followed by the item or items to exclude (the snippet below shows one instance). The parameters are:
EXCLUSION | POWERSHELL PARAMETER
Any file with a specific extension | -ExclusionExtension
All files under a folder (including files in subdirectories), or a specific file | -ExclusionPath
IMPORTANT
If you have created a list, either with Set-MpPreference or Add-MpPreference , using the Set-MpPreference cmdlet again will overwrite the
existing list.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the .test file extension:
Add-MpPreference -ExclusionExtension ".test"
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how
to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to configure file name, folder, or file extension exclusions:
Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following properties:
ExclusionExtension
ExclusionPath
The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference , Add-MpPreference , and
Remove-MpPreference .
Use wildcards in the file name and folder path or extension exclusion lists
You can use the asterisk * , question mark ? , or environment variables (such as %ALLUSERSPROFILE% ) as wildcards when defining
items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in
other apps and languages, so you should read this section to understand their specific limitations.
IMPORTANT
There are key limitations and usage scenarios for these wildcards:
Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
You cannot use a wildcard in place of a drive letter.
An asterisk * in a folder exclusion will stand in place for a single folder. Use multiple instances of \*\ to indicate multiple nested folders
with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
WILDCARD | USE IN FILE AND FILE EXTENSION EXCLUSIONS | USE IN FOLDER EXCLUSIONS | EXAMPLE USE | EXAMPLE MATCHES
* (asterisk) | See the limitations above | Stands in place for a single folder; use multiple instances of \*\ to indicate multiple nested folders with unspecified names | See the limitations above | C:\Serv\Primary\Denied\Backup and its subfolders; C:\Serv\Secondary\Allowed\Backup and its subfolders
? (question mark) | Replaces a single character. Only applies to files in the last folder defined in the argument. | Replaces a single character in a folder name. After matching to the number of wildcarded and named folders, all subfolders will also be included. | 1. C:\MyData\my?.zip 2. C:\somepath\?\Data 3. C:\somepath\test0?\Data | 1. C:\MyData\my1.zip 2. Any file in C:\somepath\P\Data and its subfolders 3. Any file in C:\somepath\test01\Data and its subfolders
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated. | Same as file and extension use. | 1. %ALLUSERSPROFILE%\CustomLogFiles | 1. C:\ProgramData\CustomLogFiles\Folder
IMPORTANT
If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will
not look for file matches in any subfolders.
For example, you can exclude all files that start with "date" in the folders c:\data\final\marked and c:\data\review\marked by using the rule
argument c:\data\*\marked\date*.*.
This argument, however, will not match any files in subfolders under c:\data\final\marked or c:\data\review\marked.
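The following is an added example, not part of the original topic: a small checker that applies the wildcard rules described above to a candidate path, so you can predict what an exclusion string will cover before deploying it. It models only the rules stated here (one folder per asterisk, one character per question mark, environment-variable expansion, no wildcard in place of the drive letter, a file argument matching at its own depth only) and is not the engine. Two assumptions are mine: it decides file-versus-folder by whether the last segment contains a dot, where the real engine looks at the item on disk, and the pattern C:\Serv\*\*\Backup is assumed in order to reproduce the example matches in the table, since the table's own pattern cell did not survive.

```powershell
# Added example: predict whether a path falls under an exclusion string, per the rules above.
function ConvertTo-SegmentRegex {
    param([Parameter(Mandatory)][string]$Segment)
    $r = [regex]::Escape($Segment)
    $r = $r -replace '\\\*', '[^\\]*'   # * : any run of characters, never across a backslash
    $r = $r -replace '\\\?', '[^\\]'    # ? : exactly one character
    "^$r$"
}

function Test-WdavExclusionMatch {
    param(
        [Parameter(Mandatory)][string]$Exclusion,
        [Parameter(Mandatory)][string]$Path
    )
    # Environment variables are expanded first (machine variables / SYSTEM context).
    $expanded = [Environment]::ExpandEnvironmentVariables($Exclusion)
    $patSegs  = $expanded.TrimEnd('\') -split '\\'
    $pathSegs = $Path.TrimEnd('\')     -split '\\'

    if ($patSegs[0] -match '[*?]') { throw "A wildcard cannot stand in for the drive letter: $Exclusion" }

    # Assumption: a last segment with a dot is a file pattern, anything else a folder pattern.
    $isFilePattern = $patSegs[-1].Contains('.')
    if ($isFilePattern) {
        # A file argument stops at that depth: no matches in subfolders of the matched folder.
        if ($pathSegs.Count -ne $patSegs.Count) { return $false }
    } elseif ($pathSegs.Count -lt $patSegs.Count) {
        # A folder argument covers the folder itself and everything beneath it.
        return $false
    }
    for ($i = 0; $i -lt $patSegs.Count; $i++) {
        if ($pathSegs[$i] -notmatch (ConvertTo-SegmentRegex $patSegs[$i])) { return $false }
    }
    $true
}

# Constructed checks built from the examples in this topic (plus the assumed C:\Serv pattern).
$cases = @(
    @{ Exclusion = 'C:\MyData\my?.zip';        Path = 'C:\MyData\my1.zip';                     Expect = $true  },
    @{ Exclusion = 'C:\MyData\my?.zip';        Path = 'C:\MyData\my12.zip';                    Expect = $false },
    @{ Exclusion = 'C:\somepath\?\Data';       Path = 'C:\somepath\P\Data\report.txt';         Expect = $true  },
    @{ Exclusion = 'C:\somepath\test0?\Data';  Path = 'C:\somepath\test01\Data\sub\x.log';     Expect = $true  },
    @{ Exclusion = 'c:\data\*\marked\date*.*'; Path = 'c:\data\final\marked\date2019.log';     Expect = $true  },
    @{ Exclusion = 'c:\data\*\marked\date*.*'; Path = 'c:\data\final\marked\sub\date2019.log'; Expect = $false },
    @{ Exclusion = 'C:\Serv\*\*\Backup';       Path = 'C:\Serv\Primary\Denied\Backup\x.bak';   Expect = $true  },
    @{ Exclusion = 'C:\Serv\*\*\Backup';       Path = 'C:\Serv\Primary\Backup\x.bak';          Expect = $false }
)
foreach ($c in $cases) {
    $got = Test-WdavExclusionMatch -Exclusion $c.Exclusion -Path $c.Path
    [pscustomobject]@{ Exclusion = $c.Exclusion; Path = $c.Path; Matches = $got; AsDocumented = ($got -eq $c.Expect) }
}
```

The two c:\data\*\marked\date*.* cases are the point of the IMPORTANT note above: the same string covers date2019.log in the marked folder but not in a subfolder of it. Run any exclusion you intend to deploy through a checker like this, and then confirm it on a real endpoint with the validation steps that follow.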
IMPORTANT
Exclusion list changes made with Group Policy will show in the lists in the Windows Security app.
Changes made in the Windows Security app will not show in the Group Policy lists.
If you use PowerShell, you can retrieve the list in two ways:
Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the
items within each list will be combined into the same line.
Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of
Add-MpPreference is written to a new line.
NOTE
Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:
Use the following cmdlet:
Get-MpPreference
In the following example, the items contained in the ExclusionExtension list are highlighted:
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how
to use PowerShell with Windows Defender Antivirus.
Retrieve a specific exclusions list by using PowerShell:
Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever label you want to name
the variable:
$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionExtension
$WDAVprefs.ExclusionPath
In the following example, the list is split into new lines for each use of the Add-MpPreference cmdlet:
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how
to use PowerShell with Windows Defender Antivirus.
If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded
file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the
EICAR testfile website.
You can also download the test file with PowerShell, either with the Invoke-WebRequest cmdlet or by calling the .NET WebClient class; save it to a path that conforms to the rule you are validating (for example, c:\test.txt).
If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the
following PowerShell command:
[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to
exclude.
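The following is an added example, not part of the original topic, that automates the offline method above: it writes the EICAR string to the path you are trying to exclude, waits, and then reports both what happened to the file and whether the Defender cmdlets recorded a detection for it. Get-MpThreatDetection and its InitialDetectionTime and Resources properties are part of the Defender module; the assumption that Resources entries contain the detected path as a substring (for example in the form file:_C:\path) is mine, so the match is a substring match. The function name is mine.

```powershell
# Added example: validate an exclusion with the EICAR test string and the Defender cmdlets.
function Test-WdavExclusionWithEicar {
    param(
        [Parameter(Mandatory)][string]$TargetPath,
        [int]$WaitSeconds = 15
    )
    # The EICAR test string exactly as published; it must reach disk byte-for-byte (ASCII, no BOM).
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    $folder = Split-Path -Parent $TargetPath
    if (-not (Test-Path -LiteralPath $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

    $start = Get-Date
    $writeBlocked = $false
    try {
        [IO.File]::WriteAllText($TargetPath, $eicar, [Text.Encoding]::ASCII)
    } catch {
        # Real-time protection can refuse the write outright when the path is not excluded.
        $writeBlocked = $true
    }
    Start-Sleep -Seconds $WaitSeconds

    $survived = (-not $writeBlocked) -and (Test-Path -LiteralPath $TargetPath)
    $hits = @(Get-MpThreatDetection -ErrorAction SilentlyContinue | Where-Object {
        $_.InitialDetectionTime -ge $start.AddSeconds(-5) -and
        (($_.Resources -join ';') -like "*$TargetPath*")
    })

    [pscustomobject]@{
        Path           = $TargetPath
        FileSurvived   = $survived
        Detections     = $hits.Count
        # The topic's test: no malware report and the file still present means the exclusion works.
        ExclusionWorks = $survived -and ($hits.Count -eq 0)
    }
}

# Usage: one path inside the exclusion you configured, one control path outside it.
# Only the first should report ExclusionWorks = True; the control should be detected.
Test-WdavExclusionWithEicar -TargetPath 'C:\test\sample\eicar.test'
Test-WdavExclusionWithEicar -TargetPath "$env:TEMP\eicar-control.txt"
```

Always run the control case as well: a result of ExclusionWorks = True on both paths means real-time protection itself is off or broken, not that your exclusion is scoped correctly.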
Related topics
Configure and validate exclusions in Windows Defender Antivirus scans
Configure and validate exclusions for files opened by processes
Configure Windows Defender Antivirus exclusions on Windows Server
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure exclusions for files opened by processes
4/5/2019 • 6 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans.
This topic describes how to configure exclusion lists for the following:
EXCLUSION | EXAMPLE
Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by: c:\sample\test.exe; d:\internal\files\test.exe
Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\*" would exclude files opened by: c:\test\sample\test.exe; c:\test\sample\test2.exe; c:\test\sample\utility.exe
Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe
When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by
that process, no matter where the files are located. The process itself, however, will be scanned unless it has also
been added to the file exclusion list.
The exclusions only apply to always-on real-time protection and monitoring. They don't apply to scheduled or
on-demand scans.
Changes made with Group Policy to the exclusion lists will show in the lists in the Windows Security app.
However, changes made in the Windows Security app will not show in the Group Policy lists.
You can add, remove, and review the lists for exclusions in Group Policy, System Center Configuration Manager,
Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists.
You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists.
By default, local changes made to the lists (by users with administrator privileges; this includes changes made
with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy,
Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
You can configure how locally and globally defined exclusions lists are merged to allow local changes to override
managed deployment settings.
Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets (Set-MpPreference, Add-MpPreference, and Remove-MpPreference) with the -ExclusionProcess parameter. The cmdlets are all in the Defender module.
Each cmdlet takes the -ExclusionProcess parameter followed by the process name or path to exclude.
IMPORTANT
If you have created a list, either with Set-MpPreference or Add-MpPreference, using the Set-MpPreference cmdlet again will overwrite the existing list.
For example, passing a process path to Add-MpPreference -ExclusionProcess causes Windows Defender AV scans to exclude any file that is opened by that process.
Use Windows Management Instrumentation (WMI) to exclude files that have been opened by specified processes from scans:
Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following property:
ExclusionProcess
The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference, Add-MpPreference, and Remove-MpPreference.
Use wildcards in the process exclusion list:
WILDCARD | USE | EXAMPLE USE | EXAMPLE MATCHES
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | %ALLUSERSPROFILE%\CustomLogFiles\file.exe | Any file opened by C:\ProgramData\CustomLogFiles\file.exe
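The following is an added example, not part of the original topics, that serves both the file, folder and extension topic above and this process topic: the Add / Remove / Set pattern for all three exclusion lists, written so the Set-overwrite hazard flagged in the IMPORTANT notes cannot bite, plus the WMI equivalent of one Add call. The Defender module cmdlets and the MSFT_MpPreference class are real; the paths and names (c:\test\sample, .test, c:\test\process.exe) are the examples the topics use, and the function names are mine.

```powershell
# Added example: idempotent exclusion management across the Path, Extension and Process lists.
function Add-WdavExclusionSafely {
    # Add-MpPreference appends to the list; Set-MpPreference would replace the whole list.
    param(
        [Parameter(Mandatory)][ValidateSet('Path','Extension','Process')][string]$Kind,
        [Parameter(Mandatory)][string[]]$Items
    )
    $pref = Get-MpPreference
    $current = @($pref."Exclusion$Kind") | Where-Object { $_ }
    $new = @($Items | Where-Object { $current -notcontains $_ })
    if ($new.Count -eq 0) { return "All $Kind exclusions already present" }
    switch ($Kind) {
        'Path'      { Add-MpPreference -ExclusionPath $new }
        'Extension' { Add-MpPreference -ExclusionExtension $new }
        'Process'   { Add-MpPreference -ExclusionProcess $new }
    }
    "Added $($new.Count) $Kind exclusion(s): $($new -join ', ')"
}

function Remove-WdavExclusion {
    param(
        [Parameter(Mandatory)][ValidateSet('Path','Extension','Process')][string]$Kind,
        [Parameter(Mandatory)][string[]]$Items
    )
    switch ($Kind) {
        'Path'      { Remove-MpPreference -ExclusionPath $Items }
        'Extension' { Remove-MpPreference -ExclusionExtension $Items }
        'Process'   { Remove-MpPreference -ExclusionProcess $Items }
    }
}

function Add-WdavProcessExclusionViaWmi {
    # Same effect as Add-MpPreference -ExclusionProcess, through the provider's Add method.
    param([Parameter(Mandatory)][string[]]$Processes)
    $r = Invoke-CimMethod -Namespace root/Microsoft/Windows/Defender -ClassName MSFT_MpPreference `
                          -MethodName Add -Arguments @{ ExclusionProcess = $Processes }
    if ($r.ReturnValue -ne 0) { throw "Add failed: 0x$('{0:X8}' -f $r.ReturnValue)" }
}

# A process exclusion covers the files the process opens, not the process binary itself,
# so the binary gets its own path exclusion if that is what you want.
Add-WdavExclusionSafely -Kind Extension -Items '.test'
Add-WdavExclusionSafely -Kind Path      -Items 'c:\test\sample'
Add-WdavExclusionSafely -Kind Process   -Items 'c:\test\process.exe'
Add-WdavExclusionSafely -Kind Path      -Items 'c:\test\process.exe'

# Review the lists one item per line, as the retrieve-a-specific-list sections do.
$p = Get-MpPreference
$p.ExclusionExtension; $p.ExclusionPath; $p.ExclusionProcess

# Remove the test entries again.
Remove-WdavExclusion -Kind Extension -Items '.test'
Remove-WdavExclusion -Kind Path      -Items 'c:\test\sample','c:\test\process.exe'
Remove-WdavExclusion -Kind Process   -Items 'c:\test\process.exe'
```

Note that a process exclusion by bare file name ("test.exe") trusts every binary of that name anywhere on the disk; prefer the full path form from the table above, and remember that the process exclusion applies to real-time protection only.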
NOTE
Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in
December 2018) or later.
Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using
PowerShell:
Use the following cmdlet:
Get-MpPreference
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Retrieve a specific exclusions list by using PowerShell:
Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever
label you want to name the variable:
$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Related topics
Configure and validate exclusions in Windows Defender Antivirus scans
Configure and validate exclusions based on file name, extension, and folder location
Configure Windows Defender Antivirus exclusions on Windows Server
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure Windows Defender Antivirus exclusions
on Windows Server
4/8/2019 • 6 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus on Windows Server 2016 computers automatically enrolls you in certain
exclusions, as defined by your specified server role. See the end of this topic for a list of these exclusions.
These exclusions will not appear in the standard exclusion lists shown in the Windows Security app.
You can still add or remove custom exclusions (in addition to the server role-defined automatic exclusions) as
described in these exclusion-related topics:
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Custom exclusions take precedence over automatic exclusions.
TIP
Custom and duplicate exclusions do not conflict with automatic exclusions.
Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
WARNING
Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that
are delivered automatically are optimized for Windows Server 2016 roles.
NOTE
This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect
on exclusions.
TIP
Since the predefined exclusions only exclude default paths, if you move NTDS and SYSVOL to another drive or path
different than the original one, you would have to manually add the exclusions using the information here .
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
Use Group Policy to disable the auto-exclusions list on Windows Server 2016:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click Turn off Auto Exclusions and set the option to Enabled. Click OK.
Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:
Use Set-MpPreference with its DisableAutoExclusions parameter set to $true (the parameter has the same name as the WMI property listed below).
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to disable the auto-exclusions list on Windows Server 2016:
Use the Set method of the MSFT_MpPreference class for the following properties:
DisableAutoExclusions
%windir%\Ntfrs\jet\sys\*\edb.chk
%windir%\Ntfrs\jet\*\Ntfrs.jdb
%windir%\Ntfrs\jet\log\*\*.log
FRS Database log files. The FRS Database log file folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File
Directory
%windir%\Ntfrs\*\Edb*.log
The FRS staging folder. The staging folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica
Sets\GUID\Replica Set Stage
%systemroot%\Sysvol\*\Nntfrs_cmp*\
The FRS preinstall folder. This folder is specified by the folder
Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
%systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*\Ntfrs*\
The Distributed File System Replication (DFSR) database and working folders. These
folders are specified by the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication
Groups\GUID\Replica Set Configuration File
NOTE
For custom locations, see Opt out of automatic exclusions.
%windir%\Ntds\ntds.dit
%windir%\Ntds\ntds.pat
The AD DS transaction log files. The transaction log files are specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files
%windir%\Ntds\EDB*.log
%windir%\Ntds\Res*.log
%windir%\Ntds\Edb*.jrs
%windir%\Ntds\Ntds*.pat
%windir%\Ntds\TEMP.edb
The NTDS working folder. This folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
%windir%\Ntds\Temp.edb
%windir%\Ntds\Edb.chk
Process exclusions for AD DS and AD DS-related support files:
%systemroot%\System32\ntfrs.exe
%systemroot%\System32\lsass.exe
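The TIP above is the practical catch on domain controllers: the automatic exclusions only cover the default %windir%\Ntds paths, so a moved NTDS database or log location needs custom exclusions. The following is an added example, not part of the original topic, that checks the auto-exclusion switch, lists the installed roles the automatic exclusions key off, and adds path exclusions for any NTDS location that is not the default. It assumes the registry values under HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters are named DSA Database file, Database log files path and DSA Working Directory (the topic refers to the last two only loosely, as Database Log Files and DSA Working Directory); Get-WindowsFeature is used in place of the DISM query the provider itself performs, and the function names are mine.

```powershell
# Added example: auto-exclusion state, installed roles, and custom NTDS exclusions when moved.
function Get-WdavAutoExclusionState {
    [pscustomobject]@{
        AutoExclusionsDisabled = (Get-MpPreference).DisableAutoExclusions
        # Roles present on the server (the provider uses DISM; Get-WindowsFeature gives the same picture).
        InstalledRoles = (Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' }).Name
    }
}

function Get-NtdsPathsNeedingExclusion {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (-not (Test-Path $params)) { return @() }   # not a domain controller
    $p = Get-ItemProperty $params
    $default = Join-Path $env:windir 'Ntds'

    # Assumed value names (see lead-in): database file, transaction log folder, working folder.
    $candidates = @()
    if ($p.'DSA Database file')       { $candidates += Split-Path -Parent $p.'DSA Database file' }
    if ($p.'Database log files path') { $candidates += $p.'Database log files path' }
    if ($p.'DSA Working Directory')   { $candidates += $p.'DSA Working Directory' }

    # Anything still under %windir%\Ntds is already covered by the automatic exclusions.
    $candidates | Sort-Object -Unique |
        Where-Object { -not $_.TrimEnd('\').Equals($default, 'OrdinalIgnoreCase') }
}

function Add-NtdsCustomExclusions {
    $paths = @(Get-NtdsPathsNeedingExclusion)
    if ($paths.Count -eq 0) { return 'NTDS is at its default location; the automatic exclusions suffice.' }
    $existing = @((Get-MpPreference).ExclusionPath)
    $toAdd = @($paths | Where-Object { $existing -notcontains $_ })
    if ($toAdd.Count -gt 0) { Add-MpPreference -ExclusionPath $toAdd }
    "Custom NTDS exclusions in place for: $($paths -join ', ')"
}

Get-WdavAutoExclusionState
Add-NtdsCustomExclusions
```

If SYSVOL has been moved as well, apply the same approach to its location; the automatic FRS and DFSR exclusions listed in this topic also assume the default %systemroot%\Sysvol path.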
DHCP Server exclusions
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The
DHCP Server file locations are specified by the DatabasePath, DhcpLogFilePath, and BackupDatabasePath
parameters in the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters
%systemroot%\System32\DHCP\*\*.mdb
%systemroot%\System32\DHCP\*\*.pat
%systemroot%\System32\DHCP\*\*.log
%systemroot%\System32\DHCP\*\*.chk
%systemroot%\System32\DHCP\*\*.edb
DNS Server exclusions
This section lists the file and folder exclusions and the process exclusions that are delivered automatically when
you install the DNS Server role.
File and folder exclusions for the DNS Server role:
%systemroot%\System32\Dns\*\*.log
%systemroot%\System32\Dns\*\*.dns
%systemroot%\System32\Dns\*\*.scc
%systemroot%\System32\Dns\*\BOOT
Process exclusions for the DNS Server role:
%systemroot%\System32\dns.exe
File and Storage Services exclusions
This section lists the file and folder exclusions that are delivered automatically when you install the File and
Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
%SystemDrive%\ClusterStorage
%clusterserviceaccount%\Local Settings\Temp
%SystemDrive%\mscs
Print Server exclusions
This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered
automatically when you install the Print Server role.
File type exclusions:
*.shd
*.spl
Folder exclusions. This folder is specified in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory
%system32%\spool\printers\*
Process exclusions:
spoolsv.exe
Web Server exclusions
This section lists the folder exclusions and the process exclusions that are delivered automatically when you
install the Web Server role.
Folder exclusions:
%SystemRoot%\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\ASP Compiled Templates
%systemDrive%\inetpub\logs
%systemDrive%\inetpub\wwwroot
Process exclusions:
%SystemRoot%\system32\inetsrv\w3wp.exe
%SystemRoot%\SysWOW64\inetsrv\w3wp.exe
%SystemDrive%\PHP5433\php-cgi.exe
Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server
Update Services (WSUS) role. The WSUS folder is specified in the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup
%systemroot%\WSUS\WSUSContent
%systemroot%\WSUS\UpdateServicesDBFiles
%systemroot%\SoftwareDistribution\Datastore
%systemroot%\SoftwareDistribution\Download
Related topics
Configure and validate exclusions for Windows Defender Antivirus scans
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure Windows Defender Antivirus scanning options
4/5/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Use Microsoft Intune to configure scanning options
See Configure device restriction settings in Microsoft Intune and Windows Defender Antivirus device restriction settings for
Windows 10 in Intune for more details.
Use Configuration Manager to configure scanning options:
See How to create and deploy antimalware policies: Scan settings for details on configuring System Center Configuration
Manager (current branch).
Use Group Policy to configure scanning options
To configure the Group Policy settings described in the following table:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group
Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.
3. Expand the tree to Windows components > Windows Defender Antivirus and then the Location specified in
the table below.
4. Double-click the policy Setting as specified in the table below, and set the option to your desired configuration. Click
OK, and repeat for any other settings.
DESCRIPTION | LOCATION AND SETTING | DEFAULT SETTING (IF NOT CONFIGURED) | POWERSHELL SET-MPPREFERENCE PARAMETER OR WMI PROPERTY FOR MSFT_MPPREFERENCE CLASS
Scan email (see Email scanning limitations below) | Scan > Turn on e-mail scanning | Disabled | -DisableEmailScanning
Scan reparse points | Scan > Turn on reparse point scanning | Disabled | Not available
Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | -DisableScanningMappedNetworkDrivesForFullScan
Scan archive files (such as .zip or .rar files). The extensions exclusion list will take precedence over this setting. | Scan > Scan archive files | Enabled | -DisableArchiveScanning
Scan files on the network | Scan > Scan network files | Disabled | -DisableScanningNetworkFiles
Scan packed executables | Scan > Scan packed executables | Enabled | Not available
Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | -DisableRemovableDriveScanning
Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | -ScanAvgCPULoadFactor
Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, 0, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available
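The following is an added example, not part of the original topic, that audits the scan settings in the table above against a desired baseline and, on request, brings drifted ones back with Set-MpPreference. Only the rows the table maps to a cmdlet parameter are covered; the rows marked Not available (reparse points, packed executables, archive depth and size, low CPU priority) are Group Policy only. The baseline values are a constructed example and not a recommendation from the topic; the function names are mine.

```powershell
# Added example: detect and correct drift in the scan settings that have a Set-MpPreference parameter.
# Note the inverted sense of the Disable* parameters relative to the Group Policy names.
$Baseline = @{
    DisableEmailScanning                          = $false  # baseline turns email scanning on (GP default is off)
    DisableScanningMappedNetworkDrivesForFullScan = $true   # keep mapped drives out of full scans (GP default)
    DisableArchiveScanning                        = $false  # keep scanning .zip/.rar (GP default)
    DisableScanningNetworkFiles                   = $true   # network files not scanned (GP default)
    DisableRemovableDriveScanning                 = $false  # baseline includes removable drives in full scans
    ScanAvgCPULoadFactor                          = 50      # the documented default guidance value
}

function Get-WdavScanSettingDrift {
    $pref = Get-MpPreference
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $actual = $pref.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Baseline[$name]
            Actual   = $actual
            Drifted  = ($actual -ne $Baseline[$name])
        }
    }
}

function Repair-WdavScanSettings {
    # Splatting the drifted subset applies only what differs. A later Group Policy refresh
    # can overwrite these local changes, as the management topics above explain.
    $drift = @(Get-WdavScanSettingDrift | Where-Object Drifted)
    if ($drift.Count -eq 0) { return 'No drift' }
    $splat = @{}
    foreach ($d in $drift) { $splat[$d.Setting] = $d.Expected }
    Set-MpPreference @splat
    "Corrected: $($drift.Setting -join ', ')"
}

Get-WdavScanSettingDrift | Format-Table -AutoSize
# Repair-WdavScanSettings
```

Run the audit on a schedule rather than the repair: an unexpected drift toward a Disable* value of $true on a server is worth an investigation before it is silently corrected.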
NOTE
If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files,
including those on mounted removable devices such as USB drives.
Related topics
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Configure and run on-demand Windows Defender Antivirus scans
Configure scheduled Windows Defender Antivirus scans
Windows Defender Antivirus in Windows 10
Configure remediation for Windows Defender Antivirus scans
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds.
You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a
restore point before remediating, and when it should remove remediated threats.
This topic describes how to configure these settings with Group Policy, but you can also use System Center
Configuration Manager and Microsoft Intune.
You can also use the Set-MpPreference PowerShell cmdlet or MSFT_MpPreference WMI class to configure these
settings.
| Location | Setting | Description | Default setting (if not configured) |
|---|---|---|---|
| Root | Turn off routine remediation | You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) |
| Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed |
| Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable |
| Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable |
IMPORTANT
Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation
requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to
ensure all additional remediation steps have been completed.
If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from
quarantine after the device reboots. See Restore quarantined files in Windows Defender Antivirus.
To avoid this problem in the future, you can exclude files from the scans. See Configure and validate exclusions for
Windows Defender Antivirus scans.
Also see Configure remediation-required scheduled full Windows Defender Antivirus scans for more
remediation-related settings.
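As an added example (not Microsoft's code) serving both the scanning-options table and the remediation settings above: a PowerShell baseline check that reads Get-MpPreference, reports which of the scanning and remediation preferences named on this page have drifted from a chosen baseline, and optionally applies the baseline with Set-MpPreference. The baseline values, the numeric threat-action codes and the remediation parameter names (QuarantinePurgeItemsAfterDelay and the four *ThreatDefaultAction parameters, which this page does not list) are this example's own assumptions.

```powershell
# Added example, not from the Microsoft documentation.
# Compares the local Windows Defender Antivirus preferences with a baseline and
# reports drift; -Apply pushes the baseline with Set-MpPreference (elevated session
# required). Settings managed by Group Policy, SCCM or Intune override local changes,
# so use this on unmanaged endpoints or as a pre-deployment test.

# Baseline values are this example's own choices, not Microsoft defaults.
# Threat actions use the numeric ThreatAction codes assumed here:
#   1 = Clean, 2 = Quarantine, 3 = Remove, 6 = Allow, 9 = NoAction, 10 = Block
$MpBaseline = [ordered]@{
    # Scanning options (parameters named in the scanning-options table)
    DisableArchiveScanning                        = $false  # scan .zip/.rar; extension exclusions still win
    DisableScanningNetworkFiles                   = $true   # page default: network files not scanned
    DisableRemovableDriveScanning                 = $false  # include USB drives in full scans
    DisableScanningMappedNetworkDrivesForFullScan = $true   # page default: mapped drives skipped
    ScanAvgCPULoadFactor                          = 50      # percent; average guidance, not a hard cap
    # Remediation settings (assumed Set-MpPreference parameter names)
    QuarantinePurgeItemsAfterDelay                = 90      # days before quarantined items are purged
    LowThreatDefaultAction                        = 2       # Quarantine
    ModerateThreatDefaultAction                   = 2       # Quarantine
    HighThreatDefaultAction                       = 3       # Remove
    SevereThreatDefaultAction                     = 3       # Remove
}

function Test-MpBaseline {
    <# Returns one object per preference that differs from the baseline. #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [System.Collections.IDictionary]$Baseline = $MpBaseline,
        [switch]$Apply
    )
    $current = Get-MpPreference
    $drift = foreach ($name in $Baseline.Keys) {
        $actual   = $current.$name
        $expected = $Baseline[$name]
        # String comparison keeps booleans, bytes and enum values comparable.
        if ("$actual" -ne "$expected") {
            [pscustomobject]@{ Setting = $name; Expected = $expected; Actual = $actual }
        }
    }
    if ($Apply) {
        foreach ($d in $drift) {
            if ($PSCmdlet.ShouldProcess($d.Setting, "set to $($d.Expected)")) {
                # Splat so the setting name becomes the cmdlet parameter name.
                $p = @{ $d.Setting = $d.Expected }
                Set-MpPreference @p -ErrorAction Stop
            }
        }
    }
    $drift
}

# Report only:
Test-MpBaseline | Format-Table -AutoSize
# Dry run of enforcement, then the real change:
# Test-MpBaseline -Apply -WhatIf
# Test-MpBaseline -Apply
```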
Related topics
Configure Windows Defender Antivirus scanning options
Configure scheduled Windows Defender Antivirus scans
Configure and run on-demand Windows Defender Antivirus scans
Configure the notifications that appear on endpoints
Configure end-user Windows Defender Antivirus interaction
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure scheduled quick or full Windows Defender Antivirus scans
4/8/2019 • 6 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
NOTE
By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans.
You can Manage the schedule for when protection updates should be downloaded and applied to override this
default.
In addition to always-on real-time protection and on-demand scans, you can set up regular, scheduled
scans.
You can configure the type of scan, when the scan should occur, and if the scan should occur after a
protection update or if the endpoint is being used. You can also specify when special scans to complete
remediation should occur.
This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI.
You can also configure scheduled scans with System Center Configuration Manager or Microsoft Intune.
To configure the Group Policy settings described in this topic:
1. On your Group Policy management machine, open the Group Policy Management Console, right-
click the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus and then the
Location specified in the table below.
5. Double-click the policy Setting as specified in the table below, and set the option to your desired
configuration. Click OK, and repeat for any other settings.
Also see the Manage when protection updates should be downloaded and applied and Prevent or allow
users to locally modify policy settings topics.
NOTE
By default, quick scans run on mounted removable devices, such as USB drives.
NOTE
If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with
event 1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan
at the next scheduled time.
| Location | Setting | Description | Default setting (if not configured) |
|---|---|---|---|
| Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never |
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for
more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to schedule scans:
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources
| Location | Setting | Description | Default setting (if not configured) |
|---|---|---|---|
| Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled |
Set-MpPreference -ScanOnlyIfIdleEnabled
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for
more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI):
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources
| Location | Setting | Description | Default setting (if not configured) |
|---|---|---|---|
| Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never |
Set-MpPreference -RemediationScheduleDay
Set-MpPreference -RemediationScheduleTime
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for
more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI):
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources
| Location | Setting | Description | Default setting (if not configured) |
|---|---|---|---|
| Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter 2; for once a day, enter 24. Enter 0 to never run a daily quick scan. | Never |
Set-MpPreference -ScanScheduleQuickTime
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for
more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to schedule daily scans:
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources
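The scheduling settings above, as an added example that is not part of the Microsoft documentation: a PowerShell function that applies the scan type, day, time, idle-only and remediation-scan schedule with Set-MpPreference and reads them back, the same change made through the Set method of the MSFT_MpPreference WMI class, and a check of the Defender operational log for event 1002 from the note above. Invoking Set as a static CIM method and the numeric day codes are this example's assumptions.

```powershell
# Added example, not from the Microsoft documentation.
# Sets the scheduled-scan preferences through Set-MpPreference, shows the same
# change through the Set method of MSFT_MpPreference, and looks for event 1002
# (scheduled scan stopped before completion) in the Defender operational log.
# Elevated session required; Group Policy, SCCM or Intune policy overrides local changes.

function Set-MpScanSchedule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Everyday','Sunday','Monday','Tuesday','Wednesday',
                     'Thursday','Friday','Saturday','Never')]
        [string]$Day = 'Sunday',
        [string]$Time = '02:00:00',               # local time, 24-hour
        [ValidateSet('QuickScan','FullScan')]
        [string]$ScanType = 'FullScan',
        [string]$DailyQuickScanTime = '12:00:00',
        [bool]$OnlyWhenIdle = $true
    )
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "$ScanType every $Day at $Time")) {
        # The remediation full scan gets the same slot so a scan that needs a
        # reboot to finish lands inside the same maintenance window.
        Set-MpPreference -ScanParameters $ScanType `
                         -ScanScheduleDay $Day `
                         -ScanScheduleTime $Time `
                         -ScanScheduleQuickTime $DailyQuickScanTime `
                         -ScanOnlyIfIdleEnabled $OnlyWhenIdle `
                         -RemediationScheduleDay $Day `
                         -RemediationScheduleTime $Time `
                         -ErrorAction Stop
    }
    # Read back what the engine actually holds; policy may have overridden it.
    Get-MpPreference | Select-Object ScanParameters, ScanScheduleDay, ScanScheduleTime,
        ScanScheduleQuickTime, ScanOnlyIfIdleEnabled, RemediationScheduleDay, RemediationScheduleTime
}

function Set-MpScanScheduleViaWmi {
    # Equivalent change through WMI. Set is assumed to be a static method of
    # MSFT_MpPreference whose arguments carry the class property names; day codes
    # assumed: 0 = Everyday, 1 = Sunday ... 7 = Saturday, 8 = Never.
    param([byte]$DayCode = 1, [bool]$OnlyWhenIdle = $true)
    $r = Invoke-CimMethod -Namespace 'root/Microsoft/Windows/Defender' `
                          -ClassName 'MSFT_MpPreference' -MethodName 'Set' `
                          -Arguments @{ ScanScheduleDay = $DayCode; ScanOnlyIfIdleEnabled = $OnlyWhenIdle }
    if ($r.ReturnValue -ne 0) { throw "MSFT_MpPreference.Set returned $($r.ReturnValue)" }
    $r.ReturnValue
}

function Get-MpInterruptedScheduledScan {
    # Event 1002 = scan stopped before completion (for example the machine moved to
    # battery power during a scheduled full scan); Defender retries at the next schedule.
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1002
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

Set-MpScanSchedule -Day Saturday -Time '03:00:00' -WhatIf   # dry run; drop -WhatIf to apply
Get-MpInterruptedScheduledScan -Days 30 | Format-Table -AutoSize
```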
Related topics
Prevent or allow users to locally modify policy settings
Configure and run on-demand Windows Defender Antivirus scans
Configure Windows Defender Antivirus scanning options
Manage Windows Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Windows Defender Antivirus in Windows 10
Configure and run on-demand Windows Defender Antivirus scans
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can
define parameters for the scan, such as the location or type.
NOTE
By default, quick scans run on mounted removable devices, such as USB drives.
See Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus for
more information on how to use the tool and additional parameters, including starting a full scan or defining
paths.
Use Microsoft Intune to run a scan:
1. In Intune, go to Devices > All Devices and select the device you want to scan.
2. Select ...More and then select Quick Scan or Full Scan.
Use the Windows Security app to run a scan:
See Run a scan in the Windows Security app for instructions on running a scan on individual endpoints.
Use PowerShell cmdlets to run a scan:
Use the following cmdlet:
Start-MpScan
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for
more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to run a scan:
Use the Start method of the MSFT_MpScan class.
See the following for more information and allowed parameters:
Windows Defender WMIv2 APIs
Related topics
Configure Windows Defender Antivirus scanning options
Configure scheduled Windows Defender Antivirus scans
Windows Defender Antivirus in Windows 10
Review Windows Defender Antivirus scan results
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
After a Windows Defender Antivirus scan completes, whether it is an on-demand or scheduled scan, the results
are recorded and you can view the results.
Use Microsoft Intune to review scan results:
1. In Intune, go to Devices > All Devices and select the device you want to scan.
2. Click the scan results in Device actions status.
Use Configuration Manager to review scan results:
See How to monitor Endpoint Protection status.
Use the Windows Security app to review scan results:
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Scan
history label.
Click See full history for any of the sections to see previous detections and the action taken. You can
also clear the list.
Information about the last scan is displayed at the bottom of the page.
Use PowerShell cmdlets to review scan results:
The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same
threat, each detection will be listed separately, based on the time of each detection:
Get-MpThreatDetection
You can specify -ThreatID to limit the output to only show the detections for a specific threat.
If you want to list threat detections, but combine detections of the same threat into a single item, you can use the
following cmdlet:
Get-MpThreat
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to review scan results:
Use the Get method of the MSFT_MpThreat and MSFT_MpThreatDetection classes.
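Combining the two cmdlets above, as an added example that is not part of the Microsoft documentation: a PowerShell summary that joins Get-MpThreatDetection (one entry per detection event) with Get-MpThreat (one entry per distinct threat) and flags threats whose remediation did not succeed. Property names are taken from the MSFT_MpThreatDetection and MSFT_MpThreat classes; the SeverityID-to-label mapping is this example's assumption.

```powershell
# Added example, not from the Microsoft documentation.
# Summarises detections on the local endpoint per threat: how often it was seen,
# where, by whom, and whether every detection's action succeeded. Threats with a
# failed action sort to the top because they are the ones that still need a human.

# SeverityID labels as assumed from the MSFT_MpThreat reference.
$SeverityName = @{ 0 = 'Unknown'; 1 = 'Low'; 2 = 'Moderate'; 4 = 'High'; 5 = 'Severe' }

function Get-MpDetectionSummary {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)

    # Index the distinct threats by ThreatID for the join.
    $threats = @{}
    foreach ($t in Get-MpThreat) { $threats[[string]$t.ThreatID] = $t }

    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        Group-Object ThreatID |
        ForEach-Object {
            $t    = $threats[[string]$_.Name]
            $last = $_.Group | Sort-Object InitialDetectionTime -Descending | Select-Object -First 1
            $failed = @($_.Group | Where-Object { -not $_.ActionSuccess }).Count
            [pscustomobject]@{
                ThreatID      = $_.Name
                ThreatName    = if ($t) { $t.ThreatName } else { '(not in Get-MpThreat)' }
                Severity      = if ($t) { $SeverityName[[int]$t.SeverityID] } else { 'n/a' }
                Detections    = $_.Count
                FailedActions = $failed
                LastSeen      = $last.InitialDetectionTime
                Process       = $last.ProcessName
                User          = $last.DomainUser
                Resources     = (@($last.Resources) -join '; ')
            }
        } |
        Sort-Object @{ Expression = 'FailedActions'; Descending = $true },
                    @{ Expression = 'Detections';    Descending = $true }
}

# Same data straight from the WMIv2 classes, for hosts without the Defender module loaded.
function Get-MpThreatViaWmi {
    Get-CimInstance -Namespace 'root/Microsoft/Windows/Defender' -ClassName 'MSFT_MpThreat' |
        Select-Object ThreatID, ThreatName, SeverityID, IsActive, DidThreatExecute
}

Get-MpDetectionSummary -Days 7 | Format-Table -AutoSize
# Hand the unresolved ones to the SOC queue:
# Get-MpDetectionSummary | Where-Object FailedActions -gt 0 | Export-Csv .\mp-unresolved.csv -NoTypeInformation
```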
Related topics
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Run and review the results of a Windows Defender Offline scan
4/5/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted
environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to
bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
You can use Windows Defender Offline if you suspect a malware infection, or you want to confirm a thorough
clean of the endpoint after a malware outbreak.
In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Security app. In
previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the
endpoint, and load the bootable media.
NOTE
Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
NOTE
Before running an offline scan, you should attempt to update Windows Defender AV protection. You can either force an
update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install
the latest protection updates from the Microsoft Malware Protection Center.
See the Manage Windows Defender Antivirus Security intelligence updates topic for more information.
Usage scenarios
In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender
determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint.
The need to perform an offline scan will also be revealed in System Center Configuration Manager if you're using
it to manage your endpoints.
The prompt can occur via a notification, similar to the following:
The user will also be notified within the Windows Defender client:
In Configuration Manager, you can identify the status of endpoints by navigating to Monitoring > Overview >
Security > Endpoint Protection Status > System Center Endpoint Protection Status.
Windows Defender Offline scans are indicated under Malware remediation status as Offline scan required.
Configure notifications
Windows Defender Offline notifications are configured in the same policy setting as other Windows Defender AV
notifications.
For more information about notifications in Windows Defender, see the Configure the notifications that appear on
endpoints topic.
Run a scan
IMPORTANT
Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows
Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is
performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan
performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
You can run a Windows Defender Offline scan with the following:
PowerShell
Windows Management Instrumentation (WMI)
The Windows Security app
Use PowerShell cmdlets to run an offline scan:
Use the following cmdlets:
Start-MpWDOScan
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to run an offline scan:
Use the MSFT_MpWDOScan class to run an offline scan.
The following WMI script snippet will immediately run a Windows Defender Offline scan, which will cause the
endpoint to restart, run the offline scan, and then restart and boot into Windows.
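As an added example, not from the Microsoft documentation: a PowerShell wrapper that checks the preconditions this topic lists (elevated session, no ARM processor, not a Windows Server SKU, protection updated first) before starting the offline scan with Start-MpWDOScan or, via WMI, the Start method of MSFT_MpWDOScan. Calling Start as a static CIM method, the ProductType check for Server SKUs and the signature-age threshold are this example's assumptions.

```powershell
# Added example, not from the Microsoft documentation.
# Gate an offline scan behind the checks the documentation lists, then start it.
# The endpoint restarts immediately, so ConfirmImpact is High and the function
# prompts by default; pass -Confirm:$false only from an automation context.

function Start-MpOfflineScanChecked {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [switch]$UseWmi,                  # call MSFT_MpWDOScan.Start instead of the cmdlet
        [int]$MaxSignatureAgeDays = 1     # refuse to run on stale security intelligence
    )

    # 1. Administrator privileges (required to run Windows Defender Offline).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Windows Defender Offline must be started from an elevated session.'
    }

    # 2. Not supported on ARM processors or Windows Server SKUs.
    if ($env:PROCESSOR_ARCHITECTURE -like 'ARM*') {
        throw 'Windows Defender Offline is not supported on ARM processors.'
    }
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.ProductType -ne 1) {
        throw "Windows Defender Offline is not supported on Windows Server SKUs (ProductType $($os.ProductType))."
    }

    # 3. Update protection first, as the note above recommends, and verify it took.
    Update-MpSignature -ErrorAction Stop
    $status = Get-MpComputerStatus
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        throw "Security intelligence is $($status.AntivirusSignatureAge) day(s) old; update did not succeed."
    }

    # 4. Start the scan; the machine reboots into the offline environment.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart into Windows Defender Offline and scan')) {
        if ($UseWmi) {
            $r = Invoke-CimMethod -Namespace 'root/Microsoft/Windows/Defender' `
                                  -ClassName 'MSFT_MpWDOScan' -MethodName 'Start'
            if ($r.ReturnValue -ne 0) { throw "MSFT_MpWDOScan.Start returned $($r.ReturnValue)" }
        } else {
            Start-MpWDOScan
        }
    }
}

Start-MpOfflineScanChecked -WhatIf      # runs every check, shows what would happen, no reboot
# Start-MpOfflineScanChecked            # prompts, then reboots into the offline scan
```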
Related topics
Customize, initiate, and review the results of scans and remediation
Windows Defender Antivirus in Windows 10
Restore quarantined files in Windows Defender AV
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender
Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
1. Open Windows Security.
2. Click Virus & threat protection and then click Threat History.
3. Under Quarantined threats, click See full history.
4. Click an item you want to keep, then click Restore. (If you prefer to remove the item, you can click Remove.)
Related topics
Configure remediation for scans
Review scan results
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Configure Windows Defender Antivirus exclusions on Windows Server
Manage Windows Defender Antivirus in your business
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can manage and configure Windows Defender Antivirus with the following tools:
Microsoft Intune
System Center Configuration Manager
Group Policy
PowerShell cmdlets
Windows Management Instrumentation (WMI)
The mpcmdrun.exe utility
The topics in this section provide further information, links, and resources for using these tools to manage and
configure Windows Defender Antivirus.
In this section
| Topic | Description |
|---|---|
| Manage Windows Defender Antivirus with Microsoft Intune and System Center Configuration Manager | Information about using Intune and System Center Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus |
| Manage Windows Defender Antivirus with Group Policy settings | List of all Group Policy settings located in ADMX templates |
| Manage Windows Defender Antivirus with PowerShell cmdlets | Instructions for using PowerShell cmdlets to manage Windows Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters |
| Manage Windows Defender Antivirus with Windows Management Instrumentation (WMI) | Instructions for using WMI to manage Windows Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) |
| Manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool | Instructions on using the dedicated command-line tool to manage and use Windows Defender Antivirus |
Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender Antivirus
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your
network, you can also use them to manage Windows Defender Antivirus scans.
In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used
by Windows Defender Antivirus.
See the Endpoint Protection library on docs.microsoft.com for information on using Configuration Manager.
For Microsoft Intune, consult the Microsoft Intune library and Configure device restriction settings in Intune.
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use Group Policy settings to configure and manage Windows Defender Antivirus
4/5/2019 • 8 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can use Group Policy to configure and manage Windows Defender Antivirus on your endpoints.
In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy
settings:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object (GPO) you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus.
5. Expand the section (referred to as Location in the table in this topic) that contains the setting you want to
configure, double-click the setting to open it, and make configuration changes.
6. Deploy the updated GPO as you normally do.
The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and
provides links to the appropriate topic in this documentation library (where applicable).
| Location | Setting | Documented in topic |
|---|---|---|
| Client interface | Display additional text to clients when they need to perform an action | Configure the notifications that appear on endpoints |
| Client interface | Suppress all notifications | Configure the notifications that appear on endpoints |
| Client interface | Suppresses reboot notifications | Configure the notifications that appear on endpoints |
| MAPS | Configure the 'Block at First Sight' feature | Enable block at first sight |
| MAPS | Send file samples when further analysis is required | Enable cloud-delivered protection |
| MAPS | Configure local setting override for reporting to Microsoft MAPS | Prevent or allow users to locally modify policy settings |
| MpEngine | Configure extended cloud check | Configure the cloud block timeout period |
| Network inspection system | Specify additional definition sets for network traffic inspection | Not used |
| Quarantine | Configure local setting override for the removal of items from Quarantine folder | Prevent or allow users to locally modify policy settings |
| Real-time protection | Configure local setting override for monitoring file and program activity on your computer | Prevent or allow users to locally modify policy settings |
| Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | Prevent or allow users to locally modify policy settings |
| Real-time protection | Configure local setting override for scanning all downloaded files and attachments | Prevent or allow users to locally modify policy settings |
| Real-time protection | Configure local setting override for turn on behavior monitoring | Prevent or allow users to locally modify policy settings |
| Real-time protection | Configure local setting override to turn on real-time protection | Prevent or allow users to locally modify policy settings |
| Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | Enable and configure Windows Defender Antivirus always-on protection and monitoring |
| Real-time protection | Monitor file and program activity on your computer | Enable and configure Windows Defender Antivirus always-on protection and monitoring |
| Real-time protection | Scan all downloaded files and attachments | Enable and configure Windows Defender Antivirus always-on protection and monitoring |
| Real-time protection | Turn off real-time protection | Enable and configure Windows Defender Antivirus always-on protection and monitoring |
| Real-time protection | Turn on process scanning whenever real-time protection is enabled | Enable and configure Windows Defender Antivirus always-on protection and monitoring |
| Real-time protection | Turn on raw volume write notifications | Enable and configure Windows Defender Antivirus always-on protection and monitoring |
| Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Enable and configure Windows Defender Antivirus always-on protection and monitoring |
| Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | Prevent or allow users to locally modify policy settings |
| Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Configure scheduled Windows Defender Antivirus scans |
| Reporting | Turn off enhanced notifications | Configure the notifications that appear on endpoints |
| Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to Not configured to ensure any installed third-party antivirus apps work correctly) |
| Root | Configure local administrator merge behavior for lists | Prevent or allow users to locally modify policy settings |
| Root | Randomize scheduled task times | Configure scheduled scans for Windows Defender Antivirus |
| Scan | Check for the latest virus and spyware definitions before running a scheduled scan | Manage event-based forced updates |
| Scan | Define the number of days after which a catch-up scan is forced | Manage updates for endpoints that are out of date |
| Scan | Turn on catch up full scan | Manage updates for endpoints that are out of date |
| Scan | Turn on catch up quick scan | Manage updates for endpoints that are out of date |
| Scan | Configure local setting override for maximum percentage of CPU utilization | Prevent or allow users to locally modify policy settings |
| Scan | Configure local setting override for schedule scan day | Prevent or allow users to locally modify policy settings |
| Scan | Configure local setting override for scheduled quick scan time | Prevent or allow users to locally modify policy settings |
| Scan | Configure local setting override for scheduled scan time | Prevent or allow users to locally modify policy settings |
| Scan | Configure local setting override for the scan type to use for a scheduled scan | Prevent or allow users to locally modify policy settings |
| Scan | Turn on removal of items from scan history folder | Configure remediation for Windows Defender Antivirus scans |
| Scan | Run full scan on mapped network drives | Configure scanning options in Windows Defender Antivirus |
| Scan | Specify the maximum depth to scan archive files | Configure scanning options in Windows Defender Antivirus |
| Scan | Specify the maximum size of archive files to be scanned | Configure scanning options in Windows Defender Antivirus |
| Scan | Specify the day of the week to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus |
| Scan | Specify the interval to run quick scans per day | Configure scheduled scans for Windows Defender Antivirus |
| Scan | Specify the scan type to use for a scheduled scan | Configure scheduled scans for Windows Defender Antivirus |
| Scan | Specify the time for a daily quick scan | Configure scheduled scans for Windows Defender Antivirus |
| Scan | Specify the time of day to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus |
| Scan | Start the scheduled scan only when computer is on but not in use | Configure scheduled scans for Windows Defender Antivirus |
| Security intelligence updates | Allow definition updates from Microsoft Update | Manage updates for mobile devices and virtual machines (VMs) |
| Security intelligence updates | Allow definition updates when running on battery power | Manage updates for mobile devices and virtual machines (VMs) |
| Security intelligence updates | Allow notifications to disable definitions based reports to Microsoft MAPS | Manage event-based forced updates |
| Security intelligence updates | Allow real-time definition updates based on reports to Microsoft MAPS | Manage event-based forced updates |
| Security intelligence updates | Check for the latest virus and spyware definitions on startup | Manage event-based forced updates |
| Security intelligence updates | Define file shares for downloading definition updates | Manage Windows Defender Antivirus protection and definition updates |
| Security intelligence updates | Define the number of days after which a catch up definition update is required | Manage updates for endpoints that are out of date |
| Security intelligence updates | Define the number of days before spyware definitions are considered out of date | Manage updates for endpoints that are out of date |
| Security intelligence updates | Define the number of days before virus definitions are considered out of date | Manage updates for endpoints that are out of date |
| Security intelligence updates | Define the order of sources for downloading definition updates | Manage Windows Defender Antivirus protection and definition updates |
| Security intelligence updates | Initiate definition update on startup | Manage event-based forced updates |
| Security intelligence updates | Specify the day of the week to check for definition updates | Manage when protection updates should be downloaded and applied |
| Security intelligence updates | Specify the interval to check for definition updates | Manage when protection updates should be downloaded and applied |
| Security intelligence updates | Specify the time to check for definition updates | Manage when protection updates should be downloaded and applied |
| Security intelligence updates | Turn on scan after Security intelligence update | Configure scheduled scans for Windows Defender Antivirus |
| Threats | Specify threat alert levels at which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans |
| Threats | Specify threats upon which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans |
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use PowerShell cmdlets to configure and manage Windows Defender Antivirus
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can use PowerShell to perform various functions in Windows Defender. Similar to the command
prompt or command line, PowerShell is a task-based command-line shell and scripting language
designed especially for system administration, and you can read more about it at the PowerShell hub on
MSDN.
For a list of the cmdlets and their functions and available parameters, see the Defender cmdlets topic.
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user
interface (GUI) to configure software.
NOTE
PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure,
such as System Center Configuration Manager, Group Policy Management Console, or Windows Defender
Antivirus Group Policy ADMX templates.
Changes made with PowerShell will affect local settings on the endpoint where the changes are
deployed or made. This means that deployments of policy with Group Policy, System Center
Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
You can configure which settings can be overridden locally with local policy overrides.
PowerShell is typically installed under the folder %SystemRoot%\system32\WindowsPowerShell.
Use Windows Defender Antivirus PowerShell cmdlets:
1. Click Start, type powershell, and press Enter.
2. Click Windows PowerShell to open the interface.
3. Enter the command and parameters.
NOTE
You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click
Run as administrator and click Yes at the permissions prompt.
To open online help for any of the cmdlets, type the following:
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender Antivirus
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and
update settings.
Read more about WMI at the Microsoft Developer Network System Administration library.
Windows Defender Antivirus has a number of specific WMI classes that can be used to perform most of the same
functions as Group Policy and other management tools. Many of the classes are analogous to Defender
PowerShell cmdlets.
The MSDN Windows Defender WMIv2 Provider reference library lists the available WMI classes for Windows
Defender Antivirus, and includes example scripts.
Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This
means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune
can overwrite changes made with WMI.
You can configure which settings can be overridden locally with local policy overrides.
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Configure and manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can perform various Windows Defender Antivirus functions with the dedicated command-line tool
mpcmdrun.exe.
This utility can be useful when you want to automate Windows Defender Antivirus use.
You can find the utility in %ProgramFiles%\Windows Defender\MpCmdRun.exe. You must run it from a
command prompt.
NOTE
You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click
Run as administrator and click Yes at the permissions prompt.
COMMAND                                                                            DESCRIPTION
-Restore [-ListAll | [[-Name <name>] [-All] | [-FilePath <path>]] [-Path <path>]]  Restores or lists quarantined item(s)
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Configure the security controls in Secure score
4/22/2019 • 10 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Each security control lists recommendations that you can take to increase the security posture of your
organization.
Endpoint detection and response (EDR) optimization
For a machine to be considered "well configured", it must comply with a minimum baseline configuration setting.
This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline
configuration setting for your Endpoint detection and response tool is fulfilled.
IMPORTANT
This feature is available for machines on Windows 10, version 1607 or later.
You can take the following actions to increase the overall security score of your organization:
Turn on sensor
Fix sensor data collection
Fix impaired communications
For more information, see Fix unhealthy sensors.
Windows Defender Antivirus (Windows Defender AV) optimization
For a machine to be considered "well configured", it must comply with a minimum baseline configuration setting.
This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline
configuration setting for Windows Defender AV is fulfilled.
IMPORTANT
This feature is available for machines on Windows 10, version 1607 or later.
NOTE
For the Windows Defender Antivirus properties to show, you'll need to ensure that Windows Defender Antivirus Cloud-based
protection is properly configured on the machine.
You can take the following actions to increase the overall security score of your organization:
Install the latest security updates
Fix sensor data collection
The Windows Defender ATP service relies on sensor data collection to determine the security state of a
machine. The service will not be able to determine the security state of machines that are not reporting
sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly.
For more information, see Fix unhealthy sensors.
For more information, see Windows Update Troubleshooter.
Windows Defender Exploit Guard (Windows Defender EG) optimization
For a machine to be considered "well configured", it must comply with a minimum baseline configuration setting.
This tile shows you a specific list of actions you must apply on machines so that the minimum baseline
configuration setting for Windows Defender EG is fulfilled. When endpoints are configured according to the
baseline, you'll be able to see Windows Defender EG events on the Windows Defender ATP Machine timeline.
IMPORTANT
This security control is only applicable for machines with Windows 10, version 1709 or later.
The following system level configuration settings must be set to On or Force On:
1. Control Flow Guard
2. Data Execution Prevention (DEP)
3. Randomize memory allocations (Bottom-up ASLR)
4. Validate exception chains (SEHOP)
5. Validate heap integrity
NOTE
The setting Force randomization for images (Mandatory ASLR) is currently excluded from the baseline. Consider
configuring Force randomization for images (Mandatory ASLR) to On or Force On for better protection.
Attack Surface Reduction (ASR) rules:
NOTE
The setting Block Office applications from injecting into other processes with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
is excluded from the baseline. Consider enabling this rule in Audit or Block mode for better protection.
Controlled Folder Access
The Controlled Folder Access setting must be configured to Audit mode or Enabled.
NOTE
Audit mode allows you to see audit events in the Windows Defender ATP Machine timeline; however, it does not block
suspicious applications. Consider enabling Controlled Folder Access for better protection.
Recommended actions:
You can take the following actions to increase the overall security score of your organization:
Turn on all system-level Exploit Protection settings
Set all ASR rules to enabled or audit mode
Turn on Controlled Folder Access
Turn on Windows Defender Antivirus on compatible machines
For more information, see Windows Defender Exploit Guard.
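As an added example (not code from the Microsoft page), the following PowerShell script audits a machine against the Exploit Guard items the baseline above lists: the five system-level Exploit Protection settings, the ASR rule actions, and the Controlled Folder Access mode. It uses the Get-ProcessMitigation and Get-MpPreference cmdlets; the only GUID it knows is the Office-injection rule quoted in the note above, and the check logic, names and messages are my own:

```powershell
# Added example, not Microsoft's code: audit a Windows 10 (1709 or later) machine
# against the Exploit Guard items the Secure score baseline lists above.
# Uses Get-ProcessMitigation (ProcessMitigations module) and Get-MpPreference
# (Defender module). Run in an elevated PowerShell session.

$findings = New-Object System.Collections.Generic.List[string]

# 1. System-level Exploit Protection settings. Get-ProcessMitigation -System
#    returns nested objects whose leaf values display as ON, OFF or NOTSET.
#    The baseline wants On or Force On, so anything that is not ON is reported.
#    NOTSET means the OS default applies, which may or may not be enabled, so
#    it is reported rather than assumed safe.
$sys = Get-ProcessMitigation -System
$required = [ordered]@{
    'Control Flow Guard'                = $sys.CFG.Enable
    'Data Execution Prevention (DEP)'   = $sys.DEP.Enable
    'Bottom-up ASLR'                    = $sys.ASLR.BottomUp
    'Validate exception chains (SEHOP)' = $sys.SEHOP.Enable
    'Validate heap integrity'           = $sys.Heap.TerminateOnError
}
foreach ($item in $required.GetEnumerator()) {
    if ("$($item.Value)" -ne 'ON') {
        $findings.Add("Exploit protection: '$($item.Key)' is $($item.Value), expected ON")
    }
}
# Mandatory ASLR is excluded from the baseline but recommended; report it only.
"Mandatory ASLR (ForceRelocateImages): $($sys.ASLR.ForceRelocateImages) (informational)"

# 2. ASR rules. Get-MpPreference exposes two parallel arrays: rule GUIDs and the
#    action configured for each (0 = disabled, 1 = block, 2 = audit). A rule
#    that is absent from the list is off, so also compare against your own list
#    of required GUIDs; only the one GUID quoted on the page is used here.
$mp      = Get-MpPreference
$ids     = @($mp.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
$actions = @($mp.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
$asr = @{}
for ($i = 0; $i -lt $ids.Count; $i++) { $asr[$ids[$i].ToUpperInvariant()] = [int]$actions[$i] }

foreach ($entry in $asr.GetEnumerator()) {
    if ($entry.Value -eq 0) { $findings.Add("ASR rule $($entry.Key) is configured but disabled") }
}
$optionalRule = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'   # Office injection rule, excluded from baseline
if (-not $asr.ContainsKey($optionalRule)) {
    "ASR rule $optionalRule (block Office apps injecting into processes) not configured (informational)"
}

# 3. Controlled Folder Access: 0 = disabled, 1 = enabled (block), 2 = audit.
#    Both 1 and 2 satisfy the baseline; only block actually stops an application.
if ([int]$mp.EnableControlledFolderAccess -notin 1, 2) {
    $findings.Add("Controlled Folder Access is $($mp.EnableControlledFolderAccess), expected 1 (enabled) or 2 (audit)")
}

# 4. Summary. A non-empty list is what the Secure score tile would flag once the
#    sensor has reported this machine's configuration.
if ($findings.Count -eq 0) { 'Exploit Guard baseline: all checks passed' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Running this locally gives the same answer the tile will give hours later, which is useful when a machine has just been reconfigured and the portal has not caught up yet.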
Windows Defender Application Guard (Windows Defender AG) optimization
For a machine to be considered "well configured", it must comply with a minimum baseline configuration setting.
This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline
configuration setting for Windows Defender AG is fulfilled. When endpoints are configured according to the
baseline, you'll be able to see Windows Defender AG events on the Windows Defender ATP Machine timeline.
IMPORTANT
This security control is only applicable for machines with Windows 10, version 1709 or later.
You can take the following actions to increase the overall security score of your organization:
Ensure hardware and software prerequisites are met
NOTE
This improvement item does not contribute to the security score in itself because it's not a prerequisite for Windows
Defender AG. It gives an indication of a potential reason why Windows Defender AG is not turned on.
WARNING
Data collected by Windows Defender SmartScreen might be stored and processed outside of the storage location you have
selected for your Windows Defender ATP data.
IMPORTANT
This security control is only applicable for machines with Windows 10, version 1709 or later.
IMPORTANT
This security control is only applicable for machines with Windows 10, version 1709 or later.
NOTE
If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make
sure that your third-party firewall is configured securely.
Recommended actions:
You can take the following actions to increase the overall security score of your organization:
Turn on firewall
Secure domain profile
Secure private profile
Secure public profile
Verify secure configuration of third-party firewall
Fix sensor data collection
The Windows Defender ATP service relies on sensor data collection to determine the security state of a
machine. The service will not be able to determine the security state of machines that are not reporting
sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly.
For more information, see Fix unhealthy sensors.
For more information, see Windows Defender Firewall with Advanced Security.
BitLocker optimization
For a machine to be considered "well configured", it must comply with a minimum baseline configuration setting.
This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline
configuration setting for BitLocker is fulfilled.
IMPORTANT
This security control is only applicable for machines with Windows 10, version 1803 or later.
You can take the following actions to increase the overall security score of your organization:
Encrypt all supported drives
Resume protection on all drives
Ensure drive compatibility
Fix sensor data collection
The Windows Defender ATP service relies on sensor data collection to determine the security state of a
machine. The service will not be able to determine the security state of machines that are not reporting
sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly.
For more information, see Fix unhealthy sensors.
For more information, see BitLocker.
Windows Defender Credential Guard optimization
For a machine to be considered "well configured", it must comply with a minimum baseline configuration setting.
This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline
configuration setting for Windows Defender Credential Guard is fulfilled.
IMPORTANT
This security control is only applicable for machines with Windows 10, version 1709 or later.
You can take the following actions to increase the overall security score of your organization:
Ensure hardware and software prerequisites are met
Turn on Credential Guard
Fix sensor data collection
The Windows Defender ATP service relies on sensor data collection to determine the security state of a
machine. The service will not be able to determine the security state of machines that are not reporting
sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly.
For more information, see Fix unhealthy sensors.
For more information, see Manage Windows Defender Credential Guard.
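As an added example (not code from the Microsoft page), this PowerShell script performs local checks that mirror the Firewall, BitLocker and Credential Guard recommendations above, so an administrator can see why a machine is not "well configured" without waiting for sensor data. It relies on the NetSecurity, BitLocker and DeviceGuard WMI interfaces as I know them; the wording of the findings is my own:

```powershell
# Added example, not Microsoft's code: local checks matching the Firewall,
# BitLocker and Credential Guard recommended actions above. Run elevated on
# Windows 10, version 1803 or later (BitLocker control applies from 1803).

$findings = New-Object System.Collections.Generic.List[string]

# Firewall: "Turn on firewall" and "Secure domain/private/public profile".
# Every profile must be enabled; a secure profile blocks inbound by default
# (NotConfigured also means block for inbound, so only an explicit Allow fails).
foreach ($p in Get-NetFirewallProfile) {
    if ("$($p.Enabled)" -ne 'True') {
        $findings.Add("Firewall profile '$($p.Name)' is off")
    }
    elseif ("$($p.DefaultInboundAction)" -eq 'Allow') {
        $findings.Add("Firewall profile '$($p.Name)' allows inbound connections by default")
    }
}

# BitLocker: "Encrypt all supported drives" and "Resume protection on all drives".
# A volume can be fully encrypted yet have protection suspended (for example
# after a firmware update), which the second branch catches.
foreach ($v in Get-BitLockerVolume) {
    if ("$($v.VolumeStatus)" -ne 'FullyEncrypted') {
        $findings.Add("BitLocker: $($v.MountPoint) ($($v.VolumeType)) is $($v.VolumeStatus)")
    }
    elseif ("$($v.ProtectionStatus)" -ne 'On') {
        $findings.Add("BitLocker: protection is suspended on $($v.MountPoint)")
    }
}

# Credential Guard: Win32_DeviceGuard lists which virtualization-based security
# services are configured and which are actually running; value 1 is
# Credential Guard. Configured-but-not-running points at the hardware and
# software prerequisites the tile mentions.
$dg = Get-CimInstance -Namespace root/Microsoft/Windows/DeviceGuard -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -notcontains 1) {
    if ($dg.SecurityServicesConfigured -contains 1) {
        $findings.Add('Credential Guard is configured but not running; check VBS prerequisites (UEFI, Secure Boot, virtualization extensions)')
    } else {
        $findings.Add('Credential Guard is not configured')
    }
}

if ($findings.Count -eq 0) { 'Firewall, BitLocker and Credential Guard: all checks passed' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

If Windows Defender Firewall is not the primary firewall, as the note above allows, drop the firewall loop and verify the third-party product's own profiles instead.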
Want to experience Windows Defender ATP? Sign up for a free trial.
Related topics
Overview of Secure score
Onboard machines to the Windows Defender ATP service
4/22/2019 • 5 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You need to turn on the sensor to give visibility within Windows Defender ATP.
For more information, see Onboard your Windows 10 machines to Windows Defender ATP.
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
Windows 10 Enterprise E5
Windows 10 Education E5
Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
For more information, see Windows 10 Licensing.
NOTE
Machines that are running mobile versions of Windows are not supported.
NOTE
You'll need to know the exact Linux distros and macOS versions that are compatible with Windows Defender ATP for the
integration to work.
NOTE
You cannot change your data storage location after the first-time setup.
Review the Windows Defender ATP data storage and privacy for more information on where and how Microsoft stores
your data.
sc qc diagtrack
If the service is enabled, then the result should look like the following screenshot:
If the START_TYPE is not set to AUTO_START, then you'll need to set the service to automatically start.
Use the command line to set the Windows 10 diagnostic data service to automatically start:
1. Open an elevated command-line prompt on the endpoint:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:
3. A success message is displayed. Verify the change by entering the following command, and press Enter:
sc qc diagtrack
Internet connectivity
Internet connectivity on machines is required, either directly or through a proxy.
The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the
Windows Defender ATP cloud service and report cyber data. One-off activities such as file uploads and
investigation package collection are not included in this daily average bandwidth.
For more information on additional proxy configuration settings, see Configure machine proxy and Internet
connectivity settings.
Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in
Windows 10.
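As an added example (not code from the Microsoft page), the following PowerShell script performs the diagnostic data service check described above in one pass: it queries the DiagTrack service the way sc qc diagtrack does, sets it to start automatically with sc.exe if it is not, starts it, and re-queries to confirm. The service name and sc.exe syntax are as I know them; the messages are my own:

```powershell
# Added example, not Microsoft's code: verify that the Windows 10 diagnostic
# data service (DiagTrack) is set to AUTO_START and running, and fix it if not.
# This is the "sc qc diagtrack" procedure above, scripted. Run elevated.

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DiagTrack'"
if (-not $svc) { throw 'DiagTrack service not found; this is not a supported Windows 10 build' }

"DiagTrack start mode: $($svc.StartMode), state: $($svc.State)"

if ($svc.StartMode -ne 'Auto') {
    # sc.exe is what the page's procedure uses. Note the space after 'start=':
    # sc.exe requires it, and the command silently fails without it.
    # The cmdlet equivalent is: Set-Service -Name DiagTrack -StartupType Automatic
    & sc.exe config DiagTrack start= auto | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
}
if ($svc.State -ne 'Running') { Start-Service -Name DiagTrack }

# Re-query, as step 3 above does with "sc qc diagtrack", to confirm the change.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DiagTrack'"
if ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running') {
    throw "DiagTrack is still not healthy: start mode $($svc.StartMode), state $($svc.State)"
}
'DiagTrack is set to AUTO_START and running'
```

Win32_Service reports the start type as Auto, Manual or Disabled, which corresponds to the START_TYPE line in the sc qc output that the text asks you to read.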
In this section
TOPIC DESCRIPTION
Onboard previous versions of Windows
    Onboard Windows 7 and Windows 8.1 machines to Windows Defender ATP.
Onboard Windows 10 machines
    You'll need to onboard machines for them to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise.
Onboard servers
    Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP.
Run a detection test on a newly onboarded machine
    Run a script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service.
Configure proxy and Internet settings
    Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
Troubleshoot onboarding issues
    Learn about resolving issues that might arise during onboarding.
Applies to:
Windows 7 SP1 Enterprise
Windows 7 SP1 Pro
Windows 8.1 Pro
Windows 8.1 Enterprise
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP extends support to include down-level operating systems, providing advanced attack
detection and investigation capabilities on supported Windows versions.
IMPORTANT
This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more
information, see Preview features.
To onboard down-level Windows client endpoints to Windows Defender ATP, you'll need to:
Configure and update System Center Endpoint Protection clients.
Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP as
instructed below.
TIP
After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service.
For more information, see Run a detection test on a newly onboarded Windows Defender ATP endpoint.
Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware
detections and to stop propagation of an attack in your organization by banning potentially malicious files or
suspected malware.
The following steps are required to enable this integration:
Install the January 2017 anti-malware platform update for Endpoint Protection clients
Configure the SCEP client Cloud Protection Service membership to the Advanced setting
Configure your network to allow connections to the Windows Defender Antivirus cloud. For more information,
see Allow connections to the Windows Defender Antivirus cloud
Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
Before you begin
Review the following details to verify minimum system requirements:
Install the February monthly update rollup
NOTE
Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
NOTE
Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. Don't install .NET framework 4.0.x, since it will
negate the above installation.
Meet the Azure Log Analytics agent minimum system requirements. For more information, see Collect data
from computers in your environment with Log Analytics.
1. Download the agent setup file: Windows 64-bit agent or Windows 32-bit agent.
2. Obtain the workspace ID:
In the Windows Defender ATP navigation pane, select Settings > Machine management > Onboarding
Select Windows 7 SP1 and 8.1 as the operating system
Copy the workspace ID and workspace key
3. Using the Workspace ID and Workspace key choose any of the following installation methods to install the
agent:
Manually install the agent using setup
On the Agent Setup Options page, select Connect the agent to Azure Log Analytics (OMS)
Install the agent using command line and configure the agent using a script
4. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
Once completed, you should see onboarded endpoints in the portal within an hour.
Configure proxy and Internet connectivity settings
Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct,
using a proxy, or through the OMS Gateway.
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, or HTTPS
scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit
communication with the Windows Defender ATP service:
AGENT RESOURCE                  PORTS
*.oms.opinsights.azure.com      443
*.blob.core.windows.net         443
*.azure-automation.net          443
*.ods.opinsights.azure.com      443
winatp-gw-cus.microsoft.com     443
winatp-gw-eus.microsoft.com     443
winatp-gw-neu.microsoft.com     443
winatp-gw-weu.microsoft.com     443
winatp-gw-uks.microsoft.com     443
winatp-gw-ukw.microsoft.com     443
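As an added example (not code from the Microsoft page), the following PowerShell script probes the agent resources in the table above over HTTPS, directly or through the endpoint's proxy, so an allow-list gap or an SSL-inspection certificate swap shows up before the agent is installed. The winatp-gw-* hosts are exactly those listed; $workspaceId is a placeholder for the Workspace ID from the onboarding page, the proxy URL is an assumption, and the function and its messages are my own:

```powershell
# Added example, not Microsoft's code: check reachability of the agent
# resources listed above on TCP 443, directly or via a proxy.
# Assumptions: $workspaceId is your Workspace ID (Settings > Machine
# management > Onboarding); $proxy is your proxy URL or $null for direct.

$workspaceId = 'PLACEHOLDER-WORKSPACE-ID'
$proxy       = $null    # e.g. 'http://proxy.corp.example:8080'

# The two *.opinsights.azure.com wildcards resolve to workspace-specific hosts;
# the winatp-gw-* hosts are the concrete names from the table. The remaining
# wildcards (*.blob.core.windows.net, *.azure-automation.net) have no fixed
# host that can be probed, so they are listed at the end for manual review.
$hosts = @(
    "$workspaceId.oms.opinsights.azure.com",
    "$workspaceId.ods.opinsights.azure.com",
    'winatp-gw-cus.microsoft.com', 'winatp-gw-eus.microsoft.com',
    'winatp-gw-neu.microsoft.com', 'winatp-gw-weu.microsoft.com',
    'winatp-gw-uks.microsoft.com', 'winatp-gw-ukw.microsoft.com'
)

function Test-AtpEndpoint {
    param([string]$HostName, [string]$Proxy)
    $params = @{ Uri = "https://$HostName/"; UseBasicParsing = $true; TimeoutSec = 10 }
    if ($Proxy) { $params.Proxy = $Proxy }
    try {
        $null = Invoke-WebRequest @params
        'OK'
    } catch {
        # An HTTP error (403, 404) still proves DNS, the proxy and the TLS
        # handshake all worked. No response object at all points at a blocked
        # domain, a proxy rule, or a certificate replaced by SSL inspection,
        # which the agent will reject just as this request did.
        $resp = $_.Exception.Response
        if ($resp) { "OK (HTTP $([int]$resp.StatusCode))" }
        else       { "FAIL: $($_.Exception.Message)" }
    }
}

foreach ($h in $hosts) {
    '{0,-50} {1}' -f $h, (Test-AtpEndpoint -HostName $h -Proxy $proxy)
}
'Also confirm *.blob.core.windows.net and *.azure-automation.net are allowed; they cannot be probed by a fixed name.'
```

A FAIL whose message mentions a certificate or trust relationship is the SSL-inspection case the text warns about: the proxy is reachable but presents its own certificate, which the agent will not accept.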
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Machines in your organization must be configured so that the Windows Defender ATP service can get sensor
data from them. There are various methods and deployment tools that you can use to configure the machines
in your organization.
The following deployment tools and methods are supported:
Group Policy
System Center Configuration Manager
Mobile Device Management (including Microsoft Intune)
Local script
In this section
TOPIC DESCRIPTION
Onboard Windows 10 machines using Group Policy
    Use Group Policy to deploy the configuration package on machines.
Onboard Windows 10 machines using System Center Configuration Manager
    You can use either System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on machines.
Onboard Windows 10 machines using Mobile Device Management tools
    Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on machines.
Onboard Windows 10 machines using a local script
    Learn how to use the local script to deploy the configuration package on endpoints.
Onboard non-persistent virtual desktop infrastructure (VDI) machines
    Learn how to use the configuration package to configure VDI machines.
Applies to:
Group Policy
Windows Defender Advanced Threat Protection (Windows Defender ATP)
NOTE
To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
NOTE
If you don't set a value, the default value is to enable sample collection.
NOTE
Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will
cause unpredictable collisions.
IMPORTANT
Offboarding causes the machine to stop sending sensor data to the portal, but data from the machine, including references
to any alerts it has had, will be retained for up to 6 months.
NOTE
It can take several days for machines to start showing on the Machines list. This includes the time it takes for the policies
to be distributed to the machine, the time it takes before the user logs on, and the time it takes for the endpoint to start
reporting.
Related topics
Onboard Windows 10 machines using System Center Configuration Manager
Onboard Windows 10 machines using Mobile Device Management tools
Onboard Windows 10 machines using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Run a detection test on a newly onboarded Windows Defender ATP machine
Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
Onboard Windows 10 machines using System Center Configuration Manager
4/8/2019 • 5 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
System Center 2012 Configuration Manager or later versions
NOTE
If you’re using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match
the server version.
NOTE
Windows Defender ATP doesn't support onboarding during the Out-Of-Box Experience (OOBE) phase. Make sure users
complete OOBE after running Windows installation or upgrading.
TIP
After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to
the service. For more information, see Run a detection test on a newly onboarded Windows Defender ATP machine.
Where:
Key type is a DWORD.
Possible values are:
0 - doesn't allow sample sharing from this machine
1 - allows sharing of all file types from this machine
The default value in case the registry key doesn’t exist is 1.
For more information about System Center Configuration Manager Compliance, see Get started with compliance
settings in System Center Configuration Manager.
NOTE
Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause
unpredictable collisions.
IMPORTANT
Offboarding causes the machine to stop sending sensor data to the portal, but data from the machine, including references to
any alerts it has had, will be retained for up to 6 months.
For more information about System Center Configuration Manager Compliance, see Get started with compliance
settings in System Center Configuration Manager.
Related topics
Onboard Windows 10 machines using Group Policy
Onboard Windows 10 machines using Mobile Device Management tools
Onboard Windows 10 machines using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Run a detection test on a newly onboarded Windows Defender ATP machine
Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
Onboard Windows 10 machines using Mobile Device Management tools
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can use mobile device management (MDM) solutions to configure machines. Windows Defender ATP supports
MDMs by providing OMA-URIs to create policies to manage machines.
For more information on using the Windows Defender ATP CSP, see WindowsAdvancedThreatProtection CSP and
WindowsAdvancedThreatProtection DDF file.
NOTE
The Health Status for onboarded machines policy uses read-only properties and can't be remediated.
Configuration of diagnostic data reporting frequency is only available for machines on Windows 10, version 1703.
TIP
After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to the
service. For more information, see Run a detection test on a newly onboarded Windows Defender ATP machine.
NOTE
The Health Status for offboarded machines policy uses read-only properties and can't be remediated.
IMPORTANT
Offboarding causes the machine to stop sending sensor data to the portal, but data from the machine, including references to
any alerts it has had, will be retained for up to 6 months.
Related topics
Onboard Windows 10 machines using Group Policy
Onboard Windows 10 machines using System Center Configuration Manager
Onboard Windows 10 machines using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Run a detection test on a newly onboarded Windows Defender ATP machine
Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
Onboard Windows 10 machines using a local script
4/5/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can also manually onboard individual machines to Windows Defender ATP. You might want to do this first
when testing the service before you commit to onboarding all machines in your network.
NOTE
The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other
deployment options. For more information on using other deployment options, see Onboard Windows 10 machines.
Onboard machines
1. Open the GP configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you
downloaded from the service onboarding wizard. You can also get the package from Windows Defender
Security Center:
a. In the navigation pane, select Settings > Onboarding.
b. Select Windows 10 as the operating system.
c. In the Deployment method field, select Local Script.
d. Click Download package and save the .zip file.
2. Extract the contents of the configuration package to a location on the machine you want to onboard (for
example, the Desktop). You should have a file named WindowsDefenderATPOnboardingScript.cmd.
3. Open an elevated command-line prompt on the machine and run the script:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
4. Type the location of the script file. If you copied the file to the desktop, type:
%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd
5. Press the Enter key or click OK.
For information on how you can manually validate that the machine is compliant and correctly reports sensor
data see, Troubleshoot Windows Defender Advanced Threat Protection onboarding issues.
TIP
After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to
the service. For more information, see Run a detection test on a newly onboarded Windows Defender ATP endpoint.
Where:
Name type is a DWORD.
Possible values are:
0 - doesn't allow sample sharing from this machine
1 - allows sharing of all file types from this machine
The default value in case the registry key doesn’t exist is 1.
NOTE
Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will
cause unpredictable collisions.
4. Type the location of the script file. If you copied the file to the desktop, type:
%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd
5. Press the Enter key or click OK.
IMPORTANT
Offboarding causes the machine to stop sending sensor data to the portal, but data from the machine, including references
to any alerts it has had, will be retained for up to 6 months.
Related topics
Onboard Windows 10 machines using Group Policy
Onboard Windows 10 machines using System Center Configuration Manager
Onboard Windows 10 machines using Mobile Device Management tools
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Run a detection test on a newly onboarded Windows Defender ATP machine
Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
Onboard non-persistent virtual desktop infrastructure (VDI) machines
4/5/2019 • 2 minutes to read
Applies to:
Virtual desktop infrastructure (VDI) machines
WARNING
For environments where there are low resource configurations, the VDI boot procedure might slow the Windows Defender
ATP sensor onboarding.
1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you
downloaded from the service onboarding wizard. You can also get the package from Windows Defender
Security Center:
a. In the navigation pane, select Settings > Onboarding.
b. Select Windows 10 as the operating system.
c. In the Deployment method field, select VDI onboarding scripts for non-persistent endpoints.
d. Click Download package and save the .zip file.
2. Copy the extracted files from the .zip into the golden/master image under the path
C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup. You should have a folder called
WindowsDefenderATPOnboardingPackage containing the file WindowsDefenderATPOnboardingScript.cmd.
NOTE
If you don't see the C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup folder, it might be hidden.
You'll need to choose the Show hidden files and folders option from file explorer.
3. The following step is only applicable if you're implementing a single entry for each machine:
For a single entry for each machine:
a. From the WindowsDefenderATPOnboardingPackage folder, copy the Onboard-NonPersistentMachine.ps1 file into the
golden/master image at the path C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup.
NOTE
If you don't see the C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup folder, it might be hidden.
You'll need to choose the Show hidden files and folders option from file explorer.
4. Open a Local Group Policy Editor window and navigate to Computer Configuration > Windows
Settings > Scripts > Startup.
5. Depending on the method you'd like to implement, follow the appropriate steps:
For single entry for each machine:
Select the PowerShell Scripts tab, then click Add (Windows Explorer will open directly in the path where
you copied the onboarding script earlier). Navigate to the onboarding PowerShell script
Onboard-NonPersistentMachine.ps1.
Related topics
Onboard Windows 10 machines using Group Policy
Onboard Windows 10 machines using System Center Configuration Manager
Onboard Windows 10 machines using Mobile Device Management tools
Onboard Windows 10 machines using a local script
Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
Onboard servers to the Windows Defender ATP service
5/3/2019 • 8 minutes to read
Applies to:
Windows Server 2012 R2
Windows Server 2016
Windows Server, version 1803
Windows Server 2019
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Windows Defender ATP extends support to also include the Windows Server operating system, providing
advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security
Center console.
The service supports the onboarding of the following servers:
Windows Server 2012 R2
Windows Server 2016
Windows Server, version 1803
Windows Server 2019
For practical guidance on what needs to be in place for licensing and infrastructure, see Protecting Windows
Servers with Windows Defender ATP.
NOTE
This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding
Windows Server 2012 R2.
TIP
After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service.
For more information, see Run a detection test on a newly onboarded Windows Defender ATP endpoint.
IMPORTANT
This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding
Windows Server 2012 R2.
Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware
detections and to stop propagation of an attack in your organization by banning potentially malicious files or
suspected malware.
The following steps are required to enable this integration:
Install the January 2017 anti-malware platform update for Endpoint Protection clients
Configure the SCEP client Cloud Protection Service membership to the Advanced setting
Turn on Server monitoring from the Windows Defender Security Center portal
1. In the navigation pane, select Settings > Machine management > Onboarding.
2. Select Windows Server 2012 R2 and 2016 as the operating system.
3. Click Turn on server monitoring and confirm that you'd like to proceed with the environment set up.
When the setup completes, the Workspace ID and Workspace key fields are populated with unique
values. You'll need these values to configure the MMA agent.
Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
1. Download the agent setup file: Windows 64-bit agent.
2. Using the Workspace ID and Workspace key provided in the previous procedure, choose one of the
following installation methods to install the agent on the server:
Manually install the agent using setup. On the Agent Setup Options page, choose Connect the agent to Azure Log Analytics (OMS).
Install the agent using the command line and configure the agent using a script.
3. If the server reaches the Internet through a proxy, configure proxy settings for the Microsoft Monitoring Agent. For more information, see
Configure proxy settings.
Once completed, you should see onboarded servers in the portal within an hour.
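The command-line variant of step 2, as an added example that is not part of the original page or of Microsoft's own scripts: it installs the 64-bit agent silently with the Workspace ID and key registered at install time, or, if an agent is already present, registers the workspace through the agent's COM configuration object, and then checks that the workspace is connected. The installer path, Workspace ID, key and proxy URL are placeholders; the SetProxyInfo call with empty credentials and the ConnectionStatusText property of the workspace object are assumptions about the agent's COM interface.

```powershell
# Added example (not from the original page): silent MMA install or workspace
# registration for Windows Defender ATP, followed by a connection check.
$WorkspaceId  = '00000000-0000-0000-0000-000000000000'   # placeholder: Workspace ID from the portal
$WorkspaceKey = 'REPLACE-WITH-WORKSPACE-KEY'              # placeholder: Workspace key from the portal
$Installer    = 'C:\Temp\MMASetup-AMD64.exe'               # placeholder: the "Windows 64-bit agent" download
$ProxyUrl     = ''                                         # e.g. 'http://proxy.contoso.local:8080'; empty = direct

function Install-Mma {
    # MMASetup-AMD64.exe is a self-extracting bundle: /c /t: extracts it, and the inner
    # setup.exe accepts the MSI properties that register the workspace during install.
    $extractDir = Join-Path $env:TEMP 'MMA'
    Start-Process -FilePath $Installer -ArgumentList "/c /t:`"$extractDir`"" -Wait
    $msiArgs = @(
        '/qn', 'NOAPM=1', 'ADD_OPINSIGHTS_WORKSPACE=1',
        'OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0',          # 0 = Azure commercial cloud
        "OPINSIGHTS_WORKSPACE_ID=`"$WorkspaceId`"",
        "OPINSIGHTS_WORKSPACE_KEY=`"$WorkspaceKey`"",
        'AcceptEndUserLicenseAgreement=1'
    )
    if ($ProxyUrl) { $msiArgs += "OPINSIGHTS_PROXY_URL=`"$ProxyUrl`"" }
    $p = Start-Process -FilePath (Join-Path $extractDir 'setup.exe') -ArgumentList $msiArgs -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "MMA setup failed with exit code $($p.ExitCode)" }
}

function Add-MmaWorkspace {
    # Agent already installed (for example by SCOM): add the workspace through the
    # AgentConfigManager COM object instead of re-running setup.
    $cfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
    if ($ProxyUrl) { $cfg.SetProxyInfo($ProxyUrl, '', '') }   # assumption: empty user/password = unauthenticated proxy
    $cfg.AddCloudWorkspace($WorkspaceId, $WorkspaceKey)
    $cfg.ReloadConfiguration()
}

function Test-MmaWorkspace {
    $cfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
    $ws  = @($cfg.GetCloudWorkspaces()) | Where-Object { $_.workspaceId -eq $WorkspaceId }
    [pscustomobject]@{
        Service   = (Get-Service HealthService).Status            # the MMA runs as the HealthService service
        Workspace = if ($ws) { $ws.workspaceId } else { '<not registered>' }
        Status    = if ($ws) { $ws.ConnectionStatusText } else { 'n/a' }   # assumption: property name
    }
}

if (Get-Service HealthService -ErrorAction SilentlyContinue) { Add-MmaWorkspace } else { Install-Mma }
Test-MmaWorkspace
```

Run it from an elevated PowerShell on the server. A workspace that shows as registered but not connected usually points at the proxy or allow-list issues covered in the next section, not at the install itself.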
Configure server proxy and Internet connectivity settings
Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct,
through a proxy, or through the OMS Gateway.
If a proxy or firewall blocks all traffic by default and allows only specific domains through, or if HTTPS
scanning (SSL inspection) is enabled, make sure that the following URLs (all on port 443) are allow-listed so that the
server can communicate with the Windows Defender ATP service:
*.oms.opinsights.azure.com 443
*.blob.core.windows.net 443
*.azure-automation.net 443
*.ods.opinsights.azure.com 443
winatp-gw-cus.microsoft.com 443
winatp-gw-eus.microsoft.com 443
winatp-gw-neu.microsoft.com 443
winatp-gw-weu.microsoft.com 443
winatp-gw-uks.microsoft.com 443
winatp-gw-ukw.microsoft.com 443
winatp-gw-aus.microsoft.com 443
winatp-gw-aue.microsoft.com 443
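A pre-flight check for the allow-list above, as an added example that is not part of the original page: for each host it tests DNS, TCP/443 and the issuer of the TLS certificate actually presented, so that a blocked host or an SSL-inspecting proxy is visible before you wait an hour for the server to appear in the portal. Assumptions: the Workspace ID stands in for the wildcard of the oms/ods hosts, the probe uses the direct (non-proxied) path, and the "issued by Microsoft or DigiCert" rule is our heuristic for detecting re-signed certificates, not something the page states.

```powershell
# Added example (not from the original page): DNS / TCP / TLS-issuer check for the
# Windows Defender ATP server endpoints listed above.
$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder
$Endpoints = @(
    "$WorkspaceId.oms.opinsights.azure.com",            # assumption: workspace-specific host behind *.oms.*
    "$WorkspaceId.ods.opinsights.azure.com",            # assumption: workspace-specific host behind *.ods.*
    'winatp-gw-cus.microsoft.com', 'winatp-gw-eus.microsoft.com',
    'winatp-gw-neu.microsoft.com', 'winatp-gw-weu.microsoft.com',
    'winatp-gw-uks.microsoft.com', 'winatp-gw-ukw.microsoft.com',
    'winatp-gw-aus.microsoft.com', 'winatp-gw-aue.microsoft.com'
)
# *.blob.core.windows.net and *.azure-automation.net have no fixed host to probe; test them with
# the concrete download / automation URL your tenant uses.

function Test-WdatpEndpoint {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $r = [ordered]@{ Host = $HostName; Dns = $false; Tcp = $false; Issuer = ''; SslInspected = $null }
    try { [void][Net.Dns]::GetHostAddresses($HostName); $r.Dns = $true } catch { return [pscustomobject]$r }
    $tcp = New-Object Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port); $r.Tcp = $true
        # The validation callback always returns $true: we want to SEE the chain, not trust it.
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false,
               [Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Issuer = $leaf.Issuer
        # Heuristic (ours): Microsoft's service certificates chain to Microsoft or DigiCert CAs. A corporate
        # CA as issuer means a proxy re-signed the session, i.e. SSL inspection is on for this host and the
        # sensor, which pins nothing to your CA, will fail.
        $r.SslInspected = -not ($leaf.Issuer -match 'Microsoft|DigiCert')
        $ssl.Dispose()
    } catch { $r.Issuer = $_.Exception.Message } finally { $tcp.Dispose() }
    [pscustomobject]$r
}

$results = $Endpoints | ForEach-Object { Test-WdatpEndpoint -HostName $_ }
$results | Format-Table -AutoSize
$bad = $results | Where-Object { -not $_.Tcp -or $_.SslInspected }
if ($bad) { Write-Warning "Fix these before onboarding: $($bad.Host -join ', ')" }
```

If the server must go through a proxy, this probe does not exercise that path; use the proxy test in the machine proxy section, or the WDATPConnectivityAnalyzer tool described later on this page.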
c. Confirm that a recent event containing the passive mode event is found:
If the result is ‘The specified service does not exist as an installed service’, then you'll need to install
Windows Defender AV. For more information, see Windows Defender Antivirus in Windows 10.
NOTE
You'll need to have the appropriate license to enable this feature.
NOTE
Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
Servers monitored by Azure Security Center will also be available in Windows Defender ATP - Azure
Security Center seamlessly connects to the Windows Defender ATP tenant, providing a single view across
clients and servers. In addition, Windows Defender ATP alerts will be available in the Azure Security Center
console.
Server investigation - Azure Security Center customers can access Windows Defender Security Center to
perform detailed investigation to uncover the scope of a potential breach
IMPORTANT
When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The
Windows Defender ATP data is stored in Europe by default.
If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you
specified when you created your tenant even if you integrate with Azure Security Center at a later time.
Offboard servers
You can offboard Windows Server, version 1803 and Windows Server 2019 using the same method available for Windows
10 client machines.
For other server versions, you have two options to offboard servers from the service:
Uninstall the MMA agent
Remove the Windows Defender ATP workspace configuration
NOTE
Offboarding causes the server to stop sending sensor data to the portal, but data from the server, including references to any
alerts it has had, will be retained for up to 6 months.
2. Open an elevated PowerShell and run the following commands, replacing WorkspaceID with the Workspace ID you obtained:
$WorkspaceID = "WorkspaceID"   # replace with your Workspace ID
# Load agent scripting object
$AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
# Remove OMS Workspace
$AgentCfg.RemoveCloudWorkspace($WorkspaceID)
# Reload the configuration and apply changes
$AgentCfg.ReloadConfiguration()
Related topics
Onboard Windows 10 machines
Onboard non-Windows machines
Configure proxy and Internet connectivity settings
Run a detection test on a newly onboarded Windows Defender ATP machine
Troubleshooting Windows Defender Advanced Threat Protection onboarding issues
Onboard non-Windows machines
4/24/2019 • 2 minutes to read
Applies to:
macOS
Linux
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows
platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender
Security Center and better protect your organization's network.
You'll need to know the exact Linux distros and macOS versions that are compatible with Windows Defender ATP
for the integration to work.
Related topics
Onboard Windows 10 machines
Onboard servers
Configure proxy and Internet connectivity settings
Troubleshooting Windows Defender Advanced Threat Protection onboarding issues
Onboard machines without Internet access to Windows Defender ATP
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
To onboard machines without Internet access, you'll need to take the following general steps:
On-premises machines
Set up the Azure Log Analytics gateway (formerly known as OMS Gateway) to act as a proxy or hub:
Azure Log Analytics Agent
Install and configure the Microsoft Monitoring Agent (MMA) to point to the Windows Defender ATP Workspace
key and ID
Offline machines in the same network as the Azure Log Analytics gateway
Configure MMA to point to:
the Azure Log Analytics gateway IP as a proxy
the Windows Defender ATP workspace key and ID
Applies to:
Supported Windows 10 versions
Windows Server 2012 R2
Windows Server 2016
Windows Server, version 1803
Windows Server 2019
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the
Windows Defender ATP service.
1. Create a folder: C:\test-WDATP-test.
2. Open an elevated command-line prompt on the machine and run the script:
a. Go to Start and type cmd.
b. Right-click Command Prompt and select Run as administrator.
The Command Prompt window will close automatically. If successful, the detection test will be marked as
completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes.
Related topics
Onboard Windows 10 machines
Onboard servers
Experience Windows Defender ATP through simulated attacks
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
TIP
Learn about the latest enhancements in Windows Defender ATP: What's new in Windows Defender ATP.
Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation.
Read: Insights from the MITRE ATT&CK-based evaluation.
You might want to experience Windows Defender ATP before you onboard more than a few machines to the
service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated
attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an
efficient response.
Run a simulation
1. In Help > Simulations & tutorials, select which of the available attack scenarios you would like to
simulate:
Scenario 1: Document drops backdoor - simulates delivery of a socially engineered lure
document. The document launches a specially crafted backdoor that gives attackers control.
Scenario 2: PowerShell script in fileless attack - simulates a fileless attack that relies on
PowerShell, showcasing attack surface reduction and machine learning detection of malicious
memory activity.
Scenario 3: Automated incident response - triggers Automated investigation, which automatically
hunts for and remediates breach artifacts to scale your incident response capacity.
2. Download and read the corresponding walkthrough document provided with your selected scenario.
3. Download the simulation file or copy the simulation script by navigating to Help > Simulations &
tutorials. You can choose to download the file or script on the test machine but it's not mandatory.
4. Run the simulation file or script on the test machine as instructed in the walkthrough document.
NOTE
Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test machine.
Want to experience Windows Defender ATP? Sign up for a free trial.
Related topics
Onboard machines
Onboard Windows 10 machines
Configure machine proxy and Internet connectivity settings
5/3/2019 • 5 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account and uses
Microsoft Windows HTTP Services (WinHTTP) to report sensor data and communicate with the Windows Defender
ATP cloud service.
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) browsing proxy settings
and can only discover a proxy server by using the following discovery methods:
Auto-discovery methods:
Transparent proxy
Web Proxy Auto-discovery Protocol (WPAD)
NOTE
If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For
more information on Windows Defender ATP URL exclusions in the proxy, see Enable access to Windows Defender ATP
service URLs in the proxy server.
NOTE
Setting the WinHTTP proxy with netsh affects all applications, including Windows services, that use WinHTTP with the
default proxy. Laptops that change network topology (for example, from office to home) will malfunction with a
netsh-configured proxy. Use the registry-based static proxy configuration instead.
NOTE
URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example,
us-v20.events.data.microsoft.com is only needed if the machine is on Windows 10, version 1803 or later.
If a proxy or firewall is blocking anonymous traffic, make sure anonymous traffic is permitted to the previously listed
URLs, because the Windows Defender ATP sensor connects from system context.
NOTE
As a cloud-based solution, the IP ranges can change. Allow the service by DNS name rather than by IP address.
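The registry-based static proxy that the notes above recommend over netsh, as an added example that is not part of the original page: it sets and reads back the TelemetryProxyServer value the sensor uses, and then sends a request through that proxy with no credentials, the way the sensor does from system context, so that a proxy that demands authentication (HTTP 407) is caught here rather than in the portal an hour later. The proxy address and the test URL are placeholders; the Group Policy path in the trailing comment is the policy that writes the same value.

```powershell
# Added example (not from the original page): manage the sensor's static proxy
# (TelemetryProxyServer) and verify that the proxy forwards anonymous traffic.
$ProxyHostPort = 'proxy.contoso.local:8080'             # placeholder; host:port, no scheme
$TestUrl       = 'https://winatp-gw-eus.microsoft.com'  # placeholder; use a service URL for your region
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

function Set-WdatpStaticProxy {
    param([Parameter(Mandatory)][string]$HostPort)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # REG_SZ value read by the sensor only; unlike "netsh winhttp set proxy" nothing else on the box changes.
    Set-ItemProperty -Path $Key -Name TelemetryProxyServer -Value $HostPort -Type String
}

function Get-WdatpStaticProxy {
    (Get-ItemProperty -Path $Key -Name TelemetryProxyServer -ErrorAction SilentlyContinue).TelemetryProxyServer
}

function Remove-WdatpStaticProxy {
    Remove-ItemProperty -Path $Key -Name TelemetryProxyServer -ErrorAction SilentlyContinue
}

function Test-WdatpProxyPath {
    # Deliberately sends no proxy credentials: the sensor runs as LocalSystem and cannot
    # answer a proxy authentication challenge, so a 407 here means the sensor is blocked too.
    # Any other HTTP status proves the proxy forwarded the request to the service.
    param([Parameter(Mandatory)][string]$HostPort, [Parameter(Mandatory)][string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -Proxy "http://$HostPort" -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
        "$Url via $HostPort -> HTTP $($r.StatusCode)"
    } catch {
        $code = $_.Exception.Response.StatusCode.value__
        if ($code -eq 407) { "$Url via $HostPort -> HTTP 407: proxy requires authentication; sensor traffic will be blocked" }
        elseif ($code)     { "$Url via $HostPort -> HTTP $code (proxy forwarded the request)" }
        else               { "$Url via $HostPort -> $($_.Exception.Message)" }
    }
}

Set-WdatpStaticProxy -HostPort $ProxyHostPort
"TelemetryProxyServer = $(Get-WdatpStaticProxy)"
Test-WdatpProxyPath -HostPort $ProxyHostPort -Url $TestUrl
# Group Policy writes the same value: Computer Configuration > Administrative Templates > Windows Components
# > Data Collection and Preview Builds > Configure connected user experiences and telemetry.
# To revert to auto-discovery: Remove-WdatpStaticProxy
```

Keep in mind the page's later note that the sensor falls back to a direct connection when the configured proxy is unreachable, so an unreachable proxy address does not produce an obvious error on the machine; the test above is how you notice it.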
HardDrivePath\WDATPConnectivityAnalyzer.cmd
Replace HardDrivePath with the path where the WDATPConnectivityAnalyzer tool was downloaded to,
for example
C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd
5. Extract the WDATPConnectivityAnalyzerResult.zip file created by the tool in the folder used in
HardDrivePath.
6. Open WDATPConnectivityAnalyzer.txt and verify that you have performed the proxy configuration steps
to enable server discovery and access to the service URLs.
The tool checks the connectivity of the Windows Defender ATP service URLs that the Windows Defender ATP
client is configured to interact with. It then prints the results into the WDATPConnectivityAnalyzer.txt file
for each URL that can potentially be used to communicate with the Windows Defender ATP services. For
example:
Testing URL : https://xxx.microsoft.com/xxx
1 - Default proxy: Succeeded (200)
2 - Proxy auto discovery (WPAD): Succeeded (200)
3 - Proxy disabled: Succeeded (200)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist
If at least one of the connectivity options returns a (200) status, the Windows Defender ATP client can
communicate with the tested URL using that connectivity method.
If the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes).
You can then use the URLs in the table shown in Enable access to Windows Defender ATP service URLs in the
proxy server. The URLs you'll use depend on the region selected during the onboarding procedure.
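A small triage script for the analyzer's report, as an added example that is not part of the original page or of the tool: it parses the per-URL blocks in the format shown above and separates URLs that have at least one working method from URLs where every configured method failed, which is what you need to hand to the proxy team. The sample report below is constructed to mirror the format above; the exact wording of failure lines (here "Failed (code)") and the result file path are assumptions.

```powershell
# Added example (not from the original page): summarise WDATPConnectivityAnalyzer.txt.
# Constructed sample in the tool's format; the second URL is made to fail every method.
$sampleReport = @'
Testing URL : https://xxx.microsoft.com/xxx
1 - Default proxy: Succeeded (200)
2 - Proxy auto discovery (WPAD): Succeeded (200)
3 - Proxy disabled: Succeeded (200)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist
Testing URL : https://yyy.microsoft.com/yyy
1 - Default proxy: Failed (407)
2 - Proxy auto discovery (WPAD): Failed (502)
3 - Proxy disabled: Failed (12029)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist
'@

function ConvertFrom-WdatpConnectivityReport {
    param([Parameter(Mandatory)][string[]]$Lines)
    $results = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Testing URL\s*:\s*(\S+)') {
            if ($null -ne $current) { $results += [pscustomobject]$current }
            $current = [ordered]@{ Url = $Matches[1]; Working = @(); Failed = @() }
        }
        elseif ($null -ne $current -and $line -match '^\d+ - (.+?):\s*(Succeeded|Failed)\s*\((\d+)\)') {
            $entry = "$($Matches[1]) ($($Matches[3]))"
            # Only a 200 counts as working; a "Succeeded" with another status is still a problem.
            if ($Matches[2] -eq 'Succeeded' -and $Matches[3] -eq '200') { $current.Working += $entry }
            else { $current.Failed += $entry }
        }
        # "Doesn't exist" rows mean that proxy method is not configured; they are not failures.
    }
    if ($null -ne $current) { $results += [pscustomobject]$current }
    $results
}

# Real run: ConvertFrom-WdatpConnectivityReport (Get-Content .\WDATPConnectivityAnalyzer.txt)
$report = ConvertFrom-WdatpConnectivityReport ($sampleReport -split '\r?\n')
foreach ($r in $report) {
    if ($r.Working.Count -gt 0) { "OK      $($r.Url) via $($r.Working -join ', ')" }
    else                        { "BLOCKED $($r.Url): $($r.Failed -join '; ')" }
}
```

A URL that is BLOCKED on "Proxy disabled" but OK on "Default proxy" is healthy for the sensor; a URL blocked on every method is either not allow-listed or is being SSL-inspected.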
NOTE
When the TelemetryProxyServer is set, in Registry or via Group Policy, Windows Defender ATP will fall back to direct if it
can't access the defined proxy.
Related topics
Onboard Windows 10 machines
Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
4/8/2019 • 13 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Server 2012 R2
Windows Server 2016
You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues. This page provides detailed steps
to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might
occur on the machines.
If you have completed the onboarding process and don't see machines in the Machines list after an hour, it might indicate an onboarding or
connectivity problem.
NOTE
The following event IDs are specific to the onboarding script only.
Event ID 5
Error message: Offboarding data was found but couldn't be deleted.
Resolution: Check the permissions on the registry, specifically HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.
Event ID 10
Error message: Onboarding data couldn't be written to registry.
Resolution: Check the permissions on the registry, specifically HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection. Verify that the script was run as an administrator.
Event ID 15
Error message: Failed to start SENSE service.
Resolution: Check the service health (sc query sense command). Make sure it's not in an intermediate state ('Pending_Stopped', 'Pending_Running') and try to run the script again (with administrator rights).
Event ID 15
Error message: Failed to start SENSE service.
Resolution: If the error message is "System error 577 has occurred. You need to enable the Windows Defender Antivirus ELAM driver", see Ensure that Windows Defender Antivirus is not disabled by a policy for instructions.
Event ID 30
Error message: The script failed to wait for the service to start running.
Resolution: The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see Review events and errors using Event viewer.
Event ID 35
Error message: The script failed to find the needed onboarding status registry value.
Resolution: When the SENSE service starts for the first time, it writes onboarding status to the registry location HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see Review events and errors using Event viewer.
Event ID 40
Error message: SENSE service onboarding status is not set to 1.
Resolution: The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see Review events and errors using Event viewer.
Troubleshooting steps: Check the event IDs in the View agent onboarding errors in the machine event log section.
Troubleshooting steps: Ensure that the following registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Troubleshooting steps: Check the troubleshooting steps in Troubleshoot onboarding issues on the machine.
Currently supported platforms: Enterprise, Education, and Professional. Server is not supported.
Currently supported platforms: Enterprise, Education, and Professional.
Known issues with non-compliance
The following table provides information on issues with non-compliance and how you can address the issues.
1. The machine is compliant by the SenseIsRunning OMA-URI but non-compliant by the OrgId, Onboarding and OnboardingState OMA-URIs.
Possible cause: Check that the user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is already running.
2. The machine is compliant by the OrgId, Onboarding, and OnboardingState OMA-URIs, but non-compliant by the SenseIsRunning OMA-URI.
Possible cause: The Sense service's startup type is set to "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when the DM session occurs on system start.
NOTE
SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
Event ID 5
Message: Windows Defender Advanced Threat Protection service failed to connect to the server at variable
Resolution: Ensure the machine has Internet access.
Event ID 6
Message: Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: variable
Resolution: Run the onboarding script again.
Event ID 7
Message: Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: variable
Resolution: Ensure the machine has Internet access, then run the entire onboarding process again.
Event ID 9
Message: Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable
Resolution: If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see Run the onboarding script again.
Event ID 10
Message: Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable
Resolution: If the event happened during onboarding, re-attempt running the onboarding script. For more information, see Run the onboarding script again.
Event ID 15
Message: Windows Defender Advanced Threat Protection cannot start command channel with URL: variable
Resolution: Ensure the machine has Internet access.
Event ID 17
Message: Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable
Resolution: Run the onboarding script again. If the problem persists, contact support.
Event ID 29
Message: Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3
Resolution: Ensure the machine has Internet access, then run the entire offboarding process again.
Event ID 32
Message: Windows Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1
Resolution: Verify that the service start type is manual and reboot the machine.
Event ID 63
Message: Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4
Resolution: Identify what is causing changes in the start type of the mentioned service. If the exit code is not 0, fix the start type manually to the expected start type.
Event ID 64
Message: Starting stopped external service. Name: %1, exit code: %2
Resolution: Contact support if the event keeps re-appearing.
Event ID 68
Message: The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3
Resolution: Identify what is causing changes in start type. Fix the mentioned service start type.
Event ID 69
Message: The service is stopped. Service name: %1
Resolution: Start the mentioned service. Contact support if the problem persists.
There are additional components on the machine that the Windows Defender ATP agent depends on to function properly. If there are no
onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional
components are configured correctly.
Ensure the diagnostic data service is enabled
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start
and is running on the machine. The service might have been disabled by other programs or user configuration changes.
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is
currently running (and start it if it isn't).
Ensure the service is set to start
Use the command line to check the Windows 10 diagnostic data service startup type:
1. Open an elevated command-line prompt on the machine:
a. Click Start, type cmd, and press Enter.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:
sc qc diagtrack
If the service is enabled, the output includes a START_TYPE line reading 2 AUTO_START.
If the START_TYPE is not set to AUTO_START, then you'll need to set the service to automatically start.
Use the command line to set the Windows 10 diagnostic data service to automatically start:
1. Open an elevated command-line prompt on the machine:
a. Click Start, type cmd, and press Enter.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:
sc config diagtrack start= auto
3. A success message is displayed. Verify the change by entering the following command, and press Enter:
sc qc diagtrack
Ensure the service is running
If the service is set to start automatically but is not currently running, start it from the same elevated prompt:
sc start diagtrack
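The checks in this section and the event tables above, folded into one health check as an added example that is not part of the original page: it reports the state and start mode of the diagnostic data service and of SENSE, the onboarding status value the onboarding script waits for, whether the policy key the script writes exists, and the error event IDs SENSE logged in the last 24 hours, then applies the diagtrack fix when needed. The value name OnboardingState under the Status key is assumed from the OMA-URI of the same name; the log name is the sensor's operational channel.

```powershell
# Added example (not from the original page): Windows Defender ATP onboarding health check.
function Get-WdatpOnboardingHealth {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $h = [ordered]@{}
    foreach ($name in 'DiagTrack', 'Sense') {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        $h["${name}State"]     = if ($svc) { $svc.State }     else { 'NotInstalled' }
        $h["${name}StartMode"] = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
    }
    # 1 = onboarded; the onboarding script fails with event 35/40 when this is missing or not 1.
    $h.OnboardingState = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $h.PolicyKeyExists = Test-Path $policyKey
    # Error-level SENSE events from the last day, grouped by ID so they can be matched against the table above.
    $recent = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 2; StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue
    $h.SenseErrors24h = ($recent | Group-Object Id | ForEach-Object { "Id $($_.Name) x$($_.Count)" }) -join '; '
    $h.Healthy = ($h.DiagTrackStartMode -eq 'Auto' -and $h.DiagTrackState -eq 'Running' -and
                  $h.SenseState -eq 'Running' -and $h.OnboardingState -eq 1)
    [pscustomobject]$h
}

function Repair-DiagTrack {
    # Same effect as "sc config diagtrack start= auto" followed by "sc start diagtrack".
    Set-Service -Name DiagTrack -StartupType Automatic
    if ((Get-Service DiagTrack).Status -ne 'Running') { Start-Service DiagTrack }
}

$health = Get-WdatpOnboardingHealth
$health | Format-List
if ($health.DiagTrackStartMode -ne 'Auto' -or $health.DiagTrackState -ne 'Running') { Repair-DiagTrack }
if (-not $health.Healthy) {
    Write-Warning 'Machine is not fully onboarded; match SenseErrors24h against the SENSE event table above.'
}
```

Run it elevated. A machine with OnboardingState 1 and SENSE running but DiagTrack stopped is the classic case of "onboarded but never appears in the portal", because the sensor ships its data through the diagnostic data service.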
On servers, also check the Microsoft Monitoring Agent:
Check Event Viewer > Applications and Services Logs > Operations Manager to see if there are any errors.
In Services, check that the Microsoft Monitoring Agent service is running on the server.
In Microsoft Monitoring Agent > Azure Log Analytics (OMS), check the Workspaces and verify that the status is running.
Check that the machines are reflected in the Machines list in the portal.
Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
Windows 10 Enterprise E5
Windows 10 Education E5
Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
For more information, see Windows 10 Licensing.
Related topics
Troubleshoot Windows Defender ATP
Onboard machines
Configure machine proxy and Internet connectivity settings
Troubleshoot subscription and portal access issues
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
This page provides detailed steps to troubleshoot issues that might occur when setting up your Windows Defender
ATP service.
If you receive an error message, Windows Defender Security Center will provide a detailed explanation on what
the issue is and relevant links will be supplied.
No subscriptions found
If while accessing Windows Defender Security Center you get a No subscriptions found message, it means the
Azure Active Directory (AAD) tenant used to sign the user in to the portal does not have a Windows Defender ATP license.
Potential reasons:
The Windows E5 and Office E5 licenses are separate licenses.
The license was purchased but not provisioned to this AAD instance.
It could be a license provisioning issue.
It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for
authentication into the service.
For both cases you should contact Microsoft support at General Windows Defender ATP Support or Volume
license support.
NOTE
For security reasons, the package used to offboard machines will expire 30 days after the date it was downloaded. Expired
offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of
the package's expiry date, and it is also included in the package name.
Related topics
Validate licensing provisioning and complete setup for Windows Defender ATP
Windows Defender ATP APIs
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
In this section
Windows Defender ATP API overview: Learn how to access the Windows Defender ATP public API and in which context.
Supported Windows Defender ATP APIs: Learn more about the individual supported entities you can run API calls against, and details such as HTTP request values, request headers and expected responses. Examples include APIs for the alert resource type, domain-related alerts, or actions such as isolate machine.
How to use APIs - Samples: Learn how to use the Advanced hunting API and multiple other APIs from PowerShell. Other examples include scheduling advanced hunting using Microsoft Flow or OData queries.
Windows Defender ATP API overview
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those
APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities.
The API access requires OAuth2.0 authentication. For more information, see OAuth 2.0 Authorization
Code Flow.
In general, you’ll need to take the following steps to use the APIs:
Create an AAD application
Get an access token using this application
Use the token to access Windows Defender ATP API
You can access Windows Defender ATP API with Application Context or User Context.
Application Context: (Recommended)
Used by apps that run without a signed-in user present, for example apps that run as background
services or daemons.
Steps that need to be taken to access Windows Defender ATP API with application context:
1. Create an AAD Web-Application.
2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'.
3. Create a key for this Application.
4. Get token using the application with its key.
5. Use the token to access Windows Defender ATP API
For more information, see Get access with application context.
User Context:
Used to perform actions in the API on behalf of a user.
Steps that need to be taken to access Windows Defender ATP API with user context:
1. Create an AAD Native-Application.
2. Assign the desired permissions to the application, for example 'Read Alerts' or 'Isolate Machines'.
3. Get token using the application with user credentials.
4. Use the token to access Windows Defender ATP API
For more information, see Get access with user context.
Related topics
Windows Defender ATP APIs
Access Windows Defender ATP with application context
Access Windows Defender ATP with user context
Windows Defender ATP API - Hello World
4/5/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
3. In the registration form, enter the following information, then click Create.
Name: Choose your own name.
Application type: Web app / API
Redirect URI: https://127.0.0.1
4. Allow your App to access Windows Defender ATP and assign it 'Read all alerts' permission:
Click Settings > Required permissions > Add.
# This script gets an App Context token and saves it to a file named "Latest-token.txt" in the current directory.
# Paste your Tenant ID, App ID and App Secret (App key) into the three variables below.
$TenantId  = ''   # Directory (tenant) ID
$appId     = ''   # Application (client) ID
$appSecret = ''   # Application key (client secret)
$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
$authBody = [Ordered] @{
resource = "$resourceAppIdUri"
client_id = "$appId"
client_secret = "$appSecret"
grant_type = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token
Out-File -FilePath "./Latest-token.txt" -InputObject $token
return $token
Sanity Check:
Run the script.
In your browser go to: https://jwt.ms/
Copy the token (the content of the Latest-token.txt file).
Paste in the top box.
Look for the "roles" section. Find the Alert.Read.All role.
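The same sanity check done locally instead of by pasting the token into jwt.ms, as an added example that is not part of the original page: it decodes the JWT payload (base64url, no signature verification, since only the service can validate the signature) and checks the audience, expiry and the required roles. It also builds a constructed, unsigned sample token so the check can be exercised offline before pointing it at Latest-token.txt; the application ID in that sample is a placeholder.

```powershell
# Added example (not from the original page): offline check of an app-context token's claims.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWS compact-serialised token (expected header.payload.signature)' }
    # base64url -> base64: swap the URL-safe alphabet back and restore the padding the issuer stripped
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-WdatpAppToken {
    param([Parameter(Mandatory)][string]$Token,
          [string[]]$RequiredRoles = @('Alert.Read.All'),
          [string]$ExpectedAudience = 'https://api.securitycenter.windows.com')
    $claims = ConvertFrom-JwtPayload -Token $Token
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $problems = @()
    if ($claims.aud -ne $ExpectedAudience) { $problems += "aud is '$($claims.aud)', expected '$ExpectedAudience'" }
    if (-not $claims.exp -or $claims.exp -le $now) { $problems += 'token is expired or has no exp claim' }
    $missing = @($RequiredRoles | Where-Object { $claims.roles -notcontains $_ })
    if ($missing.Count -gt 0) { $problems += "missing roles: $($missing -join ', ')" }
    [pscustomobject]@{ AppId = $claims.appid; Roles = $claims.roles; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample: a well-formed but UNSIGNED token, only to exercise the parser offline.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{
    aud   = 'https://api.securitycenter.windows.com'
    appid = '00000000-0000-0000-0000-000000000000'           # placeholder application ID
    roles = @('Alert.Read.All')
    exp   = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress
$sampleToken = (ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}') + '.' + (ConvertTo-Base64Url $payload) + '.not-a-real-signature'

Test-WdatpAppToken -Token $sampleToken                                   # Ok = True
Test-WdatpAppToken -Token $sampleToken -RequiredRoles 'Machine.Isolate'  # Ok = False, missing role

# Real token written by Get-Token.ps1:
if (Test-Path ./Latest-token.txt) { Test-WdatpAppToken -Token ((Get-Content ./Latest-token.txt -Raw).Trim()) }
```

A token whose roles claim is empty almost always means the permission was added to the app registration but admin consent was never granted; the token is issued anyway and the API returns 403.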
Let's get the alerts!
The script below uses Get-Token.ps1 to access the API and gets the alerts of the past 48 hours.
Save this script in the same folder as the previous script, Get-Token.ps1.
The script creates two files (json and csv) with the data in the same folder as the scripts.
# Returns Alerts created in the past 48 hours.
$token = ./Get-Token.ps1   # run Get-Token.ps1; make sure you run this script from the same folder as Get-Token.ps1
# Get Alerts from the last 48 hours. Make sure you have alerts in that time frame.
$dateTime = (Get-Date).ToUniversalTime().AddHours(-48).ToString("o")
# The URL contains the type of query and the time filter we created above
# Read more about other query options and filters at Https://TBD- add the documentation link
$url = "https://api.securitycenter.windows.com/api/alerts?`$filter=alertCreationTime ge $dateTime"
# Get a string with the execution time. We append it to the output file names to avoid overwriting files
$dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."}
# Call the API with the token as a Bearer credential; the alerts are in the "value" array of the response
$headers = @{ Accept = 'application/json'; Authorization = "Bearer $token" }
$response = Invoke-RestMethod -Method Get -Uri $url -Headers $headers -ErrorAction Stop
$alerts = $response.value
# Write the same data as json and as csv
$alerts | ConvertTo-Json -Depth 10 | Out-File -FilePath "./Latest Alerts $dateTimeForFileName.json"
$alerts | Export-Csv -Path "./Latest Alerts $dateTimeForFileName.csv" -NoTypeInformation
Related topic
Windows Defender ATP APIs
Access Windows Defender ATP with application context
Access Windows Defender ATP with user context
Create an app to access Windows Defender ATP without a user
4/22/2019 • 5 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
This page describes how to create an application to get programmatic access to Windows Defender ATP without
a user.
If you need programmatic access to Windows Defender ATP on behalf of a user, see Get access with user context.
If you are not sure which access you need, see Get started.
Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs
will help you automate workflows and innovate based on Windows Defender ATP capabilities. The API access
requires OAuth2.0 authentication. For more information, see OAuth 2.0 Authorization Code Flow.
In general, you’ll need to take the following steps to use the APIs:
Create an AAD application
Get an access token using this application
Use the token to access Windows Defender ATP API
This page explains how to create an AAD application, get an access token to Windows Defender ATP and validate
the token.
Create an app
1. Log on to Azure with user that has Global Administrator role.
2. Navigate to Azure Active Directory > App registrations > New application registration.
3. In the Create window, enter the following information then click Create.
Name: Choose your own name.
Application type: Web app / API
Redirect URI: https://127.0.0.1
4. Click Settings > Required permissions > Add.
6. Click Select permissions > Check the desired permissions > Select.
Important note: You need to select the relevant permissions. 'Run advanced queries' is only an example!
For instance,
To run advanced queries, select 'Run advanced queries' permission
To isolate a machine, select 'Isolate machine' permission
To determine which permission you need, look at the Permissions section of the API you want to call.
7. Click Done
11. For Windows Defender ATP Partners only - Set your application to be multi-tenanted
This is required for 3rd party apps (for example, if you create an application that is intended to run in
multiple customers tenant).
This is not required if you create a service that you want to run in your tenant only (for example, if you
create an application for your own usage that will only interact with your own data)
Click Properties > Yes > Save.
Application consent for your multi-tenant App:
You need your application to be approved in each tenant where you intend to use it. This is because your
application interacts with Windows Defender ATP application on behalf of your customer.
You (or your customer if you are writing a 3rd party application) need to click the consent link and approve
your application. The consent should be done with a user who has admin privileges in the active directory.
Consent link is of the form:
https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-
0000-000000000000&response_type=code&sso_reload=true
# Paste your Tenant ID, App ID and App Secret (App key) into the three variables below.
$TenantId  = ''   # Directory (tenant) ID
$appId     = ''   # Application (client) ID
$appSecret = ''   # Application key (client secret)
$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
$authBody = [Ordered] @{
resource = "$resourceAppIdUri"
client_id = "$appId"
client_secret = "$appSecret"
grant_type = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token
Out-File -FilePath "./Latest-token.txt" -InputObject $token
return $token
Using C#:
The code below was tested with the NuGet package Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8:
using Microsoft.IdentityModel.Clients.ActiveDirectory;
Copy/paste the code below into your application (do not forget to update the 3 variables: tenantId, appId, appSecret).
Using Python
Refer to Get token using Python
Using Curl
NOTE
The procedure below assumes Curl for Windows is already installed on your computer.
The token endpoint answers with a JSON document; expires_in is the token lifetime in seconds and access_token is the bearer token to send in the Authorization header of API calls:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"}
Related topics
Supported Windows Defender ATP APIs
Access Windows Defender ATP on behalf of a user
Use Windows Defender ATP APIs
4/22/2019
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
This page describes how to create an application to get programmatic access to Windows Defender ATP on behalf of a user.
If you need programmatic access to Windows Defender ATP without a user, see Access Windows Defender ATP with application context.
If you are not sure which kind of access you need, read the Introduction page.
Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs let you automate workflows and build on Windows Defender ATP capabilities. API access requires OAuth 2.0 authentication. For more information, see OAuth 2.0 Authorization Code Flow.
In general, you’ll need to take the following steps to use the APIs:
Create an AAD application
Get an access token using this application
Use the token to access Windows Defender ATP API
This page explains how to create an AAD application, get an access token to Windows Defender ATP and validate
the token.
NOTE
When accessing Windows Defender ATP API on behalf of a user, you will need the correct App permission and user
permission. If you are not familiar with user permissions on Windows Defender ATP, see Manage portal access using role-
based access control.
TIP
If you have the permission to perform an action in the portal, you have the permission to perform the action in the API.
Create an app
1. Log on to Azure with a user that has the Global Administrator role.
2. Navigate to Azure Active Directory > App registrations > New application registration.
3. In the Create window, enter the following information then click Create.
IMPORTANT
Select only the permissions your application actually needs; 'Read alerts' and 'Collect forensics' are only examples. For instance,
7. Click Done
8. Click Grant permissions
To apply the newly selected permissions to the app, a tenant admin must click the Grant permissions button.
If you later add more permissions to the app, you will need to click Grant permissions again for the changes to take effect.
namespace WindowsDefenderATP
{
    using System.Net.Http;
    using System.Text;
    using System.Threading.Tasks;
    using Newtonsoft.Json.Linq;

    // Only the final statement of the page's token helper survived extraction: it parses
    // the JSON returned by the OAuth2 token endpoint and returns the access_token value.
    // The surrounding HTTP call is not on the page; the class and method names here are
    // placeholders that make the fragment compile on its own.
    public static class WindowsDefenderATPUtils
    {
        public static string ExtractAccessToken(string tokenEndpointJson)
        {
            var jObject = JObject.Parse(tokenEndpointJson);
            return jObject["access_token"].Value<string>();
        }
    }
}
Related topics
Windows Defender ATP APIs
Access Windows Defender ATP with application context
Supported Windows Defender ATP query APIs
4/8/2019
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Versioning:
The API supports versioning.
The current version is V1.0.
To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example:
https://api.securitycenter.windows.com/api/v1.0/alerts
If you don't specify any version (e.g., https://api.securitycenter.windows.com/api/alerts ), you get the latest version.
Learn more about the individual supported entities where you can run API calls to and details such as HTTP
request values, request headers and expected responses.
In this section
Alerts: run API calls such as get alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information.
Domain: run API calls such as get domain related machines, domain statistics, and check if a domain is seen in your organization.
File: run API calls such as get file information, file related alerts, file related machines, and file statistics.
Machines: run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID.
User: run API calls such as get alert related user information, user information, user related alerts, and user related machines.
Related topic
Windows Defender ATP APIs
Advanced hunting API
4/22/2019
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
This API lets you run programmatically the same queries you are used to running from the Windows Defender ATP portal.
Limitations
1. You can only run a query on data from the last 30 days.
2. The results will include a maximum of 10,000 rows.
3. The number of executions is limited: up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day.
4. The maximum execution time of a single request is 10 minutes.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have the 'View Data' role permission
The user needs to have access to the machine, based on machine group settings (see Create and manage machine groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/advancedqueries/run
Request headers
HEADER VALUE
Content-Type application/json
Request body
In the request body, supply a JSON object with the following parameters:
Response
If successful, this method returns 200 OK, and QueryResponse object in the response body.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
POST https://api.securitycenter.windows.com/api/advancedqueries/run
Content-type: application/json
{
"Query":"ProcessCreationEvents
| where InitiatingProcessFileName =~ \"powershell.exe\"
| where ProcessCommandLine contains \"appdata\"
| project EventTime, FileName, InitiatingProcessFileName
| limit 2"
}
Response
Here is an example of the response.
NOTE
The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
HTTP/1.1 200 OK
Content-Type: application/json
{
"Schema": [{
"Name": "EventTime",
"Type": "DateTime"
},
{
"Name": "FileName",
"Type": "String"
},
{
"Name": "InitiatingProcessFileName",
"Type": "String"
}],
"Results": [{
"EventTime": "2018-07-09T07:16:26.8017265",
"FileName": "csc.exe",
"InitiatingProcessFileName": "powershell.exe"
},
{
"EventTime": "2018-07-08T19:00:02.7798905",
"FileName": "gpresult.exe",
"InitiatingProcessFileName": "powershell.exe"
}]
}
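The request and response above, worked through in code as an added example (not code from the page or from Microsoft): it assembles the POST with the bearer token in the Authorization header, picks one of the regional hosts listed above, and turns a QueryResponse into typed rows using the Schema array, flagging a result that hit the 10,000-row cap from the Limitations list. The sample response is the one shown on this page, embedded as constructed input; the region names and the row cap check are this example's own conventions.

```python
import json
from datetime import datetime, timezone

# Regional API hosts listed on the page; None selects the global endpoint.
API_HOSTS = {
    None: "api.securitycenter.windows.com",
    "us": "api-us.securitycenter.windows.com",
    "eu": "api-eu.securitycenter.windows.com",
    "uk": "api-uk.securitycenter.windows.com",
}
MAX_ROWS = 10_000   # per-query row cap from the Limitations list


def build_hunting_request(query: str, token: str, region: str = None) -> dict:
    """Assemble the POST described on this page as a plain dict.

    The bearer token travels only in the Authorization header; it never goes
    into the URL or the JSON body. Hand the dict to any HTTP client.
    """
    if region not in API_HOSTS:
        raise ValueError(f"unknown region {region!r}; use one of {sorted(k for k in API_HOSTS if k)}")
    return {
        "method": "POST",
        "url": f"https://{API_HOSTS[region]}/api/advancedqueries/run",
        "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        "body": json.dumps({"Query": query}),
    }


def _typed(value, odata_type: str):
    """Convert one raw cell according to its Schema type; only DateTime needs work."""
    if value is None or odata_type != "DateTime":
        return value
    # Hunting timestamps carry up to 7 fractional digits; datetime accepts 6.
    head, _, frac = value.rstrip("Z").partition(".")
    iso = f"{head}.{frac[:6].ljust(6, '0')}" if frac else head
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def parse_query_response(payload: dict) -> tuple:
    """Turn a QueryResponse into (rows, truncated).

    rows: one dict per result, keyed by column name with typed values.
    truncated: True when the result hit MAX_ROWS, meaning the query must be
    narrowed (shorter time window, extra 'where', explicit 'limit') before
    its output is treated as complete.
    """
    types = {col["Name"]: col["Type"] for col in payload["Schema"]}
    rows = [{name: _typed(raw.get(name), kind) for name, kind in types.items()}
            for raw in payload["Results"]]
    return rows, len(rows) >= MAX_ROWS


def newest_event(rows: list) -> datetime:
    """Largest EventTime in the rows: the natural high-water mark for the next run."""
    return max(row["EventTime"] for row in rows)


# Constructed sample: the response shown on this page, as the API would return it.
SAMPLE_RESPONSE = json.loads("""{
  "Schema": [{"Name": "EventTime", "Type": "DateTime"},
             {"Name": "FileName", "Type": "String"},
             {"Name": "InitiatingProcessFileName", "Type": "String"}],
  "Results": [{"EventTime": "2018-07-09T07:16:26.8017265",
               "FileName": "csc.exe",
               "InitiatingProcessFileName": "powershell.exe"},
              {"EventTime": "2018-07-08T19:00:02.7798905",
               "FileName": "gpresult.exe",
               "InitiatingProcessFileName": "powershell.exe"}]
}""")

if __name__ == "__main__":
    request = build_hunting_request("ProcessCreationEvents | limit 2", "<access-token>", region="eu")
    rows, truncated = parse_query_response(SAMPLE_RESPONSE)
    print(request["url"])
    for row in rows:
        print(row["EventTime"].isoformat(), row["InitiatingProcessFileName"], "->", row["FileName"])
    print("truncated:", truncated, "newest:", newest_event(rows).isoformat())
```

The truncated flag matters more than it looks: a scheduled query that silently returns exactly 10,000 rows is dropping events, and the fix is on the query side (narrow the window, add a where clause), not on the client. The 7-digit timestamps are kept only to microsecond precision once parsed, so keep the raw string if you need to hand the event back to the service.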
Troubleshoot issues
Error: (403) Forbidden / (401) Unauthorized
If you get this error when calling the Windows Defender ATP API, your token might not include the necessary permission.
If the 'roles' section in the token does not include the necessary permission (for a token obtained on behalf of a user, the delegated permissions are in the 'scp' claim instead):
- The necessary permission might not have been granted to your app. For more information, see Create an app under Access Windows Defender ATP without a user or Access Windows Defender ATP on behalf of a user, or
- The app was not authorized in the tenant; see Application consent.
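The token check described above (and the "validate the token" step promised at the top of the page), as an added example that is not code from the page or from Microsoft: it base64url-decodes the JWT payload, confirms the audience is the Windows Defender ATP resource requested in the token call, and looks for the required permission in 'roles' (application token) or 'scp' (user token). It does not verify the signature, so it only explains a 401/403; it proves nothing about authenticity. The sample tokens are constructed and unsigned, and the permission names in them (AdvancedQuery.Read.All, Alert.Read.All, AdvancedQuery.Read) are assumed illustrative values, not taken from this page. The header of the real token in the Curl output above, eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1N..., decodes to {"typ":"JWT","alg":"RS256",... in the same way.

```python
import base64
import json

# Audience a Windows Defender ATP token must carry: the resource requested in the token call.
WDATP_RESOURCE = "https://api.securitycenter.windows.com"


def _b64url_decode(segment: str) -> bytes:
    """base64url without padding, as used in JWTs; restore the padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying the signature.

    Troubleshooting aid only: the service verifies the signature itself, so a
    readable payload says nothing about whether the token is genuine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Permissions the token carries: 'roles' for app tokens, 'scp' for user tokens."""
    return set(claims.get("roles", [])) | set(claims.get("scp", "").split())


def token_problems(token: str, required_permission: str) -> list:
    """Explain a 401/403: wrong audience or missing permission (empty list = looks usable)."""
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("aud") != WDATP_RESOURCE:
        problems.append(f"audience is {claims.get('aud')!r}: the token was issued for another resource")
    granted = granted_permissions(claims)
    if required_permission not in granted:
        problems.append(
            f"permission {required_permission!r} not in token (has {sorted(granted) or ['none']}); "
            "add it to the app, click 'Grant permissions', and re-consent the tenant for a multi-tenant app"
        )
    return problems


def _unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT for the samples below; a real token carries an RS256 signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(claims)}."


# Constructed samples; the permission names are illustrative app roles and delegated scopes.
APP_TOKEN_MISSING_ROLE = _unsigned_jwt({"aud": WDATP_RESOURCE, "roles": ["Alert.Read.All"]})
APP_TOKEN_OK = _unsigned_jwt({"aud": WDATP_RESOURCE, "roles": ["Alert.Read.All", "AdvancedQuery.Read.All"]})
USER_TOKEN_OK = _unsigned_jwt({"aud": WDATP_RESOURCE, "scp": "AdvancedQuery.Read Alert.Read",
                               "upn": "secop@contoso.com"})
WRONG_AUDIENCE = _unsigned_jwt({"aud": "https://graph.microsoft.com", "roles": ["AdvancedQuery.Read.All"]})

if __name__ == "__main__":
    cases = [("app token, missing role", APP_TOKEN_MISSING_ROLE, "AdvancedQuery.Read.All"),
             ("app token, ok", APP_TOKEN_OK, "AdvancedQuery.Read.All"),
             ("user token, ok", USER_TOKEN_OK, "AdvancedQuery.Read"),
             ("wrong audience", WRONG_AUDIENCE, "AdvancedQuery.Read.All")]
    for name, tok, needed in cases:
        print(f"{name}: {token_problems(tok, needed) or 'no problem found'}")
```

Run it against the access_token value returned by the token call before blaming the API: a token whose 'aud' is another resource (Graph, for instance) or whose 'roles' list stops at what the app was consented for is the usual cause, and both are visible in the payload without any secret.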
Related topic
Windows Defender ATP APIs
Advanced Hunting from Portal
Advanced Hunting using PowerShell
Schedule Advanced Hunting
Alert resource type
4/22/2019
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Represents an alert entity in Windows Defender ATP.
Methods
List related domains (returns a Domain collection): list the domains associated with the alert.
List related files (returns a File collection): list the file entities associated with the alert.
List related IPs (returns an IP collection): list the IPs associated with the alert.
Get related machine (returns a Machine): the machine associated with the alert.
Get related user (returns a User): the user associated with the alert.
Properties
alertCreationTime (DateTimeOffset): the date and time (in UTC) the alert was created.
JSON representation
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
List alerts API
4/22/2019
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of Alerts.
Supports OData V4 queries.
The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and
"Category".
See examples at OData queries with Windows Defender ATP
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only alerts that are associated with machines that the user can access, based on machine group
settings (See Create and manage machine groups for more information)
HTTP request
GET /api/alerts
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK, and a list of alert objects in the response body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/alerts
Response
Here is an example of the response.
NOTE
The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
Related topics
OData queries with Windows Defender ATP
Create alert from event API
4/22/2019
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Creates a new alert entity from event data obtained from Advanced Hunting.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts investigation' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply the following values (all are required):
Response
If successful, this method returns 200 OK and the new alert object in the response body. If no event with the specified properties (reportId, eventTime and machineId) was found, it returns 404 Not Found.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
Content-Type: application/json
{
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"severity": "Low",
"title": "test alert",
"description": "test alert",
"recommendedAction": "test alert",
"eventTime": "2018-08-03T16:45:21.7115183Z",
"reportId": "20776",
"category": "None"
}
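Building the request above from an Advanced Hunting result, as an added example that is not code from the page or from Microsoft. The API looks the event up by the exact machineId, eventTime and reportId triple and answers 404 Not Found otherwise, so the three values are copied verbatim from the raw 'Results' entry rather than from parsed timestamps (a datetime that has been round-tripped loses the seventh fractional digit and will not match). The hunting column names MachineId, EventTime and ReportId, the severity list beyond "Low", and the sample row are assumptions of this example; the sample row reuses the values from the request shown above.

```python
import json
import re

API_URL = "https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference"
LOOKUP_COLUMNS = ("MachineId", "EventTime", "ReportId")   # assumed hunting column names
# Timestamps as hunting returns them: UTC, up to 7 fractional digits, optional 'Z'.
_EVENT_TIME = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,7})?Z?$")
SEVERITIES = ("Low", "Medium", "High", "Informational")   # assumed; the page shows only "Low"


def row_problems(row: dict) -> list:
    """List what makes a hunting row unusable as an alert reference (empty = fine)."""
    problems = [f"missing column {col}" for col in LOOKUP_COLUMNS if not row.get(col)]
    if not problems and not _EVENT_TIME.match(str(row["EventTime"])):
        problems.append(f"EventTime {row['EventTime']!r} is not in the API's UTC format")
    return problems


def alert_body_from_event(row: dict, *, title: str, description: str,
                          recommended_action: str, severity: str = "Low",
                          category: str = "None") -> dict:
    """Build the CreateAlertByReference body from one raw 'Results' entry.

    The three lookup values are passed through unchanged: the service matches
    the event on their exact values, so a reformatted timestamp means 404.
    """
    problems = row_problems(row)
    if problems:
        raise ValueError("; ".join(problems) + " (project these columns in the hunting query)")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    return {
        "machineId": row["MachineId"],
        "severity": severity,
        "title": title,
        "description": description,
        "recommendedAction": recommended_action,
        "eventTime": row["EventTime"],
        "reportId": str(row["ReportId"]),   # the page sends reportId as a string
        "category": category,
    }


def create_alert_request(row: dict, token: str, **alert_fields) -> dict:
    """The complete POST: URL, headers with the bearer token, and JSON body."""
    return {
        "method": "POST",
        "url": API_URL,
        "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        "body": json.dumps(alert_body_from_event(row, **alert_fields)),
    }


# Constructed sample row, reusing the values from the request example on the page.
SAMPLE_ROW = {
    "MachineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
    "EventTime": "2018-08-03T16:45:21.7115183Z",
    "ReportId": 20776,
    "FileName": "powershell.exe",
}

if __name__ == "__main__":
    req = create_alert_request(SAMPLE_ROW, "<access-token>", title="test alert",
                               description="test alert", recommended_action="test alert")
    print(req["url"])
    print(req["body"])
```

Project the three lookup columns in every hunting query whose rows you may want to promote to alerts; a row without them cannot be referenced later, and re-running the query to recover them costs one of the 15 calls per minute.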
Update alert
4/22/2019
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Update the properties of an alert entity.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts investigation' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
PATCH /api/alerts/{id}
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply the values for the fields that should be updated. Existing properties that are not included in the request body keep their previous values or are recalculated based on changes to other property values. For best performance, do not include existing values that have not changed.
PROPERTY TYPE DESCRIPTION
Response
If successful, this method returns 200 OK, and the alert entity in the response body with the updated properties. If
alert with the specified id was not found - 404 Not Found.
Example
Request
Here is an example of the request.
PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442
Content-Type: application/json
{
"assignedTo": "secop2@contoso.com"
}
Response
Here is an example of the response.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity",
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop2@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
Get alert information by ID API
4/22/2019
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves an alert by its ID.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/alerts/{id}
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK, and the alert entity in the response body. If alert with the specified id
was not found - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/alerts/441688558380765161_2136280442
Response
Here is an example of the response.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
Get alert related domain information API
4/22/2019
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves all domains related to a specific alert.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/alerts/{id}/domains
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/domains
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Domains",
"value": [
{
"host": "www.example.com"
}
]
}
Get alert related files information API
4/22/2019
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves all files related to a specific alert.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/alerts/{id}/files
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and alert and files exist - 200 OK. If alert not found - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/files
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files",
"value": [
{
"sha1": "654f19c41d9662cf86be21bf0af5a88c38c56a9d",
"sha256": "2f905feec2798cee6f63da2c26758d86bfeaab954c01e20ac7085bf55fedde87",
"md5": "82849dc81d94056224445ea73dc6153a",
"globalPrevalence": 33,
"globalFirstObserved": "2018-07-17T18:17:27.5909748Z",
"globalLastObserved": "2018-08-06T16:07:12.9414137Z",
"windowsDefenderAVThreatName": null,
"size": 801112,
"fileType": "PortableExecutable",
"isPeFile": true,
"filePublisher": null,
"fileProductName": null,
"signer": "Microsoft Windows",
"issuer": "Microsoft Development PCA 2014",
"signerHash": "9e284231a4d1c53fc8d4492b09f65116bf97447f",
"isValidCertificate": true
}
]
}
Get alert related IP information API
4/22/2019
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves all IPs related to a specific alert.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/alerts/{id}/ips
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/ips
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Ips",
"value": [
{
"id": "104.80.104.128"
},
{
"id": "23.203.232.228"
}
]
}
Get alert related machine information API
4/22/2019
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves the machine that is related to a specific alert.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
Permission type: Delegated (work or school account); permission: Machine.ReadWrite; display name: 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/alerts/{id}/machine
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and alert and machine exist - 200 OK. If alert not found or machine not found - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/machine
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
Get alert related user information API
4/22/2019
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves the user associated with a specific alert.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/alerts/{id}/user
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the alert and a user exist - 200 OK with the user in the body. If the alert or the user was not found - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/user
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
"id": "contoso\\user1",
"firstSeen": "2018-08-02T00:00:00Z",
"lastSeen": "2018-08-04T00:00:00Z",
"mostPrevalentMachineId": null,
"leastPrevalentMachineId": null,
"logonTypes": "Network",
"logOnMachinesCount": 3,
"isDomainAdmin": false,
"isOnlyNetworkUser": null
}
Machine resource type
4/5/2019
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Methods
List machines (returns a machine collection): list the machine entities in the org.
Get logged on users (returns a user collection): the set of users that logged on to the machine.
Get related alerts (returns an alert collection): the alert entities that were raised on the machine.
Properties
PROPERTY TYPE DESCRIPTION
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
This API can do the following actions:
Retrieves a collection of machines that have communicated with the Windows Defender ATP cloud in the last 30 days.
Get Machines collection API supports OData V4 queries.
The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress",
"HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId".
See examples at OData queries with Windows Defender ATP
Permissions
Permission type: Delegated (work or school account); permission: Machine.ReadWrite; display name: 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only machines that the user has access to, based on machine group settings (see Create and manage machine groups for more information)
HTTP request
GET https://api.securitycenter.windows.com/api/machines
Request headers
NAME TYPE DESCRIPTION
Response
If successful and machines exist - 200 OK with a list of machine entities in the body. If no recent machines - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/machines
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
Related topics
OData queries with Windows Defender ATP
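A $filter builder for the two collection endpoints on this page (List alerts, which filters on Id, IncidentId, AlertCreationTime, Status, Severity and Category, and List machines, which filters on the properties listed above), as an added example that is not code from the page or from Microsoft. It rejects properties the page does not list as filterable, renders datetimes unquoted in UTC, and doubles single quotes inside string values so that a value taken from user input or from another system cannot end the literal and change the filter. The camelCase property names follow the JSON shown on this page; machineTags is collection-valued and would need OData's any() lambda, which this builder deliberately leaves out. The sample conditions are constructed.

```python
from datetime import datetime, timezone
from urllib.parse import quote

API_BASE = "https://api.securitycenter.windows.com/api"

# Properties the page lists as filterable, per entity (camelCase as in the JSON).
FILTERABLE = {
    "alerts": {"id", "incidentId", "alertCreationTime", "status", "severity", "category"},
    "machines": {"id", "computerDnsName", "lastSeen", "lastIpAddress", "healthStatus",
                 "osPlatform", "riskScore", "rbacGroupId"},
}
OPERATORS = {"eq", "ne", "gt", "ge", "lt", "le"}


def odata_literal(value) -> str:
    """Render a Python value as an OData v4 literal.

    Strings are quoted with embedded quotes doubled, so "O'Brien" becomes
    'O''Brien' and cannot terminate the literal; datetimes are emitted
    unquoted in UTC, the form the page's timestamps use.
    """
    if isinstance(value, bool):          # before int: bool is a subclass of int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, datetime):
        if value.tzinfo is None:
            raise ValueError("naive datetime; pass an aware (UTC) datetime")
        return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return "'" + str(value).replace("'", "''") + "'"


def build_filter(entity: str, conditions: list) -> str:
    """AND together (property, operator, value) triples into a $filter expression.

    Unknown properties fail here rather than at the service: the API filters
    only on the listed ones, and a typo that is silently ignored returns the
    whole collection instead of the subset you asked for.
    """
    allowed = FILTERABLE[entity]
    clauses = []
    for prop, op, value in conditions:
        if prop not in allowed:
            raise ValueError(f"{entity} cannot be filtered on {prop!r}; allowed: {sorted(allowed)}")
        if op not in OPERATORS:
            raise ValueError(f"unsupported operator {op!r}")
        clauses.append(f"{prop} {op} {odata_literal(value)}")
    return " and ".join(clauses)


def filtered_url(entity: str, conditions: list) -> str:
    """Full request URL with the filter expression percent-encoded."""
    return f"{API_BASE}/{entity}?$filter={quote(build_filter(entity, conditions))}"


# Constructed sample: alerts created after this instant (an aware UTC datetime).
SAMPLE_SINCE = datetime(2018, 11, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(filtered_url("alerts", [("alertCreationTime", "gt", SAMPLE_SINCE),
                                  ("severity", "eq", "High"), ("status", "eq", "New")]))
    print(filtered_url("machines", [("healthStatus", "eq", "Inactive"), ("riskScore", "eq", "High")]))
```

Send the URL with the same Authorization: Bearer header as any other call. The machine-group restriction described under Permissions still applies on top of the filter: a user token only ever sees the machines and alerts its machine groups allow, whatever the $filter says.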
Get machine by ID API
4/22/2019
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a machine entity by ID.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
Permission type: Delegated (work or school account); permission: Machine.ReadWrite; display name: 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
User needs to have access to the machine, based on machine group settings (See Create and manage machine groups for
more information)
HTTP request
GET /api/machines/{id}
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and machine exists - 200 OK with the machine entity in the body. If machine with the specified id was
not found - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
Get machine log on users API
4/22/2019
Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves the collection of users who have logged on to the machine.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
Response will include users only if the machine is visible to the user, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/machines/{id}/logonusers
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the machine exists - 200 OK with a list of user entities in the body. If the machine was not found - 404 Not
Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users",
"value": [
{
"id": "contoso\\user1",
"firstSeen": "2018-08-02T00:00:00Z",
"lastSeen": "2018-08-04T00:00:00Z",
"mostPrevalentMachineId": null,
"leastPrevalentMachineId": null,
"logonTypes": "Network",
"logOnMachinesCount": 3,
"isDomainAdmin": false,
"isOnlyNetworkUser": null
},
{
"id": "contoso\\user2",
"firstSeen": "2018-08-02T00:00:00Z",
"lastSeen": "2018-08-05T00:00:00Z",
"mostPrevalentMachineId": null,
"leastPrevalentMachineId": null,
"logonTypes": "Network",
"logOnMachinesCount": 3,
"isDomainAdmin": false,
"isOnlyNetworkUser": null
}
]
}
Get machine related alerts API
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Retrieves a collection of alerts related to a given machine ID.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
User needs to have access to the machine, based on machine group settings (See Create and manage machine groups for
more information)
HTTP request
GET /api/machines/{id}/alerts
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and machine exists - 200 OK with list of alert entities in the body. If machine was not found - 404 Not
Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/alerts
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
Add or Remove Machine Tags API
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
This API adds or removes a tag on a specific machine.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Manage security setting' (See Create and manage roles for
more information)
User needs to have access to the machine, based on machine group settings (See Create and manage machine groups for
more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/tags
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
PARAMETER TYPE DESCRIPTION
Value String The tag name. Required.
Action String Set to 'Add' to add the tag or 'Remove' to remove it. Required.
Response
If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
Example
Request
Here is an example of a request that adds machine tag.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
Content-type: application/json
{
"Value" : "test Tag 2",
"Action": "Add"
}
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
Find machines by internal IP API
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Find machines seen with the requested internal IP in the time range of 15 minutes prior to and after a given
timestamp.
The given timestamp must be within the past 30 days.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
Response will include only machines that the user has access to, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp})
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and machines were found - 200 OK with list of the machines in the response body. If no machine
found - 404 Not Found. If the timestamp is not in the past 30 days - 400 Bad Request.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2018-09-22T08:44:05Z)
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-09-22T08:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "10.248.240.38",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
]
}
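The IP-to-machine lookup above is time-bound (the API matches only a 30-minute window around the timestamp, and rejects timestamps older than 30 days with 400), and with DHCP reuse it can legitimately return more than one machine. The following Python is an added example, not code from the Windows Defender ATP docs: it validates the inputs locally before the call, builds the findbyip URL in the exact form shown above, and refuses to pick a machine when the answer is ambiguous. The sample response is constructed from the one shown in the docs; `findbyip_error`, `attribute_ip` and the other names are the example's own.

```python
# Added example, not from the Windows Defender ATP docs: pre-validate a findbyip lookup
# locally and resolve the answer to exactly one machine.
import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

BASE_URL = "https://api.securitycenter.windows.com/api"   # from the docs
LOOKBACK = timedelta(days=30)                              # documented limit on the timestamp


def to_api_timestamp(ts: datetime) -> str:
    """Render a timezone-aware datetime in the unquoted ISO-8601 UTC form the docs show."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware; a naive local time shifts the lookup by hours")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def findbyip_error(ip: str, event_time: datetime, now: datetime) -> Optional[str]:
    """Return why the request would fail, or None if it can be sent."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return f"{ip!r} is not an IP address"
    if not addr.is_private:
        # The endpoint matches internal addresses; a public IP usually means the caller
        # pasted lastExternalIpAddress instead of lastIpAddress.
        return f"{ip} is not an internal (private-range) address"
    if event_time.tzinfo is None:
        return "timestamp must be timezone-aware"
    if event_time < now - LOOKBACK:
        return "timestamp is older than 30 days; the API would answer 400 Bad Request"
    if event_time > now:
        return "timestamp is in the future"
    return None


def build_findbyip_url(ip: str, event_time: datetime, now: Optional[datetime] = None) -> str:
    """Build the findbyip URL, raising on input the API would reject."""
    now = now or datetime.now(timezone.utc)
    problem = findbyip_error(ip, event_time, now)
    if problem:
        raise ValueError(problem)
    return f"{BASE_URL}/machines/findbyip(ip='{ipaddress.ip_address(ip)}',timestamp={to_api_timestamp(event_time)})"


def machines_from_response(body: dict) -> List[Dict[str, object]]:
    """Keep the fields an analyst acts on from the OData collection the API returns."""
    return [
        {"id": m["id"], "computerDnsName": m["computerDnsName"],
         "lastIpAddress": m["lastIpAddress"], "lastSeen": m["lastSeen"],
         "rbacGroupName": m.get("rbacGroupName")}
        for m in body.get("value", [])
    ]


def attribute_ip(body: dict) -> Dict[str, object]:
    """Return the one machine that held the IP; refuse to guess when several did.

    The 30-minute window plus DHCP reuse can match two hosts, and automation that
    silently takes the first one can isolate the wrong machine."""
    matches = machines_from_response(body)
    if not matches:
        raise LookupError("no machine seen with that IP in the window")
    if len(matches) > 1:
        names = ", ".join(str(m["computerDnsName"]) for m in matches)
        raise LookupError(f"ambiguous: {len(matches)} machines matched ({names}); narrow the timestamp")
    return matches[0]


# Constructed sample data, trimmed from the response shown in the docs.
SAMPLE_EVENT_TIME = datetime(2018, 9, 22, 8, 44, 5, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2018, 10, 1, tzinfo=timezone.utc)
SAMPLE_RESPONSE = {
    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
    "value": [{
        "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
        "computerDnsName": "mymachine1.contoso.com",
        "lastSeen": "2018-09-22T08:55:03.7791856Z",
        "lastIpAddress": "10.248.240.38",
        "rbacGroupName": "The-A-Team",
    }],
}

if __name__ == "__main__":
    print(build_findbyip_url("10.248.240.38", SAMPLE_EVENT_TIME, now=SAMPLE_NOW))
    print(attribute_ip(SAMPLE_RESPONSE)["computerDnsName"])
```

Pin `event_time` to the timestamp of the event you are attributing (the alert or log line), not to "now": the window is only 15 minutes either side, and a machine's `lastIpAddress` may already have changed by the time the analyst looks.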
MachineAction resource type
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
METHOD RETURN TYPE DESCRIPTION
Get investigation package SAS URI Machine Action Get URI for downloading the investigation package.
Release machine from isolation Machine Action Release machine from Isolation.
Properties
PROPERTY TYPE DESCRIPTION
creationDateTimeUtc DateTimeOffset The date and time when the action was created.
lastUpdateTimeUtc DateTimeOffset The last date and time when the action status was updated.
List MachineActions API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Gets a collection of actions performed on machines.
The list MachineActions API supports OData V4 queries.
The OData $filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and
"CreationDateTimeUtc".
See examples at OData queries with Windows Defender ATP
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET https://api.securitycenter.windows.com/api/machineactions
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200, Ok response code with a collection of machineAction entities.
Example 1
Request
Here is an example of the request on an organization that has three MachineActions.
GET https://api.securitycenter.windows.com/api/machineactions
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
"value": [
{
"id": "69dc3630-1ccc-4342-acf3-35286eec741d",
"type": "CollectInvestigationPackage",
"requestor": "Analyst@contoso.com",
"requestorComment": "test",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
"lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
"relatedFileInfo": null
},
{
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "Analyst@contoso.com",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null
},
{
"id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
"type": "StopAndQuarantineFile",
"requestor": "Analyst@contoso.com",
"requestorComment": "test",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
"lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z",
"relatedFileInfo": {
"fileIdentifier": "a0c659857ccbe457fdaf5fe21d54efdcbf6f6508",
"fileIdentifierType": "Sha1"
}
}
]
}
Example 2
Request
Here is an example of a request that filters the MachineActions by machine ID and shows the latest two
MachineActions.
GET https://api.securitycenter.windows.com/api/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
"value": [
{
"id": "69dc3630-1ccc-4342-acf3-35286eec741d",
"type": "CollectInvestigationPackage",
"requestor": "Analyst@contoso.com",
"requestorComment": "test",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
"lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
"relatedFileInfo": null
},
{
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "Analyst@contoso.com",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null
}
]
}
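Example 2 above splices a machine ID straight into the `$filter` expression. When the ID or requestor comes from elsewhere (a ticket field, a webhook), that is an OData injection point: a stray quote can widen the filter. The Python below is an added example, not part of the docs: it builds `$filter`/`$top` queries against the property list documented above, quoting string literals properly, and then rolls up a MachineActions response so automation can check for still-running actions on a machine before it issues a new one. The sample response is constructed from the three actions shown above; `odata_literal`, `machineactions_query` and `summarize_actions` are the example's own names, and "Pending" as a status is an assumption beyond what the page shows.

```python
# Added example, not from the Windows Defender ATP docs: build $filter/$top queries for the
# MachineActions collection without splicing raw strings, and summarise the answer locally.
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import quote, urlencode

BASE_URL = "https://api.securitycenter.windows.com/api"
# Properties the docs list as filterable on this collection.
FILTERABLE = {"id", "status", "machineId", "type", "requestor", "creationDateTimeUtc"}
UNFINISHED = {"Pending", "InProgress"}   # assumption: "Pending" is not shown on the page


def odata_literal(value: object) -> str:
    """Render a value as an OData V4 literal. Strings are single-quoted with embedded
    quotes doubled, so a value such as  x' or status ne 'x  cannot rewrite the filter."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, datetime):
        return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return "'" + str(value).replace("'", "''") + "'"


def machineactions_query(filters: Dict[str, object], top: Optional[int] = None) -> str:
    """Return the list-MachineActions URL with one 'eq' clause per filter, ANDed together."""
    clauses = []
    for prop, value in filters.items():
        if prop not in FILTERABLE:
            raise ValueError(f"{prop} is not a filterable MachineAction property")
        clauses.append(f"{prop} eq {odata_literal(value)}")
    params: Dict[str, str] = {}
    if clauses:
        params["$filter"] = " and ".join(clauses)
    if top is not None:
        if top < 1:
            raise ValueError("$top must be a positive integer")
        params["$top"] = str(top)
    if not params:
        return f"{BASE_URL}/machineactions"
    # quote (not quote_plus) keeps $ and ' readable and encodes spaces as %20.
    return f"{BASE_URL}/machineactions?" + urlencode(params, safe="$'", quote_via=quote)


def summarize_actions(body: dict) -> Dict[str, object]:
    """Roll up a MachineActions collection: counts per type, actions still running and the
    SHA-1s quarantined. Check 'unfinished' before issuing a new action on the same machine
    so two automations do not race each other."""
    actions: List[dict] = body.get("value", [])
    by_type: Dict[str, int] = {}
    for a in actions:
        by_type[a["type"]] = by_type.get(a["type"], 0) + 1
    return {
        "count": len(actions),
        "by_type": by_type,
        "unfinished": [a["id"] for a in actions if a["status"] in UNFINISHED],
        "quarantined_sha1": [a["relatedFileInfo"]["fileIdentifier"] for a in actions
                             if a["type"] == "StopAndQuarantineFile" and a.get("relatedFileInfo")],
        "latest_id": max(actions, key=lambda a: a["creationDateTimeUtc"])["id"] if actions else None,
    }


# Constructed sample, trimmed from the three MachineActions shown in the docs.
SAMPLE_MACHINE_ID = "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f"
SAMPLE_RESPONSE = {"value": [
    {"id": "69dc3630-1ccc-4342-acf3-35286eec741d", "type": "CollectInvestigationPackage",
     "status": "Succeeded", "machineId": SAMPLE_MACHINE_ID,
     "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z", "relatedFileInfo": None},
    {"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", "type": "RunAntiVirusScan",
     "status": "Succeeded", "machineId": SAMPLE_MACHINE_ID,
     "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", "relatedFileInfo": None},
    {"id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e", "type": "StopAndQuarantineFile",
     "status": "Succeeded", "machineId": SAMPLE_MACHINE_ID,
     "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
     "relatedFileInfo": {"fileIdentifier": "a0c659857ccbe457fdaf5fe21d54efdcbf6f6508",
                         "fileIdentifierType": "Sha1"}},
]}

if __name__ == "__main__":
    print(machineactions_query({"machineId": SAMPLE_MACHINE_ID, "status": "InProgress"}, top=2))
    print(summarize_actions(SAMPLE_RESPONSE))
```

The property whitelist matters as much as the quoting: a filter on a property the service does not index is an easy way to get a slow or rejected query, and a caller-supplied property name is another injection path.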
Related topics
OData queries with Windows Defender ATP
Get machineAction API
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Get action performed on a machine.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET https://api.securitycenter.windows.com/api/machineactions/{id}
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200, Ok response code with a Machine Action entity. If machine action entity with
the specified id was not found - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "Analyst@contoso.com",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null
}
Collect investigation package API
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Collect investigation package from a machine.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts Investigation' (See Create and manage roles for more
information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/collectInvestigationPackage
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
Content-type: application/json
{
"Comment": "Collect forensics due to alert 1234"
}
Response
Here is an example of the response.
Get package SAS URI API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Get a URI that allows downloading of an investigation package.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts Investigation' (See Create and manage roles for more
information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)
HTTP request
GET https://api.securitycenter.windows.com/api/machineactions/{machine action id}/getPackageUri
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200, Ok response code with an object that holds the link to the package in the
"value" parameter. The link is valid only for a very short time and should be used immediately to download the
package to local storage. It embeds an access token in its query string, so treat it as a credential: do not log it
or keep it after the download.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.String",
"value": "\"https://userrequests-
us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?
token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeB
sxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoA
vmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9
Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNR
SnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6
Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3b
QOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXU
RYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh
4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPP
AJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0
zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4
fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY
0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4Jes
TjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYO
dT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
}
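Collecting a package is a three-step flow across the two APIs above: POST collectInvestigationPackage (201 with an InProgress MachineAction), poll GET /machineactions/{id} until the status is terminal, then GET getPackageUri and download at once because the SAS link expires quickly. The Python below is an added example, not code from the Windows Defender ATP docs, that runs that flow through a pluggable transport so the same function works against the real API (with a transport that adds the bearer token) or against the offline fake included here, which replays the shape of the docs' sample responses with constructed data. The terminal statuses other than Succeeded and the short example token are assumptions; `collect_package`, `redact_sas` and `FakeTransport` are the example's own names.

```python
# Added example, not from the Windows Defender ATP docs: run the collect-package flow end to
# end (POST, poll the MachineAction, fetch the download link) through a pluggable transport,
# so the same code talks to the real API or to the offline fake at the bottom.
import time
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

BASE_URL = "https://api.securitycenter.windows.com/api"
TERMINAL = {"Succeeded", "Failed", "TimeOut", "Cancelled"}   # assumption: only Succeeded/InProgress appear on the page

# transport(method, url, json_body) -> (status_code, json_body). A real one wraps an HTTP
# client and adds "Authorization: Bearer <token>"; it is passed in so secrets stay out of here.
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def redact_sas(url: str) -> str:
    """Drop the query string, which carries the SAS token, before a link is logged or stored."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def collect_package(transport: Transport, machine_id: str, comment: str,
                    poll_seconds: float = 5, max_polls: int = 60,
                    sleep: Callable[[float], None] = time.sleep) -> Tuple[str, str]:
    """Return (machine action id, SAS download URL). Download immediately: the docs say the
    link is valid for a very short time."""
    status, action = transport("POST", f"{BASE_URL}/machines/{machine_id}/collectInvestigationPackage",
                               {"Comment": comment})
    if status != 201:
        raise RuntimeError(f"collectInvestigationPackage returned HTTP {status}")
    action_id = action["id"]
    for _ in range(max_polls):
        status, action = transport("GET", f"{BASE_URL}/machineactions/{action_id}", None)
        if status != 200:
            raise RuntimeError(f"machineactions/{action_id} returned HTTP {status}")
        if action["status"] in TERMINAL:
            break
        sleep(poll_seconds)
    else:
        raise TimeoutError(f"action {action_id} still {action['status']} after {max_polls} polls")
    if action["status"] != "Succeeded":
        raise RuntimeError(f"action {action_id} ended as {action['status']}")
    status, link = transport("GET", f"{BASE_URL}/machineactions/{action_id}/getPackageUri", None)
    if status != 200:
        raise RuntimeError(f"getPackageUri returned HTTP {status}")
    # The docs' sample wraps the URL in literal quote characters inside the JSON string.
    return action_id, str(link["value"]).strip('"')


# Offline fake replaying the shape of the docs' sample responses (constructed data).
MACHINE_ID = "fb9ab6be3965095a09c057be7c90f0a2"
ACTION_ID = "7327b54fd718525cbca07dacde913b5ac3c85673"
SAS_URL = ("https://userrequests-us.securitycenter.windows.com:443/safedownload/"
           "WDATP_Investigation_Package.zip?token=EXAMPLE-TOKEN-NOT-REAL")


class FakeTransport:
    """Answers InProgress twice, then Succeeded, then hands out the SAS link."""

    def __init__(self) -> None:
        self.polls = 0
        self.log = []   # (method, redacted URL) pairs; never the token

    def __call__(self, method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        self.log.append((method, redact_sas(url)))
        if method == "POST" and url == f"{BASE_URL}/machines/{MACHINE_ID}/collectInvestigationPackage":
            return 201, {"id": ACTION_ID, "type": "CollectInvestigationPackage",
                         "status": "InProgress", "machineId": MACHINE_ID,
                         "requestorComment": (body or {}).get("Comment")}
        if method == "GET" and url == f"{BASE_URL}/machineactions/{ACTION_ID}":
            self.polls += 1
            return 200, {"id": ACTION_ID, "status": "InProgress" if self.polls < 3 else "Succeeded"}
        if method == "GET" and url == f"{BASE_URL}/machineactions/{ACTION_ID}/getPackageUri":
            return 200, {"@odata.context": f"{BASE_URL}/$metadata#Edm.String", "value": f'"{SAS_URL}"'}
        return 404, {}


if __name__ == "__main__":
    fake = FakeTransport()
    action_id, sas = collect_package(fake, MACHINE_ID, "Collect forensics due to alert 1234", sleep=lambda s: None)
    print(action_id, redact_sas(sas))   # never print the full SAS link
```

The SAS URL is fetched with the API bearer token but downloaded without it; whoever holds the URL holds the package, which is why the fake's log and the `__main__` print both go through `redact_sas`.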
Isolate machine API
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Isolates a machine from accessing the external network.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Windows Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine
groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/isolate
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
IsolationType controls the type of isolation to perform and can be one of the following:
Full – Full isolation
Selective – Restrict only limited set of applications from accessing the network (see Isolate machines from the
network for more details)
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate
Content-type: application/json
{
"Comment": "Isolate machine due to alert 1234",
"IsolationType": "Full"
}
Response
Here is an example of the response.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "b89eb834-4578-496c-8be0-03f004061435",
"type": "Isolate",
"requestor": "Analyst@contoso.com",
"requestorComment": "Isolate machine due to alert 1234",
"status": "InProgress",
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"creationDateTimeUtc": "2017-12-04T12:12:18.9725659Z",
"lastUpdateTimeUtc": "2017-12-04T12:12:18.9725659Z",
"relatedFileInfo": null
}
Release machine from isolation API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Undo isolation of a machine.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Windows Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine
groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/unisolate
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate
Content-type: application/json
{
"Comment": "Unisolate machine since it was clean and validated"
}
Response
Here is an example of the response.
NOTE
The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
Restrict app execution API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Restrict execution of all applications on the machine except a predefined set (see Response machine alerts for more
information)
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Windows Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/restrictCodeExecution
Request headers
NAME TYPE DESCRIPTION
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution
Content-type: application/json
{
"Comment": "Restrict code execution due to alert 1234"
}
Response
Here is an example of the response.
To remove code execution restriction from a machine, see Remove app restriction.
Remove app restriction API
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Enable execution of any application on the machine.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Windows Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine
groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/unrestrictCodeExecution
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution
Content-type: application/json
{
"Comment": "Unrestrict code execution since machine was cleaned and validated"
}
Response
Here is an example of the response.
Run antivirus scan API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Initiate Windows Defender Antivirus scan on a machine.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Windows Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/runAntiVirusScan
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
ScanType controls the type of scan to perform and can be one of the following:
Quick – Perform quick scan on the machine
Full – Perform full scan on the machine
Response
If successful, this method returns 201, Created response code and MachineAction object in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan
Content-type: application/json
{
"Comment": "Check machine for viruses due to alert 3212",
"ScanType": "Full"
}
Response
Here is an example of the response.
Offboard machine API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Offboard machine from Windows Defender ATP.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Windows Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have the 'Global Admin' AD role
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/offboard
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
PARAMETER TYPE DESCRIPTION
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard
Content-type: application/json
{
"Comment": "Offboard machine by automation"
}
Response
Here is an example of the response.
Stop and quarantine file API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Stop execution of a file on a machine and delete it.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Windows Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile
Content-type: application/json
{
"Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
"Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
}
Response
Here is an example of the response.
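The response actions above (isolate, unisolate, restrictCodeExecution, unrestrictCodeExecution, runAntiVirusScan, offboard, StopAndQuarantineFile) share one shape: POST to a per-machine path with a Comment plus, for some of them, one typed parameter, and each is gated on a documented minimum role ('Active remediation actions' for all but offboard, which needs the 'Global Admin' AD role). The Python below is an added example, not code from the Windows Defender ATP docs: it turns an action name into a validated request and reports the role the caller must hold, so an automation account can be scoped to exactly the roles for the actions it runs and malformed input fails before anything is POSTed. Treating IsolationType, ScanType and Sha1 as required, and the machine-ID length check, are assumptions drawn from the examples on this page; `plan_action`, `validation_error` and `roles_needed` are the example's own names.

```python
# Added example, not from the Windows Defender ATP docs: turn a response action into a
# validated request (URL, body) plus the minimum role the docs require for it, so automation
# can be scoped to least privilege and bad input fails before the POST.
import re
from typing import Dict, Iterable, Optional, Set

BASE_URL = "https://api.securitycenter.windows.com/api"
MACHINE_ID_RE = re.compile(r"^[0-9a-f]{32,40}$")   # assumption: the docs show 32- and 40-hex-char IDs
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# action -> (URL path segment, extra body parameters with their allowed values, minimum role).
# Paths and roles are as documented for each action; the extra parameters are treated as
# required because every documented example supplies them (assumption).
ACTIONS = {
    "isolate":                 ("isolate",                 {"IsolationType": {"Full", "Selective"}}, "Active remediation actions"),
    "unisolate":               ("unisolate",               {},                                        "Active remediation actions"),
    "restrictCodeExecution":   ("restrictCodeExecution",   {},                                        "Active remediation actions"),
    "unrestrictCodeExecution": ("unrestrictCodeExecution", {},                                        "Active remediation actions"),
    "runAntiVirusScan":        ("runAntiVirusScan",        {"ScanType": {"Quick", "Full"}},           "Active remediation actions"),
    "stopAndQuarantineFile":   ("StopAndQuarantineFile",   {"Sha1": None},                            "Active remediation actions"),
    "offboard":                ("offboard",                {},                                        "Global Admin"),
}


def validation_error(action: str, machine_id: str, comment: str, **params) -> Optional[str]:
    """Return why the request is malformed, or None if it is well formed."""
    if action not in ACTIONS:
        return f"unknown action {action!r}"
    _, allowed, _ = ACTIONS[action]
    if not MACHINE_ID_RE.match(machine_id):
        return "machine id must be the hex id from the Machine entity, not a DNS name"
    if not comment or not comment.strip():
        return "Comment is required; it is the audit trail shown as requestorComment"
    for name, value in params.items():
        if name not in allowed:
            return f"{name} is not a parameter of {action}"
        choices = allowed[name]
        if choices is not None and value not in choices:
            return f"{name} must be one of {sorted(choices)}"
    missing = set(allowed) - set(params)
    if missing:
        return f"missing parameter(s) for {action}: {sorted(missing)}"
    if "Sha1" in params and not SHA1_RE.match(str(params["Sha1"])):
        return "Sha1 must be 40 hex characters"
    return None


def plan_action(action: str, machine_id: str, comment: str, **params) -> Dict[str, object]:
    """Return method, URL, JSON body and the minimum role needed for one response action."""
    problem = validation_error(action, machine_id, comment, **params)
    if problem:
        raise ValueError(problem)
    path, _, role = ACTIONS[action]
    body: Dict[str, object] = {"Comment": comment}
    body.update(params)
    return {"method": "POST", "url": f"{BASE_URL}/machines/{machine_id}/{path}",
            "body": body, "required_role": role}


def roles_needed(actions: Iterable[str]) -> Set[str]:
    """Roles an account needs to run exactly these actions and nothing more."""
    return {ACTIONS[a][2] for a in actions}


if __name__ == "__main__":
    mid = "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
    print(plan_action("isolate", mid, "Isolate machine due to alert 1234", IsolationType="Full"))
    print(roles_needed(["isolate", "runAntiVirusScan"]))
```

Keep offboard out of the everyday automation account: it is the one action here whose gate is a directory-wide admin role rather than a portal role, and an account that can offboard can also blind the sensor on any machine it can reach.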
Start Investigation API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
NOTE
This page focuses on performing an automated investigation on a machine. See Automated Investigation for more
information.
Limitations
1. The number of executions is limited (up to 5 calls per hour).
2. For Automated Investigation limitations, see Automated Investigation.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts Investigation' (See Create and manage roles for more
information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/InitiateInvestigation
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
Response
If successful, this method returns 200 OK response code with object that holds the investigation ID in the "value"
parameter. If machine was not found - 404 Not Found.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/InitiateInvestigation
Content-type: application/json
{
"Comment": "Initiate an investigation on machine fb9ab6be3965095a09c057be7c90f0a2"
}
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.Int64",
"value": 5146
}
Indicator resource type
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Properties
PROPERTY TYPE DESCRIPTION
Submit or Update Indicator API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
NOTE
Currently this API is supported only for AppOnly context requests. (See Get access with application context for more
information)
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Get started
HTTP request
POST https://api.securitycenter.windows.com/api/indicators
Request headers
NAME TYPE DESCRIPTION
Response
If successful, this method returns a 200 OK response code and the created or updated Indicator entity in the
response body.
If not successful, this method returns 400 Bad Request or 409 Conflict with the failure reason. Bad Request
usually indicates an incorrect body; Conflict can happen if you submit an Indicator that conflicts with an
existing Indicator's type or action.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/indicators
Content-type: application/json
{
"indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"title": "test",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "AlertAndBlock",
"severity": "Informational",
"description": "test",
"recommendedActions": "TEST"
}
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators/$entity",
"indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"title": "test",
"creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
"createdBy": "45097602-1234-5678-1234-9f453233e62c",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "AlertAndBlock",
"severity": "Informational",
"description": "test",
"recommendedActions": "TEST",
"rbacGroupNames": []
}
List Indicators API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
NOTE
Currently this API is supported only for AppOnly context requests. (See Get access with application context for more
information)
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Get started
HTTP request
GET https://api.securitycenter.windows.com/api/indicators
Request headers
NAME TYPE DESCRIPTION
Response
If successful, this method returns a 200 OK response code with a collection of Indicator entities.
NOTE
If the application has the 'Ti.ReadWrite.All' permission, it can see all Indicators. Otherwise, it can see only the
Indicators it created.
Example 1:
Request
Here is an example of a request that gets all Indicators
GET https://api.securitycenter.windows.com/api/indicators
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators",
"value": [
{
"indicatorValue": "12.13.14.15",
"indicatorType": "IpAddress",
"title": "test",
"creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z",
"createdBy": "45097602-1234-5678-1234-9f453233e62c",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "Alert",
"severity": "Informational",
"description": "test",
"recommendedActions": "test",
"rbacGroupNames": []
},
{
"indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"title": "test",
"creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
"createdBy": "45097602-1234-5678-1234-9f453233e62c",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "AlertAndBlock",
"severity": "Informational",
"description": "test",
"recommendedActions": "TEST",
"rbacGroupNames": [ "Group1", "Group2" ]
}
...
]
}
Example 2:
Request
Here is an example of a request that gets all Indicators with 'AlertAndBlock' action
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators",
"value": [
{
"indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"title": "test",
"creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
"createdBy": "45097602-1234-5678-1234-9f453233e62c",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "AlertAndBlock",
"severity": "Informational",
"description": "test",
"recommendedActions": "TEST",
"rbacGroupNames": [ "Group1", "Group2" ]
}
...
]
}
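An added example (not Microsoft's code) of a submit-indicator client that checks the payload locally for the faults that produce 400 Bad Request, and compares it against the List Indicators reply so that a same value and type with a different action is caught before the service answers 409 Conflict. It assumes a transport callable in place of a real HTTP client with a bearer token; the enumerations beyond what this page shows (FileSha256, DomainName, Url, Allowed) come from the Indicator resource reference, and the stub replies are constructed from the examples above.

```python
import ipaddress
import re
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple

BASE = "https://api.securitycenter.windows.com/api"
# Enumerations from the Indicator resource type reference; this page's own
# examples only exercise FileSha1/IpAddress and Alert/AlertAndBlock.
ACTIONS = {"Alert", "AlertAndBlock", "Allowed"}
# Fixed "now" so the page's 2020-12-12 expiry stays in the future for the demo.
AS_OF = datetime(2019, 4, 22, tzinfo=timezone.utc)
# transport(method, url, body) -> (status, json). A real client wraps an HTTP
# library and adds the bearer token; the stub at the bottom is a stand-in.
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]

# The request body from the Submit Indicator example above (constructed copy).
PAGE_PAYLOAD = {
    "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", "indicatorType": "FileSha1",
    "title": "test", "expirationTime": "2020-12-12T00:00:00Z", "action": "AlertAndBlock",
    "severity": "Informational", "description": "test", "recommendedActions": "TEST",
}

def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

# Shape each indicator value must have for its declared type.
VALUE_CHECKS = {
    "FileSha1": lambda v: re.fullmatch(r"[0-9a-fA-F]{40}", v) is not None,
    "FileSha256": lambda v: re.fullmatch(r"[0-9a-fA-F]{64}", v) is not None,
    "IpAddress": _is_ip,
    "DomainName": lambda v: re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", v) is not None,
    "Url": lambda v: v.startswith(("http://", "https://")),
}

def validate_indicator(payload: dict, now: datetime = AS_OF) -> List[str]:
    """Reasons the service would answer 400 Bad Request; an empty list passes."""
    problems = []
    itype, value = payload.get("indicatorType"), payload.get("indicatorValue", "")
    if itype not in VALUE_CHECKS:
        problems.append(f"unknown indicatorType {itype!r}")
    elif not VALUE_CHECKS[itype](value):
        problems.append(f"indicatorValue {value!r} is not a valid {itype}")
    if payload.get("action") not in ACTIONS:
        problems.append(f"unknown action {payload.get('action')!r}")
    if not payload.get("title"):
        problems.append("title is required")
    try:
        exp = datetime.strptime(payload["expirationTime"], "%Y-%m-%dT%H:%M:%SZ")
        if exp.replace(tzinfo=timezone.utc) <= now:
            problems.append("expirationTime is not in the future")
    except (KeyError, ValueError):
        problems.append("expirationTime must look like 2020-12-12T00:00:00Z")
    return problems

def find_conflict(existing: List[dict], payload: dict) -> Optional[dict]:
    """Same value and type with a different action is the clash the service
    reports as 409 Conflict; spot it locally before spending the POST."""
    for ind in existing:
        if (ind["indicatorValue"].lower() == payload["indicatorValue"].lower()
                and ind["indicatorType"] == payload["indicatorType"]
                and ind["action"] != payload["action"]):
            return ind
    return None

def submit_indicator(transport: Transport, payload: dict, now: datetime = AS_OF) -> dict:
    """Validate, pre-check against List Indicators, then POST /api/indicators."""
    problems = validate_indicator(payload, now)
    if problems:
        return {"ok": False, "status": 400, "reason": "; ".join(problems)}
    status, listing = transport("GET", f"{BASE}/indicators", None)
    clash = find_conflict(listing.get("value", []), payload) if status == 200 else None
    if clash:
        return {"ok": False, "status": 409,
                "reason": f"{payload['indicatorValue']} exists with action {clash['action']}"}
    status, body = transport("POST", f"{BASE}/indicators", payload)
    if status == 200:
        return {"ok": True, "status": 200, "entity": body}
    return {"ok": False, "status": status, "reason": str(body)}

# Constructed stub for the service: List Indicators answers with the two entries
# from Example 1 above and a POST echoes the submitted entity back.
EXISTING = [
    {"indicatorValue": "12.13.14.15", "indicatorType": "IpAddress", "action": "Alert"},
    {"indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
     "indicatorType": "FileSha1", "action": "AlertAndBlock"},
]

def stub_transport(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
    if url.endswith("/indicators") and method == "GET":
        return 200, {"value": EXISTING}
    if url.endswith("/indicators") and method == "POST":
        return 200, dict(body, rbacGroupNames=[])
    return 404, {}
```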
Delete Indicator API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
NOTE
Currently this API is only supported for AppOnly context requests. (See Get access with application context for more
information)
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Get started
HTTP request
DELETE https://api.securitycenter.windows.com/api/indicators/{id}
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If the Indicator exists and was deleted successfully - 204 No Content (empty body). If an Indicator with the specified id was not found
- 404 Not Found.
Example
Request
Here is an example of the request.
DELETE https://api.securitycenter.windows.com/api/indicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
Response
Here is an example of the response.
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of alerts related to a given domain address.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only alerts associated with machines that the user has access to, based on machine group settings
(See Create and manage machine groups for more information)
HTTP request
GET /api/domains/{domain}/alerts
Request headers
HEADER | VALUE
Authorization | String
Request body
Empty
Response
If successful and domain exists - 200 OK with list of alert entities. If domain does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "121688558380765161_2136280442",
"incidentId": 4123,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
"lastEventTime": "2018-11-24T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
Get domain related machines API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of machines that have communicated to or from a given domain address.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only machines that the user can access, based on machine group settings (See Create and manage
machine groups for more information)
HTTP request
GET /api/domains/{domain}/machines
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the domain exists - 200 OK with a list of machine entities. If the domain does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
Get domain statistics API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves the prevalence for the given domain.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET /api/domains/{domain}/stats
Request headers
HEADER VALUE
Request body
Empty
Response
If successful and domain exists - 200 OK, with statistics object in the response body. If domain does not exist - 404
Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/domains/example.com/stats
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
"host": "example.com",
"orgPrevalence": "4070",
"orgFirstSeen": "2017-07-30T13:23:48Z",
"orgLastSeen": "2017-08-29T13:09:05Z"
}
Was domain seen in org
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Answers whether a domain was seen in the organization.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET /api/domains/{domain}
Request headers
HEADER VALUE
Request body
Empty
Response
If successful and domain exists - 200 OK. If domain does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/domains/example.com
Content-type: application/json
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Domains/$entity",
"host": "example.com"
}
File resource type
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Represents a file entity in Windows Defender ATP.
Methods
METHOD | RETURN TYPE | DESCRIPTION
List file related alerts | alert collection | Get the alert entities that are associated with the file.
List file related machines | machine collection | Get the machine entities associated with the file.
file statistics | Statistics summary | Retrieves the prevalence for the given file.
Properties
PROPERTY TYPE DESCRIPTION
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a file by its SHA1, SHA256, or MD5 identifier.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET /api/files/{id}
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and file exists - 200 OK with the file entity in the body. If file does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity",
"sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
"sha256": "d4447dffdbb2889b4b4e746b0bc882df1b854101614b0aa83953ef3cb66904cf",
"md5": "7f05a371d2beffb3784fd2199f81d730",
"globalPrevalence": 7329,
"globalFirstObserved": "2018-04-08T05:50:29.4459725Z",
"globalLastObserved": "2018-08-07T23:35:11.1361328Z",
"windowsDefenderAVThreatName": null,
"size": 391680,
"fileType": "PortableExecutable",
"isPeFile": true,
"filePublisher": null,
"fileProductName": null,
"signer": null,
"issuer": null,
"signerHash": null,
"isValidCertificate": null
}
Get file related alerts API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of alerts related to a given file hash.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only alerts associated with machines that the user has access to, based on machine group settings
(See Create and manage machine groups for more information)
HTTP request
GET /api/files/{id}/alerts
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the file exists - 200 OK with a list of alert entities in the body. If the file does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
Get file related machines API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of machines related to a given file hash.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only machines that the user has access to, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/files/{id}/machines
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the file exists - 200 OK with a list of machine entities in the body. If the file does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
Get file statistics API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves the prevalence for the given file.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET /api/files/{id}/stats
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the file exists - 200 OK with statistical data in the body. If the file does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/stats
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
"sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
"orgPrevalence": "3",
"orgFirstSeen": "2018-07-15T06:13:59Z",
"orgLastSeen": "2018-08-03T16:45:21Z",
"topFileNames": [
"chrome_1.exe",
"chrome_2.exe"
]
}
Get IP related alerts API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of alerts related to a given IP address.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only alerts associated with machines that the user has access to, based on machine group settings
(See Create and manage machine groups for more information)
HTTP request
GET /api/ips/{ip}/alerts
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the IP exists - 200 OK with a list of alert entities in the body. If the IP does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
Get IP related machines API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of machines that have communicated to or from a given IP address.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only machines that the user has access to, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/ips/{ip}/machines
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the IP exists - 200 OK with a list of machine entities in the body. If the IP does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/machines
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"riskScore": "Low",
"rbacGroupName": "The-A-Team",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
Get IP statistics API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves the prevalence for the given IP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET /api/ips/{ip}/stats
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the IP exists - 200 OK with statistical data in the body. If the IP does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/stats
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
"ipAddress": "10.209.67.177",
"orgPrevalence": "63515",
"orgFirstSeen": "2017-07-30T13:36:06Z",
"orgLastSeen": "2017-08-29T13:32:59Z"
}
Was IP seen in org
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Answers whether an IP was seen in the organization.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET /api/ips/{ip}
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the IP exists - 200 OK. If the IP does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/ips/10.209.67.177
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Ips/$entity",
"id": "10.209.67.177"
}
User resource type
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
METHOD | RETURN TYPE | DESCRIPTION
List User related alerts | alert collection | List all the alerts that are associated with a user.
List User related machines | machine collection | List all the machines that were logged on by a user.
Get user related alerts API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of alerts related to a given user ID.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only alerts associated with machines that the user has access to, based on machine group settings
(See Create and manage machine groups for more information)
HTTP request
GET /api/users/{id}/alerts
NOTE
The id is not the full UPN, but only the user name. For example, to retrieve alerts for user1@contoso.com, use
/api/users/user1/alerts.
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the user exists - 200 OK. If the user does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/users/user1/alerts
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "121688558380765161_2136280442",
"incidentId": 4123,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
"lastEventTime": "2018-11-24T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
Get user related machines API
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of machines related to a given user ID.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only machines that the user can access, based on machine group settings (See Create and manage
machine groups for more information)
HTTP request
GET /api/users/{id}/machines
NOTE
The id is not the full UPN, but only the user name. For example, to retrieve machines for user1@contoso.com, use
/api/users/user1/machines.
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and user exists - 200 OK with list of machine entities in the body. If user does not exist - 404 Not
Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/users/user1/machines
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
Schedule Advanced Hunting using Microsoft Flow
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Use case
A common scenario is scheduling an advanced hunting query and using its results for follow-up actions and processing.
In this section we share a sample for this purpose using Microsoft Flow (or Logic Apps).
3. You can use the "Parse JSON" action to get the schema of the data: select "Use sample payload to generate schema" and paste an output of the expected result.
Expand the flow to use the query results
The following section shows how to use the parsed results to insert them into a SQL database.
This is an example only; you can use other actions supported by Microsoft Flow.
Add an 'Apply to each' action
Select the Results JSON (which was an output of the last parse action)
Add an 'Insert row' action; you will need to supply the connection details
Select the table you want to update and define the mapping between the WD-ATP output and the SQL columns. Note that it is possible to manipulate the data inside the flow. In the example I changed the type of the EventTime.
The table in the SQL DB now receives the updates and can be used for correlation with other data sources. You can now read from your table:
Full flow definition
You can find below the full definition
Related topic
Windows Defender ATP APIs
Advanced Hunting API
Advanced Hunting using PowerShell
Advanced Hunting using PowerShell
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Run advanced queries using PowerShell; see Advanced Hunting API first.
In this section we share PowerShell samples to retrieve a token and use it to run a query.
Preparation instructions
Open a PowerShell window.
If your policy does not allow you to run the PowerShell commands, you can run the below command:
Set-ExecutionPolicy -ExecutionPolicy Bypass
Get token
Run the following:
$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"
$body = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
$response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorAction Stop
$aadToken = $response.access_token
where
$tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data
of this tenant)
$appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Windows Defender
ATP )
$appSecret: Secret of your AAD app
Run query
Run the following query:
$query = 'RegistryEvents | limit 10' # Paste your own query here
$url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
$headers = @{
'Content-Type' = 'application/json'
Accept = 'application/json'
Authorization = "Bearer $aadToken"
}
$body = ConvertTo-Json -InputObject @{ 'Query' = $query }
$webResponse = Invoke-WebRequest -Method Post -Uri $url -Headers $headers -Body $body -ErrorAction Stop
$response = $webResponse | ConvertFrom-Json
$results = $response.Results
$schema = $response.Schema
To output the results of the query in JSON format in file file1.json do the below:
Related topic
Windows Defender ATP APIs
Advanced Hunting API
Advanced Hunting using Python
Schedule Advanced Hunting
Advanced Hunting using Python
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Run advanced queries using Python; see Advanced Hunting API first.
In this section we share Python samples to retrieve a token and use it to run a query.
Get token
Run the following:
import json
import urllib.request
import urllib.parse
tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
url = "https://login.windows.net/%s/oauth2/token" % (tenantId)
resourceAppIdUri = 'https://api.securitycenter.windows.com'
body = {
    'resource' : resourceAppIdUri,
    'client_id' : appId,
    'client_secret' : appSecret,
    'grant_type' : 'client_credentials'
}
data = urllib.parse.urlencode(body).encode("utf-8")
# POST the client-credentials request and keep the bearer token for the query call below
req = urllib.request.Request(url, data)
response = urllib.request.urlopen(req)
jsonResponse = json.loads(response.read())
aadToken = jsonResponse["access_token"]
where
tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of
this tenant)
appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Windows Defender ATP )
appSecret: Secret of your AAD app
Run query
Run the following query:
query = 'RegistryEvents | limit 10' # Paste your own query here
url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
headers = {
    'Content-Type' : 'application/json',
    'Accept' : 'application/json',
    'Authorization' : "Bearer " + aadToken
}
data = json.dumps({ 'Query' : query }).encode("utf-8")
req = urllib.request.Request(url, data, headers)
response = urllib.request.urlopen(req)
jsonResponse = json.loads(response.read())
schema = jsonResponse["Schema"]   # column names and their types
results = jsonResponse["Results"] # one dict per returned row
To output the results of the query in CSV format in file file1.csv do the below:
import csv
with open('file1.csv', 'w', newline='') as outputFile:  # closed automatically at the end of the block
    writer = csv.DictWriter(outputFile, fieldnames=results[0].keys())  # column names from the first row
    writer.writeheader()
    writer.writerows(results)
To output the results of the query in JSON format in file file1.json do the below:
Run advanced queries and show the results in Microsoft Power BI; read about the Advanced Hunting API first.
In this section we share a Power BI query sample that runs a query using an application token.
If you want to use a user token instead, refer to this tutorial.
Run a query
Open Microsoft Power BI
Click Get Data > Blank Query
Copy the below and paste it in the editor, after you update the values of TenantId, AppId, AppSecret, Query
let
    TenantId = "00000000-0000-0000-0000-000000000000",    // Paste your own tenant ID here
    AppId = "11111111-1111-1111-1111-111111111111",       // Paste your own app ID here
    AppSecret = "22222222-2222-2222-2222-222222222222",   // Paste your own app secret here
    Query = "RegistryEvents | limit 10",                   // Paste your own query here
    ResourceAppIdUrl = "https://api.securitycenter.windows.com",
    OAuthUrl = Text.Combine({"https://login.windows.net/", TenantId, "/oauth2/token"}, ""),
    // client-credentials grant; the secret is URL-encoded because it may contain '+', '/' or '='
    Body = Text.Combine({"resource=", Uri.EscapeDataString(ResourceAppIdUrl), "&client_id=", AppId,
        "&client_secret=", Uri.EscapeDataString(AppSecret), "&grant_type=client_credentials"}, ""),
    AuthResponse = Json.Document(Web.Contents(OAuthUrl,
        [Headers = [#"Content-Type"="application/x-www-form-urlencoded"], Content = Text.ToBinary(Body)])),
    Bearer = Text.Combine({"Bearer", AuthResponse[access_token]}, " "),
    AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run",
    Response = Json.Document(Web.Contents(
        AdvancedHuntingUrl,
        [
            Headers = [#"Content-Type"="application/json", #"Accept"="application/json",
                       #"Authorization"=Bearer],
            Content=Json.FromValue([#"Query"=Query])
        ]
    )),
    // map the API's schema type names to Power BI column types
    TypeMap = #table(
        { "Type", "PowerBiType" },
        {
            { "Double", Double.Type },
            { "Int64", Int64.Type },
            { "Int32", Int32.Type },
            { "Int16", Int16.Type },
            { "UInt64", Number.Type },
            { "UInt32", Number.Type },
            { "UInt16", Number.Type },
            { "Byte", Byte.Type },
            { "Single", Single.Type },
            { "Decimal", Decimal.Type },
            { "TimeSpan", Duration.Type },
            { "DateTime", DateTimeZone.Type },
            { "String", Text.Type },
            { "Boolean", Logical.Type },
            { "SByte", Logical.Type },
            { "Guid", Text.Type }
        }),
    Schema = Table.FromRecords(Response[Schema]),
    TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap, {"Type"}),
    Results = Response[Results],
    Rows = Table.FromRecords(Results, Schema[Name]),
    Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
in Table
Click Done
Click Edit Credentials
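The Python section above leaves its CSV and JSON export steps incomplete, and the Power BI query above types each column from the response's Schema. The following Python code is an added example, not code from the article or from Microsoft: against a constructed sample response (column names assumed) it converts each row according to the Schema types, the same idea as the Power BI TypeMap, and serialises the rows to the CSV and JSON text that file1.csv and file1.json would hold. The timestamp parser is needed because the API's seven fractional digits are rejected by strptime.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample of an advanced hunting response: the Schema/Results pair that the
# Python sample reads into 'schema' and 'results' and that the Power BI query types.
SAMPLE_RESPONSE = {
    "Schema": [
        {"Name": "EventTime", "Type": "DateTime"},
        {"Name": "MachineId", "Type": "String"},
        {"Name": "ComputerName", "Type": "String"},
        {"Name": "RegistryKey", "Type": "String"},
        {"Name": "ReportId", "Type": "Int64"},
    ],
    "Results": [
        {"EventTime": "2018-08-02T14:55:03.7791856Z",
         "MachineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
         "ComputerName": "mymachine1.contoso.com",
         "RegistryKey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Example", "ReportId": 1234},
        {"EventTime": "2018-07-09T13:22:45.1250071Z",
         "MachineId": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
         "ComputerName": "mymachine2.contoso.com",
         "RegistryKey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Example", "ReportId": "5678"},
    ],
}


def parse_utc(value):
    """Parse the API's timestamps (seven fractional digits, 'Z' suffix); the fraction is
    truncated to the microseconds Python can represent and the result is UTC-aware."""
    main, _, frac = value.rstrip("Z").partition(".")
    stamp = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)


# Schema type name -> converter, the same role as the Power BI TypeMap table above.
CONVERTERS = {
    "DateTime": parse_utc,
    "Int64": int, "Int32": int, "Int16": int, "UInt64": int, "UInt32": int, "UInt16": int,
    "Byte": int, "SByte": int,
    "Double": float, "Single": float, "Decimal": float,
    "Boolean": lambda v: v if isinstance(v, bool) else str(v).lower() == "true",
    "String": str, "Guid": str, "TimeSpan": str,
}


def typed_rows(response):
    """Apply the Schema's declared types to each result row; unknown types pass through."""
    columns = [(c["Name"], CONVERTERS.get(c["Type"], lambda v: v)) for c in response["Schema"]]
    return [{name: (None if row.get(name) is None else conv(row[name])) for name, conv in columns}
            for row in response["Results"]]


def results_to_csv(response):
    """CSV text with the columns in Schema order (the content of the article's file1.csv)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=[c["Name"] for c in response["Schema"]],
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(response["Results"])
    return buf.getvalue()


def results_to_json(response):
    """JSON text of the raw rows (the content of the article's file1.json)."""
    return json.dumps(response["Results"], indent=2)


def save(text, path):
    """Write either serialisation to disk; newline='' keeps the CSV line endings as produced."""
    with open(path, "w", newline="", encoding="utf-8") as handle:
        handle.write(text)
    return path
```

Rows written with results_to_csv keep the raw JSON values; typed_rows is for in-process correlation (comparing EventTime values, summing counts) where the string form from the API is not enough.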
Related topic
Create custom Power BI reports with user authentication
Windows Defender ATP APIs
Advanced Hunting API
Advanced Hunting using PowerShell
Schedule Advanced Hunting
Windows Defender ATP APIs using PowerShell
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
A full scenario using multiple APIs from Windows Defender ATP.
In this section we share PowerShell samples to:
Retrieve a token
Use the token to retrieve the latest alerts in Windows Defender ATP
For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to the suspicious URL.
Preparation Instructions
Open a PowerShell window.
If your policy does not allow you to run the PowerShell commands, you can run the below command:
Set-ExecutionPolicy -ExecutionPolicy Bypass
Get token
Run the below
$tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
$appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Windows Defender ATP)
$appSecret: Secret of your AAD app
$suspiciousUrl: the URL whose connections you want to count
$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
$suspiciousUrl = 'www.suspiciousUrl.com' # Paste your own URL here
$resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice'
$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
$authBody = [Ordered] @{
resource = "$resourceAppIdUri"
client_id = "$appId"
client_secret = "$appSecret"
grant_type = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$aadToken = $authResponse.access_token
$headers = @{ 'Content-Type' = 'application/json'; Accept = 'application/json'; Authorization = "Bearer $aadToken" }
$alerts = (Invoke-RestMethod -Method Get -Uri 'https://api.securitycenter.windows.com/api/alerts' -Headers $headers -ErrorAction Stop).value
$machinesToInvestigate = New-Object System.Collections.ArrayList
Foreach($alert in $alerts)
{
    #echo $alert.id $alert.machineId $alert.severity $alert.status
    # keep each machine once if it has an open (New/InProgress) alert of Medium or High severity
    if (($alert.severity -in 'Medium','High') -and ($alert.status -in 'New','InProgress') -and -not $machinesToInvestigate.Contains($alert.machineId)) { $machinesToInvestigate.Add($alert.machineId) > $null }
}
$commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","')  # quoted list for the KQL 'in' operator
$query = "NetworkCommunicationEvents
| where MachineId in ($commaSeparatedMachines)
| where RemoteUrl == `"$suspiciousUrl`"
| summarize ConnectionsCount = count() by MachineId"
$queryUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run"
(Invoke-RestMethod -Method Post -Uri $queryUrl -Headers $headers -Body (ConvertTo-Json @{ 'Query' = $query }) -ErrorAction Stop).Results  # one row per machine with its ConnectionsCount
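The same scenario (select machines from open Medium/High alerts, build the NetworkCommunicationEvents query, run it) as an added Python example; this is not code from the article. The alerts are a constructed sample carrying only the fields the scenario reads, and the query runner is passed in as a callable so the selection and query-building logic runs offline. Two points the PowerShell sample leaves implicit are handled here: an empty selection yields no query (KQL's in () with no values is not valid), and kql_string, an added helper, escapes the URL before it is embedded in the KQL literal so a value containing a quote cannot change the query.

```python
import json
import urllib.request

# Constructed sample alerts with the fields the scenario inspects (shape of /api/alerts 'value').
SAMPLE_ALERTS = [
    {"id": "a1", "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337", "severity": "High", "status": "New"},
    {"id": "a2", "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337", "severity": "Medium", "status": "InProgress"},
    {"id": "a3", "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "severity": "Low", "status": "New"},
    {"id": "a4", "machineId": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", "severity": "High", "status": "Resolved"},
    {"id": "a5", "machineId": "123321c10e44a82877af76b1d0161a17843f688a", "severity": "Medium", "status": "New"},
]

OPEN_STATUSES = {"New", "InProgress"}   # alert statuses that count as "still in progress"
SEVERE = {"Medium", "High"}


def machines_to_investigate(alerts):
    """Distinct machine IDs with at least one open Medium/High alert, in first-seen order."""
    selected = []
    for alert in alerts:
        if (alert["severity"] in SEVERE and alert["status"] in OPEN_STATUSES
                and alert["machineId"] not in selected):
            selected.append(alert["machineId"])
    return selected


def kql_string(value):
    """Quote a value as a KQL string literal, escaping backslashes and double quotes so the
    value cannot terminate the literal and alter the rest of the query."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_query(machine_ids, suspicious_url):
    """The NetworkCommunicationEvents query of the PowerShell sample for the selected machines."""
    if not machine_ids:
        return None  # 'in ()' with an empty list is not valid KQL; there is nothing to hunt for
    return ("NetworkCommunicationEvents\n"
            "| where MachineId in (" + ", ".join(kql_string(m) for m in machine_ids) + ")\n"
            "| where RemoteUrl == " + kql_string(suspicious_url) + "\n"
            "| summarize ConnectionsCount = count() by MachineId")


def run_query(query, aad_token):
    """POST the query to the advanced hunting endpoint (a network call, not exercised offline)."""
    req = urllib.request.Request(
        "https://api.securitycenter.windows.com/api/advancedqueries/run",
        data=json.dumps({"Query": query}).encode("utf-8"),
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": "Bearer " + aad_token})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())["Results"]


def connection_counts(alerts, suspicious_url, query_runner):
    """Whole scenario: select machines, build the query, run it via query_runner(query),
    and return {MachineId: ConnectionsCount}; an empty selection returns {} without a call."""
    query = build_query(machines_to_investigate(alerts), suspicious_url)
    if query is None:
        return {}
    return {row["MachineId"]: row["ConnectionsCount"] for row in query_runner(query)}
```

In production, pass `lambda q: run_query(q, aad_token)` as the runner; in tests a stub returning canned Results rows exercises everything except the HTTP call.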
Related topic
Windows Defender ATP APIs
Advanced Hunting API
Advanced Hunting using Python
Schedule Advanced Hunting
OData queries with Windows Defender ATP
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
If you are not familiar with OData queries, see: OData V4 queries
Not all properties are filterable.
Properties that support $filter:
Alert: Id, IncidentId, AlertCreationTime, Status, Severity and Category.
Machine: Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId.
MachineAction: Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc.
Example 1
Get all the machines with the tag 'ExampleTag'
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
.
]
}
Example 2
Get all the alerts that were created after 2018-10-20 00:00:00
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
.
.
.
]
}
Example 3
Get all the machines with RiskScore 'High'
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
.
]
}
Example 4
Get the top 100 machines with HealthStatus not equal to 'Active'
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
.
]
}
Example 5
Get all the machines last seen after 2018-10-20
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
.
]
}
Example 6
Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
"value": [
{
"id": "5c3e3322-d993-1234-1111-dfb136ebc8c5",
"type": "RunAntiVirusScan",
"requestor": "Analyst@examples.onmicrosoft.com",
"requestorComment": "1533",
"status": "Succeeded",
"machineId": "123321c10e44a82877af76b1d0161a17843f688a",
"creationDateTimeUtc": "2018-11-12T13:33:24.5755657Z",
"lastUpdateDateTimeUtc": "2018-11-12T13:34:32.0319826Z",
"relatedFileInfo": null
},
.
.
.
]
}
Example 7
Get the count of open alerts for a specific machine:
HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved'
Response:
HTTP/1.1 200 OK
Content-type: application/json
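Only Example 7 shows its request URL. The following Python builder is an added example, not code from the article: it produces the request URLs for all seven examples, rejects properties the article does not list as filterable, and renders string literals with embedded single quotes doubled so a caller-supplied value (a requestor name, a tag) cannot alter the filter expression. The camelCase property names follow Example 7 and the JSON responses above; the any() lambda used for the tag filter is an assumption based on OData V4 collection syntax, since the article gives only the prose for Example 1.

```python
from datetime import datetime, timezone
from urllib.parse import quote

BASE_URL = "https://api.securitycenter.windows.com/api"

# Properties the article lists as supporting $filter, keyed by collection, written in the
# camelCase form the JSON responses use (as in Example 7's "status ne 'Resolved'").
FILTERABLE = {
    "alerts": {"id", "incidentId", "alertCreationTime", "status", "severity", "category"},
    "machines": {"id", "computerDnsName", "lastSeen", "lastIpAddress", "healthStatus",
                 "osPlatform", "riskScore", "machineTags", "rbacGroupId"},
    "machineactions": {"id", "status", "machineId", "type", "requestor", "creationDateTimeUtc"},
}
OPERATORS = {"eq", "ne", "gt", "ge", "lt", "le"}   # OData V4 comparison operators


def odata_literal(value):
    """Render a Python value as an OData literal. Strings are single-quoted with embedded
    quotes doubled, so a value taken from user input cannot break out of the expression."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, datetime):
        if value.tzinfo is not None:
            value = value.astimezone(timezone.utc)
        return value.strftime("%Y-%m-%dT%H:%M:%SZ")   # naive datetimes are taken as UTC
    return "'" + str(value).replace("'", "''") + "'"


def filter_clause(collection, prop, op, value):
    """One '<prop> <op> <literal>' clause; properties outside the article's list are rejected
    up front instead of producing a server-side error."""
    if prop not in FILTERABLE[collection]:
        raise ValueError(f"{prop} is not filterable on {collection}")
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator {op}")
    return f"{prop} {op} {odata_literal(value)}"


def tag_clause(tag):
    """Machines carrying a tag; machineTags is a collection, so OData's any() lambda is used
    (assumed syntax, see the lead-in)."""
    return f"machineTags/any(tag: tag eq {odata_literal(tag)})"


def build_url(path, clauses=(), top=None):
    """Assemble the request URL: clauses are AND-ed and percent-encoded for the query string."""
    params = []
    if clauses:
        params.append("$filter=" + quote(" and ".join(clauses), safe="/(),:"))
    if top is not None:
        params.append(f"$top={int(top)}")
    return f"{BASE_URL}/{path}" + ("?" + "&".join(params) if params else "")


def example_urls():
    """The article's Examples 1 to 7 expressed with the builder (7 matches the URL shown above)."""
    return {
        1: build_url("machines", [tag_clause("ExampleTag")]),
        2: build_url("alerts", [filter_clause("alerts", "alertCreationTime", "gt", datetime(2018, 10, 20))]),
        3: build_url("machines", [filter_clause("machines", "riskScore", "eq", "High")]),
        4: build_url("machines", [filter_clause("machines", "healthStatus", "ne", "Active")], top=100),
        5: build_url("machines", [filter_clause("machines", "lastSeen", "gt", datetime(2018, 10, 20))]),
        6: build_url("machineactions", [
            filter_clause("machineactions", "type", "eq", "RunAntiVirusScan"),
            filter_clause("machineactions", "requestor", "eq", "Analyst@examples.onmicrosoft.com")]),
        7: build_url("machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count",
                     [filter_clause("alerts", "status", "ne", "Resolved")]),
    }
```

The percent-encoding matters when the URL is sent with urllib, which does not encode spaces itself; clients such as requests would accept the readable form too.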
Related topic
Windows Defender ATP APIs
Get KB collection API
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of KBs and KB details.
Permissions
User needs read permissions.
HTTP request
GET /testwdatppreview/kbinfo
Request headers
HEADER VALUE
Request body
Empty
Response
If successful - 200 OK.
Example
Request
Here is an example of the request.
GET https://graph.microsoft.com/testwdatppreview/KbInfo
Content-type: application/json
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo",
"@odata.count": 271,
"value":[
{
"id": "KB3097617 (10240.16549) Amd64",
"release": "KB3097617 (10240.16549)",
"publishingDate": "2015-10-16T21:00:00Z",
"version": "10.0.10240.16549",
"architecture": "Amd64"
},
…
}
Get CVE-KB map API
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a map of CVEs to KBs and CVE details.
Permissions
User needs read permissions.
HTTP request
GET /testwdatppreview/cvekbmap
Request headers
HEADER VALUE
Request body
Empty
Response
If successful and map exists - 200 OK.
Example
Request
Here is an example of the request.
GET https://graph.microsoft.com/testwdatppreview/CveKbMap
Content-type: application/json
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap",
"@odata.count": 4168,
"value": [
{
"cveKbId": "CVE-2015-2482-3097617",
"cveId": "CVE-2015-2482",
"kbId":"3097617",
"title": "Cumulative Security Update for Internet Explorer",
"severity": "Critical"
},
…
}
Enable the custom threat intelligence API in Windows
Defender ATP
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat
intelligence application through Windows Defender Security Center.
1. In the navigation pane, select Settings > Threat intel.
2. Select Enable threat intel API. This activates the Azure Active Directory application setup sections
with pre-populated values.
3. Copy the individual values or select Save details to file to download a file that contains all the values.
WARNING
The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
For more information about getting a new secret, see Learn how to get a new secret.
Related topics
Understand threat intelligence concepts
Create custom alerts using the threat intelligence API
PowerShell code examples for the custom threat intelligence API
Python code examples for the custom threat intelligence API
Experiment with custom threat intelligence alerts
Troubleshoot custom threat intelligence issues
Use the threat intelligence API to create custom alerts
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can
proceed to create custom threat intelligence alerts that are specific to your organization.
You can use the code examples to guide you in creating calls to the custom threat intelligence API.
In this section
TOPIC DESCRIPTION
Understand threat intelligence concepts: Understand the concepts around threat intelligence so that you can effectively create custom intelligence for your organization.
Enable the custom threat intelligence application: Set up the custom threat intelligence application through Windows Defender Security Center so that you can create custom threat intelligence (TI) using REST API.
Create custom threat intelligence alerts: Create custom threat intelligence alerts so that you can generate specific alerts that are applicable to your organization.
PowerShell code examples: Use the PowerShell code examples to guide you in using the custom threat intelligence API.
Python code examples: Use the Python code examples to guide you in using the custom threat intelligence API.
Experiment with custom threat intelligence alerts: This article demonstrates an end-to-end usage of the threat intelligence API to get you started in using the threat intelligence API.
Troubleshoot custom threat intelligence issues: Learn how to address possible issues you might encounter while using the threat intelligence API.
Create custom alerts using the threat intelligence (TI)
application program interface (API)
4/5/2019 • 8 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API.
Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization.
https://TI.SecurityCenter.Windows.com/{version}/{resource}?[query_parameters]
Quotas
Each tenant has a defined quota that limits the number of alert definitions and IOCs, and a separate quota for IOCs whose action is different from "equals". If you upload data beyond this quota, you'll encounter an HTTP error status code 507 (Insufficient Storage).
NOTE
The authorization server URL is https://login.windows.net/<AADTenantID>/oauth2/token. Replace <AADTenantID> with your Azure Active Directory tenant ID.
NOTE
The <ClientId>, <ClientSecret>, and the <AuthorizationServerUrl> are all provided to you when enabling the custom threat intelligence application. For more information, see Enable the custom threat intelligence application.
grant_type=client_credentials
&client_id=<ClientId>
&client_secret=<ClientSecret>
&resource=https://graph.microsoft.com
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1449685363",
"not_before": "1449681463",
"resource": "https://graph.microsoft.com",
"access_token": "<token>"
}
https://TI.SecurityCenter.Windows.com/v1.0/$metadata
The metadata allows you to see and understand the data model of the custom threat intelligence, including the
entity types and sets, complex types, and enums that make up the request and response packets sent to and from
the threat intelligence API.
You can use the metadata to understand the relationships between entities in the custom threat intelligence and
establish URLs that navigate between entities.
The following sections show a few basic programming pattern calls to the threat intelligence API.
{
    "Name": "The name of the alert definition. Does not appear in the portal. Max length: 100",
    "Severity": "Low",
    "InternalDescription": "Internal description for the alert definition. Does not appear in the portal. Max length: 350",
    "Title": "A short, one sentence, description of the alert definition. Max length: 120",
    "UxDescription": "Max length: 500",
    "RecommendedAction": "Custom text to explain what should be done in case of detection. Max length: 2000",
    "Category": "Category from the metadata",
    "Enabled": true
}
The following values correspond to the alert sections surfaced on Windows Defender Security Center:
1 Title
2 Severity
3 Category
4 UX description
5 Recommended Action
If successful, you should get a 201 CREATED response containing the representation of the newly created alert
definition, for example:
{
    "Name": "Connection to restricted company IP address",
    "Severity": "Low",
    "InternalDescription": "Unusual connection to restricted IP from production machine",
    "Title": "Connection to restricted company IP address",
    "UxDescription": "Any connection to this IP address from a production machine should be suspicious. Only special build machines should access this IP address.",
    "RecommendedAction": "Isolate machine immediately and contact machine owner for awareness.",
    "Category": "Trojan",
    "Id": 2,
    "CreatedAt": "2017-02-01T10:46:22.08Z",
    "CreatedBy": "User1",
    "LastModifiedAt": null,
    "LastModifiedBy": null,
    "Enabled": true
}
{
"Type": "SHA1",
"Value": "8311e8b377736fb93b18b15372355f3f26c4cd29",
"DetectionFunction": "Equals",
"Enabled": true,
"AlertDefinition@odata.bind": "AlertDefinitions(1)"
}
If successful, you should get a 201 CREATED response containing the representation of the newly created
indicators of compromise in the payload.
The API currently supports the following IOC types:
Sha1
Sha256
Md5
IpAddress
DomainName
And the following operators:
Equals
StartWith
EndWith
Contains
The request's body should contain a single JSON object with a single field. The field is named alertDefinitions when the entities are alert definitions and iocs when they are IOCs. This field's value should contain a list of the desired entities.
For example: Sending an HTTP POST to
https://TI.SecurityCenter.Windows.com/V1.0/IndicatorsOfCompromise/Actions.BulkUpload
JSON Body:
{
"iocs": [{
"Type": "SHA1",
"Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793",
"DetectionFunction": "Equals",
"Enabled": true,
"AlertDefinition@odata.bind": "AlertDefinitions(1)"
},
{
"Type": "SHA1",
"Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793",
"DetectionFunction": "Equals",
"Enabled": true,
"AlertDefinition@odata.bind": "AlertDefinitions(1)"
}
]
}
NOTE
Max bulk size is 5000 entities
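An added Python example, not code from the article, that prepares indicators for the bulk upload described above: each entity is validated against the IOC types and detection functions listed (the format checks for hashes, addresses and domain names are the added part, applied only for Equals since a StartWith/EndWith/Contains value is a fragment by design), duplicates such as the repeated SHA1 in the bulk example are dropped so they do not consume quota twice, and the list is split into request bodies that respect the 5000-entity limit from the NOTE.

```python
import re

# IOC types and detection functions the API supports, as listed above; the patterns are the
# format checks applied before upload so malformed values never reach the API or the quota.
IOC_TYPES = {
    "Sha1": re.compile(r"^[0-9a-fA-F]{40}$"),
    "Sha256": re.compile(r"^[0-9a-fA-F]{64}$"),
    "Md5": re.compile(r"^[0-9a-fA-F]{32}$"),
    "IpAddress": re.compile(r"^(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$"),
    "DomainName": re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$"),
}
DETECTION_FUNCTIONS = {"Equals", "StartWith", "EndWith", "Contains"}
MAX_BULK = 5000  # maximum entities per BulkUpload request, from the NOTE above


def make_ioc(ioc_type, value, alert_definition_id, detection_function="Equals", enabled=True):
    """Build one indicator entity bound to an alert definition, rejecting unsupported types or
    functions and, for Equals, values that are not a complete hash, address or domain."""
    if ioc_type not in IOC_TYPES:
        raise ValueError(f"unsupported IOC type {ioc_type!r}")
    if detection_function not in DETECTION_FUNCTIONS:
        raise ValueError(f"unsupported detection function {detection_function!r}")
    value = value.strip()
    if not value:
        raise ValueError("empty IOC value")
    if detection_function == "Equals" and not IOC_TYPES[ioc_type].match(value):
        raise ValueError(f"{value!r} is not a well-formed {ioc_type}")
    return {"Type": ioc_type, "Value": value, "DetectionFunction": detection_function,
            "Enabled": bool(enabled),
            "AlertDefinition@odata.bind": f"AlertDefinitions({int(alert_definition_id)})"}


def dedupe(iocs):
    """Drop repeated indicators (values compared case-insensitively, so upper- and lower-case
    hex of the same hash count once) to avoid spending quota on duplicates."""
    seen, unique = set(), []
    for ioc in iocs:
        key = (ioc["Type"], ioc["Value"].lower(), ioc["DetectionFunction"],
               ioc["AlertDefinition@odata.bind"])
        if key not in seen:
            seen.add(key)
            unique.append(ioc)
    return unique


def bulk_bodies(iocs):
    """Split the (de-duplicated) list into bodies for Actions.BulkUpload, each holding at most
    MAX_BULK entities under the single 'iocs' field the action expects."""
    iocs = dedupe(iocs)
    return [{"iocs": iocs[i:i + MAX_BULK]} for i in range(0, len(iocs), MAX_BULK)]
```

Each returned body is what goes into one POST to the BulkUpload URL above; json.dumps on it yields the JSON shown in the article.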
If successful, you should get a 200 OK response containing a single indicator of compromise representation (for the specified ID) in the payload, as follows:
HTTP/1.1 200 OK
content-type: application/json;odata.metadata=none
{
"value": [{
"Type": "SHA1",
"Value": "abcdeabcde1212121212abcdeabcde1212121212",
"DetectionFunction": "Equals",
"ExpiresAt": null,
"Id": 1,
"CreatedAt": "2016-12-05T15:51:02Z",
"CreatedBy": "user2@Company1.contoso.com",
"LastModifiedAt": null,
"LastModifiedBy": null,
"Enabled": true
}]
}
If successful, you should get a 200 OK response containing the collection of alert definition representations in the payload, as follows:
HTTP/1.1 200 OK
content-type: application/json;odata.metadata=none
{
"@odata.context": "https://TI.SecurityCenter.Windows.com/V1.0/$metadata#AlertDefinitions",
"value": [{
"Name": "Demo alert definition",
"Severity": "Medium",
"InternalDescription": "Some description",
"Title": "Demo short ux description",
"UxDescription": "Demo ux description",
"RecommendedAction": "Actions",
"Category": "Malware",
"Id": 1,
"CreatedAt": "2016-12-05T15:50:53Z",
"CreatedBy": "user@Company1.contoso.com",
"LastModifiedAt": null,
"LastModifiedBy": null,
"Enabled": true
},
{
"Name": "Demo alert definition 2",
"Severity": "Low",
"InternalDescription": "Some description",
"Title": "Demo short ux description2",
"UxDescription": "Demo ux description2",
"RecommendedAction": null,
"Category": "Malware",
"Id": 2,
"CreatedAt": "2016-12-06T13:30:00Z",
"CreatedBy": "user2@Company1.contoso.com",
"LastModifiedAt": null,
"LastModifiedBy": null,
"Enabled": true
}
]
}
{
"Category": "Backdoor",
"Enabled": false
}
If successful, you should get a 200 OK response containing the updated alert definition representation (per the specified ID) in the payload.
{
"@odata.id": "https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions(6)"
}
Delete a resource
DELETE https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(1) HTTP/1.1
Authorization: Bearer <access_token>
NOTE
Deleting an alert definition also deletes its corresponding IOCs.
Deleting an IOC or an alert definition will not delete or hide past alerts matching the alert definition. However, deleting
an alert definition and creating a new one with the exact same metadata will result in new alerts in the portal. It's not
advised to delete an alert definition and create a new one with the same content.
Delete all
You can use the HTTP DELETE method sent to the relevant source to delete all resources.
NOTE
As with all OData actions, this action sends an HTTP POST request, not DELETE.
Code examples
The following articles provide detailed code examples that demonstrate how to use the custom threat intelligence
API in several programming languages:
PowerShell code examples
Python code examples
Related topics
Understand threat intelligence concepts
Enable the custom threat intelligence API in Windows Defender ATP
PowerShell code examples for the custom threat intelligence API
Python code examples for the custom threat intelligence API
Experiment with custom threat intelligence alerts
Troubleshoot custom threat intelligence issues
PowerShell code examples for the custom threat
intelligence API
4/22/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
This article provides PowerShell code examples for using the custom threat intelligence API.
These code examples demonstrate the following tasks:
Obtain an Azure AD access token
Create headers
Create calls to the custom threat intelligence API
Create a new alert definition
Create a new indicator of compromise
$authUrl = 'Your Authorization URL'        # the values provided when the custom TI application was enabled
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'
$tokenPayload = @{
    "resource"='https://graph.windows.net'
    "client_id" = $clientId
    "client_secret" = $clientSecret
    "grant_type"='client_credentials'}
$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload   # client-credentials grant
$token = $response.access_token
Step 2: Create headers used for the requests with the API
Use the following code to create the headers used for the requests with the API:
$headers = @{
"Content-Type"="application/json"
"Accept"="application/json"
"Authorization"="Bearer {0}" -f $token }
$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
$alertDefinitions =
(Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
$alertDefinitionPayload = @{
"Name"= "The alert's name"
"Severity"= "Low"
"InternalDescription"= "An internal description of the Alert"
"Title"= "The Title"
"UxDescription"= "Description of the alerts"
"RecommendedAction"= "The alert's recommended action"
"Category"= "Trojan"
"Enabled"= "true"}
$alertDefinition =
Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
$alertDefinitionId = $alertDefinition.Id   # the definition created above, which the IOC is bound to
$iocPayload = @{
    "Type"="Sha1"
    "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
    "DetectionFunction"="Equals"
    "Enabled"="true"
    "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
$ioc =
    Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
        -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
Complete code
You can use the complete code to create calls to the API.
$authUrl = 'Your Authorization URL'
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'
$tokenPayload = @{
    "resource"='https://graph.windows.net'
    "client_id" = $clientId
    "client_secret" = $clientSecret
    "grant_type"='client_credentials'}
# Step 1: obtain the Azure AD access token
$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
$token = $response.access_token
# Step 2: headers used for every request to the API
$headers = @{
    "Content-Type"="application/json"
    "Accept"="application/json"
    "Authorization"="Bearer {0}" -f $token }
$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
# Step 3: list the existing alert definitions
$alertDefinitions =
    (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
# Step 4: create a new alert definition
$alertDefinitionPayload = @{
    "Name"= "The alert's name"
    "Severity"= "Low"
    "InternalDescription"= "An internal description of the Alert"
    "Title"= "The Title"
    "UxDescription"= "Description of the alerts"
    "RecommendedAction"= "The alert's recommended action"
    "Category"= "Trojan"
    "Enabled"= "true"}
$alertDefinition =
    Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
        -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
$alertDefinitionId = $alertDefinition.Id
# Step 5: create an indicator of compromise bound to that definition
$iocPayload = @{
    "Type"="Sha1"
    "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
    "DetectionFunction"="Equals"
    "Enabled"="true"
    "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
$ioc =
    Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
        -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
Related topics
Understand threat intelligence concepts
Enable the custom threat intelligence API in Windows Defender ATP
Create custom alerts using the threat intelligence API
Python code examples for the custom threat intelligence API
Experiment with custom threat intelligence alerts
Troubleshoot custom threat intelligence issues
Python code examples for the custom threat
intelligence API
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
import json
import requests
from pprint import pprint
auth_url = 'Your Authorization URL'     # the values provided when the custom TI application was enabled
client_id = 'Your Client ID'
client_secret = 'Your Client Secret'
payload = {"resource": "https://graph.windows.net", "client_id": client_id,
           "client_secret": client_secret, "grant_type": "client_credentials"}
token = json.loads(requests.post(auth_url, payload).text)["access_token"]
session = requests.Session()            # carries the bearer token on every call below
session.headers.update({"Authorization": "Bearer {}".format(token),
                        "Content-Type": "application/json", "Accept": "application/json"})
response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
pprint(json.loads(response.text))
alert_definition = {"Name": "The alert's name", "Severity": "Low", "Title": "The Title",
                    "InternalDescription": "An internal description of the alert",
                    "UxDescription": "Description of the alerts", "Category": "Trojan",
                    "RecommendedAction": "The alert's recommended action", "Enabled": True}
response = session.post("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions", json=alert_definition)
alert_definition_id = json.loads(response.text)["Id"]
ioc = {"Type": "Sha1", "Value": "dead1111eeaabbccddeeaabbccddee11ffffffff", "DetectionFunction": "Equals",
       "Enabled": True, "AlertDefinition@odata.bind": "AlertDefinitions({})".format(alert_definition_id)}
response = session.post("https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise", json=ioc)
Complete code
You can use the complete code to create calls to the API.
import json
import requests
from pprint import pprint
tenant_id, client_id, client_secret = "", "", ""  # paste your Azure AD tenant ID, application ID and application key
# Get a bearer token with the client credentials flow (Azure AD v1 token endpoint; assumed here, the page does not show it).
token_response = requests.post("https://login.windows.net/{0}/oauth2/token".format(tenant_id),
    data={"resource": "https://graph.windows.net", "client_id": client_id,
          "client_secret": client_secret, "grant_type": "client_credentials"})
session = requests.Session()
session.headers.update({"Authorization": "Bearer " + json.loads(token_response.text)["access_token"]})
# List the existing alert definitions.
response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
pprint(json.loads(response.text))
# Create an alert definition (same fields as the PowerShell example) and keep its Id.
alert_definition = {"Name": "The alert's name", "Severity": "Low", "Title": "The Title",
    "InternalDescription": "An internal description of the Alert", "UxDescription": "Description of the alerts",
    "RecommendedAction": "The alert's recommended action", "Category": "Trojan", "Enabled": "true"}
response = session.post("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions", json=alert_definition)
alert_definition_id = json.loads(response.text)["Id"]
# Create an IOC bound to that alert definition.
ioc = {"Type": "Sha1", "Value": "dead1111eeaabbccddeeaabbccddee11ffffffff", "DetectionFunction": "Equals",
    "Enabled": "true", "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
response = session.post("https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise", json=ioc)
pprint(json.loads(response.text))
Related topics
Understand threat intelligence concepts
Enable the custom threat intelligence API in Windows Defender ATP
Create custom alerts using the threat intelligence API
PowerShell code examples for the custom threat intelligence API
Experiment with custom threat intelligence alerts
Troubleshoot custom threat intelligence issues
Experiment with custom threat intelligence (TI) alerts
4/5/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
With the Windows Defender ATP threat intelligence API, you can create custom threat intelligence alerts that help you keep track of possible attack activity in your organization.
For more information about threat intelligence concepts, see Understand threat intelligence concepts.
This article demonstrates end-to-end use of the threat intelligence API to get you started with it.
You'll be guided through sample steps so you can see how the threat intelligence API feature works.
The sample steps include creating alert definitions and indicators of compromise (IOCs), and show what triggered custom TI alerts look like.
Try
{
    # $tenantId, $clientId and $clientSecret are set earlier in the script (not shown on this page).
    $tokenPayload = @{
        "resource" = 'https://graph.windows.net'
        "client_id" = $clientId
        "client_secret" = $clientSecret
        "grant_type" = 'client_credentials'}
    # Get a bearer token with the client credentials flow (Azure AD v1 token endpoint; assumed here, the page does not show it).
    $authUrl = "https://login.windows.net/{0}/oauth2/token" -f $tenantId
    $token = (Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload).access_token
    $headers = @{
        "Content-Type" = "application/json"
        "Accept" = "application/json"
        "Authorization" = "Bearer {0}" -f $token }
    $apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
    $alertDefinitionPayload = @{
        "Name" = "Test Alert"
        "Severity" = "Medium"
        "InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature"
        "Title" = "Test alert."
        "UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled."
        "RecommendedAction" = "No recommended action for this test alert."
        "Category" = "SuspiciousNetworkTraffic"
        "Enabled" = "true"}
    # Create the alert definition and keep its Id; the IOC below is bound to it.
    $alertDefinition = Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
        -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
    $alertDefinitionId = $alertDefinition.Id
    $iocPayload = @{
        "Type" = "IpAddress"
        "Value" = "52.184.197.12"
        "DetectionFunction" = "Equals"
        "Enabled" = "true"
        "AlertDefinition@odata.bind" = "AlertDefinitions({0})" -f $alertDefinitionId }
    # Create the IOC bound to the alert definition above.
    $ioc = Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
        -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
    "All done!"
}
Catch
{
    "Something went wrong! Got the following exception message: {0}" -f $_.Exception.Message
}
3. Run the script and verify in the results window that the operation succeeded. Wait up to 20 minutes for the new or updated alert definition to propagate to the detection engines.
NOTE:
If you get the exception "The remote server returned an error: (407) Proxy Authentication Required", you need to add the proxy configuration by adding the following code to the PowerShell script:
$webclient = New-Object System.Net.WebClient
$creds = Get-Credential
$webclient.Proxy.Credentials = $creds
Related topics
Understand threat intelligence concepts
Enable the custom threat intelligence API in Windows Defender ATP
Create custom alerts using the threat intelligence API
PowerShell code examples for the custom threat intelligence API
Python code examples for the custom threat intelligence API
Troubleshoot custom threat intelligence issues
Troubleshoot custom threat intelligence issues
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You might need to troubleshoot issues while using the custom threat intelligence feature.
This page provides detailed steps to troubleshoot issues you might encounter while using the feature.
Related topics
Understand threat intelligence concepts
Enable the custom threat intelligence API in Windows Defender ATP
Create custom alerts using the threat intelligence API
PowerShell code examples for the custom threat intelligence API
Python code examples for the custom threat intelligence API
Experiment with custom threat intelligence alerts
Pull alerts to your SIEM tools
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
In this section
TOPIC DESCRIPTION
Enable SIEM integration in Windows Defender ATP: Learn about enabling the SIEM integration feature in the Settings page in the portal so that you can use and generate the required information to configure supported SIEM tools.
Configure Splunk to pull Windows Defender ATP alerts: Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
Configure HP ArcSight to pull Windows Defender ATP alerts: Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
Windows Defender ATP alert API fields: Understand what data fields are exposed as part of the alerts API and how they map to Windows Defender Security Center.
Pull Windows Defender ATP alerts using REST API: Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API.
Troubleshoot SIEM tool integration issues: Address issues you might encounter when using the SIEM integration feature.
Enable SIEM integration in Windows Defender ATP
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Enable security information and event management (SIEM) integration so you can pull alerts from Windows Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API.
Prerequisites
The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a Global administrator role.
During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow
pop-ups for this site.
TIP
If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of
your browser. It might be blocking the new window being opened when you enable the capability.
2. Select Enable SIEM integration. This activates the SIEM connector access details section with pre-populated values, and an application is created under your Azure Active Directory (AAD) tenant.
WARNING
The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
For more information about getting a new secret, see Learn how to get a new secret.
3. Choose the SIEM type you use in your organization.
NOTE
If you select HP ArcSight, you'll need to save these two configuration files:
WDATP-connector.jsonparser.properties
WDATP-connector.properties
If you want to connect directly to the alerts REST API through programmatic access, choose Generic API.
4. Copy the individual values or select Save details to file to download a file that contains all the values.
5. Select Generate tokens to get an access and refresh token.
NOTE
You'll need to generate a new Refresh token every 90 days.
You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through
programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive
alerts from Windows Defender Security Center.
Integrate Windows Defender ATP with IBM QRadar
You can configure IBM QRadar to collect alerts from Windows Defender ATP. For more information, see IBM
Knowledge Center.
Related topics
Configure Splunk to pull Windows Defender ATP alerts
Configure HP ArcSight to pull Windows Defender ATP alerts
Windows Defender ATP alert API fields
Pull Windows Defender ATP alerts using REST API
Troubleshoot SIEM tool integration issues
Configure Splunk to pull Windows Defender ATP alerts
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You'll need to configure Splunk so that it can pull Windows Defender ATP alerts.
Configure Splunk
1. Log in to Splunk.
2. Click Search & Reporting, then Settings > Data inputs.
3. Click REST under Local inputs.
NOTE: This input will only appear after you install the REST API Modular Input app.
4. Click New.
5. Type the following values in the required fields, then click Save:
NOTE: All other values in the form are optional and can be left blank.
FIELD VALUE
Endpoint URL: Depending on the location of your datacenter, select one of the following URLs:
For EU: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts
For US: https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts
For UK: https://wdatp-alertexporter-uk.securitycenter.windows.com/api/alerts
OAuth 2 Access token: Use the value that you generated when you enabled the SIEM integration feature. NOTE: The access token expires after an hour.
OAuth 2 Refresh Token: Use the value that you generated when you enabled the SIEM integration feature.
OAuth 2 Token Refresh URL: Use the value from the details file you saved when you enabled the SIEM integration feature.
OAuth 2 Client ID: Use the value from the details file you saved when you enabled the SIEM integration feature.
OAuth 2 Client Secret: Use the value from the details file you saved when you enabled the SIEM integration feature.
Polling Interval: Number of seconds between Splunk polls of the Windows Defender ATP alerts endpoint. Accepted values are in seconds.
After completing these configuration steps, you can go to the Splunk dashboard and run queries.
Other values are optional and can be left with the default values.
4. Click Save. The query is saved in the list of searches.
5. Find the query you saved in the list and click Run. The results are displayed based on your query.
TIP
To minimize alert duplication, you can use the following query:
source="rest://windows atp alerts" | spath | dedup _raw | table *
Related topics
Enable SIEM integration in Windows Defender ATP
Configure ArcSight to pull Windows Defender ATP alerts
Windows Defender ATP alert API fields
Pull Windows Defender ATP alerts using REST API
Troubleshoot SIEM tool integration issues
Configure HP ArcSight to pull Windows Defender ATP alerts
4/5/2019 • 6 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Windows Defender
ATP alerts.
FIELD VALUE
Configuration File: Type in the name of the client property file. The name must match the file provided in the .zip that you downloaded. For example, if the configuration file in the "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.
7. A browser window is opened by the connector. Log in with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.
If the redirect_uri is an https URL, you'll be redirected to a URL on the local host. You'll see a page asking you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is an https URL.
If, however, you specify an http URL for the redirect_uri, you do not need to consent to trusting the certificate.
8. Continue with the connector setup by returning to the HP ArcSight Connector Setup window.
9. Select the ArcSight Manager (encrypted) as the destination and click Next.
10. Type in the destination IP/hostname in Manager Hostname and your credentials in the parameters form.
All other values in the form should be retained with the default values. Click Next.
11. Type in a name for the connector in the connector details form. All other values in the form are optional
and can be left blank. Click Next.
12. The ESM Manager import certificate window is shown. Select Import the certificate to connector from
destination and click Next. The Add connector Summary window is displayed and the certificate is
imported.
13. Verify that the details in the Add connector Summary window are correct, then click Next.
14. Select Install as a service and click Next.
15. Type a name in the Service Internal Name field. All other values in the form can be retained with the default values or left blank. Click Next.
16. Type in the service parameters and click Next. A window with the Install Service Summary is shown.
Click Next.
17. Finish the installation by selecting Exit and Next.
Solution:
1. Stop the process by clicking Ctrl + C on the Connector window. Click Y when asked "Terminate batch job
Y/N?".
2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value: reauthenticate=true
3. Restart the connector by running the following command: arcsight.bat connectors
A browser window appears. Allow it to run, it should disappear, and the connector should now be running.
NOTE
Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window
should appear.
Related topics
Enable SIEM integration in Windows Defender ATP
Configure Splunk to pull Windows Defender ATP alerts
Pull Windows Defender ATP alerts using REST API
Troubleshoot SIEM tool integration issues
Windows Defender ATP SIEM alert API fields
4/5/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Understand what data fields are exposed as part of the alerts API and how they map to Windows Defender Security Center.
PORTAL LABEL SIEM FIELD NAME ARCSIGHT FIELD EXAMPLE VALUE DESCRIPTION
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal.
In general, the OAuth 2.0 protocol supports four types of flows:
Authorization grant flow
Implicit flow
Client credentials flow
Resource owner flow
For more information about the OAuth specifications, see the OAuth Website.
Windows Defender ATP supports the Authorization grant flow and Client credential flow to obtain access to generate alerts from the portal, with Azure Active Directory (AAD) as the authorization server.
The Authorization grant flow uses user credentials to get an authorization code, which is then used to obtain an access token.
The Client credential flow uses client credentials to authenticate against the Windows Defender ATP endpoint URL. This flow is suitable for scenarios in which an OAuth client makes requests to an API that doesn't require user credentials.
Use the following method in the Windows Defender ATP API to pull alerts in JSON format.
NOTE
Windows Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based
on the query parameters you set, enabling you to apply your own grouping and filtering.
resource=https%3A%2F%2Fgraph.windows.net&client_id=35e0f735-5fe4-4693-9e68-3de80f1d3745&client_secret=IKXc6PxB2eoFNJ%2FIT%2Bl2JZZD9d9032VXz6Ul3D2WyUQ%3D&grant_type=client_credentials
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1488720683",
"not_before": "1488720683",
"resource": "https://graph.windows.net",
"access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..."
}
You can now use the value in the access_token field in a request to the Windows Defender ATP API.
Request
With an access token, your app can make authenticated requests to the Windows Defender ATP API. Your app must append
the access token to the Authorization header of each request.
Request syntax
METHOD REQUEST URI
For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts
For US: https://wdatp-alertexporter-us.windows.com/api/alerts
For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts
Request header
HEADER TYPE DESCRIPTION
Request parameters
Use optional query parameters to specify and control the amount of data returned in a response. If you call this method
without parameters, the response contains all the alerts in your organization in the last 2 hours.
ago (string): Pulls alerts in the following time range: from (current_time - ago) to current_time.
Example:
https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines
Request example
The following example demonstrates how to retrieve all the alerts in your organization.
GET https://wdatp-alertexporter-eu.windows.com/api/alerts
Authorization: Bearer <your access token>
The following example demonstrates a request to get the last 20 alerts since 2016-09-12 00:00:00.
GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc=2016-09-12T00:00:00.000
Authorization: Bearer <your access token>
Response
The return value is an array of alert objects in JSON format.
Here is an example return value:
{"AlertTime":"2017-01-23T07:32:54.1861171Z",
"ComputerDnsName":"desktop-bvccckk",
"AlertTitle":"Suspicious PowerShell commandline",
"Category":"SuspiciousActivity",
"Severity":"Medium",
"AlertId":"636207535742330111_-1114309685",
"Actor":null,
"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685",
"IocName":null,
"IocValue":null,
"CreatorIocName":null,
"CreatorIocValue":null,
"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9",
"FileName":"powershell.exe",
"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0",
"IpAddress":null,
"Url":null,
"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68",
"UserName":null,
"AlertPart":0,
"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF",
"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z",
"ThreatCategory":null,
"ThreatFamily":null,
"ThreatName":null,
"RemediationAction":null,
"RemediationIsSuccess":null,
"Source":"Windows Defender ATP",
"Md5":null,
"Sha256":null,
"WasExecutingWhileDetected":null,
"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9",
"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"}
Code examples
Get access token
The following code example demonstrates how to obtain an access token and call the Windows Defender ATP API.
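As an added example, not part of the Windows Defender ATP documentation, the following Python helpers cover the SIEM-side poller this section describes: checking the token response's expires_on before reusing a token, composing the request URI with the optional query parameters, and parsing the raw-detection response into deduplicated, regrouped alerts. ALERT_EXPORTER, ingest, group_by_alert and the sample batch are my own names and constructed data; using the newest AlertTime as the next sinceTimeUtc is an assumption of this example.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlencode
# Regional alert exporter endpoints listed on this page.
ALERT_EXPORTER = {
    "eu": "https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts",
    "us": "https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts",
    "uk": "https://wdatp-alertexporter-uk.securitycenter.windows.com/api/alerts",
}

# Token response in the shape shown above (constructed sample; a real access_token is much longer).
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer", "expires_in": "3599", "ext_expires_in": "0",
    "expires_on": "1488720683", "not_before": "1488720683",
    "resource": "https://graph.windows.net",
    "access_token": "eyJ0eXAi.constructed-sample-token",
}

def token_needs_refresh(token_response, now_epoch, skew_seconds=300):
    """True when the token expires within skew_seconds of now_epoch. expires_on is an
    epoch string and tokens last about an hour, so a poller re-acquires them instead
    of caching one for the day."""
    return int(now_epoch) + skew_seconds >= int(token_response["expires_on"])

def auth_header(token_response):
    """The Authorization header every alerts request must carry."""
    return {"Authorization": "{0} {1}".format(token_response["token_type"],
                                               token_response["access_token"])}

def to_since_param(dt):
    """Format a UTC datetime like the page's sinceTimeUtc example: 2016-09-12T00:00:00.000."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "{0:03d}".format(dt.microsecond // 1000)

def build_alerts_url(region, since_time_utc=None, limit=None, machinegroups=()):
    """Compose the request URI with the optional query parameters the page lists (limit,
    sinceTimeUtc, repeated machinegroups). With no parameters the API returns the last 2 hours."""
    params = []
    if limit is not None:
        params.append(("limit", int(limit)))
    if since_time_utc is not None:
        params.append(("sinceTimeUtc", since_time_utc))
    for group in machinegroups:
        params.append(("machinegroups", group))
    # safe=":" keeps the timestamp's colons unescaped, as in the page's example request.
    return ALERT_EXPORTER[region] + ("?" + urlencode(params, safe=":") if params else "")

def parse_utc(ts):
    """Parse the API's timestamps (up to seven fractional digits, trailing Z), which
    datetime.fromisoformat rejects on older Python versions."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z?", ts)
    if not m:
        raise ValueError("unexpected timestamp: {0!r}".format(ts))
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def ingest(raw_detections, seen_full_ids):
    """Keep only detections not forwarded before and advance the watermark. The API returns
    raw detections (one per matched IOC; see AlertPart) and overlapping polling windows
    return the same record again, so FullId (AlertId plus IocUniqueId) is the dedup key.
    Returning the newest AlertTime as the next sinceTimeUtc is this example's assumption."""
    fresh, newest = [], None
    for det in raw_detections:
        if det["FullId"] in seen_full_ids:
            continue
        seen_full_ids.add(det["FullId"])
        fresh.append(det)
        t = parse_utc(det["AlertTime"])
        newest = t if newest is None or t > newest else newest
    return fresh, (to_since_param(newest) if newest is not None else None)

def group_by_alert(detections):
    """Regroup detection parts under their portal alert, mirroring what Windows Defender Security Center merges."""
    grouped = {}
    for det in detections:
        grouped.setdefault(det["AlertId"], []).append(det)
    return grouped

def _detection(alert_id, part, ioc_uid, alert_time):
    """Constructed detection record carrying the fields this example reads."""
    return {"AlertTime": alert_time, "ComputerDnsName": "desktop-bvccckk",
            "AlertTitle": "Suspicious PowerShell commandline", "Severity": "Medium",
            "AlertId": alert_id, "AlertPart": part, "IocUniqueId": ioc_uid,
            "FullId": "{0}:{1}".format(alert_id, ioc_uid), "Source": "Windows Defender ATP"}

# Constructed batch: two parts of one alert, an exact repeat of the first part (as an
# overlapping poll window would return it), and a second alert.
SAMPLE_BATCH = [
    _detection("636207535742330111_-1114309685", 0, "9DE735BA", "2017-01-23T07:32:54.1861171Z"),
    _detection("636207535742330111_-1114309685", 1, "1A2B3C4D", "2017-01-23T07:32:54.1861171Z"),
    _detection("636207535742330111_-1114309685", 0, "9DE735BA", "2017-01-23T07:32:54.1861171Z"),
    _detection("636207535742330222_-1114309686", 0, "FFEE0011", "2017-01-23T09:05:00Z"),
]

if __name__ == "__main__":
    seen = set()
    fresh, mark = ingest(SAMPLE_BATCH, seen)
    print(len(fresh), "new detections in", len(group_by_alert(fresh)), "alerts; next sinceTimeUtc:", mark)
    print(build_alerts_url("eu", since_time_utc=mark, limit=20), auth_header(SAMPLE_TOKEN_RESPONSE))
```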
Error codes
The Windows Defender ATP REST API returns the following error codes caused by an invalid request.
Related topics
Enable SIEM integration in Windows Defender ATP
Configure ArcSight to pull Windows Defender ATP alerts
Configure Splunk to pull Windows Defender ATP alerts
Windows Defender ATP alert API fields
Troubleshoot SIEM tool integration issues
Troubleshoot SIEM tool integration issues
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You might need to troubleshoot issues while pulling alerts in your SIEM tools.
This page provides detailed steps to troubleshoot issues you might encounter.
Related topics
Enable SIEM integration in Windows Defender ATP
Configure ArcSight to pull Windows Defender ATP alerts
Configure Splunk to pull Windows Defender ATP alerts
Windows Defender ATP alert API fields
Pull Windows Defender ATP alerts using REST API
Create and build Power BI reports using Windows Defender ATP data
4/22/2019 • 5 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
TIP
Go to Advanced features in the Settings page to turn on the preview features.
Understand the security status of your organization, including the status of machines, alerts, and investigations
using the Windows Defender ATP reporting feature that integrates with Power BI.
Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access
Windows Defender ATP data using Microsoft Graph.
Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine
data to build reports and dashboards that meet the needs of your organization.
You can easily get started by:
Creating a dashboard on the Power BI service
Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting
requirements of your organization
You can access these options from Windows Defender Security Center. Both the Power BI service and Power BI
Desktop are supported.
NOTE
Loading your data in the Power BI service can take a few minutes.
5. Click Accept. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported:
NOTE
Depending on the number of onboarded machines, loading your data in the Power BI service can take several minutes. A larger number of machines might take longer to load.
When the data import is completed and the dataset is ready, you'll see the following notification:
4. In the AppSource window, select Apps and search for Windows Defender Advanced Threat Protection.
5. Click Get it now.
6. Specify the following details:
extensionDataSourceKind: WDATPConnector
extensionDataSourcePath: WDATPConnector
Authentication method: OAuth2
7. Click Sign in. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign
in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing
Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report
refresh.
8. Click Accept. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported:
NOTE
Depending on the number of onboarded machines, loading your data in the Power BI service can take several minutes. A larger number of machines might take longer to load.
When the data import is completed and the dataset is ready, you'll see the following notification:
4. Create a new directory Microsoft Power BI Desktop\Custom Connectors under the user's Documents folder.
5. Copy WDATPDataConnector.mez from the zip to the directory you just created.
6. Open Power BI Desktop.
7. Click File > Options and settings > Custom data connectors.
8. Select New table and matrix visuals and Custom data connectors and click OK.
NOTE
If you are using Power BI Desktop July 2017 version (or later), you won't need to select New table and matrix
visuals. You'll only need to select Custom data connectors.
9. Restart Power BI Desktop.
2. Click Connect.
3. On the Preview Connector windows, click Continue.
4. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give
consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender
ATP Power BI to sign in and read your profile, and access your data.
5. Click Accept. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft
Graph. When all data has been downloaded, you can proceed to customize your reports.
6. In the Navigator dialog box, select the Windows Defender ATP feeds you'd like to download and use in your
reports and click Load. Data will start to be downloaded from the Microsoft Graph.
7. Load other data sources by clicking Get data item in the Home ribbon, and select another data source.
8. Add visuals and select fields from the available data sources.
Related topic
Create custom Power BI reports (Beta)
Threat protection report in Windows Defender ATP
5/2/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The threat protection report provides high-level information about alerts generated in your organization. The
report includes trending information showing the detection sources, categories, severities, statuses, classifications,
and determinations of alerts across time.
The dashboard is structured into two sections:
SECTION DESCRIPTION
1 Alerts trends
2 Alert summary
By default, the alert trends display alert information from the 30-day period ending in the latest full day. To gain
better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the
time period shown. To adjust the time period, select a time range from the drop-down options:
30 days
3 months
6 months
Custom
While the alert trends show trending alert information, the alert summary shows alert information scoped to the current day.
The alert summary allows you to drill down to a particular alert queue with the corresponding filter applied to it. For example, clicking the EDR bar in the Detection sources card brings you to the alerts queue with results showing only alerts generated from EDR detections.
Alert attributes
The report is made up of cards that display the following alert attributes:
Detection sources: shows information about the sensors and detection technologies that provide the data
used by Windows Defender ATP to trigger alerts.
Threat categories: shows the types of threat or attack activity that triggered alerts, indicating possible
focus areas for your security operations.
Severity: shows the severity level of alerts, indicating the collective potential impact of threats to your
organization and the level of response needed to address them.
Status: shows the resolution status of alerts, indicating the efficiency of your manual alert responses and of
automated remediation (if enabled).
Classification & determination: shows how you have classified alerts upon resolution, whether you have
classified them as actual threats (true alerts) or as incorrect detections (false alerts). These cards also show
the determination of resolved alerts, providing additional insight like the types of actual threats found or the
legitimate activities that were incorrectly detected.
Filter data
Use the provided filters to include or exclude alerts with certain attributes.
NOTE
These filters apply to all the cards in the report.
Related topic
Machine health and compliance report
Machine health and compliance report in Windows Defender ATP
5/2/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
The machines status report provides high-level information about the devices in your organization. The report
includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10
versions.
The dashboard is structured into two sections:
SECTION DESCRIPTION
1 Machine trends
By default, the machine trends displays machine information from the 30-day period ending in the latest full day.
To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by
adjusting the time period shown. To adjust the time period, select a time range from the drop-down options:
30 days
3 months
6 months
Custom
While the machine trends show trending machine information, the machine summary shows machine information scoped to the current day.
The machine trends section allows you to drill down to the machines list with the corresponding filter applied to it. For example, clicking the Inactive bar in the Sensor health state card brings you to the machines list with results showing only machines whose sensor status is inactive.
Machine attributes
The report is made up of cards that display the following machine attributes:
Health state: shows information about the sensor state on devices, providing an aggregated view of
devices that are active, experiencing impaired communications, inactive, or where no sensor data is seen.
Antivirus status for active Windows 10 machines: shows the number of machines and status of
Windows Defender Antivirus.
OS platforms: shows the distribution of OS platforms that exists within your organization.
Windows 10 versions: shows the distribution of Windows 10 machines and their versions in your
organization.
Filter data
Use the provided filters to include or exclude machines with certain attributes.
You can select multiple filters to apply from the machine attributes.
NOTE
These filters apply to all the cards in the report.
For example, to show data about Windows 10 machines with Active sensor health state:
1. Under Filters, select Sensor health state > Active.
2. Then select OS platforms > Windows 10.
3. Select Apply.
Related topic
Threat protection report
Partner applications in Microsoft Defender ATP
4/26/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Windows Defender ATP)
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat
intelligence capabilities of the platform.
Support for third-party solutions helps to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender ATP, enabling security teams to respond more effectively to modern threats.
Microsoft Defender ATP integrates with existing security solutions, providing out-of-the-box integration with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC indicator ingestion and matching, automated device investigation and remediation based on external alerts, and integration with security orchestration and automation response (SOAR) systems.
SIEM integration
Microsoft Defender ATP supports SIEM integration through a variety of methods - specialized SIEM system
interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API
enabling alert status management. For more information, see Enable SIEM integration.
Indicators matching
You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise
(IOCs).
Microsoft Defender ATP allows you to integrate with such solutions and act on IoCs by correlating its rich
telemetry and creating alerts when there's a match; leveraging prevention and automated response capabilities to
block execution and take remediation actions when there's a match.
Microsoft Defender ATP currently supports IOC matching and remediation for file and network indicators.
Blocking is supported for file indicators.
Applies to:
Azure Active Directory
Office 365
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained control over what users with access to the portal can see and do.
Large geo-distributed security operations teams typically adopt a tier-based model to assign and authorize access
to security portals. Typical tiers include the following three levels:
TIER DESCRIPTION
Windows Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you
granular control over what roles can see, machines they can access, and actions they can take. The RBAC
framework is centered around the following controls:
Control who can take specific action
Create custom roles and control what Windows Defender ATP capabilities they can access with
granularity.
Control who can see information on a specific machine group or groups
Create machine groups by specific criteria such as names, tags, domains, and others, then grant role
access to them using a specific Azure Active Directory (Azure AD) user group.
To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign
Azure AD user groups to the roles.
Before you begin
Before using RBAC, it's important that you understand the roles that can grant permissions and the consequences
of turning on RBAC.
WARNING
Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in Azure
AD and that you have your Azure AD groups ready to reduce the risk of being locked out of the portal.
When you first log in to Windows Defender Security Center, you're granted either full access or read only access.
Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read
only access is granted to users with a Security Reader role in Azure AD.
Someone with a Windows Defender ATP Global administrator role has unrestricted access to all machines,
regardless of their machine group association and the Azure AD user group assignments.
WARNING
Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles
in Windows Defender Security Center, therefore, having the right groups ready in Azure AD is important.
Turning on role-based access control will cause users with read-only permissions (for example, users assigned to
Azure AD Security reader role) to lose access until they are assigned to a role.
Users with admin permissions are automatically assigned the default built-in Windows Defender ATP global administrator role
with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or Security
Administrators to the Windows Defender ATP global administrator role.
After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.
Related topic
Create and manage machine groups in Windows Defender ATP
Create and manage roles for role-based access control
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Create roles and assign the role to an Azure Active Directory group
The following steps guide you on how to create roles in Windows Defender Security Center. It assumes that you
have already created Azure Active Directory user groups.
1. In the navigation pane, select Settings > Roles.
2. Click Add role.
3. Enter the role name, description, and permissions you'd like to assign to the role.
Role name
Description
Permissions
View data - Users can view information in the portal.
Alerts investigation - Users can manage alerts, initiate automated investigations, collect
investigation packages, manage machine tags, and export machine timeline.
Active remediation actions - Users can take response actions and approve or dismiss pending
remediation actions.
Manage portal system settings - Users can configure storage settings, SIEM and threat intel
API settings (applies globally), advanced settings, automated file uploads, roles and machine
groups.
NOTE
This setting is only available in the Windows Defender ATP administrator (default) role.
Manage security settings - Users can configure alert suppression settings, manage
allowed/blocked lists for automation, manage folder exclusions for automation, onboard and
offboard machines, and manage email notifications.
4. Click Next to assign the role to an Azure AD group.
5. Use the filter to select the Azure AD group that you'd like to add to this role.
6. Click Save and close.
7. Apply the configuration settings.
After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it
to a role that you just created.
Edit roles
1. Select the role you'd like to edit.
2. Click Edit.
3. Modify the details or the groups that are assigned to the role.
4. Click Save and close.
Delete roles
1. Select the role you'd like to delete.
2. Click the drop-down button and select Delete role.
Related topic
User basic permissions to access the portal
Create and manage machine groups
Create and manage machine groups in Windows Defender ATP
4/5/2019 • 3 minutes to read
Applies to:
Azure Active Directory
Office 365
Windows Defender Advanced Threat Protection (Windows Defender ATP)
In an enterprise scenario, security operation teams are typically assigned a set of machines. These machines are
grouped together based on a set of attributes such as their domains, computer names, or designated tags.
In Windows Defender ATP, you can create machine groups and use them to:
Limit access to related alerts and data to specific Azure AD user groups with assigned RBAC roles
Configure different auto-remediation settings for different sets of machines
TIP
For a comprehensive look into RBAC application, read: Is your SOC running flat with RBAC.
NOTE
A machine group is accessible to all users if you don’t assign any Azure AD groups to it.
NOTE
For more information on automation levels, see Understand the Automated investigation flow.
Description
Members
TIP
If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For
more information on device tagging, see Manage machine group and tags.
4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the Access
tab.
5. Assign the user groups that can access the machine group you created.
NOTE
You can only grant access to Azure AD user groups that have been assigned to RBAC roles.
WARNING
Deleting a machine group may affect email notification rules. If a machine group is configured under an email notification rule,
it will be removed from that rule. If the machine group is the only group configured for an email notification, that email
notification rule will be deleted along with the machine group.
By default, machine groups are accessible to all users with portal access. You can change the default behavior by
assigning Azure AD user groups to the machine group.
Machines that are not matched to any groups are added to Ungrouped machines (default) group. You cannot
change the rank of this group or delete it. However, you can change the remediation level of this group, and define
the Azure AD user groups that can access this group.
NOTE
Applying changes to machine group configuration may take up to several minutes.
Related topic
Manage portal access using role-based access control
Get list of tenant machine groups using Graph API
Create and manage machine tags
4/5/2019 • 2 minutes to read
Add tags on machines to create a logical group affiliation. Machine group affiliation can represent geographic
location, specific activity, importance level and others.
You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or
who can see information on a specific machine group or groups by assigning the machine group to a user group.
For more information, see Manage portal access using role-based access control.
You can also use machine groups to assign specific remediation levels to apply during automated investigations.
For more information, see Create and manage machine groups.
In an investigation, you can filter the Machines list to just specific machine groups by using the Groups filter.
Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and
to enable dynamic list creation as part of an incident.
You can add tags on machines using the following ways:
By setting a registry key value
By using the portal
NOTE
Applicable only on the following machines:
Windows 10, version 1709 or later
Windows Server, version 1803 or later
Windows Server 2016
Windows Server 2012 R2
Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
Use the following registry key entry to add a tag on a machine:
Registry key: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
Registry key value (string): Group
NOTE
The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to
restart the endpoint, which triggers a new machine information report.
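As an added example (not from the Microsoft docs), the registry tag above can be set, read back, and removed with PowerShell; the function names are mine, while the key path and the Group value name are the ones listed above.

```powershell
# Added example, not from the Microsoft docs; function names are mine.
# Key path and value name are the ones documented above.
$TagKeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'

function Set-WdatpDeviceTag {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Tag)
    # The DeviceTagging policy key is absent until something writes it; create it on demand
    if (-not (Test-Path -Path $TagKeyPath)) {
        New-Item -Path $TagKeyPath -Force | Out-Null
    }
    # 'Group' is a string (REG_SZ) value; -Force overwrites any tag already present
    New-ItemProperty -Path $TagKeyPath -Name 'Group' -Value $Tag -PropertyType String -Force | Out-Null
}

function Get-WdatpDeviceTag {
    if (-not (Test-Path -Path $TagKeyPath)) { return $null }
    # SilentlyContinue: return nothing rather than throw when no tag has been set yet
    (Get-ItemProperty -Path $TagKeyPath -Name 'Group' -ErrorAction SilentlyContinue).Group
}

function Remove-WdatpDeviceTag {
    if (Test-Path -Path $TagKeyPath) {
        Remove-ItemProperty -Path $TagKeyPath -Name 'Group' -ErrorAction SilentlyContinue
    }
}

# Usage (elevated session required because the key lives under HKLM):
# Set-WdatpDeviceTag -Tag 'Finance-EMEA'
# Get-WdatpDeviceTag   # 'Finance-EMEA'; the portal shows it after the next daily machine information report
```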
3. Enter tags on the machine. To add more tags, click the + icon.
4. Click Save and close.
Tags are added to the machine view and will also be reflected on the Machines list view. You can then use
the Tags filter to see the relevant list of machines.
Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the
machine details panel.
Add machine tags using APIs
For more information, see Add or remove machine tags API.
Configure managed security service provider integration
4/5/2019 • 8 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
You'll need to take the following configuration steps to enable the managed security service provider (MSSP)
integration.
NOTE
The following terms are used in this article to distinguish between the service provider and service consumer:
MSSPs: Security organizations that offer to monitor and manage security devices for an organization.
MSSP customers: Organizations that engage the services of MSSPs.
As an MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows
Defender Security Center.
Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B
functionality.
You'll need to take the following 2 steps:
Add MSSP user to your tenant as a guest user
Grant MSSP user access to Windows Defender Security Center
Add MSSP user to your tenant as a guest user
Add a user who is a member of the MSSP tenant to your tenant as a guest user.
To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more
information, see Add Azure Active Directory B2B collaboration users in the Azure portal.
Grant MSSP user access to Windows Defender Security Center
Grant the guest user access and permissions to your Windows Defender Security Center tenant.
Granting access to guest user is done the same way as granting access to a user who is a member of your tenant.
If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator
role in your tenant. For more information, see Use basic permissions to access the portal.
If you're using role-based access control (RBAC), the guest user must be added to the appropriate group or
groups in your tenant. For more information on RBAC in Windows Defender ATP, see Manage portal access
using RBAC.
NOTE
There is no difference between the Member user and Guest user roles from RBAC perspective.
It is recommended that groups are created for MSSPs to make authorization access more manageable.
As an MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the
Azure AD user groups.
By default, MSSP customers access their Windows Defender Security Center tenant through the following URL:
https://securitycenter.windows.com.
MSSPs however, will need to use a tenant-specific URL in the following format:
https://securitycenter.windows.com?tid=customer_tenant_id to access the MSSP customer portal.
In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage.
Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific
URL:
1. As an MSSP, login to Azure AD with your credentials.
2. Switch directory to the MSSP customer's tenant.
3. Select Azure Active Directory > Properties. You'll find the tenant ID in the Directory ID field.
4. Access the MSSP customer portal by replacing the customer_tenant_id value in the following URL:
https://securitycenter.windows.com?tid=customer_tenant_id.
After access to the portal is granted, alert notification rules can be created so that emails are sent to MSSPs when
alerts associated with the tenant are created and the configured conditions are met.
For more information, see Create rules for alert notifications.
These check boxes must be checked:
Include organization name - The customer name will be added to email notifications
Include tenant-specific portal link - Alert link URL will have tenant specific parameter (tid=target_tenant_id)
that allows direct access to target tenant portal
Fetch alerts from MSSP customer's tenant into the SIEM system
NOTE
This action is taken by the MSSP.
To fetch alerts into your SIEM system you'll need to take the following steps:
Step 1: Create a third-party application
Step 2: Get access and refresh tokens from your customer's tenant
Step 3: Whitelist your application on Windows Defender Security Center
Step 1: Create an application in Azure Active Directory (Azure AD)
You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows
Defender ATP tenant.
1. Sign in to the Azure AD portal.
2. Select Azure Active Directory > App registrations.
3. Click New application registration.
4. Specify the following values:
Name: <Tenant_name> SIEM MSSP Connector (replace Tenant_name with the tenant display name)
Application type: Web app / API
Sign-on URL: https://SiemMsspConnector
5. Click Create. The application is displayed in the list of applications you own.
6. Select the application, then click Settings > Properties.
7. Copy the value from the Application ID field.
8. Change the value in the App ID URI to: https://<domain_name>/SiemMsspConnector (replace
<domain_name> with the tenant name).
9. Ensure that the Multi-tenanted field is set to Yes.
10. In the Settings panel, select Reply URLs and add the following URL:
https://localhost:44300/wdatpconnector.
NOTE
In line 30, replace authorzationUrl with authorizationUrl .
3. Create a file with the following content and save it with the name MsspTokensAcquisition.ps1 in the folder:
param (
    [Parameter(Mandatory=$true)][string]$clientId,
    [Parameter(Mandatory=$true)][string]$secret,
    [Parameter(Mandatory=$true)][string]$tenantId
)

# Azure AD endpoints require TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Load the browser login helper downloaded into this folder in the earlier step.
# Assumption: it is the LoginBrowser.psm1 module, whose LoginBrowser function opens the
# authorization URL and returns the authorization code sent to the redirect URI.
Import-Module .\LoginBrowser.psm1

# Configuration parameters
$login = "https://login.microsoftonline.com"
$redirectUri = "https://SiemMsspConnector"
$resourceId = "https://graph.windows.net"

Write-Host 'Prompt the user for his credentials, to get an authorization code'
$authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f
    $login, $tenantId, $clientId, $redirectUri, $resourceId)
Write-Host "authorizationUrl: $authorizationUrl"

# Open the sign-in page and capture the authorization code from the redirect
$code = LoginBrowser $authorizationUrl $redirectUri

# Exchange the authorization code for an access token and a refresh token
$Body = @{
    grant_type = 'authorization_code'
    client_id = $clientId
    code = $code
    redirect_uri = $redirectUri
    resource = $resourceId
    client_secret = $secret
}

$tokenEndpoint = "$login/$tenantId/oauth2/token?"
$Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body
$token = $Response.access_token
$refreshToken = $Response.refresh_token

# Print both tokens; the refresh token is the value to keep for the SIEM connector
Write-Host "Token: $token"
Write-Host "RefreshToken: $refreshToken"
Replace <client_id> with the Application ID you got from the previous step.
Replace <app_key> with the application key you created from the previous step.
Replace <customer_tenant_id> with your customer's tenant ID.
7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to
configure your SIEM connector.
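As an added example that is not part of these docs: once the refresh token from step 8 is saved, it can be exchanged for a new access token without another interactive sign-in, and it can be kept DPAPI-protected on the connector host instead of in clear text. Function names are mine; the endpoint, resource and grant parameters are the standard ones for the Azure AD v1 token endpoint that the acquisition script uses.

```powershell
# Added example, not part of the Microsoft docs. Function names are mine.
function Get-AccessTokenFromRefreshToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$ClientId,      # Application ID from step 1
        [Parameter(Mandatory = $true)][string]$Secret,        # application key from step 1
        [Parameter(Mandatory = $true)][string]$TenantId,      # customer's tenant ID
        [Parameter(Mandatory = $true)][string]$RefreshToken,  # value saved in step 8
        [string]$ResourceId = 'https://graph.windows.net'     # same resource as the acquisition script
    )
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    # refresh_token grant against the Azure AD v1 endpoint; needs no user interaction
    $body = @{
        grant_type    = 'refresh_token'
        client_id     = $ClientId
        client_secret = $Secret
        refresh_token = $RefreshToken
        resource      = $ResourceId
    }
    $tokenEndpoint = "https://login.microsoftonline.com/$TenantId/oauth2/token"
    $response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body
    [pscustomobject]@{
        AccessToken  = $response.access_token
        # Azure AD may return a rotated refresh token; always persist the latest one
        RefreshToken = $response.refresh_token
        ExpiresAt    = (Get-Date).AddSeconds([int]$response.expires_in)
    }
}

function Save-RefreshTokenProtected {
    param(
        [Parameter(Mandatory = $true)][string]$RefreshToken,
        [Parameter(Mandatory = $true)][string]$Path
    )
    # ConvertFrom-SecureString without -Key uses DPAPI, so the file only decrypts for
    # this Windows user on this machine (the account the SIEM connector runs as)
    ConvertTo-SecureString -String $RefreshToken -AsPlainText -Force |
        ConvertFrom-SecureString | Set-Content -Path $Path
}

function Read-RefreshTokenProtected {
    param([Parameter(Mandatory = $true)][string]$Path)
    $secure = Get-Content -Path $Path | Select-Object -First 1 | ConvertTo-SecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Usage: the angle-bracket placeholders stand in for the values from steps 1 and 8
# $store = "$env:USERPROFILE\mssp-refresh.txt"
# Save-RefreshTokenProtected -RefreshToken '<refresh_token>' -Path $store
# $t = Get-AccessTokenFromRefreshToken -ClientId '<client_id>' -Secret '<app_key>' `
#        -TenantId '<customer_tenant_id>' -RefreshToken (Read-RefreshTokenProtected -Path $store)
# Save-RefreshTokenProtected -RefreshToken $t.RefreshToken -Path $store   # keep the rotated token
```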
Step 3: Whitelist your application on Windows Defender Security Center
You'll need to whitelist the application you created in Windows Defender Security Center.
You'll need to have Manage portal system settings permission to whitelist the application. Otherwise, you'll
need to request your customer to whitelist the application for you.
1. Go to https://securitycenter.windows.com?tid=<customer_tenant_id> (replace <customer_tenant_id> with
the customer's tenant ID).
2. Click Settings > SIEM.
3. Select the MSSP tab.
4. Enter the Application ID from the first step and your Tenant ID.
5. Click Authorize application.
You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP
API. For more information, see Pull alerts to your SIEM tools.
In the ArcSight configuration file / Splunk Authentication Properties file you will have to enter your application
key manually by setting the secret value.
Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh
token (or acquire it by other means).
Related topics
Use basic permissions to access the portal
Manage portal access using RBAC
Pull alerts to your SIEM tools
Pull alerts using REST API
Configure and manage Microsoft Threat Experts capabilities
4/30/2019 • 7 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
3. Enter your name and email address so that Microsoft can get back to you on your application.
4. Read the privacy statement, then click Submit when you're done. You will receive a welcome email once
your application is approved.
5. From the navigation pane, go to Settings > General > Advanced features to turn the Threat Experts
toggle on. Click Save preferences.
You can partner with Microsoft Threat Experts, who can be engaged directly from within the Windows Defender
Security Center for timely and accurate response. Experts provide the insights needed to better understand complex
threats and the targeted attack notifications that you get, or to give you more information about the alerts, a potentially
compromised machine, or the threat intelligence context that you see on your portal dashboard.
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the
Incident page. Ensure that the page for the relevant alert or machine is in view before raising an inquiry.
2. From the upper right-hand menu, click ?, then select Ask a threat expert.
3. Asking a threat expert is a two-step process: you need to provide the necessary information and open a
support ticket.
Step 1: Provide information
a. Provide enough information to give the Microsoft Threat Experts enough context to start the
investigation. Select the inquiry category from the Provide information > Inquiry details drop-down
menu.
b. Enter the additional details to give the threat experts more context of what you’d like to investigate. Click
Next, and it takes you to the Open support ticket tab.
c. Remember to use the ID number from the Open a support ticket tab page and include it in the details
you will provide in the subsequent Customer Services and Support (CSS) pages.
Step 2: Open a support ticket
NOTE
To experience the full Microsoft Threat Experts preview capability in Windows Defender ATP, you need to have a
Premier customer service and support account. However, you will not be charged for the Experts-on-demand service
during the preview.
a. In the New support request customer support page, select the following from the dropdown menu and
then click Next:
Select the product family: Security
Select a product: Microsoft Threat Experts
Select a category that best describes the issue: Windows Defender ATP
Select a problem that best describes the issue: Choose according to your inquiry category
b. Fill out the fields with the necessary information about the issue and use the auto-generated ID when
you open a Customer Services and Support (CSS) ticket. Then, click Next.
c. In the Select a support plan page, select Professional No Charge.
d. The severity of your issue has been pre-selected by default, per the support plan, Professional No
Charge, that you'll use for this public preview. Select the time zone by which you'd like to receive the
correspondence. Then, click Next.
e. Verify your contact details and add another if necessary. Then, click Next.
f. Review the summary of your support request, and update if necessary. Make sure that you read and
understand the Microsoft Services Agreement and Privacy Statement. Then, click Submit. You will see
the confirmation page indicating the response time and your support request number.
NOTE
Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However,
the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection
and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response
team to address issues that require an incident response.
Scenario
Receive a progress report about your managed hunting inquiry
Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you
regarding the Ask a threat expert inquiry that you've submitted, within two days, to communicate the investigation
status from the following categories:
More information is needed to continue with the investigation
A file or several file samples are needed to determine the technical context
Investigation requires more time
Initial information was enough to conclude the investigation
It is crucial to respond in a timely manner to keep the investigation moving. See the Premier customer service and
support service level agreement for details.
Configure conditional access in Windows Defender ATP
4/5/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
This section guides you through all the steps you need to take to properly implement conditional access.
Before you begin
WARNING
It's important to note that Azure AD registered devices are not supported in this scenario.
Only Intune enrolled devices are supported.
You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to
enroll devices in Intune:
IT Admin: For more information on how to enable auto-enrollment, see Windows Enrollment
End-user: For more information on how to enroll your Windows 10 device in Intune, see Enroll your Windows
10 device in Intune
End-user alternative: For more information on joining an Azure AD domain, see Set up Azure Active Directory
joined devices.
There are steps you'll need to take in Windows Defender Security Center, the Intune portal, and Azure AD portal.
NOTE
You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
To benefit from Windows Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on
Microsoft Cloud App Security integration.
NOTE
This feature will be available with an E5 license for Enterprise Mobility + Security on machines running Windows 10, version
1709 (OS Build 16299.1085 with KB4493441), Windows 10, version 1803 (OS Build 17134.704 with KB4493464), Windows
10, version 1809 (OS Build 17763.379 with KB4489899) or later Windows 10 versions.
This report is similar to the existing discovery report with one major difference: you can now benefit from visibility
to the machine context.
Notice the new Machines tab that allows you to view the data split to the device dimensions. This is available in
the main report page or any subpage (for example, when drilling down to a specific cloud app).
For more information about cloud discovery, see Working with discovered apps.
If you are interested in trying Microsoft Cloud App Security, see Microsoft Cloud App Security Trial.
Related topic
Microsoft Cloud App Security integration
Configure information protection in Windows
4/22/2019 • 2 minutes to read • Edit Online
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Learn how you can use Windows Defender ATP to expand the coverage of Windows Information Protection (WIP)
to protect files based on their label, regardless of their origin.
TIP
Read our blog post about how Windows Defender ATP integrates with Microsoft Information Protection to discover, protect,
and monitor sensitive data on Windows devices.
Prerequisites
Endpoints need to be on Windows 10, version 1809 or later
You'll need the appropriate license to leverage the Windows Defender ATP and Azure Information Protection
integration
Your tenant needs to be onboarded to Azure Information Protection analytics. For more information, see
Configure a Log Analytics workspace for the reports
Configuration steps
1. Define a WIP policy and assign it to the relevant devices. For more information, see Protect your enterprise
data using Windows Information Protection (WIP). If WIP is already configured on the relevant devices, skip
this step.
2. Define which labels need to get WIP protection in Office 365 Security and Compliance.
a. Go to: Classifications > Labels.
b. Create a new label or edit an existing one.
c. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP.
d. Repeat for every label that you want to get WIP applied to in Windows.
After completing these steps Windows Defender ATP will automatically identify labeled documents stored on the
device and enable WIP on them.
NOTE
The Windows Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take
effect and ensure that the endpoint is online. Otherwise, it will not receive the policy.
Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information
Protection data.
Related topic
Information protection in Windows overview
Configure Windows Defender Security Center settings
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Use the Settings menu to modify general settings, advanced features, enable the preview experience, email
notifications, and the custom threat intelligence feature.
In this section
TOPIC DESCRIPTION
General settings Modify your general settings that were previously defined as
part of the onboarding process.
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After
onboarding, you might want to update the data retention settings.
1. In the navigation pane, select Settings > Data retention.
2. Select the data retention duration from the drop-down list.
NOTE
Other settings are not editable.
Related topics
Update data retention settings
Configure alert notifications in Windows Defender ATP
Enable and create Power BI reports using Windows Defender ATP data
Enable Secure Score security controls
Configure advanced features
Configure alert notifications in Windows Defender ATP
4/8/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This
feature enables you to identify a group of individuals who will immediately be informed and can act on alerts
based on their severity.
NOTE
Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic
permissions management, users with Security Administrator or Global Administrator roles can configure email notifications.
You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email
notification. New recipients get notified about alerts encountered after they are added. For more information
about alerts, see View and organize the Alerts queue.
If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine
groups that were configured in the notification rule. Users with the proper permission can only create, edit, or
delete notifications that are limited to their machine group management scope. Only users assigned to the Global
administrator role can manage notification rules that are configured for all machine groups.
The email notification includes basic information about the alert and a link to the portal where you can do further
investigation.
Machines - Choose whether to notify recipients for alerts on all machines (Global administrator
role only) or on selected machine groups. For more information, see Create and manage machine
groups.
Alert severity - Choose the alert severity level.
4. Click Next.
5. Enter the recipient's email address then click Add recipient. You can add multiple email addresses.
6. Check that email recipients are able to receive the email notifications by selecting Send test email.
7. Click Save notification rule.
Here's an example email notification:
Related topics
Update data retention settings
Enable and create Power BI reports using Windows Defender ATP data
Enable Secure Score security controls
Configure advanced features
Create and build Power BI reports using Windows Defender ATP data
4/22/2019 • 5 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
TIP
Go to Advanced features in the Settings page to turn on the preview features.
Want to experience Windows Defender ATP? Sign up for a free trial.
Understand the security status of your organization, including the status of machines, alerts, and investigations
using the Windows Defender ATP reporting feature that integrates with Power BI.
Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access
Windows Defender ATP data using Microsoft Graph.
Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine
data to build reports and dashboards that meet the needs of your organization.
You can easily get started by:
Creating a dashboard on the Power BI service
Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting
requirements of your organization
You can access these options from Windows Defender Security Center. Both the Power BI service and Power BI
Desktop are supported.
NOTE
Loading your data in the Power BI service can take a few minutes.
5. Click Accept. Power BI service will start downloading your Windows Defender ATP data from Microsoft
Graph. After a successful login, you'll see a notification that data is being imported:
NOTE
Depending on the number of onboarded machines, loading your data in the Power BI service can take several
minutes. A larger number of machines might take longer to load.
When importing data is completed and the dataset is ready, you'll see the following notification:
4. In the AppSource window, select Apps and search for Windows Defender Advanced Threat Protection.
5. Click Get it now.
6. Specify the following details:
extensionDataSourceKind: WDATPConnector
extensionDataSourcePath: WDATPConnector
Authentication method: OAuth2
7. Click Sign in. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to
sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing
Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report
refresh.
8. Click Accept. Power BI service will start downloading your Windows Defender ATP data from Microsoft
Graph. After a successful login, you'll see a notification that data is being imported:
NOTE
Depending on the number of onboarded machines, loading your data in the Power BI service can take several
minutes. A larger number of machines might take longer to load.
When importing data is completed and the dataset is ready, you'll see the following notification:
3. Click Download connector to download the WDATPPowerBI.zip file and extract it.
4. Create a new directory Microsoft Power BI Desktop\Custom Connectors under the user's Documents folder.
5. Copy WDATPDataConnector.mez from the zip to the directory you just created.
6. Open Power BI Desktop.
7. Click File > Options and settings > Custom data connectors.
8. Select New table and matrix visuals and Custom data connectors and click OK.
NOTE
If you are using Power BI Desktop July 2017 version (or later), you won't need to select New table and matrix
visuals. You'll only need to select Custom data connectors.
9. Restart Power BI Desktop.
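Steps 3 to 5 above can be scripted so the connector lands in exactly the folder Power BI Desktop scans. The following PowerShell is an added example, not code from the Microsoft page or the connector package; it assumes WDATPPowerBI.zip has already been downloaded to the current user's Downloads folder (an assumed location) and that the archive contains WDATPDataConnector.mez as the page states.

```powershell
# Added example (not from the Microsoft page): extract the connector package and
# copy WDATPDataConnector.mez into the Custom Connectors folder under Documents.
# Assumption: the zip was saved to the user's Downloads folder.
$zip  = Join-Path $env:USERPROFILE 'Downloads\WDATPPowerBI.zip'
$dest = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Microsoft Power BI Desktop\Custom Connectors'

function Install-WdatpConnector {
    param(
        [string]$ZipPath      = $zip,
        [string]$ConnectorDir = $dest
    )
    if (-not (Test-Path $ZipPath)) { throw "Connector package not found: $ZipPath" }

    # Step 4: create the directory Power BI Desktop looks in (no-op if it exists).
    New-Item -ItemType Directory -Path $ConnectorDir -Force | Out-Null

    # Extract to a private staging folder so only the .mez reaches the connector directory.
    $staging = Join-Path $env:TEMP ('wdatp-connector-' + [guid]::NewGuid())
    Expand-Archive -Path $ZipPath -DestinationPath $staging -Force

    $mez = Get-ChildItem -Path $staging -Filter 'WDATPDataConnector.mez' -Recurse |
        Select-Object -First 1
    if (-not $mez) { throw 'WDATPDataConnector.mez not found inside the archive' }

    # Step 5: copy the connector into place, then clean up the staging folder.
    Copy-Item -Path $mez.FullName -Destination $ConnectorDir -Force
    Remove-Item -Path $staging -Recurse -Force

    # Return the installed file so the caller can confirm path and size.
    Get-Item (Join-Path $ConnectorDir 'WDATPDataConnector.mez')
}

Install-WdatpConnector
```

After this runs, continue with step 6 (open Power BI Desktop) and the Custom data connectors option; the connector only appears once Power BI Desktop has been restarted.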
2. Click Connect.
3. On the Preview Connector windows, click Continue.
4. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give
consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows
Defender ATP Power BI to sign in and read your profile, and access your data.
5. Click Accept. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft
Graph. When all data has been downloaded, you can proceed to customize your reports.
6. In the Navigator dialog box, select the Windows Defender ATP feeds you'd like to download and use in
your reports and click Load. Data will start to be downloaded from the Microsoft Graph.
7. Load other data sources by clicking Get data item in the Home ribbon, and select another data source.
8. Add visuals and select fields from the available data sources.
Related topic
Beta Create custom Power BI reports
Enable Secure Score security controls
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard.
If you use third-party solutions, consider excluding the corresponding controls from the calculations.
NOTE
Changes might take up to a few hours to reflect on the dashboard.
Related topics
View the Secure Score dashboard
Update data retention settings for Windows Defender ATP
Configure alert notifications in Windows Defender ATP
Enable and create Power BI reports using Windows Defender ATP data
Configure advanced features in Windows Defender ATP
Configure advanced features in Windows Defender ATP
5/2/2019 • 5 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Depending on the Microsoft security products that you use, some advanced features might be available for you
to integrate Windows Defender ATP with.
Use the following advanced features to get better protected from potentially malicious files and gain better
insight during security investigations:
Automated investigation
When you enable this feature, you'll be able to take advantage of the automated investigation and remediation
features of the service. For more information, see Automated investigations.
TIP
For tenants created prior to that version, you'll need to manually turn this feature on from the Advanced features page.
NOTE
The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts
found on a machine.
If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve
capability will not overwrite it.
Block file
This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware
solution and the cloud-based protection feature is enabled. See Block files in your network for more details.
If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block
potentially malicious files in your network. Blocking a file prevents it from being read, written, or executed on
machines in your organization.
NOTE
When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype
communications which allows communications to the user while they are disconnected from the network. This setting
applies to Skype and Outlook communication when machines are in isolation mode.
NOTE
You'll need to have the appropriate license to enable this feature.
Enable the Windows Defender ATP integration from the Azure ATP portal
To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP
portal.
1. Login to the Azure portal with a Global Administrator or Security Administrator role.
2. Click Create a workspace or use your primary workspace.
3. Toggle the Integration setting to On and click Save.
When you complete the integration steps on both portals, you'll be able to see relevant alerts in the machine
details or user details page.
To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows
Defender ATP settings in the Security & Compliance dashboard. For more information, see Office 365 Threat
Intelligence overview.
NOTE
The Microsoft Threat Experts capability in Windows Defender ATP is available with an E5 license for Enterprise Mobility +
Security.
NOTE
This feature is available with an E5 license for Enterprise Mobility + Security on machines running Windows 10 version
1809 or later.
NOTE
You'll need to enable the integration on both Intune and Windows Defender ATP to use this feature.
Preview features
Learn about new features in the Windows Defender ATP preview release and be among the first to try
upcoming features by turning on the preview experience.
You'll have access to upcoming features which you can provide feedback on to help improve the overall
experience before features are generally available.
Related topics
Update data retention settings
Configure alert notifications
Enable and create Power BI reports using Windows Defender ATP data
Enable Secure Score security controls
Use basic permissions to access the portal
4/8/2019 • 2 minutes to read
Applies to:
Azure Active Directory
Windows Defender Advanced Threat Protection (Windows Defender ATP)
NOTE
You need to run the PowerShell cmdlets in an elevated command-line.
Connect to your Azure Active Directory. For more information, see Connect-MsolService.
Full access
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and
download the onboarding package. Assigning full access rights requires adding the users to the "Security
Administrator" or "Global Administrator" AAD built-in roles.
Read only access
Users with read only access can log in, view all alerts, and related information. They will not be able to change
alert states, submit files for deep analysis or perform any state changing operations. Assigning read only access
rights requires adding the users to the "Security Reader" AAD built-in role.
Use the following steps to assign security roles:
For read and write access, assign users to the security administrator role by using the following command:
Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
For read only access, assign users to the security reader role by using the following command:
Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com"
For more information, see Add or remove group memberships.
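Because the Security Administrator role grants full write access to the portal, it is worth making the assignment idempotent and reviewing who already holds each role. The following PowerShell is an added example, not code from the Microsoft page; it uses the same MSOnline cmdlets the page relies on (Add-MsolRoleMember, plus Get-MsolRole and Get-MsolRoleMember for the membership check) and assumes Connect-MsolService has already been run in an elevated session. The function and parameter names are the example's own, and the e-mail addresses are constructed placeholders in the page's Contoso style.

```powershell
# Added example (not from the Microsoft page): assign a user to one of the two
# AAD built-in roles the page names, but only if they are not already a member,
# and list current members so over-privileged accounts are easy to spot.
# Assumes Connect-MsolService has already been run in an elevated session.

function Get-PortalRoleMembers {
    param([Parameter(Mandatory)][string]$RoleName)
    $role = Get-MsolRole -RoleName $RoleName
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Select-Object @{ n = 'Role'; e = { $RoleName } }, DisplayName, EmailAddress, RoleMemberType
}

function Grant-PortalAccess {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        # Only the two roles the page maps to portal access are accepted.
        [Parameter(Mandatory)][ValidateSet('Security Administrator', 'Security Reader')]
        [string]$RoleName
    )
    $existing = Get-PortalRoleMembers -RoleName $RoleName |
        Where-Object { $_.EmailAddress -eq $UserPrincipalName }
    if ($existing) {
        Write-Verbose "$UserPrincipalName already holds $RoleName; nothing to do"
        return
    }
    Add-MsolRoleMember -RoleName $RoleName -RoleMemberEmailAddress $UserPrincipalName
}

# Usage with constructed placeholder addresses: read-only access for an analyst.
Grant-PortalAccess -UserPrincipalName 'reader@Contoso.onmicrosoft.com' -RoleName 'Security Reader' -Verbose

# Review both roles; every Security Administrator has full write access to the portal,
# so this list should be short and deliberately maintained.
'Security Administrator', 'Security Reader' |
    ForEach-Object { Get-PortalRoleMembers -RoleName $_ } |
    Format-Table -AutoSize
```

Prefer the Security Reader role for anyone who only needs to view alerts; the membership listing at the end makes it simple to confirm that the administrator role has not quietly grown over time.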
Related topic
Manage portal access using RBAC
Manage portal access using role-based access control
4/22/2019 • 2 minutes to read
Applies to:
Azure Active Directory
Office 365
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Using role-based access control (RBAC), you can create roles and groups within your security operations team
to grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained
control over what users with access to the portal can see and do.
Large geo-distributed security operations teams typically adopt a tier-based model to assign and authorize
access to security portals. Typical tiers include the following three levels:
TIER DESCRIPTION
Windows Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you
granular control over what roles can see, machines they can access, and actions they can take. The RBAC
framework is centered around the following controls:
Control who can take specific action
Create custom roles and control what Windows Defender ATP capabilities they can access with
granularity.
Control who can see information on specific machine group or groups
Create machine groups by specific criteria such as names, tags, domains, and others, then grant role
access to them using a specific Azure Active Directory (Azure AD) user group.
To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and
assign Azure AD user groups assigned to the roles.
Before you begin
Before using RBAC, it's important that you understand the roles that can grant permissions and the
consequences of turning on RBAC.
WARNING
Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in
Azure AD and that you have your Azure AD groups ready to reduce the risk of being locked out of the portal.
When you first log in to Windows Defender Security Center, you're granted either full access or read only
access. Full access rights are granted to users with Security Administrator or Global Administrator roles in
Azure AD. Read only access is granted to users with a Security Reader role in Azure AD.
Someone with a Windows Defender ATP Global administrator role has unrestricted access to all machines,
regardless of their machine group association and the Azure AD user group assignments.
WARNING
Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign
roles in Windows Defender Security Center, therefore, having the right groups ready in Azure AD is important.
Turning on role-based access control will cause users with read-only permissions (for example, users assigned
to Azure AD Security reader role) to lose access until they are assigned to a role.
Users with admin permissions are automatically assigned the default built-in Windows Defender ATP global administrator
role with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or
Security Administrators to the Windows Defender ATP global administrator role.
After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.
Related topic
Create and manage machine groups in Windows Defender ATP
Create and manage roles for role-based access control
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
NOTE
This setting is only available in the Windows Defender ATP administrator (default) role.
Edit roles
1. Select the role you'd like to edit.
2. Click Edit.
3. Modify the details or the groups that are assigned to the role.
4. Click Save and close.
Delete roles
1. Select the role you'd like to delete.
2. Click the drop-down button and select Delete role.
Related topic
Use basic permissions to access the portal
Create and manage machine groups
Create and manage machine groups in Windows Defender ATP
4/5/2019 • 3 minutes to read
Applies to:
Azure Active Directory
Office 365
Windows Defender Advanced Threat Protection (Windows Defender ATP)
In an enterprise scenario, security operation teams are typically assigned a set of machines. These
machines are grouped together based on a set of attributes such as their domains, computer names, or
designated tags.
In Windows Defender ATP, you can create machine groups and use them to:
Limit access to related alerts and data to specific Azure AD user groups with assigned RBAC roles
Configure different auto-remediation settings for different sets of machines
TIP
For a comprehensive look into RBAC application, read: Is your SOC running flat with RBAC.
NOTE
A machine group is accessible to all users if you don’t assign any Azure AD groups to it.
NOTE
For more information on automation levels, see Understand the Automated investigation
flow.
Description
Members
TIP
If you want to group machines by organizational unit, you can configure the registry key for the group
affiliation. For more information on device tagging, see Manage machine group and tags.
4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click
the Access tab.
5. Assign the user groups that can access the machine group you created.
NOTE
You can only grant access to Azure AD user groups that have been assigned to RBAC roles.
WARNING
Deleting a machine group may affect email notification rules. If a machine group is configured under an email
notification rule, it will be removed from that rule. If the machine group is the only group configured for an email
notification, that email notification rule will be deleted along with the machine group.
By default, machine groups are accessible to all users with portal access. You can change the default
behavior by assigning Azure AD user groups to the machine group.
Machines that are not matched to any groups are added to the Ungrouped machines (default) group. You
cannot change the rank of this group or delete it. However, you can change the remediation level of this
group, and define the Azure AD user groups that can access this group.
NOTE
Applying changes to machine group configuration may take up to several minutes.
Related topic
Manage portal access using role-based access control
Get list of tenant machine groups using Graph API
Create and manage machine tags
4/5/2019 • 2 minutes to read
Add tags on machines to create a logical group affiliation. Machine group affiliation can represent geographic
location, specific activity, importance level and others.
You can create machine groups in the context of role-based access (RBAC) to control who can take specific action
or who can see information on a specific machine group or groups by assigning the machine group to a user
group. For more information, see Manage portal access using role-based access control.
You can also use machine groups to assign specific remediation levels to apply during automated investigations.
For more information, see Create and manage machine groups.
In an investigation, you can filter the Machines list to just specific machine groups by using the Groups filter.
Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and
to enable dynamic list creation as part of an incident.
You can add tags on machines using the following ways:
By setting a registry key value
By using the portal
NOTE
Applicable only on the following machines:
Windows 10, version 1709 or later
Windows Server, version 1803 or later
Windows Server 2016
Windows Server 2012 R2
Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
Use the following registry key entry to add a tag on a machine:
Registry key: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
Registry key value (string): Group
NOTE
The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to
restart the endpoint that would transfer a new machine information report.
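The registry method above is easy to script for a fleet. The following PowerShell is an added example, not code from the Microsoft page; it writes the Group string value under the DeviceTagging key exactly as the page specifies and reads it back, and it assumes an elevated session on the endpoint. The function names and the sample tag value are the example's own.

```powershell
# Added example (not from the Microsoft page): set the device-tagging registry
# value the page describes, then read it back. Run in an elevated session.
$TagKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'

function Set-DeviceTag {
    param([Parameter(Mandatory)][string]$Tag)
    if (-not (Test-Path $TagKey)) {
        # -Force also creates any missing parent keys along the path.
        New-Item -Path $TagKey -Force | Out-Null
    }
    # The value name is fixed ("Group") and its type is REG_SZ (string).
    Set-ItemProperty -Path $TagKey -Name 'Group' -Value $Tag -Type String
}

function Get-DeviceTag {
    if (Test-Path $TagKey) {
        (Get-ItemProperty -Path $TagKey -Name 'Group' -ErrorAction SilentlyContinue).Group
    }
}

Set-DeviceTag -Tag 'Finance-Workstations'   # constructed sample tag value
Get-DeviceTag                               # should echo the tag just written
```

As the note above says, the tag only reaches the portal with the next daily machine information report (or after a restart), so a tag that does not show up immediately is not necessarily a misconfiguration.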
3. Enter tags on the machine. To add more tags, click the + icon.
4. Click Save and close.
Tags are added to the machine view and will also be reflected on the Machines list view. You can then use
the Tags filter to see the relevant list of machines.
Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the
machine details panel.
Add machine tags using APIs
For more information, see Add or remove machine tags API.
Enable the custom threat intelligence API in Windows Defender ATP
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat
intelligence application through Windows Defender Security Center.
1. In the navigation pane, select Settings > Threat intel.
2. Select Enable threat intel API. This activates the Azure Active Directory application setup sections
with pre-populated values.
3. Copy the individual values or select Save details to file to download a file that contains all the values.
WARNING
The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
For more information about getting a new secret, see Learn how to get a new secret.
Related topics
Understand threat intelligence concepts
Create custom alerts using the threat intelligence API
PowerShell code examples for the custom threat intelligence API
Python code examples for the custom threat intelligence API
Experiment with custom threat intelligence alerts
Troubleshoot custom threat intelligence issues
Enable SIEM integration in Windows Defender ATP
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Enable security information and event management (SIEM) integration so you can pull alerts from Windows
Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API.
Prerequisites
The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD).
This is typically someone with a Global administrator role.
During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you
allow pop-ups for this site.
TIP
If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker
settings of your browser. It might be blocking the new window being opened when you enable the capability.
2. Select Enable SIEM integration. This activates the SIEM connector access details section with pre-
populated values and an application is created under your Azure Active Directory (AAD) tenant.
WARNING
The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
For more information about getting a new secret, see Learn how to get a new secret.
3. Choose the SIEM type you use in your organization.
NOTE
If you select HP ArcSight, you'll need to save these two configuration files:
WDATP-connector.jsonparser.properties
WDATP-connector.properties
If you want to connect directly to the alerts REST API through programmatic access, choose Generic
API.
4. Copy the individual values or select Save details to file to download a file that contains all the values.
5. Select Generate tokens to get an access and refresh token.
NOTE
You'll need to generate a new Refresh token every 90 days.
You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through
programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive
alerts from Windows Defender Security Center.
Integrate Windows Defender ATP with IBM QRadar
You can configure IBM QRadar to collect alerts from Windows Defender ATP. For more information, see IBM
Knowledge Center.
Related topics
Configure Splunk to pull Windows Defender ATP alerts
Configure HP ArcSight to pull Windows Defender ATP alerts
Windows Defender ATP alert API fields
Pull Windows Defender ATP alerts using REST API
Troubleshoot SIEM tool integration issues
Manage suppression rules
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
There might be scenarios where you need to suppress alerts from appearing in the portal. You can create
suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your
organization. For more information on how to suppress alerts, see Suppress alerts.
You can view a list of all the suppression rules and manage them in one place. You can also turn an alert
suppression rule on or off.
Related topics
Manage alerts
Manage automation allowed/blocked lists
4/16/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Create a rule to control which entities are automatically incriminated or exonerated during Automated
investigations.
Entities added to the allowed list are considered safe and will not be analyzed during Automated investigations.
Entities added to the blocked list are considered malicious and will be remediated during Automated
investigations.
You can define the conditions for when entities are identified as malicious or safe based on certain attributes such
as hash values or certificates.
Edit a list
1. In the navigation pane, select Settings > Automation allowed/blocked list.
2. Select the tab of the entity type you'd like to edit the list from.
3. Update the details of the rule and click Update rule.
Delete a list
1. In the navigation pane, select Settings > Automation allowed/blocked list.
2. Select the tab of the entity type you'd like to delete the list from.
3. Select the list type by clicking the check-box beside the list type.
4. Click Delete.
Related topics
Manage automation file uploads
Manage allowed/blocked lists
Manage automation folder exclusions
Manage indicators
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be
taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
On the top navigation you can:
Import a list
Add an indicator
Customize columns to add or remove columns
Export the entire list in CSV format
Select the items to show per page
Navigate between pages
Apply filters
Create an indicator
1. In the navigation pane, select Settings > Allowed/blocked list.
2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following
entities:
File hash
IP address
URLs/Domains
3. Click Add indicator.
4. For each attribute specify the following details:
Indicator - Specify the entity details and define the expiration of the indicator.
Action - Specify the action to be taken and provide a description.
Scope - Define the scope of the machine group.
5. Review the details in the Summary tab, then click Save.
NOTE
Blocking IPs, domains, or URLs is currently available on limited preview only. This requires sending your custom list to
network protection to be enforced, which is an option that will be generally available soon. As it is not yet generally available,
when an Automated investigation finds this indicator during an investigation it will use the allowed/blocked list as the basis of its
decision to automatically remediate (blocked list) or skip (allowed list) the entity.
Manage indicators
1. In the navigation pane, select Settings > Allowed/blocked list.
2. Select the tab of the entity type you'd like to manage.
3. Update the details of the indicator and click Save or click the Delete button if you'd like to remove the
entity from the list.
Import a list
You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other
details.
Download the sample CSV to know the supported column attributes.
Related topics
Manage automation allowed/blocked lists
Manage automation file uploads
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to
the cloud for additional inspection in Automated investigation.
Identify the files and email attachments by specifying the file extension names and email attachment extension
names.
For example, if you add exe and bat as file or attachment extension names, then all files or attachments with those
extensions will automatically be sent to the cloud for additional inspection during Automated investigation.
Related topics
Manage automation allowed/blocked lists
Manage automation folder exclusions
Manage automation folder exclusions
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Automation folder exclusions allow you to specify folders that the Automated investigation will skip.
You can control the following attributes about the folder that you'd like to be skipped:
Folders
Extensions of the files
File names
Folders
You can specify a folder and its subfolders to be skipped. You can use wildcards so that all files under the directory
are skipped by the automated investigation.
Extensions
You can specify the extensions to exclude in a specific directory. The extensions are a way to prevent an attacker
from using an excluded folder to hide an exploit. The extensions explicitly define which files to ignore.
File names
You can specify the file names that you want to be excluded in a specific directory. The names are a way to prevent
an attacker from using an excluded folder to hide an exploit. The names explicitly define which files to ignore.
Related topics
Manage automation allowed/blocked lists
Manage automation file uploads
Onboard machines to the Windows Defender ATP service
4/22/2019 • 5 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You need to turn on the sensor to give visibility within Windows Defender ATP.
For more information, see Onboard your Windows 10 machines to Windows Defender ATP.
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
Windows 10 Enterprise E5
Windows 10 Education E5
Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
For more information, see Windows 10 Licensing.
NOTE
Machines that are running mobile versions of Windows are not supported.
NOTE
You'll need to know the exact Linux distros and macOS versions that are compatible with Windows Defender ATP for the
integration to work.
NOTE
You cannot change your data storage location after the first-time setup.
Review the Windows Defender ATP data storage and privacy for more information on where and how Microsoft stores
your data.
sc qc diagtrack
If the service is enabled, then the result should look like the following screenshot:
If the START_TYPE is not set to AUTO_START, then you'll need to set the service to automatically start.
Use the command line to set the Windows 10 diagnostic data service to automatically start:
1. Open an elevated command-line prompt on the endpoint:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:
3. A success message is displayed. Verify the change by entering the following command, and press Enter:
sc qc diagtrack
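The same check and fix can be done from PowerShell, which also lets you verify the service is actually running rather than only set to AUTO_START. The following is an added example, not code from the Microsoft page; it queries the DiagTrack service through Win32_Service (where StartMode 'Auto' corresponds to the AUTO_START value shown by `sc qc diagtrack`) and uses Set-Service to switch the start type to Automatic. The function names are the example's own, and changing the start type needs an elevated session.

```powershell
# Added example (not from the Microsoft page): confirm the Windows diagnostic data
# service (DiagTrack) is set to start automatically and is running; fix it if not.
function Test-DiagTrackReady {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DiagTrack'"
    if (-not $svc) { throw 'DiagTrack service not found on this machine' }
    [pscustomobject]@{
        Name      = $svc.Name
        StartMode = $svc.StartMode   # 'Auto' is what sc qc reports as AUTO_START
        State     = $svc.State       # 'Running' or 'Stopped'
        Ready     = ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')
    }
}

function Enable-DiagTrackAutoStart {
    # Same effect as setting the start type with sc config (elevated session required).
    Set-Service -Name DiagTrack -StartupType Automatic
    Start-Service -Name DiagTrack -ErrorAction SilentlyContinue
    # Re-query so the caller sees the post-change state, as step 3 above verifies.
    Test-DiagTrackReady
}

$status = Test-DiagTrackReady
if ($status.Ready) { $status } else { Enable-DiagTrackAutoStart }
```

A machine where StartMode is 'Auto' but State is 'Stopped' will pass the `sc qc` check in step 3 yet still not report, so checking both fields before onboarding saves a troubleshooting round trip later.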
Internet connectivity
Internet connectivity on machines is required either directly or through proxy.
The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the
Windows Defender ATP cloud service and report cyber data. One-off activities such as file uploads and
investigation package collection are not included in this daily average bandwidth.
For more information on additional proxy configuration settings, see Configure machine proxy and Internet
connectivity settings.
Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in
Windows 10.
In this section
Topic - Description
Onboard previous versions of Windows - Onboard Windows 7 and Windows 8.1 machines to Windows Defender ATP.
Onboard Windows 10 machines - You'll need to onboard machines for them to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise.
Run a detection test on a newly onboarded machine - Run a script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service.
Configure proxy and Internet settings - Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
Troubleshoot onboarding issues - Learn about resolving issues that might arise during onboarding.
Applies to:
macOS
Linux
Windows Server 2012 R2
Windows Server 2016
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Offboard Servers
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Use the Time zone menu to configure the time zone and view license information.
Troubleshoot issues that might arise as you use Windows Defender ATP capabilities.
In this section
Topic - Description
Troubleshoot sensor state - Find solutions for issues related to the Windows Defender ATP sensor.
Troubleshoot service issues - Fix issues related to the Windows Defender Advanced Threat service.
Troubleshoot attack surface reduction - Fix issues related to network protection and attack surface reduction rules.
Troubleshoot next generation protection - If you encounter a problem with antivirus, you can search the tables in this topic to find a matching issue and potential solution.
Check sensor health state in Windows Defender ATP
4/5/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The sensor health tile provides information on the individual machine’s ability to provide sensor data and
communicate with the Windows Defender ATP service. It reports how many machines require attention and helps
you identify problematic machines and take action to correct known issues.
There are two status indicators on the tile that provide information on the number of machines that are not
reporting properly to the service:
Misconfigured - These machines might partially be reporting sensor data to the Windows Defender ATP
service and might have configuration errors that need to be corrected.
Inactive - Machines that have stopped reporting to the Windows Defender ATP service for more than seven
days in the past month.
Clicking any of the groups directs you to the Machines list, filtered according to your choice.
You can also download the entire list in CSV format using the Export to CSV feature. For more information on
filters, see View and organize the Machines list.
You can filter the health state list by the following status:
Active - Machines that are actively reporting to the Windows Defender ATP service.
Misconfigured - These machines might partially be reporting sensor data to the Windows Defender ATP
service but have configuration errors that need to be corrected. Misconfigured machines can have either one or
a combination of the following issues:
No sensor data - The machine has stopped sending sensor data. Only limited alerts can be triggered from the
machine.
Impaired communications - The ability to communicate with the machine is impaired. Sending files for deep
analysis, blocking files, isolating the machine from the network and other actions that require communication
with the machine may not work.
Inactive - Machines that have stopped reporting to the Windows Defender ATP service.
You can view the machine details when you click on a misconfigured or inactive machine. You’ll see more specific
machine information when you click the information icon.
In the Machines list, you can download a full list of all the machines in your organization in a CSV format.
NOTE
Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization,
regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on
how large your organization is.
Related topic
Fix unhealthy sensors in Windows Defender ATP
Fix unhealthy sensors in Windows Defender ATP
4/18/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section
provides some explanations as to what might have caused a machine to be categorized as inactive or
misconfigured.
Inactive machines
An inactive machine is not necessarily flagged due to an issue. The following actions taken on a machine can cause
a machine to be categorized as inactive:
Machine is not in use
If the machine has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the
portal.
Machine was reinstalled or renamed
A reinstalled or renamed machine will generate a new machine entity in Windows Defender Security Center. The
previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed
the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting
normally.
Machine was offboarded
If the machine was offboarded, it will still appear in the Machines list. After 7 days, the machine health state should
change to inactive.
Machine is not sending signals
If the machine is not sending any signals for more than 7 days to any of the Windows Defender ATP channels, for
any reason including conditions that fall under the misconfigured machines classification, it can be considered
inactive.
Do you expect a machine to be in ‘Active’ status? Open a support ticket.
Misconfigured machines
Misconfigured machines can further be classified as:
Impaired communications
No sensor data
Impaired communications
This status indicates that there's limited communication between the machine and the service.
The following suggested actions can help fix issues related to a misconfigured machine with impaired
communications:
Ensure the machine has Internet connection
The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and
communicate with the Windows Defender ATP service.
Verify client connectivity to Windows Defender ATP service URLs
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate
through the proxy server in your environment, and that the proxy server allows traffic to the Windows
Defender ATP service URLs.
If you took corrective actions and the machine status is still misconfigured, open a support ticket.
No sensor data
A misconfigured machine with status ‘No sensor data’ has communication with the service but can only report
partial sensor data. Follow these actions to correct known issues related to a misconfigured machine with status
‘No sensor data’:
Ensure the machine has Internet connection
The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and
communicate with the Windows Defender ATP service.
Verify client connectivity to Windows Defender ATP service URLs
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate
through the proxy server in your environment, and that the proxy server allows traffic to the Windows
Defender ATP service URLs.
Ensure the diagnostic data service is enabled
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data
service is set to automatically start and is running on the endpoint.
Ensure that Windows Defender Antivirus is not disabled by policy
If your machines are running a third-party antimalware client, the Windows Defender ATP agent needs the
Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
If you took corrective actions and the machine status is still misconfigured, open a support ticket.
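The checks listed above for impaired communications and no sensor data, scripted for a single endpoint. This is an added example, not a script from the Windows Defender ATP documentation; it assumes the sensor runs as the service named Sense, the diagnostic data service is DiagTrack, and that you replace the placeholder host list with the service URLs from your proxy and connectivity guidance.

```powershell
# Added example, not from the Windows Defender ATP docs: runs the local checks behind the
# "Impaired communications" and "No sensor data" actions (diagnostic data service state,
# WinHTTP proxy, reachability of the service hosts, sensor service state).
# Assumptions: service names 'Sense' (the ATP sensor) and 'DiagTrack' (Connected User
# Experiences and Telemetry); $ServiceHosts is a placeholder list to fill from your URL list.
param(
    [string[]]$ServiceHosts = @('PLACEHOLDER-wdatp-service-host.example')
)

function Test-RequiredService {
    # A service counts as healthy when it is running and set to start automatically
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Check = "$Name service"; Ok = $false; Detail = 'not installed' }
    }
    $ok = ($svc.Status -eq 'Running') -and ($svc.StartType -eq 'Automatic')
    [pscustomobject]@{ Check = "$Name service"; Ok = $ok; Detail = "Status=$($svc.Status) StartType=$($svc.StartType)" }
}

function Get-WinHttpProxy {
    # Parses 'netsh winhttp show proxy'; $null means direct access (no WinHTTP proxy configured)
    $text = (netsh winhttp show proxy) -join "`n"
    if ($text -match 'Proxy Server\(s\)\s*:\s*(\S+)') { return $Matches[1] }
    return $null
}

function Test-ServiceReachability {
    # With a WinHTTP proxy the client only needs TCP reachability to the proxy; without one,
    # each service host must accept TCP 443 directly. A TCP probe does not prove that the
    # proxy allow-lists the service URLs, so a passing probe with a misconfigured machine
    # still points at the proxy rules.
    param([string[]]$Hosts)
    $proxy = Get-WinHttpProxy
    if ($proxy) {
        $first = ($proxy -split ';')[0] -replace '^https?=', ''   # "https=host:8080;..." -> "host:8080"
        $parts = $first -split ':'
        $port  = 80
        if ($parts.Count -gt 1) { $port = [int]$parts[1] }
        $ok = Test-NetConnection -ComputerName $parts[0] -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        return [pscustomobject]@{ Check = "WinHTTP proxy $first reachable"; Ok = [bool]$ok; Detail = 'service hosts are reached via the proxy' }
    }
    foreach ($h in $Hosts) {
        $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "$h TCP 443"; Ok = [bool]$ok; Detail = 'direct (no WinHTTP proxy)' }
    }
}

$results = @(
    Test-RequiredService -Name 'DiagTrack'
    Test-RequiredService -Name 'Sense'
) + @(Test-ServiceReachability -Hosts $ServiceHosts)

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) check(s) failed; fix these first, then recheck the machine's health state in the portal."
}
```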
Related topic
Check sensor health state in Windows Defender ATP
Review events and errors using Event Viewer
4/5/2019 • 10 minutes to read
Applies to:
Event Viewer
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can review event IDs in the Event Viewer on individual machines.
For example, if machines are not appearing in the Machines list, you might need to look for event IDs on the
machines. You can then use this table to determine further troubleshooting steps.
NOTE
It can take several days for machines to begin reporting to the Windows Defender ATP service.
Open Event Viewer and find the Windows Defender ATP service event log:
1. Click Start on the Windows menu, type Event Viewer, and press Enter.
2. In the log list, under Log Summary, scroll until you see Microsoft-Windows-SENSE/Operational.
Double-click the item to open the log.
a. You can also access the log by expanding Applications and Services Logs > Microsoft > Windows >
SENSE and click on Operational.
NOTE
SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by
the service.
EVENT ID MESSAGE DESCRIPTION ACTION
Event ID 12
Message: Windows Defender Advanced Threat Protection failed to apply the default configuration.
Description: Service was unable to apply the default configuration.
Action: This error should resolve after a short period of time.
Event ID 17
Message: Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable.
Description: An error occurred with the Windows telemetry service.
Action: Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.
Event ID 18
Message: OOBE (Windows Welcome) is completed.
Description: Service will only start after any Windows updates have finished installing.
Action: Normal operating notification; no action required.
Event ID 19
Message: OOBE (Windows Welcome) has not yet completed.
Description: Service will only start after any Windows updates have finished installing.
Action: Normal operating notification; no action required. If this error persists after a system restart, ensure all Windows updates have fully installed.
Event ID 20
Message: Cannot wait for OOBE (Windows Welcome) to complete. Failure code: variable.
Description: Internal error.
Action: If this error persists after a system restart, ensure all Windows updates have fully installed.
Event ID 25
Message: Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: variable.
Description: The machine did not onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.
Event ID 26
Message: Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: variable.
Description: The machine did not onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.
Event ID 28
Message: Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: variable.
Description: An error occurred with the Windows telemetry service.
Action: Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.
Event ID 29
Message: Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3
Description: This event occurs when the system can't read the offboarding parameters.
Action: Ensure the machine has Internet access, then run the entire offboarding process again.
Event ID 31
Message: Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: variable.
Description: An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.
Action: Check for errors with the Windows telemetry service.
Event ID 32
Message: Windows Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1
Description: An error occurred during offboarding.
Action: Reboot the machine.
Event ID 34
Message: Windows Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: variable.
Description: An error occurred with the Windows telemetry service.
Action: Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.
Event ID 35
Message: Windows Defender Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: variable.
Description: An error occurred with the Windows telemetry service during offboarding. The offboarding process continues.
Action: Check for errors with the Windows diagnostic data service.
Event ID 40
Message: Battery state is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.
Description: The machine has low battery level and will contact the server less frequently.
Action: Normal operating notification; no action required.
Event ID 42
Message: Windows Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4
Description: Internal error. The service failed to start.
Action: If this error persists, contact Support.
Event ID 43
Message: Windows Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5
Description: Internal error. The service failed to start.
Action: If this error persists, contact Support.
Event ID 45
Message: Failed to register and to start the event trace session [%1]. Error code: %2
Description: An error occurred on service startup while creating ETW session. This caused service start-up failure.
Action: If this error persists, contact Support.
Event ID 48
Message: Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider will not be reported.
Description: Failed to add a provider to ETW session. As a result, the provider events aren’t reported.
Action: Check the error code. If the error persists contact Support.
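A triage script for the SENSE operational log that applies the table above: it groups recent events by ID, separates the informational IDs from those that need attention, and prints a condensed version of the recommended action. This is an added example, not part of the documentation; the condensed action text is mine and the log name is the one named in the steps above.

```powershell
# Added example, not from the Windows Defender ATP docs: summarises recent
# Microsoft-Windows-SENSE/Operational events using the event ID table on this page.
# The action strings below are condensed versions of the table's Action column.
$actionById = @{
    12 = 'Transient: should resolve after a short period.'
    17 = 'Ensure the diagnostic data service is enabled; redeploy the onboarding package.'
    18 = 'OOBE completed (informational).'
    19 = 'OOBE pending; if it persists after a restart, ensure all Windows updates are fully installed.'
    20 = 'If it persists after a restart, ensure all Windows updates are fully installed.'
    25 = 'Onboarding incomplete; redeploy the onboarding package (registry/SCCM registration).'
    26 = 'Onboarding incomplete; redeploy the onboarding package (registry/SCCM registration).'
    28 = 'Ensure the diagnostic data service is enabled; redeploy the onboarding package.'
    29 = 'Ensure Internet access, then rerun the whole offboarding process.'
    31 = 'Check the Windows telemetry service for errors (offboarding continues).'
    32 = 'Reboot the machine.'
    34 = 'Ensure the diagnostic data service is enabled; redeploy the onboarding package.'
    35 = 'Check the Windows diagnostic data service for errors (offboarding continues).'
    40 = 'Low battery, reduced reporting cadence (informational).'
    42 = 'Internal error, service failed to start; contact Support if it persists.'
    43 = 'Internal error, service failed to start; contact Support if it persists.'
    45 = 'ETW session could not be created at startup; contact Support if it persists.'
    48 = 'ETW provider not added, its events are not reported; check the error code, contact Support if it persists.'
}
# IDs the table marks as normal operating notifications (or self-resolving)
$informational = 12, 18, 19, 40

function Get-SenseEventSummary {
    param([int]$Days = 7, [int]$MaxEvents = 500)
    $filter = @{
        LogName   = 'Microsoft-Windows-SENSE/Operational'
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # No matching events is a non-terminating error for Get-WinEvent; treat it as an empty result
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning 'No SENSE events found in the window: the sensor may not be onboarded yet, or the log is empty.'
        return
    }
    $events | Where-Object { $actionById.ContainsKey($_.Id) } |
        Group-Object -Property Id | ForEach-Object {
            $id   = [int]$_.Name
            $last = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                EventId  = $id
                Count    = $_.Count
                LastSeen = $last.TimeCreated
                Severity = $(if ($informational -contains $id) { 'Info' } else { 'Attention' })
                # First line of the latest message keeps any %1/%2 substitutions (failure codes) visible
                Message  = ($last.Message -split "`r?`n")[0]
                Action   = $actionById[$id]
            }
        } | Sort-Object Severity, EventId
}

Get-SenseEventSummary | Format-Table EventId, Count, LastSeen, Severity, Message, Action -AutoSize -Wrap
```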
Related topics
Onboard Windows 10 machines
Configure machine proxy and Internet connectivity settings
Troubleshoot Windows Defender ATP
Troubleshoot service issues
4/22/2019 • 2 minutes to read
This section addresses issues that might arise as you use the Windows Defender Advanced Threat Protection service.
NOTE
You must use the HTTPS protocol when adding the following endpoints.
Windows Defender ATP service shows event or error logs in the Event
Viewer
See the topic Review events and errors using Event Viewer for a list of event IDs that are reported by the Windows
Defender ATP service. The topic also contains troubleshooting steps for event errors.
Windows Defender ATP service fails to start after a reboot and shows
error 577
If onboarding machines successfully completes but Windows Defender ATP does not start after a reboot and
shows error 577, check that Windows Defender is not disabled by a policy.
For more information, see Ensure that Windows Defender Antivirus is not disabled by policy.
Related topics
Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
Review events and errors using Event Viewer
Check the Windows Defender Advanced Threat
Protection service health
4/22/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The Service health provides information on the current status of the Windows Defender ATP service. You'll be
able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details
related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected
resolution time.
You'll also see information on historical issues that have been resolved and details such as the date and time when
the issue was resolved. When there are no issues on the service, you'll see a healthy status.
You can view details on the service health by clicking the tile from the Security operations dashboard or
selecting the Service health menu from the navigation pane.
The Service health details page has the following tabs:
Current status
Status history
Current status
The Current status tab shows the current state of the Windows Defender ATP service. When the service is
running smoothly a healthy service health is shown. If there are issues seen, the following service details are
shown to help you gain better insight about the issue:
Date and time for when the issue was detected
A short description of the issue
Update time
Summary of impact
Preliminary root cause
Next steps
Expected resolution time
Updates on the progress of an issue are reflected on the page as the issue gets resolved. You'll see updates on
information such as an updated estimated resolution time or next steps.
When an issue is resolved, it gets recorded in the Status history tab.
Status history
The Status history tab reflects all the historical issues that were seen and resolved. You'll see details of the
resolved issues along with the other information that was included while they were being resolved.
Related topic
View the Security operations dashboard
Troubleshoot network protection
4/29/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IT administrators
When you use Network protection you may encounter issues, such as:
Network protection blocks a website that is safe (false positive)
Network protection fails to block a suspicious or known malicious website (false negative)
There are four steps to troubleshooting these problems:
1. Confirm prerequisites
2. Use audit mode to test the rule
3. Add exclusions for the specified rule (for false positives)
4. Submit support logs
Confirm prerequisites
Network protection will only work on devices with the following conditions:
Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators
Update).
Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. Using any other
antivirus app will cause Windows Defender AV to disable itself.
Real-time protection is enabled.
Cloud-delivered protection is enabled.
Audit mode is not enabled. Use Group Policy to set the rule to Disabled (value: 0).
Related topics
Windows Defender Exploit Guard
Network protection
Evaluate network protection
Enable network protection
Troubleshoot attack surface reduction rules
4/8/2019 • 3 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
When you use attack surface reduction rules you may encounter issues, such as:
A rule blocks a file, process, or performs some other action that it should not (false positive)
A rule does not work as described, or does not block a file or process that it should (false negative)
There are four steps to troubleshooting these problems:
1. Confirm prerequisites
2. Use audit mode to test the rule
3. Add exclusions for the specified rule (for false positives)
4. Submit support logs
Confirm prerequisites
Attack surface reduction rules will only work on devices with the following conditions:
Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. Using any other antivirus
app will cause Windows Defender AV to disable itself.
Real-time protection is enabled.
Audit mode is not enabled. Use Group Policy to set the rule to Disabled (value: 0) as described in Enable attack
surface reduction rules.
If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.
If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is
enabled.
Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and
may not have been disabled after the tests were completed.
If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on
pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based
on your situation:
1. If the attack surface reduction rule is blocking something that it should not block (also known as a false
positive), you can first add an attack surface reduction rule exclusion.
2. If the attack surface reduction rule is not blocking something that it should block (also known as a false
negative), you can proceed immediately to the last step, collecting diagnostic data and submitting the issue to
us.
IMPORTANT
You can specify individual files and folders to be excluded, but you cannot specify individual rules. This means any files or
folders that are excluded will be excluded from all ASR rules.
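A prerequisite audit for both the network protection and the attack surface reduction sections above, run on the endpoint itself: Windows 10 version, Windows Defender AV active, real-time and cloud-delivered protection, and whether network protection or any ASR rule is still in audit mode, which is the cause the text tells you to check first for false negatives. This is an added example, not a script from the documentation; it uses the Defender PowerShell module's Get-MpComputerStatus and Get-MpPreference, and the build number 16299 for version 1709 is a known fact not stated on the page.

```powershell
# Added example, not from the Windows Defender ATP docs: checks the network protection and
# ASR rule prerequisites from this page and lists rules left in audit mode.
# Action values follow the page: 0 = Disabled, 1 = Block, 2 = Audit.
function Get-AsrPrerequisiteReport {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $osInfo = Get-CimInstance -ClassName Win32_OperatingSystem
    $build  = [int]$osInfo.BuildNumber          # Windows 10 version 1709 (Fall Creators Update) is build 16299

    $prereqs = @(
        [pscustomobject]@{ Check = 'Windows 10 Enterprise, version 1709 or later'
                           Ok = ($osInfo.Caption -match 'Windows 10' -and $osInfo.Caption -match 'Enterprise' -and $build -ge 16299)
                           Detail = "$($osInfo.Caption) build $build" }
        # If another antivirus product is registered, Windows Defender AV disables itself and this reads $false
        [pscustomobject]@{ Check = 'Windows Defender AV is the active antivirus'
                           Ok = [bool]$status.AntivirusEnabled
                           Detail = "AntivirusEnabled=$($status.AntivirusEnabled)" }
        [pscustomobject]@{ Check = 'Real-time protection enabled'
                           Ok = [bool]$status.RealTimeProtectionEnabled
                           Detail = "RealTimeProtectionEnabled=$($status.RealTimeProtectionEnabled)" }
        # MAPSReporting 0 means cloud-delivered protection is off (network protection needs it)
        [pscustomobject]@{ Check = 'Cloud-delivered protection enabled'
                           Ok = ($pref.MAPSReporting -ne 0)
                           Detail = "MAPSReporting=$($pref.MAPSReporting)" }
        [pscustomobject]@{ Check = 'Network protection not in audit mode'
                           Ok = ($pref.EnableNetworkProtection -ne 2)
                           Detail = "EnableNetworkProtection=$($pref.EnableNetworkProtection) (0=Disabled,1=Block,2=Audit)" }
    )

    # ASR rules are stored as two parallel arrays: rule GUIDs and their configured action
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $rules = for ($i = 0; $i -lt $ids.Count; $i++) {
        $action = $actions[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Mode   = $(switch ($action) { 0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } default { "Unknown($action)" } })
        }
    }

    [pscustomobject]@{
        Prerequisites = $prereqs
        Rules         = @($rules)
        AuditRules    = @($rules | Where-Object { $_.Mode -eq 'Audit' })
        # Exclusions apply to every ASR rule at once; there is no per-rule exclusion (see the IMPORTANT note)
        Exclusions    = @($pref.AttackSurfaceReductionOnlyExclusions)
    }
}

$report = Get-AsrPrerequisiteReport
$report.Prerequisites | Format-Table Check, Ok, Detail -AutoSize
$report.Rules | Format-Table RuleId, Mode -AutoSize
if ($report.AuditRules.Count -gt 0) {
    Write-Warning "$($report.AuditRules.Count) ASR rule(s) are in audit mode: they log but do not block, which looks like a false negative."
}
if ($report.Exclusions.Count -gt 0) {
    Write-Host "ASR exclusions (apply to all rules): $($report.Exclusions -join ', ')"
}
```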
Related topics
Attack surface reduction rules
Enable attack surface reduction rules
Evaluate attack surface reduction rules
Review event logs and error codes to troubleshoot
issues with Windows Defender Antivirus
4/5/2019 • 34 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a
matching issue and potential solution.
The tables list:
Windows Defender Antivirus event IDs (these apply to both Windows 10 and Windows Server 2016)
Windows Defender Antivirus client error codes
Internal Windows Defender Antivirus client error codes (used by Microsoft during development and testing)
TIP
You can also visit the Windows Defender ATP demo website at demo.wd.microsoft.com to confirm the following features
are working:
Cloud-delivered protection
Fast learning (including Block at first sight)
Potentially unwanted application blocking
Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example: Antivirus, Antispyware, Antimalware
Scan Parameters: <Scan parameters>, for example: Full scan, Quick scan, Customer scan
Scan Resources: <Resources (such as files/directories/BHO) that were scanned.>
User: <Domain>\<User>
Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example: Antivirus, Antispyware, Antimalware
Scan Parameters: <Scan parameters>, for example: Full scan, Quick scan, Customer scan
User: <Domain>\<User>
Scan Time: <The duration of a scan.>
Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example: Antivirus, Antispyware, Antimalware
Scan Parameters: <Scan parameters>, for example: Full scan, Quick scan, Customer scan
User: <Domain>\<User>
Scan Time: <The duration of a scan.>
Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example: Antivirus, Antispyware, Antimalware
Scan Parameters: <Scan parameters>, for example: Full scan, Quick scan, Customer scan
User: <Domain>\<User>
Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example: Antivirus, Antispyware, Antimalware
Scan Parameters: <Scan parameters>, for example: Full scan, Quick scan, Customer scan
User: <Domain>\<User>
Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example: Antivirus, Antispyware, Antimalware
Scan Parameters: <Scan parameters>, for example: Full scan, Quick scan, Customer scan
User: <Domain>\<User>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
User action: The antivirus client encountered an error, and the current
scan has stopped. The scan might fail due to a client-side
issue. This event record includes the scan ID, type of scan
(Windows Defender Antivirus, antispyware, antimalware), scan
parameters, the user that started the scan, the error code,
and a description of the error. To troubleshoot this event:
1. Run the scan again.
2. If it fails in the same way, go to the Microsoft Support
site, enter the error number in the Search box to look
for the error code.
3. Contact Microsoft Technical Support.
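The scan and detection events described above carry their details as "Field: value" lines in the event message (Scan ID, Scan Type, Scan Parameters, User, Scan Time, Error Code, Error Description, Path, Action, and so on). The following added example, not part of the documentation, parses those lines from the Windows Defender Antivirus operational log so failed scans can be picked out by their error code and looked up as step 2 describes; it assumes the log name Microsoft-Windows-Windows Defender/Operational and includes a constructed sample message so the parser can be tried without a live log.

```powershell
# Added example, not from the Windows Defender ATP docs: parses the "Field: value" lines of
# Windows Defender Antivirus event messages into an ordered dictionary and reports scans
# that ended with an error code, plus detections with their action and path.
function ConvertFrom-DefenderEventMessage {
    param([string]$Message)
    $fields = [ordered]@{}
    foreach ($line in ($Message -split "`r?`n")) {
        # Field names are words/spaces before the first colon; a value such as "Trojan:Win32/X"
        # keeps its own colons. Lines like "https://..." are skipped by the (?!//) guard.
        if ($line -match '^\s*([A-Za-z][A-Za-z /]+?):\s*(?!//)(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $fields
}

function Get-DefenderScanReport {
    # Assumption: log name 'Microsoft-Windows-Windows Defender/Operational'
    param([int]$Days = 7, [int]$MaxEvents = 1000)
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $f = ConvertFrom-DefenderEventMessage -Message $e.Message
        # Keep only scan records (Scan ID) and detection records (Path); skip engine/definition updates
        if (-not ($f.Contains('Scan ID') -or $f.Contains('Path'))) { continue }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            EventId    = $e.Id
            Kind       = $(if ($f.Contains('Scan ID')) { 'Scan' } else { 'Detection' })
            User       = $f['User']
            ScanType   = $f['Scan Type']
            Parameters = $f['Scan Parameters']
            ErrorCode  = $f['Error Code']
            Detail     = $(if ($f.Contains('Path')) { "$($f['Action']) $($f['Path'])" } else { $f['Error Description'] })
        }
    }
}

# Constructed sample message with the field layout of the failed-scan record described above
$sample = @"
Constructed sample: the antivirus scan encountered an error and stopped.
 Scan ID: {CONSTRUCTED-SCAN-ID}
 Scan Type: Antivirus
 Scan Parameters: Quick Scan
 User: CONSTRUCTED\user
 Error Code: 0xCONSTRUCTED
 Error Description: constructed error text
"@
$parsed = ConvertFrom-DefenderEventMessage -Message $sample
$parsed | Format-Table -AutoSize

# Live log: failed scans first (look up the HRESULT in the error code tables), then detections
$report = @(Get-DefenderScanReport)
$report | Where-Object { $_.ErrorCode } | Format-Table Time, EventId, ScanType, Parameters, ErrorCode, Detail -AutoSize -Wrap
$report | Where-Object { $_.Kind -eq 'Detection' } | Format-Table Time, EventId, User, Detail -AutoSize -Wrap
```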
Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example: Unknown, Local computer, Network share, Internet, Incoming traffic, Outgoing traffic
Detection Type: <Detection type>, for example: Heuristics, Generic, Concrete, Dynamic signature
Detection Source: <Detection source>, for example:
  User: user initiated
  System: system initiated
  Real-time: real-time component initiated
  IOAV: IE Downloads and Outlook Express Attachments initiated
  NIS: Network inspection system
  IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  Remote attestation
  Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  UAC
Status: <Status>
User: <Domain>\<User>
Process Name: <Process in the PID>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Action: <Action>, for example:
  Clean: The resource was cleaned
  Quarantine: The resource was quarantined
  Remove: The resource was deleted
  Allow: The resource was allowed to execute/exist
  User defined: User defined action which is normally one from this list of actions that the user has specified
  No action: No action
  Block: The resource was blocked from executing
Status: <Status>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Action: <Action>, for example:
  Clean: The resource was cleaned
  Quarantine: The resource was quarantined
  Remove: The resource was deleted
  Allow: The resource was allowed to execute/exist
  User defined: User defined action which is normally one from this list of actions that the user has specified
  No action: No action
  Block: The resource was blocked from executing
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Status: <Status>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
User: <Domain>\<User>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
User: <Domain>\<User>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
User: <Domain>\<User>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
User: <Domain>\<User>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example: Unknown, Local computer, Network share, Internet, Incoming traffic, Outgoing traffic
Detection Type: <Detection type>, for example: Heuristics, Generic, Concrete, Dynamic signature
Detection Source: <Detection source>, for example:
  User: user initiated
  System: system initiated
  Real-time: real-time component initiated
  IOAV: IE Downloads and Outlook Express Attachments initiated
  NIS: Network inspection system
  IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  Remote attestation
  Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  UAC
Status: <Status>
User: <Domain>\<User>
Process Name: <Process in the PID>
Signature ID: Enumeration matching severity.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
Fidelity Label:
Target File Name: <File name> Name of the file.
Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example: Unknown, Local computer, Network share, Internet, Incoming traffic, Outgoing traffic
Detection Type: <Detection type>, for example: Heuristics, Generic, Concrete, Dynamic signature
Detection Source: <Detection source>, for example:
  User: user initiated
  System: system initiated
  Real-time: real-time component initiated
  IOAV: IE Downloads and Outlook Express Attachments initiated
  NIS: Network inspection system
  IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  Remote attestation
  Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  UAC
User: <Domain>\<User>
Process Name: <Process in the PID>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example: Unknown, Local computer, Network share, Internet, Incoming traffic, Outgoing traffic
Detection Type: <Detection type>, for example: Heuristics, Generic, Concrete, Dynamic signature
Detection Source: <Detection source>, for example:
  User: user initiated
  System: system initiated
  Real-time: real-time component initiated
  IOAV: IE Downloads and Outlook Express Attachments initiated
  NIS: Network inspection system
  IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  Remote attestation
  Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  UAC
User: <Domain>\<User>
Process Name: <Process in the PID>
Action: <Action>, for example:
  Clean: The resource was cleaned
  Quarantine: The resource was quarantined
  Remove: The resource was deleted
  Allow: The resource was allowed to execute/exist
  User defined: User defined action which is normally one from this list of actions that the user has specified
  No action: No action
  Block: The resource was blocked from executing
Action Status: <Description of additional actions>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

Operating system | Operating system version
Client Operating System | Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later
Server Operating System | Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016
Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example: Unknown, Local computer, Network share, Internet, Incoming traffic, Outgoing traffic
Detection Type: <Detection type>, for example: Heuristics, Generic, Concrete, Dynamic signature
Detection Source: <Detection source>, for example:
  User: user initiated
  System: system initiated
  Real-time: real-time component initiated
  IOAV: IE Downloads and Outlook Express Attachments initiated
  NIS: Network inspection system
  IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  Remote attestation
  Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  UAC
User: <Domain>\<User>
Process Name: <Process in the PID>
Action: <Action>, for example:
  Clean: The resource was cleaned
  Quarantine: The resource was quarantined
  Remove: The resource was deleted
  Allow: The resource was allowed to execute/exist
  User defined: User defined action which is normally one from this list of actions that the user has specified
  No action: No action
  Block: The resource was blocked from executing
Action Status: <Description of additional actions>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example: Unknown, Local computer, Network share, Internet, Incoming traffic, Outgoing traffic
Detection Type: <Detection type>, for example: Heuristics, Generic, Concrete, Dynamic signature
Detection Source: <Detection source>, for example:
  User: user initiated
  System: system initiated
  Real-time: real-time component initiated
  IOAV: IE Downloads and Outlook Express Attachments initiated
  NIS: Network inspection system
  IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  Remote attestation
  Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  UAC
User: <Domain>\<User>
Process Name: <Process in the PID>
Action: <Action>, for example:
  Clean: The resource was cleaned
  Quarantine: The resource was quarantined
  Remove: The resource was deleted
  Allow: The resource was allowed to execute/exist
  User defined: User defined action which is normally one from this list of actions that the user has specified
  No action: No action
  Block: The resource was blocked from executing
Action Status: <Description of additional actions>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
User action: The Windows Defender Antivirus client encountered this error
due to critical issues. The endpoint might not be protected.
Review the error description then follow the relevant User
action steps below.
Antivirus, Antispyware, Antimalware, Network Inspection System
Update Type: <Update type>, either Full or Delta.
User: <Domain>\<User>
Current Engine Version: <Current engine version>
Previous Engine Version: <Previous engine version>
Signature update folder, Internal definition update server, Microsoft Update Server, File share, Microsoft Malware Protection Center (MMPC)
Update Stage: <Update stage>, for example: Search, Download, Install
Source Path: File share name for Universal Naming Convention (UNC), server name for Windows Server Update Services (WSUS)/Microsoft Update/ADL.
Signature Type: <Signature type>, for example: Antivirus, Antispyware, Antimalware, Network Inspection System
Update Type: <Update type>, either Full or Delta.
User: <Domain>\<User>
Current Engine Version: <Current engine version>
Previous Engine Version: <Previous engine version>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
User action: The Windows Defender Antivirus client update failed. This
event occurs when the client fails to update itself. This event
is usually due to an interruption in network connectivity
during an update. To troubleshoot this event:
1. Update definitions and force a rescan directly on the
endpoint.
2. Contact Microsoft Technical Support.
Antivirus, Antispyware, Antimalware, Network Inspection System
Current Engine Version: <Current engine version>
Dynamic Signature Type: <Dynamic signature type>, for example: Version, Timestamp, No limit, Duration
Persistence Path: <Path>
Dynamic Signature Version: <Version number>
Dynamic Signature Compilation Timestamp: <Timestamp>
Persistence Limit Type: <Persistence limit type>, for example: VDM version, Timestamp, No limit
Persistence Limit: Persistence limit of the fast path signature.
Antivirus, Antispyware, Antimalware, Network Inspection System
Current Engine Version: <Current engine version>
Dynamic Signature Type: <Dynamic signature type>, for example: Version, Timestamp, No limit, Duration
Persistence Path: <Path>
Dynamic Signature Version: <Version number>
Dynamic Signature Compilation Timestamp: <Timestamp>
Removal Reason:
Persistence Limit Type: <Persistence limit type>, for example: VDM version, Timestamp, No limit
Persistence Limit: Persistence limit of the fast path signature.
Description: Windows Defender Antivirus has encountered an error trying to use Dynamic Signature Service.
Current Signature Version: <Current signature version>
Signature Type: <Signature type>, for example: Antivirus, Antispyware, Antimalware, Network Inspection System
Current Engine Version: <Current engine version>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Dynamic Signature Type: <Dynamic signature type>, for example: Version, Timestamp, No limit, Duration
Persistence Path: <Path>
Dynamic Signature Version: <Version number>
Dynamic Signature Compilation Timestamp: <Timestamp>
Persistence Limit Type: <Persistence limit type>, for example: VDM version, Timestamp, No limit
Persistence Limit: Persistence limit of the fast path signature.
Description: The support for your operating system will expire shortly.
Running Windows Defender Antivirus on an out of support
operating system is not an adequate solution to protect
against threats.
Description: The support for your operating system has expired. Running
Windows Defender Antivirus on an out of support operating
system is not an adequate solution to protect against threats.
Description: The support for your operating system has expired. Windows
Defender Antivirus is no longer supported on your operating
system, has stopped functioning, and is not protecting
against malware threats.
On Access, Internet Explorer downloads and Microsoft Outlook Express attachments, Behavior monitoring, Network Inspection System
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Reason: The reason Windows Defender Antivirus real-time protection has restarted a feature.
User action: You should restart the system then run a full scan because
it's possible the system was not protected for some time. The
Windows Defender Antivirus client's real-time protection
feature encountered an error because one of the services
failed to start. If it is followed by a 3007 event ID, the failure
was temporary and the antimalware client recovered from
the failure.
On Access, IE downloads and Outlook Express attachments, Behavior monitoring, Network Inspection System
Reason: The reason Windows Defender Antivirus real-time protection has restarted a feature.
User action: The real-time protection feature has restarted. If this event
happens again, contact Microsoft Technical Support.
On Access, IE downloads and Outlook Express attachments, Behavior monitoring, Network Inspection System
Configuration:
Message: ERR_MP_NO_MEMORY
Possible reason: This error indicates that you might have run out of memory.

Message: ERR_MP_BAD_INPUT_DATA
Possible reason: This error indicates that there might be a problem with your security product.
Or,
b. Download the latest definitions from the Windows Defender Security Intelligence site.
Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
2. Run a full scan.
3. Restart the device and try again.

Message: ERR_MP_BAD_CONFIGURATION

Message: ERR_MP_QUARANTINE_FAILED
Possible reason: This error indicates that Windows Defender Antivirus failed to quarantine a threat.

Message: ERR_MP_REBOOT_REQUIRED

Error code: 0X80508023
Message: ERR_MP_THREAT_NOT_FOUND
Possible reason: This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device.
Resolution: Run the Microsoft Safety Scanner then update your security software and try again.

Message: ERR_MP_FULL_SCAN_REQUIRED
Possible reason: This error indicates that a full system scan might be required.

Message: ERR_MP_MANUAL_STEPS_REQUIRED
Possible reason: This error indicates that manual steps are required to complete threat removal.

Message: ERR_MP_REMOVE_NOT_SUPPORTED
Possible reason: This error indicates that removal inside the container type might not be supported.

Possible reason: This error indicates that removal of low and medium threats might be disabled.

Message: ERROR_MP_RESCAN_REQUIRED

Message: ERROR_MP_CALLISTO_REQUIRED
Resolution: Run offline Windows Defender Antivirus. You can read about how to do this in the offline Windows Defender Antivirus article.

Message: ERROR_MP_PLATFORM_OUTDATED
Possible reason: This error indicates that Windows Defender Antivirus does not support the current version of the platform and requires a new version of the platform.
The following error codes are used during internal testing of Windows Defender Antivirus.
If you see these errors, you can try to update definitions and force a rescan directly on the endpoint.
0x80501001 ERROR_MP_ACTIONS_FAILED
0x80501002 ERROR_MP_NOENGINE
0x80501003 ERROR_MP_ACTIVE_THREATS
0x805011011 MP_ERROR_CODE_LUA_CANCELLED
0x80501101 ERROR_LUA_CANCELLATION
0x80501102 MP_ERROR_CODE_ALREADY_SHUTDOWN
0x80501103 MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING
0x80501104 MP_ERROR_CODE_CANCELLED
0x80501105 MP_ERROR_CODE_NO_TARGETOS
0x80501106 MP_ERROR_CODE_BAD_REGEXP
0x80501107 MP_ERROR_TEST_INDUCED_ERROR
0x80501108 MP_ERROR_SIG_BACKUP_DISABLED
0x80508001 ERR_MP_BAD_INIT_MODULES
0x80508002 ERR_MP_BAD_DATABASE
0x80508004 ERR_MP_BAD_UFS
0x8050800C ERR_MP_BAD_INPUT_DATA
0x8050800D ERR_MP_BAD_GLOBAL_STORAGE
0x8050800E ERR_MP_OBSOLETE
0x8050800F ERR_MP_NOT_SUPPORTED
0x80508011 ERR_MP_DUPLICATE_SCANID
0x80508012 ERR_MP_BAD_SCANID
0x80508013 ERR_MP_BAD_USERDB_VERSION
0x80508014 ERR_MP_RESTORE_FAILED
0x80508016 ERR_MP_BAD_ACTION
0x80508019 ERR_MP_NOT_FOUND
0x80509001 ERR_RELO_BAD_EHANDLE
0x80509003 ERR_RELO_KERNEL_NOT_LOADED
0x8050A001 ERR_MP_BADDB_OPEN
0x8050A002 ERR_MP_BADDB_HEADER
0x8050A003 ERR_MP_BADDB_OLDENGINE
0x8050A004 ERR_MP_BADDB_CONTENT
0x8050A005 ERR_MP_BADDB_NOTSIGNED
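The events above carry their error code as a standard HRESULT. As an added example (not from the Microsoft documentation), the following decoder splits such a code into its severity, facility and code fields, looks it up in a subset of the table above, and flags the table's malformed nine-digit 0x805011011 entry; the event text it scans is constructed.

```python
"""Decode the HRESULT values that Windows Defender Antivirus writes into the
"Error Code" field of its event log entries.

Added example, not part of the Microsoft documentation. The symbolic names
are a subset of the page's own table; the bit layout is the standard Windows
HRESULT layout (severity in bit 31, facility in bits 16-26, code in bits
0-15). The sample event text is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the page's error-code table, keyed by 32-bit value.
MP_ERROR_NAMES = {
    0x80501001: "ERROR_MP_ACTIONS_FAILED",
    0x80501002: "ERROR_MP_NOENGINE",
    0x80501003: "ERROR_MP_ACTIVE_THREATS",
    0x80501101: "ERROR_LUA_CANCELLATION",
    0x80508001: "ERR_MP_BAD_INIT_MODULES",
    0x80508002: "ERR_MP_BAD_DATABASE",
    0x8050800C: "ERR_MP_BAD_INPUT_DATA",
    0x80508019: "ERR_MP_NOT_FOUND",
    0x80508023: "ERR_MP_THREAT_NOT_FOUND",
    0x8050A001: "ERR_MP_BADDB_OPEN",
    0x8050A005: "ERR_MP_BADDB_NOTSIGNED",
}

# Every code in the page's table is 0x8050xxxx, i.e. facility 0x050 once the
# severity bit is stripped; a code with another facility did not come from the
# antimalware platform and has to be looked up elsewhere.
DEFENDER_FACILITY = 0x050


@dataclass
class Hresult:
    value: int
    failed: bool          # bit 31 set: failure result
    facility: int         # bits 16-26
    code: int             # bits 0-15
    name: Optional[str]   # symbolic name from MP_ERROR_NAMES, if listed


def decode_hresult(text: str) -> Hresult:
    """Parse '0x8050800C', '0X80508023' or the signed decimal form the event
    viewer sometimes shows (-2142207988) into HRESULT fields.

    Raises ValueError for anything wider than 32 bits, which is how the
    malformed nine-digit '0x805011011' entry in the page's table is caught.
    """
    token = text.strip()
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", token):
        value = int(token, 16)
    elif re.fullmatch(r"-?[0-9]+", token):
        value = int(token, 10)
        if value < 0:
            value &= 0xFFFFFFFF   # two's complement back to the unsigned form
    else:
        raise ValueError(f"not an HRESULT: {text!r}")
    if value > 0xFFFFFFFF:
        raise ValueError(f"HRESULT wider than 32 bits: {text!r}")
    return Hresult(
        value=value,
        failed=bool(value >> 31),
        facility=(value >> 16) & 0x7FF,
        code=value & 0xFFFF,
        name=MP_ERROR_NAMES.get(value),
    )


def is_valid_hresult(text: str) -> bool:
    try:
        decode_hresult(text)
        return True
    except ValueError:
        return False


def decode_event_error_codes(event_text: str) -> List[Tuple[str, Optional[Hresult]]]:
    """Find every 'Error Code:' field in an event message (the field layout the
    page documents) and decode it; malformed values decode to None."""
    results = []
    for match in re.finditer(r"Error Code:\s*(\S+)", event_text):
        raw = match.group(1)
        results.append((raw, decode_hresult(raw) if is_valid_hresult(raw) else None))
    return results


# Constructed sample, laid out like the event fields described on the page.
SAMPLE_EVENT = """\
Category: Trojan
Path: C:\\Example\\placeholder.exe
Action: Quarantine
Error Code: 0x8050800C
Error Description: Bad input data
Signature Version: 1.0.0.0
Engine Version: 1.0.0.0
"""

if __name__ == "__main__":
    for raw, hr in decode_event_error_codes(SAMPLE_EVENT):
        if hr is None:
            print(f"{raw}: malformed")
        else:
            print(f"{raw}: facility=0x{hr.facility:03X} code=0x{hr.code:04X} "
                  f"failed={hr.failed} name={hr.name}")
```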
Related topics
Report on Windows Defender Antivirus protection
Windows Defender Antivirus in Windows 10
Security intelligence
4/5/2019 • 2 minutes to read
Here you will find information about different types of malware, safety tips on how you can protect your
organization, and resources for industry collaboration programs.
Understand malware & other threats
How Microsoft identifies malware and PUA
Submit files for analysis
Safety Scanner download
Keep up with the latest malware news and research. Check out our Windows security blogs and follow us on
Twitter for the latest news, discoveries, and protections.
Learn more about Windows security.
Understanding malware & other threats
4/8/2019 • 2 minutes to read
Malware is a term used to describe malicious applications and code that can cause damage and disrupt normal use
of devices. Malware can allow unauthorized access, use system resources, steal passwords, lock you out of your
computer and ask for ransom, and more.
Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch
attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or
extort payment from victims.
As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most
secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or
on the go. With Windows Defender Advanced Threat Protection (Windows Defender ATP), businesses can stay
protected with next-generation protection and other security capabilities.
For good general tips, check out the prevent malware infection topic.
There are many types of malware, including:
Coin miners
Exploits and exploit kits
Macro malware
Phishing
Ransomware
Rootkits
Supply chain attacks
Tech support scams
Trojans
Unwanted software
Worms
Prevent malware infection
4/8/2019 • 6 minutes to read
Malware authors are always looking for new ways to infect computers. Follow the simple tips below to stay
protected and minimize threats to your data and accounts.
Software solutions
Microsoft provides comprehensive security capabilities that help protect against threats. We recommend:
Automatic Microsoft updates keep software up-to-date to get the latest protections.
Controlled folder access stops ransomware in its tracks by preventing unauthorized access to your
important files. Controlled folder access locks down folders, allowing only authorized apps to access files.
Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are
denied access.
Microsoft Edge browser protects against threats such as ransomware by preventing exploit kits from
running. By using Microsoft SmartScreen, Microsoft Edge blocks access to malicious websites.
Microsoft Exchange Online Protection (EOP) offers enterprise-class reliability and protection against spam
and malware, while maintaining access to email during and after emergencies.
Microsoft Safety Scanner helps remove malicious software from computers. NOTE: This tool does not
replace your antimalware product.
Microsoft 365 includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources
power productivity while providing intelligent security across users, devices, and data.
Office 365 Advanced Threat Protection includes machine learning capabilities that block dangerous
emails, including millions of emails carrying ransomware downloaders.
OneDrive for Business can back up files, which you would then use to restore files in the event of an
infection.
Windows Defender Advanced Threat Protection provides comprehensive endpoint protection, detection,
and response capabilities to help prevent ransomware. In the event of a breach, Windows Defender ATP
alerts security operations teams about suspicious activities and automatically attempts to resolve the
problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website,
launching self-replicated copies, and deletion of volume shadow copies. Try Windows Defender ATP free
of charge.
Windows Hello for Business replaces passwords with strong two-factor authentication on your devices.
This authentication consists of a new type of user credential that is tied to a device and uses a biometric or
PIN. It lets users authenticate to an Active Directory or Azure Active Directory account.
Earlier than Windows 10 (not recommended)
Microsoft Security Essentials provides real-time protection for your home or small business device that
guards against viruses, spyware, and other malicious software.
We name the malware and unwanted software that we detect according to the Computer Antivirus Research
Organization (CARO) malware naming scheme. The scheme uses the following format:
When our analysts research a particular threat, they will determine what each of the components of the name will
be.
Type
Describes what the malware does on your computer. Worms, viruses, trojans, backdoors, and ransomware are
some of the most common types of malware.
Adware
Backdoor
Behavior
BrowserModifier
Constructor
DDoS
Exploit
Hacktool
Joke
Misleading
MonitoringTool
Program
PWS
Ransom
RemoteAccess
Rogue
SettingsModifier
SoftwareBundler
Spammer
Spoofer
Spyware
Tool
Trojan
TrojanClicker
TrojanDownloader
TrojanNotifier
TrojanProxy
TrojanSpy
VirTool
Virus
Worm
Platforms
Indicates the operating system (such as Windows, Mac OS X, and Android) that the malware is designed to work
on. The platform is also used to indicate programming languages and file formats.
Operating systems
AndroidOS: Android operating system
DOS: MS-DOS platform
EPOC: Psion devices
FreeBSD: FreeBSD platform
iPhoneOS: iPhone operating system
Linux: Linux platform
MacOS: MAC 9.x platform or earlier
MacOS_X: MacOS X or later
OS2: OS2 platform
Palm: Palm operating system
Solaris: System V-based Unix platforms
SunOS: Unix platforms 4.1.3 or lower
SymbOS: Symbian operating system
Unix: general Unix platforms
Win16: Win16 (3.1) platform
Win2K: Windows 2000 platform
Win32: Windows 32-bit platform
Win64: Windows 64-bit platform
Win95: Windows 95, 98 and ME platforms
Win98: Windows 98 platform only
WinCE: Windows CE platform
WinNT: WinNT
Scripting languages
ABAP: Advanced Business Application Programming scripts
ALisp: ALisp scripts
AmiPro: AmiPro script
ANSI: American National Standards Institute scripts
AppleScript: compiled Apple scripts
ASP: Active Server Pages scripts
AutoIt: AutoIT scripts
BAS: Basic scripts
BAT: Basic scripts
CorelScript: Corelscript scripts
HTA: HTML Application scripts
HTML: HTML Application scripts
INF: Install scripts
IRC: mIRC/pIRC scripts
Java: Java binaries (classes)
JS: Javascript scripts
LOGO: LOGO scripts
MPB: MapBasic scripts
MSH: Monad shell scripts
MSIL: .Net intermediate language scripts
Perl: Perl scripts
PHP: Hypertext Preprocessor scripts
Python: Python scripts
SAP: SAP platform scripts
SH: Shell scripts
VBA: Visual Basic for Applications scripts
VBS: Visual Basic scripts
WinBAT: Winbatch scripts
WinHlp: Windows Help scripts
WinREG: Windows registry scripts
Macros
A97M: Access 97, 2000, XP, 2003, 2007, and 2010 macros
HE: macro scripting
O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and Powerpoint
PP97M: PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros
V5M: Visio5 macros
W1M: Word1Macro
W2M: Word2Macro
W97M: Word 97, 2000, XP, 2003, 2007, and 2010 macros
WM: Word 95 macros
X97M: Excel 97, 2000, XP, 2003, 2007, and 2010 macros
XF: Excel formulas
XM: Excel 95 macros
Other file types
ASX: XML metafile of Windows Media .asf files
HC: HyperCard Apple scripts
MIME: MIME packets
Netware: Novell Netware files
QT: Quicktime files
SB: StarBasic (StarOffice XML) files
SWF: Shockwave Flash files
TSQL: MS SQL server files
XML: XML files
Family
Grouping of malware based on common characteristics, including attribution to the same authors. Security
software providers sometimes use different names for the same malware family.
Variant letter
Used sequentially for every distinct version of a malware family. For example, the detection for the variant ".AF"
would have been created after the detection for the variant ".AE".
Suffixes
Provides extra detail about the malware, including how it is used as part of a multicomponent threat. In the
example above, "!lnk" indicates that the threat component is a shortcut file used by Trojan:Win32/Reveton.T.
.dam: damaged malware
.dll: Dynamic Link Library component of a malware
.dr: dropper component of a malware
.gen: malware that is detected using a generic signature
.kit: virus constructor
.ldr: loader component of a malware
.pak: compressed malware
.plugin: plug-in component
.remnants: remnants of a virus
.worm: worm component of that malware
!bit: an internal category used to refer to some threats
!cl: an internal category used to refer to some threats
!dha: an internal category used to refer to some threats
!pfn: an internal category used to refer to some threats
!plock: an internal category used to refer to some threats
!rfn: an internal category used to refer to some threats
!rootkit: rootkit component of that malware
@m: worm mailers
@mm: mass mailer worm
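An added example, not code from the Microsoft page: a small parser for detection names in the Type:Platform/Family.Variant!Suffix form explained above, using a subset of the platform prefix table and the suffix table from this page (the "!lnk" description comes from the page's Reveton example). The variant ordering (A..Z, AA, AB, ...) is an assumption that matches the statement that ".AF" follows ".AE"; the names other than Trojan:Win32/Reveton.T!lnk are constructed.

```python
"""Parse Microsoft malware detection names such as Trojan:Win32/Reveton.T!lnk
and explain each part using the prefix and suffix tables on this page."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Subset of the platform prefixes listed on this page.
PLATFORMS: Dict[str, str] = {
    "Win32": "Windows 32-bit platform",
    "Win64": "Windows 64-bit platform",
    "MSIL": ".Net intermediate language scripts",
    "JS": "Javascript scripts",
    "VBS": "Visual Basic scripts",
    "O97M": "Office 97, 2000, XP, 2003, 2007, and 2010 macros",
    "W97M": "Word 97, 2000, XP, 2003, 2007, and 2010 macros",
    "X97M": "Excel 97, 2000, XP, 2003, 2007, and 2010 macros",
    "Linux": "Linux platform",
    "MacOS_X": "MacOS X or later",
}

# Suffix table from this page; "!lnk" is taken from the page's Reveton example.
SUFFIXES: Dict[str, str] = {
    ".dam": "damaged malware", ".dll": "Dynamic Link Library component",
    ".dr": "dropper component", ".gen": "detected using a generic signature",
    ".kit": "virus constructor", ".ldr": "loader component",
    ".pak": "compressed malware", ".plugin": "plug-in component",
    ".remnants": "remnants of a virus", ".worm": "worm component",
    "!bit": "internal category", "!cl": "internal category",
    "!dha": "internal category", "!pfn": "internal category",
    "!plock": "internal category", "!rfn": "internal category",
    "!rootkit": "rootkit component", "!lnk": "shortcut file component",
    "@m": "worm mailer", "@mm": "mass mailer worm",
}

NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+):"               # threat type, e.g. Trojan, Worm
    r"(?P<platform>[A-Za-z0-9_]+)/"        # platform prefix, e.g. Win32, O97M
    r"(?P<family>[A-Za-z0-9_-]+)"          # family name
    r"(?:\.(?P<variant>[A-Z]+))?"          # optional upper-case variant letters
    r"(?P<suffixes>(?:[.!@][A-Za-z]+)*)$"  # zero or more suffixes
)


@dataclass
class DetectionName:
    threat_type: str
    platform: str
    family: str
    variant: Optional[str]
    suffixes: List[str] = field(default_factory=list)

    def platform_description(self) -> str:
        return PLATFORMS.get(self.platform, "unknown platform prefix")

    def suffix_descriptions(self) -> Dict[str, str]:
        # Unknown suffixes are reported rather than silently dropped.
        return {s: SUFFIXES.get(s, "unknown suffix") for s in self.suffixes}


def parse_detection_name(name: str) -> DetectionName:
    """Split a detection name into its parts; raises ValueError if malformed."""
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Type:Platform/Family name: {name!r}")
    suffixes = re.findall(r"[.!@][A-Za-z]+", m.group("suffixes") or "")
    return DetectionName(m.group("type"), m.group("platform"),
                         m.group("family"), m.group("variant"), suffixes)


def variant_ordinal(variant: str) -> int:
    """Position of a variant in the sequential A, B, ..., Z, AA, AB, ... scheme.
    Assumption: letters are assigned like spreadsheet columns (bijective base 26),
    which agrees with the page's statement that .AF was created after .AE."""
    n = 0
    for ch in variant.upper():
        if not "A" <= ch <= "Z":
            raise ValueError(f"bad variant letter {ch!r}")
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def is_later_variant(a: str, b: str) -> bool:
    """True when the detection for variant a was created after variant b."""
    return variant_ordinal(a) > variant_ordinal(b)


def describe(name: str) -> str:
    """Human-readable breakdown of one detection name."""
    d = parse_detection_name(name)
    parts = [f"type={d.threat_type}",
             f"platform={d.platform} ({d.platform_description()})",
             f"family={d.family}"]
    if d.variant:
        parts.append(f"variant={d.variant} (#{variant_ordinal(d.variant)} in sequence)")
    for s, desc in d.suffix_descriptions().items():
        parts.append(f"suffix={s} ({desc})")
    return "; ".join(parts)


if __name__ == "__main__":
    # The page's example name plus constructed names covering other cases.
    for n in ["Trojan:Win32/Reveton.T!lnk", "Worm:Win32/Sample.AB@mm",
              "TrojanDownloader:O97M/Sample.gen!dha"]:
        print(describe(n))
```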
Coin miners
4/8/2019 • 2 minutes to read
Cybercriminals are always looking for new ways to make money. With the rise of digital currencies, also known as
cryptocurrencies, criminals see a unique opportunity to infiltrate an organization and secretly mine for coins by
reconfiguring malware.
Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware
can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security
safeguards to infect your device.
What exactly is a fileless threat? The term "fileless" suggests a threat that does not come in a file, such as a
backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The term
is used broadly; it's also used to describe malware families that do rely on files in order to operate.
Given that attacks involve several stages for functionalities like execution, persistence, information theft, lateral
movement, communication with command-and-control, etc., some parts of the attack chain may be fileless, while
others may involve the filesystem in some form or another.
To shed light on this loaded term, we grouped fileless threats into different categories.
Macros are a powerful way to automate common tasks in Microsoft Office and can make people more productive.
However, macro malware uses this functionality to infect your device.
Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of
electronic communication that often look to be official communication from legitimate companies or individuals.
The information that phishers (as the cybercriminals behind phishing attacks are called) attempt to steal can be
user names and passwords, credit card details, bank account information, or other credentials. Attackers can then
use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank
accounts and credit cards. Phishers can also sell the information in cybercriminal underground marketplaces.
There is a request for personal information such as social security numbers or bank or financial
information. Official communications won't generally request personal information from you in the form of
an email.
Items in the email address will be changed so that it is similar enough to a legitimate email address but
has added numbers or changed letters.
The message is unexpected and unsolicited. If you suddenly receive an email from an entity or a person
you rarely deal with, consider this email suspect.
The message or the attachment asks you to enable macros, adjust security settings, or install
applications. Normal emails will not ask you to do this.
The message contains errors. Legitimate corporate messages are less likely to have typographic or
grammatical errors or contain wrong information.
The sender address does not match the signature on the message itself. For example, an email is
purported to be from Mary of Contoso Corp, but the sender address is john@example.com.
There are multiple recipients in the “To” field and they appear to be random addresses. Corporate
messages are normally sent directly to individual recipients.
The greeting on the message itself does not personally address you. Apart from messages that
mistakenly address a different person, those that misuse your name or pull your name directly from your
email address tend to be malicious.
The website looks familiar but there are inconsistencies or things that are not quite right, such as
outdated logos, typos, or requests for additional information that legitimate sign-in websites do not
ask for.
The page that opens is not a live page but rather an image that is designed to look like the site you are
familiar with. A pop-up may appear that requests credentials.
If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate.
For more information, download and read this Microsoft e-book on preventing social engineering attacks,
especially in enterprise environments.
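An added example, not code from the Microsoft page, that checks a message against several of the indicators listed above: a request for personal information, a sender domain that resembles a known one with added numbers or changed letters, a sender address that matches neither the display name nor the signature (the page's "Mary of Contoso Corp" versus john@... case), an unusual number of recipients in the To field, and a request to enable macros or change security settings. The known-domain list, the recipient threshold, the keyword patterns and both sample messages are constructed for the example.

```python
"""Flag phishing indicators from this page in a raw RFC 822 message."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import List, Optional, Tuple

# Constructed: in practice this would be your organization's own domains.
KNOWN_DOMAINS = {"contoso.com"}
RANDOM_RECIPIENT_THRESHOLD = 5  # constructed threshold for "many recipients"
STOPWORDS = {"the", "and", "corp", "inc", "ltd", "llc", "team"}

PERSONAL_INFO = re.compile(
    r"\b(social security number|ssn|bank account|routing number|password|credit card)\b", re.I)
ENABLE_MACROS = re.compile(
    r"\b(enable (macros|content|editing)|disable (your )?antivirus|security settings)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot changed letters in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str) -> Optional[str]:
    """Return the known domain this one imitates (added digits or <=2 edits), if any."""
    if not domain or domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if re.sub(r"\d", "", domain) == known or edit_distance(domain, known) <= 2:
            return known
    return None


def sender_mismatch(display: str, local: str, domain: str, body: str) -> bool:
    """True when no name from the display name or signature appears in the address."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    signature = lines[-1] if lines else ""  # last non-empty body line
    tokens = set(re.findall(r"[a-z]{3,}", (display + " " + signature).lower())) - STOPWORDS
    if not tokens:
        return False
    haystack = local + " " + domain
    return not any(t in haystack for t in tokens)


def analyze(raw: str) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs found in the message; empty means none fired."""
    msg = message_from_string(raw)
    findings: List[Tuple[str, str]] = []
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().partition("@")
    payload = msg.get_payload() if not msg.is_multipart() else ""
    body = payload if isinstance(payload, str) else ""

    m = PERSONAL_INFO.search(body)
    if m:
        findings.append(("personal information requested", m.group(0)))
    m = ENABLE_MACROS.search(body)
    if m:
        findings.append(("asks to enable macros or change settings", m.group(0)))
    look = lookalike_domain(domain)
    if look:
        findings.append(("lookalike sender domain", f"{domain} resembles {look}"))
    if sender_mismatch(display, local, domain, body):
        findings.append(("sender address does not match name or signature", addr))
    recipients = getaddresses(msg.get_all("To", []))
    if len(recipients) >= RANDOM_RECIPIENT_THRESHOLD:
        findings.append(("many recipients in To field", str(len(recipients))))
    return findings


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: Mary of Contoso Corp <john@cont0so.com>
To: a1x9@example.net, q7rt@example.net, zz02@example.net, pp83@example.net, m4k1@example.net
Subject: Urgent: verify your account

Dear customer,
Please enable macros in the attached form and reply with your bank account
number and password so we can verify your identity.

Mary
Contoso Corp
"""

LEGIT_SAMPLE = """\
From: Mary Smith <mary.smith@contoso.com>
To: bob@contoso.com
Subject: Q3 report

Hi Bob,
The quarterly report is on the shared drive.

Mary
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, analyze(sample))
```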
Software solutions for organizations
Microsoft Edge and Windows Defender Application Guard offer protection from the increasing threat of
targeted attacks using Microsoft's industry leading Hyper-V virtualization technology. If a browsed website
is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby
preventing access to your enterprise data.
Microsoft Exchange Online Protection (EOP) offers enterprise-class reliability and protection against spam
and malware, while maintaining access to email during and after emergencies. Using various layers of
filtering, EOP can provide different controls for spam filtering, such as bulk mail controls and international
spam, that will further enhance your protection services.
Use Office 365 Advanced Threat Protection (ATP) to help protect your email, files, and online storage
against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint
Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection
against malicious links, it complements the security features of Exchange Online Protection to provide
better zero-day protection.
For more tips and software solutions, see prevent malware infection.
Ransomware is a type of malware that encrypts files and folders, preventing access to important files.
Ransomware attempts to extort money from victims by asking for payment, usually in the form of cryptocurrencies, in
exchange for the decryption key. But cybercriminals won't always follow through and unlock the files they
encrypted.
The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack
vectors, makes older platforms especially susceptible to ransomware attacks.
Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A
successful rootkit can potentially remain in place for years if it is undetected. During this time it will steal
information and resources.
Supply chain attacks are an emerging kind of threat that targets software developers and suppliers. The goal is to
access source code, build processes, or update mechanisms by infecting legitimate apps to distribute malware.
Tech support scams are an industry-wide issue where scammers use scare tactics to trick users into paying for
unnecessary technical support services that supposedly fix contrived device, platform, or software problems.
Trojans are a common type of malware which, unlike viruses, can’t spread on their own. This means they either
have to be downloaded manually or another malware needs to download and install them.
Trojans often use the same file names as real and legitimate apps. It is easy to accidentally download a trojan
thinking that it is a legitimate app.
Unwanted software consists of programs that alter the Windows experience without your consent or control. This can take
the form of a modified browsing experience, lack of control over downloads and installation, misleading messages,
or unauthorized changes to Windows settings.
A worm is a type of malware that can copy itself and often spreads through a network by exploiting security
vulnerabilities. It can spread through email attachments, text messages, file-sharing programs, social networking
sites, network shares, removable drives, and software vulnerabilities.
Microsoft aims to provide customers with the most delightful and productive Windows experience possible. To
help achieve that, we try our best to ensure our customers are safe and in control of their devices.
Microsoft gives you the information and tools you need when downloading, installing, and running software, as
well as tools that protect you when we know that something unsafe is happening. Microsoft does this by
identifying and analyzing software and online content against criteria described in this article.
You can participate in this process by submitting software for analysis. Our analysts and intelligent systems can
then help identify undesirable software and ensure they are covered by our security solutions.
Because new forms of malware and potentially unwanted applications are being developed and distributed rapidly,
Microsoft reserves the right to adjust, expand, and update these criteria without prior notice or announcements.
Malware
Malware is the overarching name for applications and other code, i.e. software, that Microsoft classifies more
granularly as malicious software or unwanted software.
Malicious software
Malicious software is an application or code that compromises user security. Malicious software might steal your
personal information, lock your PC until you pay a ransom, use your PC to send spam, or download other
malicious software. In general, malicious software tricks, cheats, or defrauds users, places users in vulnerable
states, or performs other malicious activities.
Microsoft classifies most malicious software into one of the following categories:
Backdoor: A type of malware that gives malicious hackers remote access to and control of your PC.
Downloader: A type of malware that downloads other malware onto your PC. It needs to connect to the
internet to download files.
Dropper: A type of malware that installs other malware files onto your PC. Unlike a downloader, a dropper
doesn’t need to connect to the internet to drop malicious files. The dropped files are typically embedded in
the dropper itself.
Exploit: A piece of code that uses software vulnerabilities to gain access to your PC and perform other
tasks, such as installing malware. See more information about exploits.
Hacktool: A type of tool that can be used to gain unauthorized access to your PC.
Macro virus: A type of malware that spreads through infected documents, such as Microsoft Word or Excel
documents. The virus is run when you open an infected document.
Obfuscator: A type of malware that hides its code and purpose, making it more difficult for security
software to detect or remove.
Password stealer: A type of malware that gathers your personal information, such as user names and
passwords. It often works along with a keylogger, which collects and sends information about the keys you
press and websites you visit.
Ransomware: A type of malware that encrypts your files or makes other modifications that can prevent
you from using your PC. It then displays a ransom note stating you must pay money, complete surveys, or
perform other actions before you can use your PC again. See more information about ransomware.
Rogue security software: Malware that pretends to be security software but doesn't provide any
protection. This type of malware usually displays alerts about nonexistent threats on your PC. It also tries to
convince you to pay for its services.
Trojan: A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't
spread by itself. Instead it tries to look legitimate, tricking users into downloading and installing it. Once
installed, trojans perform a variety of malicious activities, such as stealing personal information,
downloading other malware, or giving attackers access to your PC.
Trojan clicker: A type of trojan that automatically clicks buttons or similar controls on websites or
applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online
polls or other tracking systems and can even install applications on your PC.
Worm: A type of malware that spreads to other PCs. Worms can spread through email, instant messaging,
file sharing platforms, social networks, network shares, and removable drives. Sophisticated worms take
advantage of software vulnerabilities to propagate.
Unwanted software
Microsoft believes that you should have control over your Windows experience. Software running on Windows
should keep you in control of your PC through informed choices and accessible controls. Microsoft identifies
software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these
behaviors as "unwanted software".
Lack of choice
You must be notified about what is happening on your PC, including what software does and whether it is active.
Software that exhibits lack of choice might:
Fail to provide prominent notice about the behavior of the software and its purpose and intent.
Fail to clearly indicate when the software is active and might also attempt to hide or disguise its presence.
Install, reinstall, or remove software without your permission, interaction, or consent.
Install other software without a clear indication of its relationship to the primary software.
Circumvent user consent dialogs from the browser or operating system.
Falsely claim to be software from Microsoft.
Software must not mislead or coerce you into making decisions about your PC. This is considered behavior that
limits your choices. In addition to the previous list, software that exhibits lack of choice might:
Display exaggerated claims about your PC’s health.
Make misleading or inaccurate claims about files, registry entries, or other items on your PC.
Display claims in an alarming manner about your PC's health and require payment or certain actions in
exchange for fixing the purported issues.
Software that stores or transmits your activities or data must:
Give you notice and get consent to do so. Software should not include an option that configures it to hide
activities associated with storing or transmitting your data.
Lack of control
You must be able to control software on your computer. You must be able to start, stop, or otherwise revoke
authorization to software.
Software that exhibits lack of control might:
Prevent or limit you from viewing or modifying browser features or settings.
Open browser windows without authorization.
Redirect web traffic without giving notice and getting consent.
Modify or manipulate webpage content without your consent.
Software that changes your browsing experience must only use the browser's supported extensibility model for
installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models will be
considered non-extensible and should not be modified.
Installation and removal
You must be able to start, stop, or otherwise revoke authorization given to software. Software should obtain your
consent before installing, and it must provide a clear and straightforward way for you to install, uninstall, or
disable it.
Software that delivers poor installation experience might bundle or download other "unwanted software" as
classified by Microsoft.
Software that delivers poor removal experience might:
Present confusing or misleading prompts or pop-ups while being uninstalled.
Fail to use standard install/uninstall features, such as Add/Remove Programs.
Advertising and advertisements
Software that promotes a product or service outside of the software itself can interfere with your computing
experience. You should have clear choice and control when installing software that presents advertisements.
The advertisements that are presented by software must:
Include an obvious way for users to close the advertisement. The act of closing the advertisement must not
open another advertisement.
Include the name of the software that presented the advertisement.
The software that presents these advertisements must:
Provide a standard uninstall method for the software using the same name as shown in the advertisement it
presents.
Advertisements shown to you must:
Be distinguishable from website content.
Not mislead, deceive, or confuse.
Not contain malicious code.
Not invoke a file download.
Consumer opinion
Microsoft maintains a worldwide network of analysts and intelligence systems where you can submit software for
analysis. Your participation helps us identify new malware quickly. After analysis, Microsoft creates Security
intelligence for software that meets the described criteria. This Security intelligence identifies the software as
malware and is available to all users through Windows Defender Antivirus and other Microsoft antimalware
solutions.
Potentially unwanted application (PUA)
Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This optional
protection, available to enterprises, helps deliver more productive, performant, and delightful Windows
experiences.
PUAs are not considered malware.
Microsoft uses specific categories and the category definitions to classify software as a PUA.
Advertising software: Software that displays advertisements or promotions, or prompts the user to
complete surveys for other products or services in software other than itself. This includes software that
inserts advertisements to webpages.
Torrent software: Software that is used to create or download torrents or other files specifically used with
peer-to-peer file-sharing technologies.
Cryptomining software: Software that uses your computer resources to mine cryptocurrencies.
Bundling software: Software that offers to install other software that is not digitally signed by the same
entity. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in
this document.
Marketing software: Software that monitors and transmits the activities of the user to applications or
services other than itself for marketing research.
Evasion software: Software that actively tries to evade detection by security products, including software
that behaves differently in the presence of security products.
Poor industry reputation: Software that trusted security providers detect with their security products. The
security industry is dedicated to protecting customers and improving their experiences. Microsoft and other
organizations in the security industry continuously exchange knowledge about files we have analyzed to
provide users with the best possible protection.
Submit files for analysis
4/8/2019 • 3 minutes to read
If you have a file that you suspect might be malware or is being incorrectly detected, you can submit it to us for
analysis. This page has answers to some common questions about submitting a file for analysis.
Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply
download it and run a scan to find malware and try to reverse changes made by identified threats.
Download Microsoft Safety Scanner (32-bit)
Download Microsoft Safety Scanner (64-bit)
Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We
recommend that you always download the latest version of this tool before each scan.
NOTE: This tool does not replace your antimalware product. For real-time protection with automatic updates,
use Windows Defender Antivirus on Windows 10 and Windows 8 or Microsoft Security Essentials on
Windows 7. These antimalware products also provide powerful malware removal capabilities. If you are
having difficulties removing malware with these products, you can refer to our help on removing difficult
threats.
NOTE: Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon
on the desktop. Note where you saved this download.
System requirements
Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech
Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2016, Windows Server Tech Preview, Windows
Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the
Microsoft Lifecycle Policy.
Related resources
Troubleshooting Safety Scanner
Windows Defender Antivirus
Microsoft Security Essentials
Removing difficult threats
Submit file for malware analysis
Microsoft antimalware and threat protection solutions
Top scoring in industry tests
4/8/2019 • 5 minutes to read
Windows Defender Advanced Threat Protection (Windows Defender ATP) technologies consistently achieve high
scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft
aims to be transparent about these test scores. This page summarizes the results and provides analysis.
Microsoft has several industry-wide collaboration programs with different objectives and requirements. Enrolling
in the right program can help you protect your customers, gain more insight into the current threat landscape, or
assist in disrupting the malware ecosystem.
The Virus Information Alliance (VIA) is a public antimalware collaboration program for security software
providers, security service providers, antimalware testing organizations, and other organizations involved in
fighting cybercrime.
Members of the VIA program collaborate by exchanging technical information on malicious software with
Microsoft, with the goal of improving protection for Microsoft customers.
The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with
Windows.
MVI members will receive access to Windows APIs (such as those used by Windows Defender Antivirus), and
other technologies including IOAV, AMSI and Cloud Files, malware telemetry and samples, and invitations to
security related events and conferences.
MVI requires members to develop and own antimalware technology and to be present in the antimalware industry
community.
Join MVI
A request for membership is made by an individual as a representative of an organization that develops and
produces antimalware or antivirus technology.
Initial selection criteria
Your organization must meet the following eligibility requirements to qualify for the MVI program:
1. Offer an antimalware or antivirus product that is one of the following:
Your organization's own creation.
Developed by using an SDK (engine and other components) from another MVI Partner company and
your organization adds a custom UI and/or other functionality.
2. Have your own malware research team unless you build a product based on an SDK.
3. Be active and have a positive reputation in the antimalware industry. Your organization is:
Certified through independent testing by an industry standard organization such as ICSA Labs, West
Coast Labs, PCSL IT Consulting Institute, or SKD Labs.
Be active in the antimalware industry. For example, participate in industry conferences, be reviewed in an
industry standard report such as AV Comparatives, OPSWAT or Gartner.
4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft.
5. Be willing to sign a program license agreement.
6. Be willing to adhere to program requirements for antimalware apps. These requirements define the
behavior of antimalware apps necessary to ensure proper interaction with Windows.
7. Submit your app to Microsoft for periodic performance testing.
Apply now
If your organization meets these criteria and is interested in joining, apply for membership now. If you have
questions, contact us for more information.
Coordinated Malware Eradication
4/5/2019 • 2 minutes to read
Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries
together to change the game against malware. While the cybersecurity industry today is effective at disrupting
malware families through individual efforts, those disruptions rarely lead to eradication since malware authors
quickly adapt their tactics to survive.
CME calls for organizations to pool their tools, information and actions to drive coordinated campaigns against
malware. The ultimate goal is to drive efficient and long lasting results for better protection of our collective
communities, customers, and businesses.
Learn about the common questions we receive from software developers and get other developer resources such
as detection criteria and file submissions.
In this section
TOPIC DESCRIPTION
This page provides answers to common questions we receive from software developers. For general guidance
about submitting malware or incorrectly detected files, read the submission guide.
Concerned about the detection of your software? If you believe that your application or program has been
incorrectly detected by Microsoft security software, submit the relevant files for analysis.
Check out the following resources for information on how to submit and view submissions:
Submit files
View your submissions
Additional resources
Detection criteria
To objectively identify malware and unidentified software, Microsoft applies a set of criteria for evaluating
malicious or potentially harmful code.
Developer questions
Find more guidance about the file submission and detection dispute process in our FAQ for software developers.
Scan your software
Use Windows Defender Antivirus to check your software against the latest Security intelligence and cloud
protection from Microsoft.
FIPS 140 Validation
4/5/2019 • 166 minutes to read
On this page
Introduction
FIPS 140 Overview
Microsoft Product Validation (Information for Procurement Officers and Auditors)
Information for System Integrators
Information for Software Developers
FIPS 140 FAQ
Microsoft FIPS 140 Validated Cryptographic Modules
Cryptographic Algorithms
Updated: March 2018
Introduction
This document provides information on how Microsoft products and cryptographic modules comply with the U.S.
Federal government standard, Federal Information Processing Standard (FIPS) 140 – Security Requirements for
Cryptographic Modules [FIPS 140].
Audience
This document is primarily focused on providing information for three parties:
Procurement Officer – Responsible for verifying that Microsoft products (or even third-party applications) are
either FIPS 140 validated or utilize a Microsoft FIPS 140 validated cryptographic module.
System Integrator – Responsible for ensuring that Microsoft Products are configured properly to use only FIPS
140 validated cryptographic modules.
Software Developer – Responsible for building software products that utilize Microsoft FIPS 140 validated
cryptographic modules.
Document Map
This document is broken into seven major sections:
FIPS 140 Overview – Provides an overview of the FIPS 140 standard as well as provides some historical
information about the standard.
Microsoft Product Validation (Information for Procurement Officers and Auditors) – Provides information on how
Microsoft products are FIPS 140 validated.
Information for System Integrators – Describes how to configure and verify that Microsoft Products are being used
in a manner consistent with the product’s FIPS 140 Security Policy.
Information for Software Developers – Identifies how developers can leverage the Microsoft FIPS 140 validated
cryptographic modules.
FAQ – Frequently Asked Questions.
Microsoft FIPS 140 Validated Cryptographic Modules – Explains Microsoft cryptographic architecture and
identifies specific modules that are FIPS 140 validated.
Cryptographic Algorithms – Lists the cryptographic algorithm, modes, states, key sizes, Windows versions, and
corresponding cryptographic algorithm validation certificates.
Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)
Kernel Mode Cryptographic Primitives Library (cng.sys), version 10.0.15063, FIPS Certificate #3094
FIPS Approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281)
Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)
Kernel Mode Cryptographic Primitives Library (cng.sys), version 10.0.14393, FIPS Certificate #2936
FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887)
Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
[4] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
[5] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
[6] Applies only to Home, Pro and Enterprise
[7] Applies only to Pro, Enterprise, Mobile and Surface Hub
[8] Applies only to Enterprise and Enterprise LTSB
Windows 10 (Version 1507)
Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub
Other algorithms: MD5#1168 and ); HMAC (Cert. ); RSA (Cert. ); SHS (Cert. )
Windows Vista SP1
Windows Vista
Windows XP SP3
Windows XP SP2
Windows XP SP1
Windows XP
Windows 2000 SP3
Cryptographic Module | Version (link to Security Policy) | FIPS Certificate # | Algorithms
Windows 2000 SP2
Windows 2000 SP1
Windows 2000
Windows 95 and Windows 98
Windows NT 4.0
Windows Server
Windows Server 2016
Windows Server 2012 R2
[16] Does not apply to Azure StorSimple Virtual Array Windows Server 2012 R2
[17] Does not apply to Azure StorSimple Virtual Array Windows Server 2012 R2
Windows Server 2012
Validated Editions: Server, Storage Server
Windows Server 2008 R2
Windows Server 2008
Windows Server 2003 SP2
Windows Server 2003 SP1
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) | 5.2.3790.1830 [Service Pack 1] | 381 | FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)
Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40
[1] x86
[2] SP1 x86, x64, IA64
Windows Server 2003
Other Products
Windows Embedded Compact 7 and Windows Embedded Compact 8
Windows CE 6.0 and Windows Embedded Compact 7
Cryptographic Algorithms
The following tables are organized by cryptographic algorithm with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate.
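The capability strings in the tables below follow a fixed CAVP notation ("e/d" for encrypt and decrypt tested, "int only" for an internally generated CTR counter, "KS:" for key sizes, and for CCM and GCM the tested nonce and tag lengths and IV flags). A certificate only vouches for the parameter combinations that were actually tested, so a practitioner's first question is usually "is my configuration inside the tested envelope?". The following example, added here and not code from the Microsoft page, parses those strings and answers that question. The sample inputs are copied from the AES rows for SymCrypt #4064 and BitLocker #4061 (Windows 10 1607); the function names, the reading of CCM nonce/tag lengths as bytes and GCM tag lengths as bits, and the treatment of `96BitIV_Supported` / `OtherIVLen_Supported` as the only evidence for tested IV lengths are this example's own assumptions.

```python
import re

# Constructed sample inputs: CAVP capability strings as printed in the AES table
# on this page (SymCrypt #4064 and BitLocker #4061, Windows 10 1607).
BLOCK_MODES_4064 = (
    "ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); "
    "CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); "
    "CTR ( int only; 128 , 192 , 256 )"
)
CCM_4064 = (
    "CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) "
    "(Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 "
    "(Tag Length(s): 4 6 8 10 12 14 16 )"
)
CCM_BITLOCKER_4061 = (
    "CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) "
    "(Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )"
)
GCM_4064 = (
    "GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) "
    "(KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) "
    "(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) "
    "IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; "
    "AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; "
    "96BitIV_Supported GMAC_Supported"
)


def _ints(text):
    """'128 , 192 , 256 ' or '7 8 9' -> {128, 192, 256} / {7, 8, 9}."""
    return {int(t) for t in re.findall(r"\d+", text)}


def parse_block_modes(s):
    """Parse 'MODE ( e/d; 128 , 192 , 256 ); ...' into {mode: {"ops", "keys"}}.
    'e/d' = encrypt and decrypt tested; 'int only' = CTR tested with an
    internally generated counter (CAVP notation, as read by this example)."""
    modes = {}
    for mode, ops, keys in re.findall(r"(\w+)\s*\(\s*([^;()]*?)\s*;\s*([\d ,]+)\)", s):
        modes[mode] = {"ops": set(ops.split("/")) if "/" in ops else {ops},
                       "keys": _ints(keys)}
    return modes


def parse_ccm(s):
    """Parse a CAVP CCM string. Nonce and tag lengths are taken to be in bytes
    (SP 800-38C allows 7..13-byte nonces and 4..16-byte even-length tags)."""
    return {
        "keys": _ints(re.search(r"CCM \(KS:\s*([\d ,]+)\)", s).group(1)),
        "nonce_bytes": _ints(re.search(r"Nonce Length\(s\):\s*([\d ]+)\(", s).group(1)),
        "tag_bytes": _ints(re.search(r"Tag Length\(s\):\s*([\d ]+)\)", s).group(1)),
        "payload_range": tuple(map(int, re.search(
            r"Payload Length Range:\s*(\d+)\s*-\s*(\d+)", s).groups())),
    }


def parse_gcm(s):
    """Parse a CAVP GCM string: tested tag lengths (bits) per key size plus IV flags."""
    caps = {"tag_bits": {},
            "iv_external": bool(re.search(r"IV Generated:\s*\(\s*External", s)),
            "iv96_supported": "96BitIV_Supported" in s,
            "other_iv_supported": "OtherIVLen_Supported" in s,
            "gmac_supported": "GMAC_Supported" in s}
    for key_bits, tags in re.findall(
            r"AES_(\d+)\(\s*[^)]*\)\s*Tag Length\(s\):\s*([\d ]+)\)", s):
        caps["tag_bits"][int(key_bits)] = _ints(tags)
    return caps


def aead_config_is_validated(mode, key_bits, nonce_bytes, tag_bits, caps):
    """True if (key size, nonce length, tag length) lies inside the tested envelope
    of a parsed CCM or GCM capability; anything outside it was never tested."""
    if mode == "CCM":
        return (key_bits in caps["keys"] and nonce_bytes in caps["nonce_bytes"]
                and tag_bits % 8 == 0 and tag_bits // 8 in caps["tag_bytes"])
    if mode == "GCM":
        nonce_ok = caps["iv96_supported"] if nonce_bytes == 12 else caps["other_iv_supported"]
        return nonce_ok and tag_bits in caps["tag_bits"].get(key_bits, set())
    raise ValueError(f"not an AEAD mode in this table: {mode}")


if __name__ == "__main__":
    ccm, gcm = parse_ccm(CCM_4064), parse_gcm(GCM_4064)
    print({m: sorted(v["keys"]) for m, v in parse_block_modes(BLOCK_MODES_4064).items()})
    print("CCM 256/12-byte nonce/128-bit tag:", aead_config_is_validated("CCM", 256, 12, 128, ccm))
    print("GCM 256/16-byte IV/128-bit tag:", aead_config_is_validated("GCM", 256, 16, 128, gcm))
    print("GCM IV is supplied by the caller:", gcm["iv_external"])
```

Two things the parsed result makes visible that the raw table does not: the BitLocker implementation (#4061) is validated for CCM only with AES-256, a 12-byte nonce and a 16-byte tag, so a 128-bit key or a shorter tag through that implementation falls outside the certificate; and every GCM row on this page says "IV Generated: Externally", which means the validated code takes the IV from the caller, and the certificate says nothing about how that caller generates it. Reusing a GCM nonce under the same key defeats both the confidentiality and the authenticity of the mode, so the IV discipline has to be reviewed separately from the validation status.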
Advanced Encryption Standard (AES)

AES Val#4897
CBC ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); OFB ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627
    Version 10.0.15063

KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
AES Val#4624
    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626
    Version 10.0.15063

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
AES Val#4624
    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker® Cryptographic Implementations #4625
    Version 10.0.15063

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported GMAC_Supported
XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )
    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624
    Version 10.0.15063

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 )
    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434
    Version 7.00.2872

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 )
    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433
    Version 8.00.6246

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431
    Version 7.00.2872

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430
    Version 8.00.6246

CBC ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); OFB ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074
    Version 10.0.14393

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported GMAC_Supported
XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064
    Version 10.0.14393

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 )
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
    Version 10.0.14393

KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )
AES Val#4064
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062
    Version 10.0.14393

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
AES Val#4064
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061
    Version 10.0.14393

KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
AES Val#3629
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652
    Version 10.0.10586

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
AES Val#3629
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653
    Version 10.0.10586

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 )
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
    Version 10.0.10586

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported GMAC_Supported
XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
    Version 10.0.10586

KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
AES Val#3497
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507
    Version 10.0.10240

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
AES Val#3497
    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498
    Version 10.0.10240

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported GMAC_Supported
XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )
    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
    Version 10.0.10240

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 )
    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
    Version 10.0.10240

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 )
    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853
    Version 6.3.9600

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
AES Val#2832
    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker® Cryptographic Implementations #2848
    Version 6.3.9600

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported ; OtherIVLen_Supported GMAC_Supported
    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832
    Version 6.3.9600

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
AES Val#2197
CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
AES Val#2197
GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported GMAC_Supported
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
AES Val#2196
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 )
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 )
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
AES Val#1168
    Windows Server 2008 R2 and SP1 CNG algorithms #1187
    Windows 7 Ultimate and SP1 CNG algorithms #1178

CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
AES Val#1168
    Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 )
    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168

GCM; GMAC
    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168, vendor-affirmed

CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
    Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
    Windows Server 2008 CNG algorithms #757
    Windows Vista Ultimate SP1 CNG algorithms #756

CBC ( e/d; 128 , 256 )
    Windows Vista Ultimate BitLocker Drive Encryption #715

CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
    Windows Vista Ultimate BitLocker Drive Encryption #424

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 )
    Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739
    Windows Vista Symmetric Algorithm Implementation #553

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 )
    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024
    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818
    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781
    Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548
    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516
    Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507
    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290
    Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224
    Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80
    Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33
Deterministic Random Bit Generator (DRBG)

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]
    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556
    Version 10.0.15063

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]
    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555
    Version 10.0.15063

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]
    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433
    Version 7.00.2872

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]
    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432
    Version 8.00.6246

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430
    Version 7.00.2872

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429
    Version 8.00.6246

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222
    Version 10.0.14393

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217
    Version 10.0.14393

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955
    Version 10.0.10586

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]
    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868
    Version 10.0.10240

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]
    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489
    Version 6.3.9600

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ]
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ]
    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ]
    Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
Digital Signature Algorithm (DSA)

L = 2048, N = 256; L = 3072, N = 256
Prerequisite: SHS #4010, DRBG #1731

FIPS186-2: PRIME; FIPS186-2: KEYGEN(Y): SHS: SHA-1 (BYTE); SIG(gen): SIG(ver) MOD(1024); SHS: SHA-1 (BYTE)
    Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17
Keyed-Hash Message Authentication Code (HMAC)

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062
    Version 10.0.15063

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061
    Version 10.0.15063

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946
    Version 7.00.2872

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945
    Version 8.00.6246

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3649
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3649
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3649
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3649
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943
    Version 7.00.2872

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942
    Version 8.00.6246

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3347
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3347
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3347
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661
    Version 10.0.14393

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3347
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3347
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3347
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3347
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651
    Version 10.0.14393

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3047
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3047
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3047
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3047
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381
    Version 10.0.10586

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2886
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2886
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2886
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2886
    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233
    Version 10.0.10240

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2373
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2373
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2373
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2373
    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773
    Version 6.3.9600

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764
    Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122
    Version 5.2.29344

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1903
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1903
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1903
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1903
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#1773
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#1773
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#1773
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#1773
    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#1774
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#1774
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#1774
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#1774
    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#1081
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#1081
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#1081
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#1081
    Windows Server 2008 R2 and SP1 CNG algorithms #686
    Windows 7 and SP1 CNG algorithms #677
    Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687
    Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#1081
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#1081
    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#816
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#816
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#816
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#816
    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#753
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#753
    Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#753
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#753
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#753
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#753
    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408
    Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#618
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#618
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#618
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#618
    Windows Vista Enhanced Cryptographic Provider (RSAENH) #297

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#785
    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429
    Windows XP, vendor-affirmed

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#783
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#783
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#783
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#783
    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#613
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#613
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#613
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#613
    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#610
    Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#753
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#753
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#753
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#753
    Windows Server 2008 CNG algorithms #413
    Windows Vista Ultimate SP1 CNG algorithms #412

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#737
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#737
    Windows Vista Ultimate BitLocker Drive Encryption #386

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#618
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#618
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#618
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#618
    Windows Vista CNG algorithms #298
HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile
SHSVal#589 Enhanced Cryptographic Provider (RSAENH) #267
HMAC-SHA256 ( Key Size Ranges Tested: KSBS
)SHSVal#589
HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
SHSVal#589
HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
SHSVal#589
HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5
SHSVal#578 Enhanced Cryptographic Provider (RSAENH) #260
HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
SHSVal#578
HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
SHSVal#578
HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
SHSVal#578
HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495 Windows Vista BitLocker Drive Encryption #199
HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) Windows Server 2003 SP1 Enhanced Cryptographic
SHSVal#364 Provider (RSAENH) #99
Windows XP, vendor-affirmed
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) Windows CE 5.00 and Windows CE 5.01 Enhanced
SHSVal#305 Cryptographic Provider (RSAENH) #31
HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
SHSVal#305
HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
SHSVal#305
HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
SHSVal#305
Implementation: Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128, Version 10.0.15063
Schemes: ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration) SCHEMES [ FullUnified ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
SHS Val#3790, DSA Val#1135, DRBG Val#1556

Implementation: Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127, Version 10.0.15063
Schemes: FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS Val#3790, DSA Val#1223, DRBG Val#1555
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
SHS Val#3790, ECDSA Val#1133, DRBG Val#1555

Implementation: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115, Version 7.00.2872
Schemes: FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS Val#3649, DSA Val#1188, DRBG Val#1430
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]

Implementation: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114, Version 8.00.6246
Schemes: FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhHybridOneFlow ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS Val#3648, DSA Val#1187, DRBG Val#1429
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
SHS Val#3648, ECDSA Val#1072, DRBG Val#1429

Implementation: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93, Version 10.0.14393
Schemes: ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration) SCHEMES [ FullUnified ( No_KC < KARole(s): Initiator / Responder > < KDF: CONCAT > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
SHS Val#3347, ECDSA Val#920, DRBG Val#1222

Implementation: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92, Version 10.0.14393
Schemes: FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS Val#3347, DSA Val#1098, DRBG Val#1217
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
SHS Val#3347, DSA Val#1098, ECDSA Val#911, DRBG Val#1217, HMAC Val#2651

Implementation: Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72, Version 10.0.10586
Schemes: FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS Val#3047, DSA Val#1024, DRBG Val#955
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
SHS Val#3047, ECDSA Val#760, DRBG Val#955

Implementation: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64, Version 10.0.10240
Schemes: FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS Val#2886, DSA Val#983, DRBG Val#868
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
SHS Val#2886, ECDSA Val#706, DRBG Val#868

Implementation: Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47, Version 6.3.9600
Schemes: FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS Val#2373, DSA Val#855, DRBG Val#489
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
SHS Val#2373, ECDSA Val#505, DRBG Val#489

Implementation: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36
Schemes: FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS #1903, DSA Val#687, DRBG #258
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
Implementation: Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141, Version 10.0.15063
Modes: CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
KAS Val#128, DRBG Val#1556, MAC Val#3062

Implementation: Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140, Version 10.0.15063
Modes: CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
KAS Val#127, AES Val#4624, DRBG Val#1555, MAC Val#3061

Implementation: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102, Version 10.0.14393
Modes: CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
KAS Val#93, DRBG Val#1222, MAC Val#2661

Implementation: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101, Version 10.0.14393
Modes: CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
KAS Val#92, AES Val#4064, DRBG Val#1217, MAC Val#2651

Implementation: Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72, Version 10.0.10586
Modes: CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
KAS Val#72, AES Val#3629, DRBG Val#955, MAC Val#2381

Implementation: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66, Version 10.0.10240
Modes: CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
KAS Val#64, AES Val#3497, RBG Val#868, MAC Val#2233

Implementation: Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30, Version 6.3.9600
Modes: CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
DRBG Val#489, MAC Val#1773

Implementation: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
Modes: CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
DRBG #258, HMAC Val#1345
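The CTR_Mode rows above record the SP 800-108 counter-mode KBKDF parameters each implementation was tested with. The block below is an added illustration, not Microsoft's code, of that construction with HMAC-SHA256 as the PRF, a 32-bit counter placed before the fixed input data (the rlength( [32] ) and LocationCounter( [BeforeFixedData] ) fields); the key, label and context values are constructed sample inputs, not CAVP test vectors.

```python
"""SP 800-108 counter-mode KBKDF, HMAC as PRF (added example, not Microsoft code).

Each output block is
    K(i) = HMAC(K_in, [i]_r || Label || 0x00 || Context || [L]_32)
where [i]_r is the r-bit big-endian counter (rlength), placed before the
fixed input data (LocationCounter = BeforeFixedData) and L is the requested
output length in bits.
"""
import hashlib
import hmac
import math


def kbkdf_ctr(key_in: bytes, label: bytes, context: bytes, out_bytes: int,
              hash_name: str = "sha256", counter_bits: int = 32) -> bytes:
    """Counter-mode KBKDF (SP 800-108 section 5.1) with HMAC-<hash_name>.

    key_in       key derivation key K_in
    label        purpose of the derived key (e.g. b"enc")
    context      binds the key to the parties or session
    out_bytes    length of keying material to return
    counter_bits width of the counter field r; the CAVP rows list 32
    """
    if counter_bits % 8 != 0 or not 8 <= counter_bits <= 32:
        raise ValueError("counter width must be 8, 16, 24 or 32 bits")
    h_len = hashlib.new(hash_name).digest_size
    n = math.ceil(out_bytes / h_len)
    if n > (1 << counter_bits) - 1:
        raise ValueError("requested output exceeds the counter range")
    # L is encoded in bits; the standard leaves its width to the
    # implementation, 32 bits is used here.
    l_field = (out_bytes * 8).to_bytes(4, "big")
    fixed_data = label + b"\x00" + context + l_field
    out = b""
    for i in range(1, n + 1):
        counter = i.to_bytes(counter_bits // 8, "big")
        # BeforeFixedData: the counter is the first thing fed to the PRF
        out += hmac.new(key_in, counter + fixed_data, hash_name).digest()
    return out[:out_bytes]


# Constructed sample inputs (not CAVP vectors).
KEY_IN = bytes.fromhex("0b" * 32)
CONTEXT = b"device-id:EXAMPLE|session:0001"


def derive_session_keys(key_in: bytes = KEY_IN, context: bytes = CONTEXT) -> dict:
    """Derive separate encryption and MAC keys from one key derivation key.

    Distinct labels give cryptographically separated keys from the same K_in.
    """
    return {
        "enc": kbkdf_ctr(key_in, b"enc", context, 32),
        "mac": kbkdf_ctr(key_in, b"mac", context, 32),
    }


def prefix_matches(key_in: bytes = KEY_IN, context: bytes = CONTEXT) -> bool:
    """Does the first half of a 64-byte derivation equal a 32-byte derivation?

    Returns False: L is part of the fixed data, so asking for a different
    length changes every block. Truncating a longer output is not a way to
    obtain the shorter key.
    """
    long_out = kbkdf_ctr(key_in, b"enc", context, 64)
    short_out = kbkdf_ctr(key_in, b"enc", context, 32)
    return long_out[:32] == short_out


if __name__ == "__main__":
    keys = derive_session_keys()
    print("enc:", keys["enc"].hex())
    print("mac:", keys["mac"].hex())
    print("64-byte prefix equals 32-byte key:", prefix_matches())
```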
Implementation: Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649
Modes: FIPS 186-2 [ (x-Change Notice); (SHA-1) ]

Implementation: Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435; Windows Vista RNG implementation #321
Modes: FIPS 186-2 General Purpose [ (x-Change Notice); (SHA-1) ]

Implementation: Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470; Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449; Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447; Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316; Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313
Modes: FIPS 186-2 General Purpose [ (x-Change Notice); (SHA-1) ]
RSA
SHA Val#2373

Implementation: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
Modes: FIPS186-4: ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 )); SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 )). [RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 )); Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
SHA #1903
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

Implementation: Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559
Modes: FIPS186-2: ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559.

Implementation: Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353
Modes: FIPS186-2: ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353.

Implementation: Windows Vista RSA key generation implementation #258
Modes: FIPS186-2: ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258.
Implementation: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886, Version 10.0.10240
Modes: SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Implementation: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871, Version 10.0.10240
Modes: SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Implementation: Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396, Version 6.3.9600
Modes: SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Implementation: Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373, Version 6.3.9600
Modes: SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Implementation: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903; Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902
Modes: SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only). Implementation does not support zero-length (null) messages.

Implementation: Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081; Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816
Modes: SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Implementation: Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753; Windows Vista Symmetric Algorithm Implementation #618
Modes: SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)
Triple DES

Implementation: Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459, Version 10.0.15063
Modes: TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )
Version 10.0.14393
Version 10.0.10586

Implementation: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387
Modes: TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 )

Implementation: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386
Modes: TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 )

Implementation: Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846
Modes: TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 )

Implementation: Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656
Modes: TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 )

Implementation: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed; Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed
Modes: Triple DES MAC

Implementation: Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308; Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307; Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691; Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677; Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676; Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675; Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544; Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543; Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542; Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526; Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517; Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381; Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370; Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365; Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315; Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201; Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199; Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192; Windows XP Microsoft Enhanced Cryptographic Provider #81; Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18; Crypto Driver for Windows 2000 (fips.sys) #16
Modes: TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 )
References
[FIPS 140] - FIPS 140-2, Security Requirements for Cryptographic Modules
[FIPS FAQ] - Cryptographic Module Validation Program (CMVP) FAQ
[SP 800-57] - Recommendation for Key Management – Part 1: General (Revised)
[SP 800-131A] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
Additional Microsoft References
Enabling FIPS mode - http://support.microsoft.com/kb/811833
Cipher Suites in Schannel - http://msdn.microsoft.com/library/aa374757(VS.85).aspx
Common Criteria Certifications
4/8/2019
Microsoft is committed to optimizing the security of its products and services. As part of that commitment,
Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the
features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria
certifications of Microsoft Windows products.
Applies to
Windows 10, version 1703 and later
This library describes the Windows Security app, and provides information on configuring certain features,
including:
Showing and customizing contact information on the app and in notifications
Hiding notifications
In Windows 10, version 1709 and later, the app also shows information from third-party antivirus and firewall
apps.
In Windows 10, version 1803, the app has two new areas, Account protection and Device security.
NOTE
The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Windows Defender
Security Center web portal console that is used to review and manage Windows Defender Advanced Threat Protection.
You can't uninstall the Windows Security app, but you can do one of the following:
Disable the interface on Windows Server 2016. See Windows Defender Antivirus on Windows Server 2016.
Hide all of the sections on client computers (see below).
Disable Windows Defender Antivirus, if needed. See Enable and configure Windows Defender AV always-on
protection and monitoring.
You can find more information about each section, including options for configuring the sections - such as hiding
each of the sections - at the following topics:
Virus & threat protection, which has information and access to antivirus ransomware protection settings and
notifications, including the Controlled folder access feature of Windows Defender Exploit Guard and sign-in to
Microsoft OneDrive.
Account protection, which has information and access to sign-in and account protection settings.
Firewall & network protection, which has information and access to firewall settings, including Windows
Defender Firewall.
App & browser control, covering Windows Defender SmartScreen settings and Exploit protection mitigations.
Device security, which provides access to built-in device security settings.
Device performance & health, which has information about drivers, storage space, and general Windows
Update issues.
Family options, which includes access to parental controls along with tips and information for keeping kids safe
online.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
How the Windows Security app works with Windows security features
IMPORTANT
Windows Defender AV and the Windows Security app use similarly named services for specific purposes.
The Windows Security app uses the Windows Security Service (SecurityHealthService or Windows Security Health Service),
which in turn utilizes the Security Center service (wscsvc) to ensure the app provides the most up-to-date information about
the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender
Firewall, third-party firewalls, and other security protection.
These services do not affect the state of Windows Defender AV. Disabling or modifying these services will not disable
Windows Defender AV, and will lead to a lowered protection state on the endpoint, even if you are using a third-party
antivirus product.
Windows Defender AV will be disabled automatically when a third-party antivirus product is installed and kept up to date.
Disabling the Windows Security Center service will not disable Windows Defender AV or Windows Defender Firewall.
WARNING
If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or
running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you
have installed on the device.
It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you
uninstall any third-party antivirus products you may have previously installed.
This will significantly lower the protection of your device and could lead to malware infection.
The Windows Security app operates as a separate app or process from each of the individual features, and will
display notifications through the Action Center.
It acts as a collector or single place to see the status and perform some configuration for each of the features.
Disabling any of the individual features (through Group Policy or other management tools, such as System Center
Configuration Manager) will prevent that feature from reporting its status in the Windows Security app. The
Windows Security app itself will still run and show status for the other security features.
IMPORTANT
Individually disabling any of the services will not disable the other services or the Windows Security app.
For example, using a third-party antivirus will disable Windows Defender Antivirus. However, the Windows
Security app will still run, show its icon in the taskbar, and display information about the other features, such as
Windows Defender SmartScreen and Windows Defender Firewall.
Customize the Windows Security app for your
organization
4/5/2019
Applies to
Windows 10, version 1709 and later
Audience
Enterprise security administrators
Manageability available with
Group Policy
You can add information about your organization in a contact card to the Windows Security app. This can include a
link to a support site, a phone number for a help desk, and an email address for email-based support.
This information will also be shown in some enterprise-specific notifications (including those for Windows
Defender Exploit Guard, the Block at first sight feature, and potentially unwanted applications).
Users can click on the displayed information to initiate a support request:
Clicking Call or the phone number will open Skype to start a call to the displayed number
Clicking Email or the email address will create a new email in the machine's default email app, addressed to the
displayed email address
Clicking Help portal or the website URL will open the machine's default web browser and go to the displayed
address
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of
Windows do not include these Group Policy settings.
IMPORTANT
You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you
do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and
notifications will not be customized.
Hide Windows Security app notifications
4/5/2019 • 2 minutes to read
Applies to
Windows 10, version 1709 and later
Audience
Enterprise security administrators
Manageability available with
Group Policy
The Windows Security app is used by a number of Windows security features to provide notifications about the
health and security of the machine. These include notifications about firewalls, antivirus products, Windows
Defender SmartScreen, and others.
In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status
updates, or if you want to hide all notifications to the employees in your organization.
There are two levels to hiding notifications:
1. Hide non-critical notifications, such as regular updates about the number of scans Windows Defender Antivirus
ran in the past week
2. Hide all notifications
If you set Hide all notifications to Enabled, changing the Hide non-critical notifications setting will have no
effect.
You can only use Group Policy to change these settings.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Notifications.
4. Open the Hide non-critical notifications setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Notifications.
4. Open the Hide all notifications setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
Manage Windows Security in Windows 10 in S mode
4/5/2019 • 2 minutes to read
Applies to
Windows 10 in S mode, version 1803
Audience
Enterprise security administrators
Manageability available with
Microsoft Intune
Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode,
users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize
malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra
protections against phishing and malicious software.
The Windows Security interface is a little different in Windows 10 in S mode. The Virus & threat protection area
has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from
running on devices in your organization. In addition, devices running Windows 10 in S mode receive security
updates automatically.
For more information about Windows 10 in S mode, including how to switch out of S mode, see Windows 10
Pro/Enterprise in S mode.
Virus and threat protection
Applies to
Windows 10, version 1703 and later
The Virus & threat protection section contains information and settings for antivirus protection from Windows
Defender Antivirus and third-party AV products.
In Windows 10, version 1803, this section also contains information and settings for ransomware protection and
recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected
folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also
notifies users and provides recovery instructions in the event of a ransomware attack.
IT administrators and IT pros can get more information and documentation about configuration from the
following:
Windows Defender Antivirus in the Windows Security app
Windows Defender Antivirus documentation library
Protect important folders with Controlled folder access
Defend yourself from cybercrime with new Office 365 capabilities
Office 365 advanced protection
Ransomware detection and recovering your files
You can choose to hide the Virus & threat protection section or the Ransomware protection area from users
of the machine. This can be useful if you don't want employees in your organization to see or have access to user-
configured options for the features shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Virus and threat protection.
4. Open the Hide the Virus and threat protection area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Virus and threat protection.
4. Open the Hide the Ransomware data recovery area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
Account protection
4/5/2019 • 2 minutes to read
Applies to
Windows 10, version 1803 and later
The Account protection section contains information and settings for account protection and sign in. IT
administrators and IT pros can get more information and documentation about configuration from the following:
Microsoft Account
Windows Hello for Business
Lock your Windows 10 PC automatically when you step away from it
You can also choose to hide the section from users of the machine. This can be useful if you don't want employees
in your organization to see or have access to user-configured options for the features shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Account protection.
4. Open the Hide the Account protection area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
Firewall and network protection
4/5/2019 • 2 minutes to read
Applies to
Windows 10, version 1703 and later
The Firewall & network protection section contains information about the firewalls and network connections
used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT
administrators and IT pros can get configuration guidance from the Windows Defender Firewall with Advanced
Security documentation library.
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if
you don't want employees in your organization to see or have access to user-configured options for the features
shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Firewall and network protection.
4. Open the Hide the Firewall and network protection area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
App and browser control
4/5/2019 • 2 minutes to read
Applies to
Windows 10, version 1703 and later
The App and browser control section contains information and settings for Windows Defender SmartScreen. IT
administrators and IT pros can get configuration guidance from the Windows Defender SmartScreen
documentation library.
In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You
can prevent users from modifying these specific options with Group Policy. IT administrators can get more
information at the Exploit protection topic in the Windows Defender Exploit Guard library.
You can also choose to hide the section from users of the machine. This can be useful if you don't want employees
in your organization to see or have access to user-configured options for the features shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > App and browser protection.
4. Open the Prevent users from modifying settings setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > App and browser protection.
4. Open the Hide the App and browser protection area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
Device security
4/5/2019 • 2 minutes to read
Applies to
Windows 10, version 1803 and later
The Device security section contains information and settings for built-in device security.
You can choose to hide the section from users of the machine. This can be useful if you don't want employees in
your organization to see or have access to user-configured options for the features shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Device security.
4. Open the Hide the Device security area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
Disable the Clear TPM button
If you don't want users to be able to click the Clear TPM button in the Windows Security app, you can disable it.
IMPORTANT
Requirements
You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Device security.
4. Open the Disable the Clear TPM button setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
Device performance & health
Applies to
Windows 10, version 1703 and later
The Device performance & health section contains information about hardware, devices, and drivers related to
the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues
they are seeing, such as the configure the Load and unload device drivers security policy setting and how to deploy
drivers during Windows 10 deployment using System Center Configuration Manager.
The Windows 10 IT pro troubleshooting topic, and the main Windows 10 documentation library can also be
helpful for resolving issues.
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if
you don't want employees in your organization to see or have access to user-configured options for the features
shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Device performance and health.
4. Open the Hide the Device performance and health area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
Family options
4/5/2019 • 2 minutes to read
Applies to
Windows 10, version 1703 and later
The Family options section contains links to settings and further information for parents of a Windows 10 PC. It
is not generally intended for enterprise or business environments.
Home users can learn more at the Help protect your family online in Windows Security topic at support.microsoft.com.
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if
you don't want employees in your organization to see or have access to this section.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Family options.
4. Open the Hide the Family options area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
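The following script is an added example and is not part of the original article or of Microsoft's own tooling. It serves the notification procedures and all of the hide-area procedures above: after a GPO has been deployed, it reads the policy values those Windows Security administrative templates write and reports which notifications and areas are actually hidden, whether the Exploit protection and Clear TPM lockdowns are in effect, and whether every area is hidden (the restricted-interface case). The registry value names (DisableNotifications, DisableEnhancedNotifications, UILockdown, HideRansomwareRecovery, DisallowExploitProtectionOverride, DisableClearTpmButton) are assumptions taken from the Windows Security ADMX template and should be verified against the version you deploy.

```powershell
# Added example (not from the original article): audits which Windows Security
# app notifications and areas a deployed GPO has hidden, by reading the policy
# registry values written by the "Windows Security" administrative templates.
# Assumed value names (verify against WindowsDefenderSecurityCenter.admx):
#   Notifications\DisableNotifications           -> Hide all notifications
#   Notifications\DisableEnhancedNotifications   -> Hide non-critical notifications
#   <Area>\UILockdown                            -> Hide the <Area> area
#   Virus and threat protection\HideRansomwareRecovery
#   App and browser protection\DisallowExploitProtectionOverride
#   Device security\DisableClearTpmButton
# Read-only. Run on a target machine after "gpupdate /force"; needs Windows 10
# 1709+ (Account protection / Device security 1803+, Clear TPM button 1809+).

$Root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center'

function Get-PolicyFlag {
    param([string]$SubKey, [string]$Name)
    # A missing key or value means "Not configured", which reads as $false here.
    $path  = Join-Path $Root $SubKey
    $value = (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
    return ($value -eq 1)
}

function Get-SecurityAppLockdown {
    $hideAll         = Get-PolicyFlag 'Notifications' 'DisableNotifications'
    $hideNonCritical = Get-PolicyFlag 'Notifications' 'DisableEnhancedNotifications'

    $areas = 'Virus and threat protection', 'Account protection',
             'Firewall and network protection', 'App and browser protection',
             'Device security', 'Device performance and health', 'Family options'
    $hidden = @($areas | Where-Object { Get-PolicyFlag $_ 'UILockdown' })

    [pscustomobject]@{
        HideAllNotifications         = $hideAll
        # Per the article, "Hide all notifications" makes the non-critical
        # setting irrelevant, so report the effective state rather than the raw value.
        HideNonCriticalNotifications = ($hideNonCritical -or $hideAll)
        HiddenAreas                  = $hidden
        AllAreasHidden               = ($hidden.Count -eq $areas.Count)
        RansomwareRecoveryHidden     = Get-PolicyFlag 'Virus and threat protection' 'HideRansomwareRecovery'
        ExploitProtectionLocked      = Get-PolicyFlag 'App and browser protection' 'DisallowExploitProtectionOverride'
        ClearTpmButtonDisabled       = Get-PolicyFlag 'Device security' 'DisableClearTpmButton'
    }
}

Get-SecurityAppLockdown | Format-List
```

Because the script reads the Policies hive rather than the app's own state, it tells you what the GPO delivered, not what the user currently sees; a machine that has not yet refreshed policy will report everything as visible.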
Windows Defender SmartScreen
5/3/2019 • 3 minutes to read
Applies to:
Windows 10
Windows 10 Mobile
Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as
phishing or malware websites, or if an employee tries to download potentially malicious files.
SmartScreen determines whether a site is potentially malicious by:
Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages,
SmartScreen shows a warning page, advising caution.
Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it
finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.
SmartScreen determines whether a downloaded app or app installer is potentially malicious by:
Checking downloaded files against a list of reported malicious software sites and programs known to be
unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be
malicious.
Checking downloaded files against a list of files that are well known and downloaded by many Windows
users. If the file isn't on that list, SmartScreen shows a warning, advising caution.
NOTE
Before Windows 10, version 1703 this feature was called the SmartScreen Filter when used within the browser and
Windows SmartScreen when used outside of the browser.
Related topics
SmartScreen Frequently Asked Questions (FAQ)
Threat protection
Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
4/5/2019 • 6 minutes to read
Applies to:
Windows 10
Windows 10 Mobile
Windows Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM)
settings to help you manage your organization's computer settings. Based on how you set up Windows Defender
SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site
entirely.
See Windows 10 (and later) settings to protect devices using Intune for the controls you can use in Intune.
Group Policy settings

Setting: Windows 10, version 1703: Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen. Windows 10, version 1607 and earlier: Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen
Supported on: At least Windows Server 2012, Windows 8 or Windows RT
Description: This policy setting turns on Windows Defender SmartScreen.
If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).
If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.
If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

Setting: Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
Supported on: Windows 10, version 1703
Description: This setting helps protect PCs by allowing users to install apps only from the Microsoft Store. SmartScreen must be enabled for this feature to work properly.
If you enable this setting, your employees can only install apps from the Microsoft Store.
If you disable this setting, your employees can install apps from anywhere, including as a download from the Internet.
If you don't configure this setting, your employees can choose whether they can install from anywhere or only from the Microsoft Store.

Setting: Windows 10, version 1703: Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen. Windows 10, version 1607 and earlier: Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen
Supported on: Microsoft Edge on Windows 10 or later
Description: This policy setting turns on Windows Defender SmartScreen.
If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off.
If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.
If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

Setting: Windows 10, version 1703: Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files. Windows 10, versions 1511 and 1607: Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files
Supported on: Microsoft Edge on Windows 10, version 1511 or later
Description: This policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious files.
If you enable this setting, it stops employees from bypassing the warning, stopping the file download.
If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.

Setting: Windows 10, version 1703: Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites. Windows 10, versions 1511 and 1607: Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites
Supported on: Microsoft Edge on Windows 10, version 1511 or later
Description: This policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious sites.
If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.
If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.

Setting: Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter
Supported on: Internet Explorer 9 or later
Description: This policy setting prevents the employee from managing SmartScreen Filter.
If you enable this policy setting, the employee isn't prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.
If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on SmartScreen Filter during the first-run experience.

Setting: Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings
Supported on: Internet Explorer 8 or later
Description: This policy setting determines whether an employee can bypass warnings from SmartScreen Filter.
If you enable this policy setting, SmartScreen Filter warnings block the employee.
If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings.

Setting: Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
Supported on: Internet Explorer 9 or later
Description: This policy setting determines whether the employee can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.
If you enable this policy setting, SmartScreen Filter warnings block the employee.
If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings.
MDM settings
If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings
support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft
Intune) and Windows 10 Mobile devices.
For SmartScreen Internet Explorer MDM policies, see Policy CSP - InternetExplorer.

Setting: PreventSmartScreenPromptOverride
Supported versions: Windows 10, version 1511 and later
URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
Data type: Integer
Allowed values:
0. Employees can ignore SmartScreen warnings.
1. Employees can't ignore SmartScreen warnings.

Setting: PreventSmartScreenPromptOverrideForFiles
Supported versions: Windows 10, version 1511 and later
URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
Data type: Integer
Allowed values:
0. Employees can ignore SmartScreen warnings for files.
1. Employees can't ignore SmartScreen warnings for files.
Recommended Group Policy settings

Group Policy setting: Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
Recommendation: Enable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.

Group Policy setting: Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
Recommendation: Enable. Stops employees from ignoring warning messages and continuing to download potentially malicious files.

Group Policy setting: Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreen
Recommendation: Enable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.
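The following script is an added example and is not part of the original article or of Microsoft's own tooling. It checks a machine against the three recommended settings above (plus the Edge "turn on SmartScreen" policy they depend on) by reading the policy registry values those Group Policy settings write, and exits non-zero on drift so it can run from a scheduled compliance job. The registry locations and value names (Windows\System\EnableSmartScreen and ShellSmartScreenLevel for Explorer; MicrosoftEdge\PhishingFilter\EnabledV9, PreventOverride and PreventOverrideAppRepUnknown for the legacy Edge browser) are assumptions taken from the SmartScreen and Microsoft Edge ADMX templates and should be verified against the templates you deploy.

```powershell
# Added example (not from the original article): verifies the recommended
# SmartScreen hardening (Explorer: Warn and prevent bypass; Edge: no bypass of
# site or file prompts) by reading the policy values those GP settings write.
# Assumed locations (verify against your ADMX templates):
#   HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
#       EnableSmartScreen      DWORD  1 = SmartScreen forced on
#       ShellSmartScreenLevel  SZ     "Warn" or "Block" (Warn and prevent bypass)
#   HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter
#       EnabledV9                      DWORD  1 = SmartScreen forced on in Edge
#       PreventOverride                DWORD  1 = cannot bypass site prompts
#       PreventOverrideAppRepUnknown   DWORD  1 = cannot bypass file prompts
# Read-only; safe to run on production machines.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # "Not configured" (missing key or value) comes back as $null.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-SmartScreenHardening {
    $sys  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $edge = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'

    # Each check is a strict comparison, so "Not configured" (user-changeable)
    # counts as non-compliant, which is the point of the recommendation.
    $checks = [ordered]@{
        'Explorer: SmartScreen forced on'   = (Get-PolicyValue $sys  'EnableSmartScreen') -eq 1
        'Explorer: Warn and prevent bypass' = (Get-PolicyValue $sys  'ShellSmartScreenLevel') -eq 'Block'
        'Edge: SmartScreen forced on'       = (Get-PolicyValue $edge 'EnabledV9') -eq 1
        'Edge: cannot bypass site prompts'  = (Get-PolicyValue $edge 'PreventOverride') -eq 1
        'Edge: cannot bypass file prompts'  = (Get-PolicyValue $edge 'PreventOverrideAppRepUnknown') -eq 1
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Compliant = [bool]$checks[$name] }
    }
}

$result = Test-SmartScreenHardening
$result | Format-Table -AutoSize
# A non-zero exit code lets a configuration-drift job flag this machine.
if ($result | Where-Object { -not $_.Compliant }) { exit 1 }
```

Only the policy hive is consulted: a user who turned SmartScreen on locally but is not locked by policy still fails the "forced on" checks, because the recommendation is that employees cannot turn it off.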
Related topics
Threat protection
Windows Defender SmartScreen overview
Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge
Set up and use Windows Defender SmartScreen on individual devices
4/5/2019 • 3 minutes to read
Applies to:
Windows 10, version 1703
Windows 10 Mobile
Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as
phishing or malware websites, or if an employee tries to download potentially malicious files.
NOTE
If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears
as unavailable to the employee.
Related topics
Threat protection
Windows Defender SmartScreen overview
Device Guard: Windows Defender Application Control and virtualization-based protection of code integrity
4/5/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to
"lock down" Windows systems so they operate with many of the properties of mobile devices. In this
configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature
called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through
the use of virtualization-based protection of code integrity (more specifically, HVCI).
Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However,
when these two technologies are configured to work together, they present a very strong protection capability for
Windows 10 devices. This combined "configuration state" of configurable code integrity and HVCI has been
referred to as Windows Defender Device Guard.
Using configurable code integrity to restrict devices to only authorized apps has these advantages over other
solutions:
1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early
in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. Configurable code integrity allows customers to set application control policy not only over code running in
user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
3. Customers can protect the configurable code integrity policy even from local administrator tampering by
digitally signing the policy. This means that changing the policy would require both administrative
privilege and access to the organization's digital signing process, making it extremely difficult for an attacker
with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the
application control policy.
4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a
vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is
significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would
otherwise have enough privilege to disable most system defenses and override the application control policies
enforced by configurable code integrity or any other application control solution.
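The following script is an added example and is not part of the original article or of Microsoft's own tooling. It reports whether a device is actually in the combined state the article calls Device Guard, a configurable code integrity policy enforced together with HVCI running, by querying the Win32_DeviceGuard WMI class that Windows exposes for this purpose. The numeric codes used (2 in SecurityServicesRunning for HVCI, 0/1/2 for off/audit/enforced in the enforcement-status properties, 2 in AvailableSecurityProperties for Secure Boot) follow the class documentation as I understand it; treat them as an assumption to confirm against the documentation for your build.

```powershell
# Added example (not from the original article): reports whether this device is
# in the combined "Device Guard" state described above, i.e. a configurable
# code integrity policy enforced AND HVCI running, via the Win32_DeviceGuard
# WMI class. Code meanings are assumptions from the class documentation:
#   SecurityServicesRunning              1 = Credential Guard, 2 = HVCI
#   *CodeIntegrityPolicyEnforcementStatus 0 = Off, 1 = Audit, 2 = Enforced
#   AvailableSecurityProperties          2 = Secure Boot, 3 = DMA protection
# Read-only; runs on Windows 10 and Windows Server 2016 without elevation.

function Get-DeviceGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    if (-not $dg) { throw 'Win32_DeviceGuard is not available on this system.' }

    $statusNames = @('Off', 'Audit', 'Enforced')
    $hvciRunning = 2 -in @($dg.SecurityServicesRunning)
    $kernelCi    = [int]$dg.CodeIntegrityPolicyEnforcementStatus
    $userCi      = [int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    $secureBoot  = 2 -in @($dg.AvailableSecurityProperties)

    [pscustomobject]@{
        SecureBootAvailable   = $secureBoot
        HvciRunning           = $hvciRunning
        KernelModeCiPolicy    = $statusNames[$kernelCi]
        UserModeCiPolicy      = $statusNames[$userCi]
        # Audit mode logs but does not block, so only "Enforced" counts here;
        # without HVCI a kernel compromise could still disable the policy.
        DeviceGuardConfigured = ($hvciRunning -and $kernelCi -eq 2)
    }
}

Get-DeviceGuardState | Format-List
```

A device that reports KernelModeCiPolicy as Audit with HvciRunning true has the memory protection but not the application control; one that reports Enforced with HvciRunning false has a policy that the article's point 4 says a kernel exploit could still override. Only the combination satisfies the definition given above.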
Related topics
Windows Defender Application Control
Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender Device Guard
Driver compatibility with Windows Defender Device Guard in Windows 10
Code integrity
Control the health of Windows 10-based devices
3/19/2019 • 61 minutes to read
Applies to
Windows 10
This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and
reporting the health of Windows 10-based devices.
Introduction
In Bring Your Own Device (BYOD) scenarios, employees bring commercially available devices to access both work-
related resources and their personal data. Users want to use the device of their choice to access the organization’s
applications, data, and resources not only from the internal network but also from anywhere. This phenomenon is
also known as the consumerization of IT.
Users want to have the best productivity experience when accessing corporate applications and working on
organization data from their devices. That means they will not tolerate being prompted to enter their work
credentials each time they access an application or a file server. From a security perspective, it also means that
users will manipulate corporate credentials and corporate data on unmanaged devices.
With the increased use of BYOD, there will be more unmanaged and potentially unhealthy systems accessing
corporate services, internal resources, and cloud apps.
Even managed devices can be compromised and become harmful. Organizations need to detect when security has
been breached and react as early as possible in order to protect high-value assets.
As Microsoft moves forward, its security investments focus increasingly not only on preventive defenses but also on detection and response capabilities.
Windows 10 is an important component of an end-to-end security solution that focuses not only on the
implementation of security preventive defenses, but adds device health attestation capabilities to the overall
security strategy.
A robust design needs to establish the user’s identity, strengthen the authentication method if needed, and learn
behavior like the network location the user regularly connects from. Also, a modern approach must be able to
release sensitive content only if user devices are determined to be healthy and secure.
The following figure shows a solution built to assess device health from the cloud. The device authenticates the user through a connection to an identity provider in the cloud. If the managed asset contains highly confidential information, the conditional access engine of the identity provider may elect to verify the security compliance of the mobile device before access is granted. The user's device is able to prove its health status, which can be sent at any time or when mobile device management (MDM) requests it.
Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies such as Unified Extensible Firmware Interface (UEFI) Secure Boot.
Secure Boot is a firmware validation process that helps prevent rootkit attacks; it is part of the UEFI specification. The intent of UEFI is to define a standard way for the operating system to communicate with modern hardware, which can perform faster and with more efficient input/output (I/O) functions than older, software interrupt-driven BIOS systems.
A device health attestation module can communicate measured boot data that is protected by a Trusted Platform Module (TPM) to a remote service. After the device successfully boots, boot process measurement data is sent to a trusted cloud service (Health Attestation Service) using a more secure and tamper-resistant communication channel.
The remote health attestation service performs a series of checks on the measurements. It validates security-related data points, including boot state (Secure Boot, Debug Mode, and so on), and the state of components that manage security (BitLocker, Device Guard, and so on). It then conveys the health state of the device by sending an encrypted health blob back to the device.
An MDM solution typically applies configuration policies and deploys software to devices. MDM defines the
security baseline and knows the level of compliance of the device with regular checks to see what software is
installed and what configuration is enforced, as well as determining the health status of the device.
An MDM solution asks the device to send device health information and forwards the encrypted health blob to the remote health attestation service. The remote health attestation service verifies the device health data, checks that the MDM is communicating with the same device, and then issues a device health report back to the MDM solution.
An MDM solution evaluates the health assertions and, depending on the health rules belonging to the
organization, can decide if the device is healthy. If the device is healthy and compliant, MDM passes that
information to the identity provider so the organization’s access control policy can be invoked to grant access.
Access to content is then authorized to the appropriate level of trust for whatever the health status and other
conditional elements indicate.
Depending on the requirements and the sensitivity of the managed asset, device health status can be combined
with user identity information when processing an access request. Access to content is then authorized to the
appropriate level of trust. The Conditional Access engine may be structured to allow additional verification as
needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, additional
security authentication may need to be established by querying the user to answer a phone call before access is
granted.
Microsoft’s security investments in Windows 10
In Windows 10, there are three pillars of investments:
Secure identities. Microsoft is part of the FIDO Alliance which aims to provide an interoperable method of
secure authentication by moving away from the use of passwords for authentication, both on the local system
as well as for services like on-premises resources and cloud resources.
Information protection. Microsoft is making investments to allow organizations to have better control over
who has access to important data and what they can do with that data. With Windows 10, organizations can
take advantage of policies that specify which applications are considered to be corporate applications and can
be trusted to access secure data.
Threat resistance. Microsoft is helping organizations to better secure enterprise assets against the threats of
malware and attacks by using security defenses relying on hardware.
Protect, control, and report on the security status of Windows 10-based devices
This section is an overview that describes different parts of the end-to-end security solution that helps protect
high-value assets and information from attackers and malware.
The combination of Windows 10-based devices, identity provider, MDM, and remote health attestation creates a
robust end-to-end-solution that provides validation of health and compliance of devices that access high-value
assets.
Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process:
Trusted Platform Module. A Trusted Platform Module (TPM) is a hardware component that provides unique security features.
Windows 10 leverages the security characteristics of a TPM for measuring the boot integrity sequence (and, based on that, automatically unlocking BitLocker-protected drives), for protecting credentials, and for health attestation.
A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of the TPM specification produced by the TCG that are not compatible with each other:
The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized as ISO/IEC 11889.
The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the
keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more
information, see TPM requirements in Windows 10.
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent
and modern security features, Windows 10 supports only TPM 2.0.
TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
Update crypto strength to meet modern security needs
Support for SHA-256 for PCRs
Support for HMAC command
Cryptographic algorithms flexibility to support government needs
TPM 1.2 is severely restricted in terms of what algorithms it can support
TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents
Consistency across implementations
The TPM 1.2 specification allows vendors wide latitude when choosing implementation details
TPM 2.0 standardizes much of this behavior
Secure Boot. Devices with UEFI firmware can be configured to load only trusted operating system bootloaders. Secure Boot does not require a TPM.
The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture. On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can boot using only an OS loader that's signed using a certificate stored in the UEFI Secure Boot DB. Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders is in that store, which allows UEFI to validate the signature as part of its security policy. Secure Boot must be enabled by default on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program.
Secure Boot is a UEFI firmware-based feature, which allows for the signing and verification of critical boot
files and drivers at boot time. Secure Boot checks signature values of the Windows Boot Manager, BCD
store, Windows OS loader file, and other boot critical DLLs at boot time before the system is allowed to fully
boot into a usable operating system by using policies that are defined by the OEM at build time. Secure
Boot prevents many types of boot-based rootkit, malware, and other security-related attacks against the
Windows platform. Secure Boot protects the operating system boot process whether booting from local
hard disk, USB, PXE, or DVD, or into full Windows or Windows Recovery Environment (RE ). Secure Boot
protects the boot environment of a Windows 10 installation by verifying the signatures of the critical boot
components to confirm malicious activity did not compromise them. Secure Boot protection ends after the
Windows kernel file (ntoskrnl.exe) has been loaded.
Note: Secure Boot protects the platform until the Windows kernel is loaded. Then protections like
ELAM take over.
Secure Boot configuration policy. Extends Secure Boot functionality to critical Windows 10 configuration.
Examples of protected configuration information include protecting the Disable Execute bit (NX option) or ensuring that the test signing policy (code integrity) cannot be enabled. This ensures that the binaries and configuration of the computer can be trusted after the boot process has completed. Secure Boot configuration policy does this with UEFI policy. These policies are signed in the same way that operating system binaries are signed for use with Secure Boot.
The Secure Boot configuration policy must be signed by a private key that corresponds to one of the public keys stored in the Key Exchange Key (KEK) list. The Microsoft Certificate Authority (CA) will be present in the KEK list of all Windows-certified Secure Boot systems. By default, a policy signed by the Microsoft KEK works on all Secure Boot systems. BootMgr must verify the signature against the KEK list before applying a signed policy. With Windows 10, the default Secure Boot configuration policy is embedded in bootmgr.
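The KEK and db lists described above are ordinary UEFI variables, so an administrator can read them and see exactly which signers the firmware will accept for OS loaders and for signed policies. The following script is an added example, not code from the original article or from Microsoft; it parses the EFI_SIGNATURE_LIST structures defined by the UEFI specification using the built-in SecureBoot PowerShell module, and assumes an elevated prompt on a machine booted in UEFI mode.

```powershell
# Added example (not from the original article): list the certificates and hashes
# stored in the UEFI Secure Boot KEK and db variables. Requires the SecureBoot
# module (Confirm-SecureBootUEFI / Get-SecureBootUEFI) and an elevated, UEFI-booted session.

# Signature type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST.SignatureType).
$EfiCertX509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EfiCertSha256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-EfiSignatureList {
    param([Parameter(Mandatory)][string]$Name)   # 'PK', 'KEK', 'db' or 'dbx'

    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType (GUID, 16 bytes), then three
        # little-endian UINT32s: SignatureListSize, SignatureHeaderSize, SignatureSize.
        $type       = [guid]::new([byte[]]($bytes[$offset..($offset + 15)]))
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)

        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos -lt $end) {
            # Each EFI_SIGNATURE_DATA entry: SignatureOwner (GUID) followed by SignatureData.
            $owner = [guid]::new([byte[]]($bytes[$pos..($pos + 15)]))
            $data  = [byte[]]($bytes[($pos + 16)..($pos + $sigSize - 1)])

            if ($type -eq $EfiCertX509) {
                # DER-encoded X.509 certificate: the signer the firmware trusts.
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Variable = $Name; Kind = 'X509'; Owner = $owner
                                   Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
            } elseif ($type -eq $EfiCertSha256) {
                # Raw SHA-256 of an allowed (db) or revoked (dbx) image.
                [pscustomobject]@{ Variable = $Name; Kind = 'SHA256'; Owner = $owner
                                   Subject = ([BitConverter]::ToString($data) -replace '-'); Thumbprint = $null; NotAfter = $null }
            } else {
                [pscustomobject]@{ Variable = $Name; Kind = $type.ToString(); Owner = $owner
                                   Subject = "$($data.Length) bytes"; Thumbprint = $null; NotAfter = $null }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled on this machine.' }

# KEK: who may update db/dbx and sign Secure Boot policies. db: who may sign boot loaders.
Get-EfiSignatureList -Name 'KEK' | Format-Table Variable, Kind, Subject, Thumbprint, NotAfter
Get-EfiSignatureList -Name 'db'  | Format-Table Variable, Kind, Subject, Thumbprint, NotAfter
```

On a Windows-certified machine the KEK output should contain the Microsoft KEK CA alongside the OEM's own key, and db should contain the Microsoft Windows Production PCA and the Microsoft UEFI CA; any additional X509 entry is a signer the platform owner added and is worth accounting for, because it can authorize boot loaders or policy updates just as Microsoft's can.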
The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10
kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers,
startup files, and the ELAM component. This step is important and protects the rest of the boot process by
verifying that all Windows boot components have integrity and can be trusted.
Early Launch Antimalware (ELAM). ELAM tests all drivers before they load and prevents unapproved drivers from loading.
Traditional antimalware apps don’t start until after the boot drivers have been loaded, which gives a rootkit
that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a
previous version of Windows that allows antimalware software to run very early in the boot sequence. Thus,
the antimalware component is the first third-party component to run and control the initialization of other
boot drivers until the Windows operating system is operational. When the system is started with a complete
runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded.
ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and
applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the
operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a
simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not
trusted, Windows won’t load it.
Note: Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM;
it can be replaced with a third-party antimalware compatible solution. The name of the Windows
Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll
back any malicious changes made to the Windows Defender driver at the next reboot. This prevents
kernel mode malware making lasting changes to Windows Defender’s mini-filter driver before
shutdown or reboot.
The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the
antimalware software to detect and block any attempts to tamper with the boot process by trying to load
unsigned or untrusted code.
The ELAM driver is a small driver with a small policy database that has a very narrow scope, focused on
drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also
measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be
signed by Microsoft and the associated certificate must contain the complementary EKU
(1.3.6.1.4.1.311.61.4.1).
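The policy that decides what ELAM does with each driver classification is an administrator-controlled setting, stored under the EarlyLaunch registry key and exposed in Group Policy as "Boot-Start Driver Initialization Policy". The following script is an added example, not code from the original article; it reads and sets that policy and confirms that the Windows Defender ELAM driver named above (WdBoot.sys) is registered as a boot-start driver. It assumes an elevated session and the documented value meanings listed in the comments.

```powershell
# Added example (not from the original article): inspect and set the ELAM boot-start
# driver initialization policy, and check the Windows Defender ELAM driver registration.
# Run elevated. The value lives under HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch.

$elamKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch'

# DriverLoadPolicy values and which ELAM classifications each one allows to initialize.
$policyNames = @{
    0 = 'Good only'
    1 = 'Good and unknown'
    3 = 'Good, unknown, and bad but boot-critical (Windows default)'
    7 = 'All drivers (ELAM verdict ignored)'
}

function Get-ElamPolicy {
    $value = (Get-ItemProperty -Path $elamKey -Name DriverLoadPolicy -ErrorAction SilentlyContinue).DriverLoadPolicy
    if ($null -eq $value) { $value = 3 }   # value absent means the built-in default applies
    [pscustomobject]@{ DriverLoadPolicy = $value; Meaning = $policyNames[[int]$value] }
}

function Set-ElamPolicy {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 3, 7)][int]$DriverLoadPolicy)
    if (-not (Test-Path $elamKey)) { New-Item -Path $elamKey -Force | Out-Null }
    Set-ItemProperty -Path $elamKey -Name DriverLoadPolicy -Value $DriverLoadPolicy -Type DWord
    Get-ElamPolicy
}

function Get-ElamDriverStatus {
    param([string]$Name = 'WdBoot')   # Windows Defender ELAM driver (WdBoot.sys)
    $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -ErrorAction Stop
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'"
    [pscustomobject]@{
        Driver    = $Name
        ImagePath = $svc.ImagePath
        BootStart = ($svc.Start -eq 0)     # Start = 0 is SERVICE_BOOT_START
        LoadGroup = $svc.Group             # ELAM drivers sit in the 'Early-Launch' load order group
        State     = $drv.State
    }
}

Get-ElamPolicy
# Stop drivers the ELAM driver classifies as bad from loading even when they are marked
# boot-critical. A boot-critical driver wrongly classified as bad will then keep the system
# from booting, so validate this on a test image before rolling it out. Takes effect at next boot.
Set-ElamPolicy -DriverLoadPolicy 1
Get-ElamDriverStatus
```

Setting the policy to 1 is the stricter choice the page's description implies (ELAM's verdict wins even over boot-critical status); the default value 3 is what most fleets run because it favours bootability over blocking a misclassified critical driver.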
Virtualization-based security (Hyper-V + Secure Kernel). Virtualization-based security is a completely
new enforced security boundary that allows you to protect critical parts of Windows 10.
Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate
domain credentials from the rest of the Windows operating system. For more information, refer to the
Virtualization-based security section.
Hypervisor-protected Code Integrity (HVCI). Hypervisor-protected Code Integrity is a feature of Device Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity policy are allowed to run.
When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services. HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup.
HVCI uses virtualization-based security to isolate Code Integrity, so the only way kernel memory can become executable is through a Code Integrity verification. This means that kernel memory pages can never be Writable and Executable (W+X) and executable code cannot be directly modified.
Note: Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security
must have compatible drivers. For additional information, please read the Driver compatibility with
Device Guard in Windows 10 blog post.
The Device Guard Code Integrity feature lets organizations control what code is trusted to run in the Windows kernel and what applications are approved to run in user mode. It's configurable by using a policy. A Device Guard Code Integrity policy is a binary file that Microsoft recommends you sign. Signing the Code Integrity policy aids in the protection against a malicious user with Administrator privileges trying to modify or remove the current Code Integrity policy.
Credential Guard. Credential Guard protects corporate credentials with hardware-based credential
isolation.
In Windows 10, Credential Guard aims to protect domain corporate credentials from theft and reuse by
malware. With Credential Guard, Windows 10 implemented an architectural change that fundamentally
prevents the current forms of the pass-the-hash (PtH) attack.
This is accomplished by leveraging Hyper-V and the new virtualization-based security feature to create a
protected container where trusted code and secrets are isolated from the Windows kernel. That means that
even if the Windows kernel is compromised an attacker has no way to read and extract the data required to
initiate a PtH attack. Credential Guard prevents this because the memory where secrets are stored is no
longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the
memory.
Health attestation. The device's firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device's health.
Windows 10 takes measurements of the UEFI firmware and of each of the Windows and antimalware components as they load during the boot process. These measurements are taken sequentially, not all at once. When the measurements are complete, their values are digitally signed and stored securely in the TPM and cannot be changed unless the system is reset.
For more information, see Secured Boot and Measured Boot: Hardening Early Boot Components Against
Malware.
During each subsequent boot, the same components are measured, which allows comparison of the
measurements against an expected baseline. For additional security, the values measured by the TPM can be
signed and transmitted to a remote server, which can then perform the comparison. This process, called
remote device health attestation, allows the server to verify health status of the Windows device.
Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM vendor. Unlike Secure Boot, health attestation will not stop the boot process and enter remediation when a measurement does not match the expected value. But combined with conditional access control, health attestation helps to prevent access to high-value assets from a device whose measurements indicate it is not healthy.
Virtualization-based security
Virtualization-based security provides a new trust boundary for Windows 10. It leverages Hyper-V hypervisor technology to enhance platform security. Virtualization-based security provides a secure execution environment to run specific Windows trusted code (trustlets) and to protect sensitive data.
Virtualization-based security helps to protect against a compromised kernel or a malicious user with Administrator
privileges. Note that virtualization-based security is not trying to protect against a physical attacker.
The following Windows 10 services are protected with virtualization-based security:
Credential Guard (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft
that happens by reading and dumping the content of lsass memory
Device Guard (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows
10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures
defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity
service runs alongside the kernel in a Windows hypervisor-protected container.
Other isolated services: for example, on Windows Server 2016, there is the vTPM feature that allows you to
have encrypted virtual machines (VMs) on servers.
Note: Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled and an x64 processor with virtualization extensions and SLAT enabled. An IOMMU, TPM 2.0, and support for Secure Memory Overwrite are optional, but recommended.
Credential Guard
In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs
sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user
mode. This helps ensure that protected data is not stolen and reused on remote machines, which mitigates many
PtH-style attacks.
Credential Guard helps protect credentials by encrypting them with either a per-boot or persistent key:
The per-boot key is used for any in-memory credentials that do not require persistence. An example of such a
credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution
Center (KDC ) every time authentication occurs and is protected with a per-boot key.
The persistent key, or some derivative, is used to help protect items that are stored and reloaded after a
reboot. Such protection is intended for long-term storage, and must be protected with a consistent key.
Credential Guard is activated by a registry key and then enabled by using a UEFI variable. This is done to protect against remote modifications of the configuration. The use of a UEFI variable implies that physical access is required to change the configuration. When lsass.exe detects that credential isolation is enabled, it then spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. The startup of LsaIso.exe is performed before initialization of any security support provider, which ensures that the secure mode support routines are ready before any authentication begins.
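The registry key and UEFI lock described above can be set directly, and the result can be verified after reboot from the Win32_DeviceGuard class, which reports separately what is configured and what is actually running. The following script is an added example, not code from the original article or from Microsoft; it covers the virtualization-based security, HVCI, and Credential Guard settings discussed in this section, and assumes an elevated session on Windows 10 Enterprise with the documented registry values named in the comments.

```powershell
# Added example (not from the original article): enable virtualization-based security,
# HVCI and Credential Guard through their registry values, then after the reboot confirm
# from Win32_DeviceGuard which services are configured versus running. Run elevated.
# LsaCfgFlags = 1 and Locked = 1 set the UEFI lock, which is what makes undoing the
# configuration require physical presence; use the lock-free variant for a test ring.

$dg   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$hvci = "$dg\Scenarios\HypervisorEnforcedCodeIntegrity"

function Enable-VbsServices {
    param([switch]$WithUefiLock, [switch]$RequireDmaProtection)

    # RequirePlatformSecurityFeatures: 1 = Secure Boot only, 3 = Secure Boot and DMA protection (IOMMU).
    $platform = if ($RequireDmaProtection) { 3 } else { 1 }
    $lock     = [int]$WithUefiLock.IsPresent

    New-Item -Path $hvci -Force | Out-Null
    Set-ItemProperty -Path $dg   -Name EnableVirtualizationBasedSecurity -Value 1         -Type DWord
    Set-ItemProperty -Path $dg   -Name RequirePlatformSecurityFeatures  -Value $platform -Type DWord
    Set-ItemProperty -Path $dg   -Name Locked                            -Value $lock     -Type DWord
    Set-ItemProperty -Path $hvci -Name Enabled                           -Value 1         -Type DWord
    Set-ItemProperty -Path $hvci -Name Locked                            -Value $lock     -Type DWord

    # Credential Guard: 1 = enabled with UEFI lock, 2 = enabled without lock, 0 = disabled.
    $lsaFlags = if ($WithUefiLock) { 1 } else { 2 }
    Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Value $lsaFlags -Type DWord
    'Settings written; reboot to start the secure kernel and LsaIso.exe.'
}

function Get-VbsStatus {
    $serviceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
    $vbsStates    = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $s = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    [pscustomobject]@{
        VbsStatus          = $vbsStates[[int]$s.VirtualizationBasedSecurityStatus]
        ServicesConfigured = (@($s.SecurityServicesConfigured) | ForEach-Object { $serviceNames[[int]$_] }) -join ', '
        ServicesRunning    = (@($s.SecurityServicesRunning)    | ForEach-Object { $serviceNames[[int]$_] }) -join ', '
        LsaIsoRunning      = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

Enable-VbsServices -WithUefiLock
# ... reboot ...
Get-VbsStatus
```

If ServicesConfigured lists a service that ServicesRunning does not, the request was recorded but the secure kernel refused it at boot; the usual causes are Secure Boot being off, missing virtualization extensions, or, for HVCI, an incompatible driver as noted in the HVCI section above.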
Device Guard
Device Guard is a new feature of Windows 10 Enterprise that allows organizations to lock down a device to help
protect it from running untrusted software. In this configuration, the only applications allowed to run are those that
are trusted by the organization.
The trust decision to execute code is performed by using Hyper-V Code Integrity, which runs in virtualization-
based security, a Hyper-V protected container that runs alongside regular Windows.
Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it is loaded into
memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or
whether a system file has been modified by malicious software that is being run by a user account with
Administrator privileges. On x64-based versions of Windows 10 kernel-mode drivers must be digitally signed.
Note: Independently of activation of Device Guard Policy, Windows 10 by default raises the bar for what runs
in the kernel. Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows
Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver
submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation
(“EV”) Code Signing Certificate.
With Device Guard in Windows 10, organizations are now able to define their own Code Integrity policy for use on
x64 systems running Windows 10 Enterprise. Organizations have the ability to configure the policy that determines
what is trusted to run. These include drivers and system files, as well as traditional desktop applications and scripts.
The system is then locked down to only run applications that the organization trusts.
Device Guard is a built-in feature of Windows 10 Enterprise that prevents the execution of unwanted code and
applications. Device Guard can be configured using two rule actions - allow and deny:
Allow limits execution of applications to an allowed list of code or trusted publisher and blocks everything else.
Deny completes the allow trusted publisher approach by blocking the execution of a specific application.
At the time of this writing, and according to Microsoft's latest research, more than 90 percent of malware is completely unsigned. So implementing a basic Device Guard policy can simply and effectively help block the vast majority of malware. In fact, Device Guard has the potential to go further, and can also help block signed malware.
Device Guard needs to be planned and configured to be truly effective. It is not just a protection that is enabled or
disabled. Device Guard is a combination of hardware security features and software security features that, when
configured together, can lock down a computer to help ensure the most secure and resistant system possible.
There are three different parts that make up the Device Guard solution in Windows 10:
The first part is a base set of hardware security features introduced with the previous version of Windows.
TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows
you to control what the device is running when the systems start.
After the hardware security feature, there is the code integrity engine. In Windows 10, Code Integrity is now
fully configurable and now resides in Isolated user mode, a part of the memory that is protected by
virtualization-based security.
The last part of Device Guard is manageability. Code Integrity configuration is exposed through specific
Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs).
For more information on how to deploy Device Guard in an enterprise, see the Device Guard deployment guide.
Device Guard scenarios
As previously described, Device Guard is a powerful way to lock down systems. Device Guard is not intended to be
used broadly and it may not always be applicable, but there are some high-interest scenarios.
Device Guard is useful and applicable on fixed-workload systems like cash registers, kiosk machines, Secure Admin Workstations (SAWs), or well-managed desktops. Device Guard is highly relevant on systems where the software expected to run is very well defined and does not change too frequently. It could also help protect Information Workers (IWs) beyond just SAWs, as long as what they need to run is known and the set of applications is not going to change on a daily basis.
SAWs are computers that are built to help significantly reduce the risk of compromise from malware, phishing
attacks, bogus websites, and PtH attacks, among other security risks. Although SAWs can’t be considered a “silver
bullet” security solution to these attacks, these types of clients are helpful as part of a layered, defense-in-depth
approach to security.
To protect high-value assets, SAWs are used to make secure connections to those assets.
Similarly, Device Guard is very applicable on corporate, fully managed workstations where applications are installed by using a distribution tool like System Center Configuration Manager, Intune, or any third-party device management product. In that type of scenario, the organization has a good idea of the software that an average user is running.
It could be challenging to use Device Guard on corporate, lightly-managed workstations where the user is typically
allowed to install software on their own. When an organization offers great flexibility, it’s quite difficult to run
Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the
event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in
Audit mode, organizations can get rich data about drivers and applications that users install and run.
Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by
using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group
Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both
the User and Kernel-modes of Windows 10, along with restrictions on Windows 10 script hosts. Device Guard
Code Integrity policy restricts what code can run on a device.
Note: Device Guard policy can be signed in Windows 10, which adds additional protection against
administrative users changing or removing this policy.
Signed Device Guard policy offers stronger protection against a malicious local administrator trying to defeat
Device Guard.
When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable, which offers tamper protection. The only way to update the Device Guard policy subsequently is to provide a new version of the policy signed by the same signer or by a signer listed in the policy's UpdatePolicySigners section.
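The procedure sketched across the previous paragraphs (create a policy with Microsoft's tools, run it in Audit mode, review the violations, then sign and enforce it, with an update signer so the policy is not locked to one certificate forever) can be carried out end to end with the built-in ConfigCI module. The following script is an added example, not code from the original article or from Microsoft. The directory paths, the signer certificate file and the signer name are illustrative assumptions; the audit-event property positions follow the FileNameBuffer/ProcessNameBuffer layout of the Code Integrity 3076/3077 events.

```powershell
# Added example (not from the original article): build a Device Guard Code Integrity
# policy from a reference machine, deploy it in audit mode, read the audit events, then
# prepare the signed, enforced version. Paths, cert file and signer name are assumptions.
# Run elevated on the reference (golden) machine.

$policyXml = 'C:\CIPolicy\AuditPolicy.xml'
$policyBin = 'C:\CIPolicy\SIPolicy.p7b'
$updateCer = 'C:\CIPolicy\PolicyUpdateSigner.cer'   # assumed: exported public cert of the update signer

New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

# 1. Scan the reference installation. -Level Publisher trusts by signing certificate,
#    -Fallback Hash pins unsigned binaries by hash, -UserPEs also covers user-mode code.
New-CIPolicy -FilePath $policyXml -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs

# 2. Rule options: 3 = Enabled:Audit Mode (log instead of block); 6 = Enabled:Unsigned
#    System Integrity Policy, which must be removed before the policy is signed.
Set-RuleOption -FilePath $policyXml -Option 3
Set-RuleOption -FilePath $policyXml -Option 6

# 3. Record a certificate that may replace this policy later (UpdatePolicySigners).
#    Without one, a signed policy can only ever be replaced by its original signer.
Add-SignerRule -FilePath $policyXml -CertificatePath $updateCer -Update

# 4. Compile to the binary form Windows consumes and stage it for the next boot.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
Copy-Item $policyBin -Destination "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" -Force

# 5. After exercising the workload under audit, collect what would have been blocked.
#    Event 3076 = audit-mode violation, 3077 = block under enforcement.
function Get-CiAuditViolations {
    param([int[]]$EventId = @(3076, 3077), [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = $EventId } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                File    = $_.Properties[1].Value   # FileNameBuffer: image that violated the policy
                Process = $_.Properties[3].Value   # ProcessNameBuffer: process that tried to load it
            }
        } | Sort-Object File -Unique
}
Get-CiAuditViolations | Format-Table -AutoSize

# 6. Move to an enforced, signed policy: drop the audit and unsigned options, recompile,
#    then sign with signtool from the Windows SDK using the policy-signing EKU. Once a
#    signed policy is active, its GUID is recorded in a UEFI variable and only a policy
#    signed by the original signer or by an UpdatePolicySigners certificate replaces it.
Set-RuleOption -FilePath $policyXml -Option 3 -Delete
Set-RuleOption -FilePath $policyXml -Option 6 -Delete
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
# signtool.exe sign /v /n "Contoso CI Policy Signer" /p7 C:\CIPolicy /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 $policyBin
```

Step 5 is the one to iterate on: every File reported there is either a binary that belongs in the allow list (add it with a publisher or hash rule and regenerate) or something that should never run on that fleet, and only after the audit log goes quiet for a representative period is it safe to remove option 3.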
The importance of signing applications
On computers with Device Guard, Microsoft proposes to move from a world where unsigned apps can be run
without restriction to a world where only signed and trusted code is allowed to run on Windows 10.
With Windows 10, organizations will make line-of-business (LOB ) apps available to members of the organization
through the Microsoft Store infrastructure. More specifically, LOB apps will be available in a private store within the
public Microsoft Store. Microsoft Store signs and distributes Universal Windows apps and Classic Windows apps.
All apps downloaded from the Microsoft Store are signed.
In organizations today, the vast majority of LOB applications are unsigned. Code signing is frequently viewed as a
tough problem to solve for a variety of reasons, like the lack of code signing expertise. Even if code signing is a best
practice, a lot of internal applications are not signed.
Windows 10 includes tools that allow IT pros to take applications that have been already packaged and run them
through a process to create additional signatures that can be distributed along with existing applications.
Why are antimalware and device management solutions still necessary?
Although allow-list mechanisms are extremely effective at ensuring that only trusted applications can run, they cannot prevent the compromise of a trusted (but vulnerable) application by malicious content designed to exploit a known vulnerability. Device Guard doesn't protect against user mode malicious code that runs by exploiting vulnerabilities in an allowed application.
Vulnerabilities are weaknesses in software that could allow an attacker to compromise the integrity, availability, or
confidentiality of the device. Some of the worst vulnerabilities allow attackers to exploit the compromised device by
causing it to run malicious code without the user’s knowledge.
It’s common to see attackers distributing specially crafted content in an attempt to exploit known vulnerabilities in
user mode software like web browsers (and their plug-ins), Java virtual machines, PDF readers, or document
editors. As of today, 90 percent of discovered vulnerabilities affect user mode applications compared to the
operating system and kernel mode drivers that host them.
To combat these threats, patching is the single most effective control, with antimalware software forming
complementary layers of defense.
Most application software has no facility for updating itself, so even if the software vendor publishes an update that
fixes the vulnerability, the user may not know that the update is available or how to obtain it, and therefore remains
vulnerable to attack. Organizations still need to manage devices and to patch vulnerabilities.
MDM solutions are becoming prevalent as a light-weight device management technology. Windows 10 extends
the management capabilities that have become available for MDMs. One key feature Microsoft has added to
Windows 10 is the ability for MDMs to acquire a strong statement of device health from managed and registered
devices.
Device health attestation
Device health attestation leverages the TPM to provide cryptographically strong and verifiable measurements of
the chain of software used to boot the device.
For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a
remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with
other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove
to be healthy.
For more information on device health attestation, see the Detect an unhealthy Windows 10-based device section.
Hardware requirements
The following table details the hardware requirements for both virtualization-based security services and the health
attestation feature. For more information, see Minimum hardware requirements.
HARDWARE | MOTIVATION

Hardware: UEFI 2.3.1 or later firmware with Secure Boot enabled
Motivation: Required to support UEFI Secure Boot. UEFI Secure Boot ensures that the device boots only authorized
code. Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware
Compatibility Specification for Systems for Windows 10 under the subsection
"System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby".

Hardware: Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled
Motivation: Required to support virtualization-based security. Note: Device Guard can be enabled without using
virtualization-based security.

Hardware: IOMMU, such as Intel VT-d, AMD-Vi
Motivation: Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.

Hardware: Trusted Platform Module (TPM)
Motivation: Required to support health attestation and necessary for additional key protections for
virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10,
version 1607 (RS1).
This section presented information about several closely related controls in Windows 10. The multi-layer,
defense-in-depth approach helps to eradicate low-level malware during the boot sequence. Virtualization-based
security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and
Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft
and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All
these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising
them.
Note: To use the health attestation feature of Windows 10, the device must be equipped with a discrete or
firmware TPM. There is no restriction on any particular edition of Windows 10.
Windows 10 supports health attestation scenarios by allowing applications access to the underlying health
attestation configuration service provider (CSP) so that applications can request a health attestation token. The
measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent.
Remote device health attestation combined with an MDM provides a hardware-rooted method for reporting the
current security status and detecting any changes, without having to trust the software running on the system.
If malicious code is already running on the device, only a remote server can be trusted to evaluate the
measurements. Once a rootkit is present, the antimalware software is no longer reliable, because its behavior can be
hijacked by malicious code that runs early in the startup sequence. That is why it is important to use Secure Boot
and Device Guard to control which code is loaded during the boot sequence.
The antimalware software can search to determine whether the boot sequence contains any signs of malware, such
as a rootkit. It can also send the TCG log and the PCRs to a remote health attestation server to provide a separation
between the measurement component and the verification component.
Health attestation logs the measurements in various TPM Platform Configuration Registers (PCRs) and TCG logs
during the boot process.
When a device equipped with a TPM starts, different components are measured. This includes the firmware, UEFI
drivers, CPU microcode, and also all the Windows 10 drivers whose start type is Boot Start. The raw
measurements are stored in the TPM PCR registers, while the details of all events (executable path, signing
authority, and so on) are available in the TCG log.
The health attestation process works as follows:
1. Hardware boot components are measured.
2. Operating system boot components are measured.
3. If Device Guard is enabled, the current Device Guard policy is measured.
4. The Windows kernel is measured.
5. The antimalware solution's Early Launch Antimalware (ELAM) driver is started as the first kernel-mode driver.
6. Boot start drivers are measured.
7. The MDM server, through the MDM agent, issues a health check command by leveraging the Health Attestation
CSP.
8. Boot measurements are validated by the Health Attestation Service.
Note: By default, the last 100 system boot logs and all associated resume logs are archived in the
%SystemRoot%\logs\measuredboot folder. The number of retained logs may be set with the registry
REG_DWORD value PlatformLogRetention under the
HKLM\SYSTEM\CurrentControlSet\Services\TPM key. A value of 0 will turn off log archival and a value
of 0xffffffff will keep all logs.
The following process describes how health boot measurements are sent to the health attestation service:
1. The client (a Windows 10-based device with a TPM) initiates the request with the remote device health attestation
service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-
provisioned in the client.
2. The client then sends the TCG log, the AIK-signed data (PCR values, boot counter), and the AIK certificate
information.
3. The remote device health attestation service then:
a. Verifies that the AIK certificate is issued by a known and trusted CA and that the certificate is valid and not
revoked.
b. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value.
c. Parses the properties in the TCG log.
d. Issues the device health token that contains the health information, the AIK information, and the boot
counter information. The health token also contains a valid issuance time. The device health token is
encrypted and signed, which means that the information is protected and only accessible to the issuing health
attestation service.
4. The client stores the encrypted health blob in its local store. The device health token contains the device health
status, a device ID (the Windows AIK), and the boot counter.
Note: Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted
Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a
signed certificate online from the manufacturer that has created the chip and then stores the signed certificate
in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you
must authorize the following URLs:
Note: Before the device can report its health using the TPM attestation functions, an AIK certificate must be
provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is
provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature
over the platform log state (and a monotonic counter value) at each boot by using the AIK.
The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM,
for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM; it can only be used
inside the TPM, only for signing, and only for a limited set of TPM-defined operations.
Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is
hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a
real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established
these facts, it will issue an AIK certificate to the Windows 10-based device.
Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an
endorsement certificate. To accommodate those devices, Windows 10 allows the issuance of AIK
certificates without the presence of an endorsement certificate. Such AIK certificates are not issued by
Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the
device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for
Business without TPM.
In the issued AIK certificate, a special OID is added to attest that an endorsement certificate was used during the
attestation process. A relying party can use this information to decide whether to reject or accept devices that
are attested using AIK certificates without an endorsement certificate. Another option is to not allow access to
high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement
certificate.
Storage root key
The storage root key (SRK) is also an asymmetric key pair (RSA, at least 2048 bits long). The SRK has a major
role: it is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK is created when
ownership of the TPM is taken.
Platform Configuration Registers
The TPM contains a set of registers that are designed to provide a cryptographic representation of the software
and state of the system that booted. These registers are called Platform Configuration Registers (PCRs).
The measurement of the boot sequence is based on the PCRs and the TCG log. To establish a static root of trust, the
device must be able to measure the firmware code before executing it when it starts. In this case, the Core Root of
Trust for Measurement (CRTM) is executed at boot, calculates the hash of the firmware, stores it by extending
register PCR[0], and then transfers execution to the firmware.
PCRs are set to zero when the platform is booted, and it is the job of the firmware that boots the platform to
measure components in the boot chain and to record the measurements in the PCRs. Typically, boot components
take the hash of the next component that is to be run and record the measurements in the PCRs. The initial
component that starts the measurement chain is implicitly trusted. This is the CRTM. Platform manufacturers are
required to have a secure update process for the CRTM or not permit updates to it. The PCRs record a cumulative
hash of the components that have been measured.
The value of a PCR on its own is hard to interpret (it is just a hash value), but platforms typically keep a log with
details of what has been measured, and the PCRs merely ensure that the log has not been tampered with. These logs
are referred to as the TCG log. Each time a PCR is extended, an entry is added to the TCG log. Thus, throughout
the boot process, a trace of the executable code and configuration data is created in the TCG log.
TPM provisioning
For the TPM of a Windows 10-based device to be usable, it must first be provisioned. The process of provisioning
differs somewhat based on the TPM version, but, when successful, it results in the TPM being usable and the owner
authorization data (ownerAuth) for the TPM being stored locally in the registry.
When the TPM is provisioned, Windows 10 will first attempt to determine the EK and locally stored ownerAuth
values by looking in the registry at the following location:
HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement
During the provisioning process, the device may need to be restarted.
Note that the Get-TpmEndorsementKeyInfo PowerShell cmdlet can be used with administrative privilege to get
information about the endorsement key and certificates of the TPM.
If the TPM ownership is not known but the EK exists, the client library provisions the TPM and stores the
resulting ownerAuth value in the registry. If policy allows it, the library also stores the SRK public portion at the
following location: HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin\SRKPub
As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is
performed, the resulting AIK public portion is stored in the registry at the following location:
HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\WindowsAIKPub
Note: For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard
URL: https://*.microsoftaik.azure.net
Note: Both the device and the MDM server must have access to has.spserv.microsoft.com using the TCP protocol
on port 443 (HTTPS).
Checking that a TPM attestation and the associated log are valid takes several steps:
1. First, the server must check that the reports are signed by trustworthy AIKs. This might be done by checking
that the public part of the AIK is listed in a database of assets, or by validating the AIK certificate.
2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it is
a valid signature over PCR values.
3. Next the logs should be checked to ensure that they match the PCR values reported.
4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent known or
valid security configurations. For example, a simple check might be to see whether the measured early OS
components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is
up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to
determine whether or not the client should be granted access to a resource.
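The PCR extend operation and log replay described under Platform Configuration Registers, together with steps 3 and 4 of the check above, can be shown in a few lines of code. The following is an added example, not Microsoft's code and not an implementation of the Health Attestation Service: it replays a measurement log into SHA-256 PCR values, compares them with the values a quote reports, and inspects the log against an allow list. The log format is a flattened tuple rather than the real TCG_PCR_EVENT2 structure; the component names, PCR indexes and event types in sample_boot are constructed for illustration; steps 1 and 2 (AIK certificate chain and the signature over the quote) are assumed to have been done by the caller; and the boot-counter freshness check is this example's own use of the monotonic counter the quote carries.

```python
import hashlib

SHA256_LEN = 32
PCR_COUNT = 24


def pcr_extend(old: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for the SHA-256 bank: PCR[i] = SHA-256(PCR[i] || digest)."""
    return hashlib.sha256(old + digest).digest()


def replay_log(events):
    """Recompute every PCR from the log, starting from the all-zero reset value.

    events: list of (pcr_index, event_type, description, digest) tuples in boot order.
    A real TCG log carries TCG_PCR_EVENT2 structures; this flat form keeps the example short.
    """
    pcrs = [b"\x00" * SHA256_LEN] * PCR_COUNT
    for pcr_index, _event_type, _description, digest in events:
        if not 0 <= pcr_index < PCR_COUNT or len(digest) != SHA256_LEN:
            raise ValueError("malformed log entry")
        pcrs[pcr_index] = pcr_extend(pcrs[pcr_index], digest)
    return pcrs


# Components the verifier insists on seeing measured (constructed list; WdBoot.sys is the ELAM driver).
REQUIRED_COMPONENTS = ("bootmgfw.efi", "winload.efi", "ntoskrnl.exe", "WdBoot.sys")


def verify_attestation(quote, events, known_good, last_boot_counter):
    """Steps 3 and 4 of the check. Steps 1 and 2 (AIK certificate chain and the AIK
    signature over the quote) are assumed to have been verified by the caller.

    quote: {"pcrs": {index: value}, "boot_counter": int}, the data the AIK signed.
    Returns (healthy, findings)."""
    findings = []

    # Freshness (this example's assumption): the boot counter is monotonic, so a value
    # that did not advance past the last one accepted for this AIK is a replayed report.
    if quote["boot_counter"] <= last_boot_counter:
        findings.append("stale or replayed quote (boot counter did not advance)")

    # Step 3: the log must reproduce exactly the PCR values the AIK signed over.
    replayed = replay_log(events)
    for index, value in quote["pcrs"].items():
        if replayed[index] != value:
            findings.append(f"PCR[{index}] does not match the log")

    # Step 4: the log entries themselves must describe a known-good configuration.
    seen = set()
    for _index, _event_type, description, digest in events:
        seen.add(description)
        expected = known_good.get(description)
        if expected is None:
            findings.append(f"unknown component measured: {description}")
        elif expected != digest:
            findings.append(f"unexpected digest for {description}")
    for name in REQUIRED_COMPONENTS:
        if name not in seen:
            findings.append(f"required component not measured: {name}")

    return (not findings, findings)


def _digest(contents: bytes) -> bytes:
    return hashlib.sha256(contents).digest()


def sample_boot(tamper_elam=False, extra_driver=None):
    """Constructed measurement sequence (not a captured log); PCR indexes and event
    types are illustrative. tamper_elam changes the ELAM driver's measured digest, as a
    replaced boot-start driver would; extra_driver adds a driver that is not on the allow list."""
    elam = b"WdBoot.sys contents" + (b" (patched)" if tamper_elam else b"")
    events = [
        (0, "EV_S_CRTM_VERSION", "firmware", _digest(b"UEFI firmware image")),
        (4, "EV_EFI_BOOT_SERVICES_APPLICATION", "bootmgfw.efi", _digest(b"bootmgfw.efi contents")),
        (4, "EV_EFI_BOOT_SERVICES_APPLICATION", "winload.efi", _digest(b"winload.efi contents")),
        (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", "SecureBoot", _digest(b"\x01")),
        (11, "EV_EVENT_TAG", "ntoskrnl.exe", _digest(b"ntoskrnl.exe contents")),
        (11, "EV_EVENT_TAG", "WdBoot.sys", _digest(elam)),
    ]
    if extra_driver:
        events.append((11, "EV_EVENT_TAG", extra_driver, _digest(extra_driver.encode())))
    return events


def known_good():
    """The verifier's allow list (description -> expected digest), taken from a clean boot."""
    return {description: digest for _, _, description, digest in sample_boot()}


def make_quote(events, boot_counter):
    """The PCR values and counter an AIK-signed quote would carry after this boot
    (the signature itself is left out here)."""
    pcrs = replay_log(events)
    return {"pcrs": {i: pcrs[i] for i in (0, 4, 7, 11)}, "boot_counter": boot_counter}


if __name__ == "__main__":
    clean = sample_boot()
    print(verify_attestation(make_quote(clean, 5), clean, known_good(), 4))
    rooted = sample_boot(tamper_elam=True, extra_driver="evil.sys")
    print(verify_attestation(make_quote(rooted, 6), rooted, known_good(), 5))
```

A tampered ELAM driver shows up twice: as a digest mismatch in the log and, if the attacker also tries to present an older quote, as a PCR[11] mismatch against the replayed log. That separation between the measurement (the TPM) and the verification (a server holding the allow list) is the point of sending the log and quote off the device rather than evaluating them locally.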
The Health Attestation Service provides the following information to an MDM solution about the health of the
device:
Secure Boot enablement
Boot and kernel debug enablement
BitLocker enablement
VSM enabled
Signed or unsigned Device Guard Code Integrity policy measurement
ELAM loaded
Safe Mode boot, DEP enablement, test signing enablement
Device TPM has been provisioned with a trusted endorsement certificate
For completeness of the measurements, see Health Attestation CSP.
The following table presents some key items that can be reported back to MDM depending on the type of
Windows 10-based device.
Note: The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the
quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for
validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns.
Setting the requirements for device compliance is the first step to ensure that registered devices that do not meet
health and compliance requirements are detected, tracked, and have actions enforced by the MDM solution.
Devices that attempt to connect to resources must have their health evaluated so that unhealthy and noncompliant
devices can be detected and reported. To be fully efficient, an end-to-end security solution must impose a
consequence for unhealthy devices like refusing access to high-value assets. That is the purpose of conditional
access control, which is detailed in the next section.
Control the security of a Windows 10-based device before access is granted
Today’s access control technology, in most cases, focuses on ensuring that the right people get access to the right
resources. If users can authenticate, they get access to resources using a device that the organization’s IT staff and
systems know very little about. Perhaps there is some check such as ensuring that a device is encrypted before
giving access to email, but what if the device is infected with malware?
The remote device health attestation process uses measured boot data to verify the health status of the device. The
health of the device is then available for an MDM solution like Intune.
Note: For the latest information on Intune and Windows 10 features support, see the Microsoft Intune blog
and What's new in Microsoft Intune.
The figure below shows how the Health Attestation Service is expected to work with Microsoft’s cloud-based
Intune MDM service.
An MDM solution can then leverage health state statements and take them to the next level by coupling them with
client policies that enable conditional access to be granted based on the device's ability to prove that it is malware
free, that its antimalware system is functional and up to date, that the firewall is running, and that the device's patch
state is compliant.
Finally, resources can be protected by denying access to endpoints that are unable to prove they’re healthy. This
feature is much needed for BYOD devices that need to access organizational resources.
Built-in support of MDM in Windows 10
Windows 10 has an MDM client that ships as part of the operating system. This enables MDM servers to manage
Windows 10-based devices without requiring a separate agent.
Third-party MDM server support
Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is
able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise
management tasks. For additional information, see Azure Active Directory integration with MDM.
Note: MDM servers do not need to create or download a client to manage Windows 10. For more
information, see Mobile device management.
The third-party MDM server will have the same consistent first-party user experience for enrollment, which also
provides simplicity for Windows 10 users.
Management of Windows Defender by third-party MDM
This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune to manage
health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that
aren't domain joined. IT pros will be able to manage and configure all of the actions and settings they are familiar
with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins who
currently only manage domain-joined devices through Group Policy will find it easy to transition to managing
Windows 10-based devices by using MDM because many of the settings and actions are shared across both
mechanisms.
For more information on how to manage Windows 10 security and system settings with an MDM solution, see
Custom URI settings for Windows 10 devices.
Conditional access control
On most platforms, the Azure Active Directory (Azure AD) device registration happens automatically during
enrollment. The device states are written by the MDM solution into Azure AD, and then read by Office 365 (or by
any authorized Windows app that interacts with Azure AD) the next time the client tries to access an Office 365
compatible workload.
If the device is not registered, the user will get a message with instructions on how to register (also known as
enrolling). If the device is not compliant, the user will get a different message that redirects them to the MDM web
portal where they can get more information on the compliance problem and how to resolve it.
Azure AD authenticates the user and the device, MDM manages the compliance and conditional access policies,
and the Health Attestation Service reports about the health of the device in an attested way.
Note: Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy-based
access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the
Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud! blog post.
When a user enrolls a device successfully, the device becomes trusted. Azure AD provides single-sign-on to access
company applications and enforces conditional access policy to grant access to a service not only the first time the
user requests access, but every time the user requests to renew access.
The user will be denied access to services when sign-in credentials are changed, a device is lost/stolen, or the
compliance policy is not met at the time of request for renewal.
Depending on the type of email application that employees use to access Exchange online, the path to establish
secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange
Online, and Intune, are the same. The IT experience and end-user experience also are similar.
Clients that attempt to access Office 365 will be evaluated for the following properties:
Is the device managed by an MDM?
Is the device registered with Azure AD?
Is the device compliant?
To get to a compliant state, the Windows 10-based device needs to:
Enroll with an MDM solution.
Register with Azure AD.
Be compliant with the device policies set by the MDM solution.
Note: At the present time, conditional access policies are selectively enforced on users on iOS and Android
devices. For more information, see the Azure AD, Microsoft Intune and Windows 10 – Using the cloud to
modernize enterprise mobility! blog post.
Note: Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't
have an Azure AD Premium subscription, you can get a trial from the Microsoft Azure site.
For on-premises applications there are two options to enable conditional access control based on a device's
compliance state:
For on-premises applications that are published through the Azure AD Application Proxy, you can configure
conditional access control policies as you would for cloud applications. For more details, see the Azure AD
Conditional Access preview updated: Now supports On-Premises and Custom LOB apps blog post.
Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD.
ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT
pros will configure conditional access control policies in ADFS that use the device's compliance state reported
by a compatible MDM solution to secure on-premises applications.
Related topics
Protect derived domain credentials with Credential Guard
Device Guard deployment guide
Trusted Platform Module technology overview
Mitigate threats by using Windows 10 security features
4/5/2019 • 31 minutes to read
Applies to:
Windows 10
This topic provides an overview of some of the software and firmware threats faced in the current security
landscape, and the mitigations that Windows 10 offers in response to these threats. For information about related
types of protection offered by Microsoft, see Related topics.
SECTION CONTENTS
The security threat landscape: Describes the current nature of the security threat landscape, and outlines how
Windows 10 is designed to mitigate software exploits and similar threats.
Windows 10 mitigations that you can configure: Provides tables of configurable threat mitigations with links to
more information. Product features such as Device Guard appear in Table 1, and memory protection options such as
Data Execution Prevention appear in Table 2.
Mitigations that are built in to Windows 10: Provides descriptions of Windows 10 mitigations that require no
configuration; they are built into the operating system. For example, heap protections and kernel pool protections
are built into Windows 10.
Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit: Describes how mitigations in
the Enhanced Mitigation Experience Toolkit (EMET) correspond to features built into Windows 10 and how to
convert EMET settings into mitigation policies for Windows 10.
This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections
work with other security defenses in Windows 10, as shown in the following illustration:
Figure 1. Device protection and threat resistance as part of the Windows 10 security defenses
Mitigation: Windows Defender SmartScreen (helps prevent malicious applications from being downloaded)
Description: Windows Defender SmartScreen can check the reputation of a downloaded application by using a
service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the
user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be
malicious, and responds accordingly.

Mitigation: Enterprise certificate pinning (helps prevent man-in-the-middle attacks that leverage PKI)
Description: Enterprise certificate pinning enables you to protect your internal domain names from chaining to
unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can "pin"
(associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.

Mitigation: Device Guard (helps keep a device from running malware or other untrusted apps)
Description: Device Guard includes a Code Integrity policy that you create: a whitelist of trusted apps, the only
apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called
hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect
Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with
Code Integrity policies to help stop attacks even if they gain access to the kernel. Device Guard is included in
Windows 10 Enterprise and Windows Server 2016.

Mitigation: Blocking of untrusted fonts (helps prevent fonts from being used in elevation-of-privilege attacks)
Description: Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are
"untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of
font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is
isolated in an AppContainer sandbox (for a list describing this and other kernel pool protections, see Kernel pool
protections, later in this topic).

Mitigation: UEFI Secure Boot (helps protect the platform from bootkits and rootkits)
Description: Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in
to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against
tampering, such as from a physically present attacker or from forms of malware that run early in the boot process
or in the kernel after startup.

Mitigation: Early Launch Antimalware (ELAM) (helps protect the platform from rootkits disguised as drivers)
Description: Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all
non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and
Windows will prevent the driver from starting, thus blocking driver-based rootkits.

Mitigation: Device Health Attestation (helps prevent compromised devices from accessing an organization's assets)
Description: Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an
organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a
device's actual boot data measurements can be checked against the expected "healthy" boot data. If the check
indicates a device is unhealthy, the device can be prevented from accessing the network.
Configurable Windows 10 mitigations designed to help protect against memory manipulation require in-depth
understanding of these threats and mitigations and knowledge about how the operating system and applications
handle memory. The standard process for maximizing these types of mitigations is to work in a test lab to discover
whether a given setting interferes with any applications that you use so that you can deploy settings that maximize
protection while still allowing apps to run correctly.
As an IT professional, you can ask application developers and software vendors to deliver applications that include
an additional protection called Control Flow Guard (CFG). No configuration is needed in the operating system;
the protection is compiled into applications. More information can be found in Control Flow Guard.
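Whether a vendor actually delivered a binary with these per-application mitigations can be checked without running it: the linker records them in the DllCharacteristics field of the PE optional header, which is also what dumpbin /headers prints under "DLL characteristics". The following is an added example, not part of the original article or any Microsoft tool. The flag values are the IMAGE_DLLCHARACTERISTICS_* constants from winnt.h (NX_COMPAT for DEP, DYNAMIC_BASE and HIGH_ENTROPY_VA for ASLR, GUARD_CF for CFG); build_test_image constructs a minimal, non-loadable header so the parser can be exercised offline, and the set of flags missing_mitigations requires by default is this example's own choice.

```python
import struct
import sys

IMAGE_DOS_SIGNATURE = 0x5A4D       # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550    # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR may use the full address space
    "DYNAMIC_BASE": 0x0040,     # image can be relocated at load time (ASLR)
    "NX_COMPAT": 0x0100,        # image is DEP-compatible
    "GUARD_CF": 0x4000,         # compiled and linked with Control Flow Guard (/guard:cf)
}


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image's optional header."""
    (e_magic,) = struct.unpack_from("<H", image, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)      # offset of the PE header
    (signature,) = struct.unpack_from("<I", image, e_lfanew)
    if signature != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE image (missing PE signature)")
    optional_header = e_lfanew + 4 + 20                       # signature + 20-byte IMAGE_FILE_HEADER
    (magic,) = struct.unpack_from("<H", image, optional_header)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both the PE32 and the PE32+ optional header
    (value,) = struct.unpack_from("<H", image, optional_header + 70)
    return value


def mitigation_report(image: bytes) -> dict:
    """Map each mitigation flag to whether the image has it set."""
    value = dll_characteristics(image)
    return {name: bool(value & bit) for name, bit in FLAGS.items()}


def missing_mitigations(image: bytes, required=("NX_COMPAT", "DYNAMIC_BASE", "GUARD_CF")) -> list:
    """Names of the required mitigations the image was linked without (example policy)."""
    report = mitigation_report(image)
    return [name for name in required if not report[name]]


def build_test_image(characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header: just enough for the parser, not a loadable binary."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew: PE header follows the DOS header
    opt_size = 240 if pe32plus else 224                      # optional header size with 16 data directories
    machine = 0x8664 if pe32plus else 0x14C                  # AMD64 or i386
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, 70, characteristics)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_header + bytes(optional)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    for name, present in mitigation_report(data).items():
        print(f"{name:16} {'yes' if present else 'NO'}")
```

Run it against a real binary with `python check_pe.py some.dll`; a vendor claiming CFG support whose binary lacks GUARD_CF did not ship what was asked for. Note that the flag only shows that CFG instrumentation was linked in; it does not show that every indirect call site in the code is covered.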
Table 2 Configurable Windows 10 mitigations designed to help protect against memory exploits
MITIGATION AND CORRESPONDING THREAT | DESCRIPTION

Mitigation: Data Execution Prevention (DEP) (helps prevent exploitation of buffer overruns)
Description: Data Execution Prevention (DEP) is a system-level memory protection feature available in Windows
operating systems. DEP enables the operating system to mark one or more pages of memory as non-executable,
which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns.
DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools.
Although some applications have compatibility problems with DEP, the vast majority of applications do not.
More information: Data Execution Prevention, later in this topic.

Mitigation: SMB hardening for SYSVOL and NETLOGON shares (helps mitigate man-in-the-middle attacks)
Description: Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares
on domain controllers now require SMB signing and mutual authentication (such as Kerberos).

Mitigation: Universal Windows apps protections (screen downloadable apps and run them in an AppContainer
sandbox)
Description: Universal Windows apps are carefully screened before being made available, and they run in an
AppContainer sandbox with limited privileges and capabilities.
More information: Universal Windows apps protections, later in this topic.

Mitigation: Heap protections (help prevent exploitation of the heap)
Description: Windows 10 includes protections for the heap, such as the use of internal data structures which help
protect against corruption of memory used by the heap.

Mitigation: Kernel pool protections (help prevent exploitation of pool memory used by the kernel)
Description: Windows 10 includes protections for the pool of memory used by the kernel. For example, safe
unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an
attack.

Mitigation: Control Flow Guard (helps mitigate exploits that are based on flow between code locations in memory)
Description: Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system,
but instead is built into software when it is compiled. It is built into Microsoft Edge, IE11, and other areas in
Windows 10. CFG can be built into applications written in C or C++ and compiled with Visual Studio 2015 or
later (the /guard:cf compiler and linker option). For such an application, CFG can detect an attacker's attempt to
change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors
to deliver Windows applications compiled with CFG enabled.

Mitigation: Protections built into Microsoft Edge (the browser) (helps mitigate multiple threats)
Description: Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security
improvements.
More information: Microsoft Edge and Internet Explorer 11, later in this topic.
NOTE
The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group
Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening),
see Microsoft Knowledge Base article 3000483 and MS15-011 & MS15-014: Hardening Group Policy.
Protected Processes
Most security controls are designed to prevent the initial infection point. However, despite all the best preventative
controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on
malware that gets on the device. Protected Processes creates limits of this type.
With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those
that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes
are prevented from interacting with, and therefore attacking, more trusted processes. Windows 10 uses Protected
Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can
be used by third-party antimalware vendors, as described in Protecting Anti-Malware Services. This helps make the
system and antimalware solutions less susceptible to tampering by malware that does manage to get on the
system.
Universal Windows apps protections
When users download Universal Windows apps from the Microsoft Store, it’s unlikely that they will encounter
malware because all apps go through a careful screening process before being made available in the store. Apps
that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure
that they meet organizational security requirements.
Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal
Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal
Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no
access to data unless the user explicitly grants the application permission.
In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the
minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage
the exploit can do is severely limited and should be contained within the sandbox. The Microsoft Store displays the
exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and
publisher.
Windows heap protections
The heap is a location in memory that Windows uses to store dynamic application data. Windows 10 continues to
improve on earlier Windows heap designs by further mitigating the risk of heap exploits that could be used as part
of an attack.
Windows 10 has several important improvements to the security of the heap:
Heap metadata hardening for internal data structures that the heap uses, to improve protections against
memory corruption.
Heap allocation randomization, that is, the use of randomized locations and sizes for heap memory
allocations, which makes it more difficult for an attacker to predict the location of critical memory to
overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which
makes the allocation much less predictable.
Heap guard pages before and after blocks of memory, which work as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app.
Kernel pool protections
The operating system kernel in Windows sets aside two pools of memory, one that remains in physical memory (“nonpaged pool”) and one that can be paged in and out of physical memory (“paged pool”). Both pools have been the target of many attacks. Windows 10 has multiple “pool hardening” protections that help protect the kernel pool against such attacks, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; PoolIndex bounds checks; and integrity checks.
In addition to pool hardening, Windows 10 includes other kernel hardening features:
Kernel DEP and Kernel ASLR: Follow the same principles as Data Execution Prevention and Address Space Layout Randomization, described earlier in this topic.
Font parsing in AppContainer: Isolates font parsing in an AppContainer sandbox.
Disabling of NT Virtual DOS Machine (NTVDM): The old NTVDM kernel module (for running 16-bit applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM decreases protection against NULL dereference and other exploits.)
Supervisor Mode Execution Prevention (SMEP): Helps prevent the kernel (the “supervisor”) from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support.
Safe unlinking: Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST_ENTRY and includes the “FastFail” mechanism to enable rapid and safe process termination.
Memory reservations: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques such as “NULL dereference” to overwrite critical system data structures in memory.
Control Flow Guard
When applications are loaded into memory, they are allocated space based on the size of the code, requested
memory, and other factors. When an application begins to execute code, it calls additional code located in other
memory addresses. The relationships between the code locations are well known (they are written in the code itself), but before Windows 10 the flow between these locations was not enforced, which gave attackers the opportunity to redirect it to meet their needs.
This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG ) feature. When a trusted
application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for
execution. If the location is not trusted, the application is immediately terminated as a potential security risk.
An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring
it when the application is compiled. Consider asking application developers and software vendors to deliver
trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications
written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a
Visual Studio 2015 project, see Control Flow Guard.
Of course, browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full
advantage of CFG.
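To verify, rather than take on trust, that a vendor delivered a binary with CFG enabled, the following PowerShell function (an added example, not code from the Microsoft page) reads the PE optional header and reports the link-time mitigation flags. It assumes only the PE/COFF layout and the IMAGE_DLLCHARACTERISTICS_* values from winnt.h; the folder path in the usage lines is a placeholder.

```powershell
# Added example (not from the Microsoft page): report the link-time mitigations recorded in a
# PE file's optional header, so you can check that a vendor binary was built with CFG (and DEP,
# ASLR). Offsets follow the PE/COFF specification; flag values are IMAGE_DLLCHARACTERISTICS_*.
function Get-PeMitigationFlags {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE file (no MZ header)"
    }
    # e_lfanew (DOS header offset 0x3C) points at the "PE\0\0" signature.
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or ($peOffset + 4 + 20 + 72) -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path has no valid PE signature"
    }
    # IMAGE_FILE_HEADER is 20 bytes; the optional header follows it.
    $opt    = $peOffset + 4 + 20
    $magic  = [BitConverter]::ToUInt16($bytes, $opt)
    $format = if ($magic -eq 0x10B) { 'PE32' } elseif ($magic -eq 0x20B) { 'PE32+' } else { 'unknown' }
    # DllCharacteristics is at optional-header offset 70 for both PE32 and PE32+.
    $dllChar = [BitConverter]::ToUInt16($bytes, $opt + 70)

    [pscustomobject]@{
        Path          = $Path
        Format        = $format
        HighEntropyVA = [bool]($dllChar -band 0x0020)  # 64-bit ASLR entropy
        DynamicBase   = [bool]($dllChar -band 0x0040)  # ASLR (image is relocatable)
        NxCompat      = [bool]($dllChar -band 0x0100)  # DEP
        NoSEH         = [bool]($dllChar -band 0x0400)
        GuardCF       = [bool]($dllChar -band 0x4000)  # Control Flow Guard (/guard:cf)
        RawFlags      = '0x{0:X4}' -f $dllChar
    }
}

# Usage: audit everything a vendor shipped (placeholder path) and list what lacks CFG.
Get-ChildItem 'C:\Program Files\VendorApp' -Recurse -Include *.exe, *.dll |
    ForEach-Object { Get-PeMitigationFlags -Path $_.FullName } |
    Where-Object { -not $_.GuardCF } |
    Format-Table Path, Format, DynamicBase, NxCompat, GuardCF -AutoSize
```

GuardCF set in DllCharacteristics tells you the image was linked with CFG; a module that lacks DynamicBase is also worth flagging, because it cannot be relocated by ASLR no matter what the process-wide policy says.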
Microsoft Edge and Internet Explorer 11
Browser security is a critical component of any security strategy, and for good reason: the browser is the user’s
interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users
cannot perform at least part of their job without a browser, and many users are completely reliant on one. This
reality has made the browser the common pathway from which malicious hackers initiate their attacks.
All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two
common examples of this are Flash and Java extensions that enable their respective applications to run inside a
browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is
a priority.
Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is more secure in multiple ways,
especially:
Smaller attack surface; no support for non-Microsoft binary extensions. Multiple browser
components with vulnerable attack surfaces have been removed from Microsoft Edge. Components that
have been removed include legacy document modes and script engines, Browser Helper Objects (BHOs),
ActiveX controls, and Java. However, Microsoft Edge supports Flash content and PDF viewing by default
through built-in extensions.
Runs 64-bit processes. A 64-bit PC running an older version of Windows often runs in 32-bit compatibility
mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only
64-bit processes, which are much more secure against exploits.
Includes Memory Garbage Collection (MemGC). This helps protect against use-after-free (UAF) issues.
Designed as a Universal Windows app. Microsoft Edge is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protected Mode. However, because IE11 can run ActiveX controls and BHOs, the browser and its sandbox are exposed to a much broader range of attacks than Microsoft Edge.
Simplifies security configuration tasks. Because Microsoft Edge uses a simplified application structure
and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge
default settings align with security best practices, which makes it more secure by default.
In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with
websites and with binary extensions that do not work with Microsoft Edge. It should not be configured as the
primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the
primary web browser because it provides compatibility with the modern web and the best possible security.
For sites that require IE11 compatibility, including those that require binary extensions and plug-ins, enable Enterprise Mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users are automatically switched to IE11.
Functions that software vendors can use to build mitigations into apps
Some of the protections available in Windows 10 are provided through functions that can be called from apps or
other software. Such software is less likely to provide openings for exploits. If you are working with a software
vendor, you can request that they include these security-oriented functions in the application. The following table
lists some types of mitigations and the corresponding security-oriented functions that can be used in apps.
NOTE
Control Flow Guard (CFG) is also an important mitigation that a developer can include in software when it is compiled. For
more information, see Control Flow Guard, earlier in this topic.
Child Process Restriction to restrict the ability to create child processes | UpdateProcThreadAttribute function [PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY]
Win32k System Call Disable Restriction to restrict the ability to use NTUser and GDI | SetProcessMitigationPolicy function [ProcessSystemCallDisablePolicy]
Strict handle checks to raise an immediate exception upon a bad handle reference | UpdateProcThreadAttribute function [PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON]
Extension point disable to block the use of certain third-party extension points | UpdateProcThreadAttribute function [PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON]

Load Library Check (LoadLib); Memory Protection Check (MemProt) | LoadLib and MemProt are supported in Windows 10, for all applications that are written to use these functions. See Table 4, earlier in this topic.
Null Page | Mitigations for this threat are built into Windows 10, as described in the “Memory reservations” item in Kernel pool protections, earlier in this topic.
Heap Spray; EAF; EAF+ | Windows 10 does not include mitigations that map specifically to these EMET features because they have low impact in the current threat landscape, and do not significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them.
The Get-ProcessMitigation cmdlet gets the current mitigation settings from the registry or from a running process,
or it can save all settings to an XML file.
To get the current settings on all running instances of notepad.exe:
To get the current settings for the running process with pid 1304:
To get the all process mitigation settings from the registry and save them to the xml file settings.xml:
The Set-ProcessMitigation cmdlet can enable and disable process mitigations or set them in bulk from an XML file.
To get the current process mitigation for "notepad.exe" from the registry and then enable MicrosoftSignedOnly and
disable MandatoryASLR:
To set the process mitigations from an XML file (which can be generated with Get-ProcessMitigation -RegistryConfigFilePath settings.xml):
The ConvertTo-ProcessMitigationPolicy cmdlet converts mitigation policy file formats. The syntax is:
Examples:
Convert EMET settings to Windows 10 settings: You can run ConvertTo-ProcessMitigationPolicy and
provide an EMET XML settings file as input, which will generate a result file of Windows 10 mitigation
settings. For example:
Audit and modify the converted settings (the output file): Additional cmdlets let you apply, enumerate,
enable, disable, and save settings in the output file. For example, this cmdlet enables SEHOP and disables
MandatoryASLR and DEPATL registry settings for Notepad:
Convert Attack surface reduction (ASR) settings to a Code Integrity policy file: If the input file contains any settings for EMET’s Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in Deploy Device Guard: deploy code integrity policies. This will enable protections on Windows 10 equivalent to EMET’s ASR protections.
Convert Certificate Trust settings to enterprise certificate pinning rules: If you have an EMET
“Certificate Trust” XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to
convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling
that file as described in Enterprise Certificate Pinning. For example:
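The cmdlet invocations described above, written out as one elevated PowerShell session. This is an added example, not text from the page: the parameter names are those of the ProcessMitigations module that ships with Windows 10, the paths under C:\Temp are placeholders, and the mitigation names MandatoryASLR and DEPATL are the ones this page uses; newer module builds list the same settings as ForceRelocateImages and EmulateAtlThunks, which is why the script first prints the names the installed module actually accepts.

```powershell
# Added example (not from the Microsoft page): the Get-/Set-/ConvertTo-ProcessMitigation
# workflow end to end. Requires the ProcessMitigations module (Windows 10 1709+) and an
# elevated session. C:\Temp\... paths are placeholders.

# 1. Which mitigation names does this module version accept? Check before scripting them.
$valid = (Get-Command Set-ProcessMitigation).Parameters['Enable'].Attributes |
    Where-Object { $_ -is [System.Management.Automation.ValidateSetAttribute] } |
    Select-Object -ExpandProperty ValidValues
"Accepted -Enable/-Disable names: $($valid -join ', ')"

# 2. Inspect: system defaults, the per-image registry entry, every running notepad.exe,
#    and one specific process by PID.
Get-ProcessMitigation -System
Get-ProcessMitigation -Name notepad.exe
Get-ProcessMitigation -Name notepad.exe -RunningProcesses
Get-ProcessMitigation -Id 1304

# 3. Snapshot every per-image registry setting to XML so it can be diffed and re-applied.
Get-ProcessMitigation -RegistryConfigFilePath C:\Temp\settings.xml

# 4. Change one image: require Microsoft-signed modules, stop forcing image relocation.
Set-ProcessMitigation -Name notepad.exe -Enable MicrosoftSignedOnly -Disable MandatoryASLR

# 5. Apply a saved policy file in bulk (same format as the snapshot from step 3).
Set-ProcessMitigation -PolicyFilePath C:\Temp\settings.xml

# 6. Convert an EMET policy export, then audit and adjust the converted result.
ConvertTo-ProcessMitigationPolicy -EMETFilePath C:\Temp\emet-policy.xml `
                                  -OutputFilePath C:\Temp\converted.xml
Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL

# 7. Convert an EMET Certificate Trust (pinning rules) file for Enterprise Certificate Pinning.
ConvertTo-ProcessMitigationPolicy -EMETFilePath C:\Temp\certtrustrules.xml `
                                  -OutputFilePath C:\Temp\enterprise-pinning-rules.xml

# 8. Confirm what is now in force for the image.
Get-ProcessMitigation -Name notepad.exe
```

Run step 1 first on every build you target: if a name from an older script is not in the printed list, Set-ProcessMitigation rejects the whole call, so a deployment script that worked on one Windows 10 build can silently apply nothing on another.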
EMET-related products
Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineering (PFE) offer a range of options for EMET, support for EMET, and EMET-related reporting and auditing products such as the EMET Enterprise Reporting Service (ERS). For any enterprise customers who use such products today or who are interested in similar capabilities, we recommend evaluating Windows Defender Advanced Threat Protection (ATP).
Related topics
Security and Assurance in Windows Server 2016
Windows Defender Advanced Threat Protection (ATP) - resources
Windows Defender Advanced Threat Protection (ATP) - documentation
Exchange Online Advanced Threat Protection Service Description
Office 365 Advanced Threat Protection
Microsoft Malware Protection Center
Override Process Mitigation Options to help enforce app-related security policies
3/19/2019
Applies to:
Windows 10, version 1607
Windows Server 2016
Windows 10 includes Group Policy-configurable “Process Mitigation Options” that add advanced protections against
memory-based attacks, that is, attacks where malware manipulates memory to gain control of a system. For example,
malware might attempt to use buffer overruns to inject malicious executable code into memory, but Process Mitigation
Options can prevent the running of the malicious code.
IMPORTANT
We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with
your organization’s required apps.
The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types
are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can
configure additional protections. The types of process mitigations are:
Data Execution Prevention (DEP) is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see Data Execution Prevention.
Structured Exception Handling Overwrite Protection (SEHOP) is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. For more information, see Structured Exception Handling Overwrite Protection.
Address Space Layout Randomization (ASLR) loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see Address Space Layout Randomization. To find additional ASLR protections in the table below, look for IMAGES or ASLR.
The following procedure describes how to use Group Policy to override individual Process Mitigation Options
settings.
To modify Process Mitigation Options
1. Open your Group Policy editor and go to the Administrative Templates\System\Mitigation
Options\Process Mitigation Options setting.
2. Click Enabled, and then in the Options area, click Show to open the Show Contents box, where you’ll be able
to add your apps and the appropriate bit flag values, as shown in the Setting the bit field and Example sections of
this topic.
Important
For each app you want to include, you must include:
Value name. The app file name, including the extension. For example, iexplore.exe.
Value. A bit field with a series of bit flags in particular positions. Bits can be set to 0 (where the setting is
forced off), 1 (where the setting is forced on), or ? (where the setting retains the previous, existing value).
Note
Setting bit flags in positions not specified here to anything other than ? might cause undefined behavior.
Setting the bit field
Here’s a visual representation of the bit flag locations for the various Process Mitigation Options settings:
Where the bit flags are read from right to left and are defined as:
Example
If you want to turn on the PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON settings, turn off the PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF setting, and leave everything else at the default values, you would type a value of ???????????????0???????1???????1 (32 characters; reading from the right, positions 0, 8, and 16 are set and every other position is left as ?).
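To build the bit-field string without counting characters by hand, the following PowerShell helper (an added example, not from the page) takes either explicit bit positions or PROCESS_CREATION_MITIGATION_POLICY_* names and emits the ?/0/1 string, and decodes an existing string back into positions for auditing a GPO. The name-to-position table is derived from the Windows SDK mask values in winbase.h and is an assumption you should check against the bit-flag table of this policy: the first call reproduces the page's example by position, while the second shows the same intent by name, where the SDK places BOTTOM_UP_ASLR_ALWAYS_OFF at position 17 rather than 16.

```powershell
# Added example (not from the Microsoft page): build/decode the "?"/"0"/"1" bit-field string
# used by the Process Mitigation Options policy. Bit numbers are read right to left.
# Name -> mask table is taken from the Windows SDK (winbase.h); verify against the policy's
# own bit-flag table before deploying.
$MitigationBits = @{
    DEP_ENABLE                           = 0x00000001   # bit 0
    DEP_ATL_THUNK_ENABLE                 = 0x00000002   # bit 1
    SEHOP_ENABLE                         = 0x00000004   # bit 2
    FORCE_RELOCATE_IMAGES_ALWAYS_ON      = 0x00000100   # bit 8
    FORCE_RELOCATE_IMAGES_ALWAYS_OFF     = 0x00000200   # bit 9
    HEAP_TERMINATE_ALWAYS_ON             = 0x00001000   # bit 12
    BOTTOM_UP_ASLR_ALWAYS_ON             = 0x00010000   # bit 16
    BOTTOM_UP_ASLR_ALWAYS_OFF            = 0x00020000   # bit 17
    HIGH_ENTROPY_ASLR_ALWAYS_ON          = 0x00100000   # bit 20
    STRICT_HANDLE_CHECKS_ALWAYS_ON       = 0x01000000   # bit 24
    WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON = 0x10000000   # bit 28
}

function New-MitigationBitField {
    # $Settings maps a name from $MitigationBits, or a raw bit number, to '0' or '1'.
    param([Parameter(Mandatory)][hashtable]$Settings, [int]$Width = 32)
    $chars = [char[]]('?' * $Width)
    foreach ($entry in $Settings.GetEnumerator()) {
        $bit = if ($entry.Key -is [int]) { $entry.Key }
               else {
                   if (-not $MitigationBits.ContainsKey($entry.Key)) { throw "unknown flag $($entry.Key)" }
                   [int][math]::Round([math]::Log($MitigationBits[$entry.Key], 2))
               }
        if ($entry.Value -notin '0', '1') { throw "value for $($entry.Key) must be '0' or '1'" }
        if ($bit -ge $Width) { throw "bit $bit does not fit in a $Width-character field" }
        $chars[$Width - 1 - $bit] = [char]$entry.Value   # rightmost character is bit 0
    }
    -join $chars
}

function Read-MitigationBitField {
    # Decode a policy string into bit -> value, e.g. to audit what a GPO actually forces.
    param([Parameter(Mandatory)][string]$Field)
    $result = [ordered]@{}
    $width = $Field.Length
    for ($i = 0; $i -lt $width; $i++) {
        $c = $Field[$width - 1 - $i]
        if ($c -ne '?') { $result[$i] = [string]$c }
    }
    $result
}

# The page's own example, by position: DEP on (0), force-relocate on (8), position 16 off.
$byPosition = New-MitigationBitField @{ 0 = '1'; 8 = '1'; 16 = '0' }
$byPosition
Read-MitigationBitField $byPosition

# Same intent by name; note the SDK puts BOTTOM_UP_ASLR_ALWAYS_OFF at bit 17, not 16.
New-MitigationBitField @{ DEP_ENABLE = '1'; FORCE_RELOCATE_IMAGES_ALWAYS_ON = '1'; BOTTOM_UP_ASLR_ALWAYS_OFF = '0' }
```

Use Read-MitigationBitField on the values already present in an existing GPO before changing them: the policy treats any position you write as 0 or 1 as forced, so re-typing a long string by hand is an easy way to force a setting you meant to leave as ?.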
Use Windows Event Forwarding to help with intrusion detection
4/18/2019
Applies to
Windows 10
Windows Server
Learn about an approach to collect events from devices in your organization. This article talks about events in both
normal operations and when an intrusion is suspected.
Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server.
To accomplish this, two different subscriptions are published to client devices: the Baseline subscription and the Suspect subscription (also called the Targeted subscription later in this topic). The Baseline subscription enrolls all devices in your organization; the Suspect subscription includes only devices that you have added. The Suspect subscription collects additional events to help build context for system activity and can be updated quickly to accommodate new events or scenarios as needed without affecting baseline operations.
This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices with online analytical capability, such as a Security Event Manager (SEM), while also being sent to a MapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect subscription are sent directly to a MapReduce system because of their volume and lower signal-to-noise ratio; they are largely used for host forensic analysis.
An SEM’s strength lies in being able to inspect and correlate events, generate alerts for known patterns, and notify security staff at machine speed.
A MapReduce system has a longer retention time (years versus months for an SEM), larger ingress capacity (hundreds of terabytes per day), and the ability to perform more complex operations on the data, such as statistical and trend analysis, pattern clustering analysis, or applying machine learning algorithms.
Here's an approximate scaling guide for WEF events:
Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF
implementation, including enabling of disabled event logs and setting channel permissions. For more info, see
Appendix C - Event channel settings (enable and channel access) methods. This is because WEF is a passive system
with regards to the event log. It cannot change the size of event log files, enable disabled event channels, change
channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events.
Additionally, having event generation already occurring on a device allows for more complete event collection, building a complete history of system activity. Otherwise, you will be limited by the speed of GPO and WEF subscription refresh cycles when changing what is generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files has not resulted in noticeable performance differences.
For the minimum recommended audit policy and registry system ACL settings, see Appendix A - Minimum
recommended minimum audit policy and Appendix B - Recommended minimum registry system ACL policy.
Note: These are only the minimum values needed to meet what the WEF subscription selects.
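The client-side preparation the paragraphs above call for (enable the channels, size the logs, let the forwarder read them, and point the client at the collector for a push subscription), as an added PowerShell example that is not the page's Appendix C. Channel names and the collector FQDN wec01.corp.example are illustrative; in production the same settings would be delivered by GPO.

```powershell
# Added example (not from the Microsoft page): prepare a Windows 10 client for WEF.
# WEF only reads channels that are already enabled and already being written to, so the
# client must generate the events first. Run elevated. Channel names and the collector
# name wec01.corp.example are illustrative.

# 1. Enable disabled channels and grow them. The local log is the only WEF buffer while
#    the collector is unreachable, so size it for the longest outage you expect.
$channels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-TaskScheduler/Operational'
)
foreach ($ch in $channels) {
    wevtutil.exe sl $ch /e:true /ms:104857600        # enable, 100 MB
}
wevtutil.exe sl Security /ms:1073741824               # Security is always on; 1 GB

# 2. The forwarder runs as NETWORK SERVICE and needs read access to the Security log;
#    the simplest route is the built-in Event Log Readers group.
net.exe localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add

# 3. Point the client at the collector (source-initiated / push). This is the registry form
#    of Computer Configuration > Administrative Templates > Windows Components >
#    Event Forwarding > Configure target Subscription Manager. 5985 = HTTP, 5986 = HTTPS.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name '1' -PropertyType String -Force `
    -Value 'Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60' | Out-Null

# 4. Make sure WinRM is listening and the forwarder re-reads policy now instead of at the
#    next refresh cycle.
winrm.cmd quickconfig -quiet
Restart-Service WinRM
gpupdate.exe /force

# 5. Verify: the forwarding plug-in logs success/warning/error for each subscription here,
#    and nothing is ever shown to the user. Discover the channel name rather than guess it.
$fwdLog = (Get-WinEvent -ListLog '*Forwarding*' -ErrorAction SilentlyContinue | Select-Object -First 1).LogName
Get-WinEvent -LogName $fwdLog -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```

Step 5 is the check to keep: a client that never appears on the collector usually has either no read access to Security (step 2) or a Subscription Manager URL that does not match the collector's listener.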
From a WEF subscription management perspective, the event queries provided should be used in two separate subscriptions for ease of maintenance. Only machines meeting specific criteria would be allowed access to the Targeted subscription; this access would be determined by an algorithm or by an analyst’s direction. All devices should have access to the Baseline subscription.
This means you would create two base subscriptions:
Baseline WEF subscription. Events collected from all hosts, this includes some role-specific events, which will
only be emitted by those machines.
Targeted WEF subscription. Events collected from a limited set of hosts due to unusual activity and/or
heightened awareness for those systems.
Each using the respective event query below. Note that for the Targeted subscription enabling the “read existing
events” option should be set to true to allow collection of existing events from systems. By default, WEF
subscriptions will only forward events generated after the WEF subscription was received by the client.
In Appendix E – Annotated Baseline Subscription Event Query and Appendix F – Annotated Suspect Subscription Event Query, the event query XML to use when creating the WEF subscriptions is included. These are annotated for query purpose and clarity. Individual <Query> elements can be removed or edited without affecting the rest of the query.
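What a Baseline and a Targeted source-initiated subscription look like on the collector, as an added example that is not the page's annotated Appendix E/F queries: the QueryList elements are small illustrative selections (process creation, audit log cleared, interactive and RDP logons for Baseline; object access and PowerShell script blocks for Targeted), the group CORP\WEF-Targeted that gates the Targeted subscription is hypothetical, and the Targeted subscription sets ReadExistingEvents to true as the text recommends.

```powershell
# Added example (not from the Microsoft page): create Baseline and Targeted source-initiated
# subscriptions on the WEC server with wecutil. Run elevated after `wecutil qc`.
# Queries are illustrative; CORP\WEF-Targeted is a hypothetical AD group.
function New-WefSubscriptionXml {
    param(
        [Parameter(Mandatory)][string]$Id,
        [Parameter(Mandatory)][string]$Query,        # a <QueryList> document
        [Parameter(Mandatory)][string]$AllowedSddl,  # which computers may forward to this subscription
        [bool]$ReadExisting = $false                 # true = also pull events that predate enrollment
    )
    @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$Id</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>$Id WEF subscription</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[$Query]]></Query>
  <ReadExistingEvents>$($ReadExisting.ToString().ToLower())</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>$AllowedSddl</AllowedSourceDomainComputers>
</Subscription>
"@
}

# Each <Query> is independent: drop or edit one without touching the others.
$baselineQuery = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4688)]]</Select>
  </Query>
  <Query Id="1" Path="Security">
    <Select Path="Security">*[System[(EventID=1102)]]</Select>
  </Query>
  <Query Id="2" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]</Select>
  </Query>
</QueryList>
'@
$targetedQuery = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4663)]]</Select>
  </Query>
  <Query Id="1" Path="Microsoft-Windows-PowerShell/Operational">
    <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4104)]]</Select>
  </Query>
</QueryList>
'@

# Baseline: every domain computer (DC = Domain Computers) plus Network Service may forward.
$allDomainComputers = 'O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)'
# Targeted: only members of the hypothetical WEF-Targeted group; resolve its SID for the SDDL.
$targetSid = (New-Object System.Security.Principal.NTAccount('CORP\WEF-Targeted')).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$targetedComputers = "O:NSG:NSD:(A;;GA;;;$targetSid)(A;;GA;;;NS)"

New-WefSubscriptionXml -Id 'Baseline' -Query $baselineQuery -AllowedSddl $allDomainComputers |
    Set-Content -Path "$env:TEMP\Baseline.xml" -Encoding UTF8
New-WefSubscriptionXml -Id 'Targeted' -Query $targetedQuery -AllowedSddl $targetedComputers -ReadExisting $true |
    Set-Content -Path "$env:TEMP\Targeted.xml" -Encoding UTF8

wecutil.exe cs "$env:TEMP\Baseline.xml"
wecutil.exe cs "$env:TEMP\Targeted.xml"
wecutil.exe es    # enumerate subscriptions to confirm both exist
```

Enrolling a host in Targeted is then a group membership change, not a subscription edit: the client picks up the new subscription at its next refresh, and because ReadExistingEvents is true it also ships the events that were already in its logs when the host became suspect.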
Common WEF questions
This section addresses common questions from IT pros and customers.
Will the user notice if their machine is enabled for WEF or if WEF encounters an error?
The short answer is: No.
The longer answer is: The Eventlog-forwardingPlugin/Operational event channel logs the success, warning,
and error events related to WEF subscriptions present on the device. Unless the user opens Event Viewer and
navigates to that channel, they will not notice WEF either through resource consumption or Graphical User
Interface pop-ups. Even if there is an issue with the WEF subscription, there is no user interaction or performance
degradation. All success, warning, and failure events are logged to this operational event channel.
Is WEF Push or Pull?
A WEF subscription can be configured to be push or pull, but not both. The simplest, most flexible IT deployment
with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are
configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the
subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events are
to be selected. Those clients also have to be configured ahead of time to allow the credentials used in the
subscription to access their event logs remotely (normally by adding the credential to the Event Log Readers
built-in local security group.) A useful scenario: closely monitoring a specific set of machines.
Will WEF work over VPN or RAS?
WEF handles VPN, RAS, and DirectAccess scenarios well and will reconnect and send any accumulated backlog of
events when the connection to the WEF Collector is re-established.
How is client progress tracked?
The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source
for each WEF subscription. When an event source re-connects to a WEC server, the last bookmark position is sent
to the device to use as a starting point to resume forwarding events. If a WEF client has no events to send, the WEF
client will connect periodically to send a Heartbeat to the WEC server to indicate it is active. This heartbeat value
can be individually configured for each subscription.
Will WEF work in an IPv4, IPv6, or mixed IPv4/IPv6 environment?
Yes. WEF is transport agnostic and will work over IPv4 or IPv6.
Are WEF events encrypted? I see an HTTP/HTTPS option!
In a domain setting, the connection used to transmit WEF events is encrypted using Kerberos by default (with NTLM as a fallback option, which can be disabled by using a GPO). Only the WEF collector can decrypt the connection. Additionally, the connection between the WEF client and the WEC server is mutually authenticated regardless of authentication type (Kerberos or NTLM). There are GPO options to force authentication to use Kerberos only. This authentication and encryption is performed regardless of whether HTTP or HTTPS is selected.
The HTTPS option is available if certificate based authentication is used, in cases where the Kerberos based mutual
authentication is not an option. The SSL certificate and provisioned client certificates are used to provide mutual
authentication.
Do WEF Clients have a separate buffer for events?
The WEF client machine’s local event log is the buffer for WEF when the connection to the WEC server is lost. To increase the “buffer size”, increase the maximum file size of the specific event log file from which events are being selected. For more info, see Appendix C – Event Channel Settings (enable and Channel Access) methods.
When the event log overwrites existing events (resulting in data loss if the device is not connected to the Event
Collector), there is no notification sent to the WEF collector that events are lost from the client. Neither is there an
indicator that there was a gap encountered in the event stream.
What format is used for forwarded events?
WEF has two modes for forwarded events. The default is “Rendered Text” which includes the textual description of
the event as you would see it in Event Viewer. This means that the event size is effectively doubled or tripled
depending on the size of the rendered description. The alternative mode is “Events” (also sometimes referred to as
“Binary” format) – which is just the event XML itself sent in binary XML format (as it would be written to the evtx
file.) This is very compact and can more than double the event volume a single WEC server can accommodate.
A subscription “testSubscription” can be configured to use the Events format through the WECUTIL utility:
Normal | This option ensures reliable delivery of events and does not attempt to conserve bandwidth. It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes.
Minimize bandwidth | This option ensures that the use of network bandwidth for event delivery is strictly controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours.
Minimize latency | This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds.
For more info about delivery options, see Configure Advanced Subscription Settings.
The primary difference is in the latency with which events are sent from the client. If none of the built-in options meet your requirements, you can set custom event delivery options for a given subscription from an elevated command prompt:
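The wecutil calls for the two preceding steps (switching testSubscription to the Events content format and setting custom delivery options), plus a small check on runtime status, as an added example that is not from the page. The timing values are illustrative, and the parser of `wecutil gr` output assumes the LastHeartbeatTime lines as printed on Windows 10 / Windows Server 2016; treat that parsing as an assumption and adjust the pattern if your build prints differently.

```powershell
# Added example (not from the Microsoft page): content format, custom delivery tuning and
# runtime status for one subscription. Run elevated on the collector. Timing values are
# illustrative; the name testSubscription comes from the page.
$sub = 'testSubscription'

# Binary event XML instead of rendered text: the same events take roughly half the bytes.
wecutil.exe ss $sub /cf:Events

# Built-in modes are /cm:Normal, MinLatency, MinBandwidth. Custom exposes the knobs:
#   /dm   delivery mode (Push | Pull)
#   /dmi  max items per batch
#   /dmlt max latency before a batch is sent (ms)
#   /hi   heartbeat interval used when a client has nothing to send (ms)
wecutil.exe ss $sub /cm:Custom
wecutil.exe ss $sub /dm:Push /dmi:50 /dmlt:30000 /hi:300000

# Configuration as the collector now holds it, and per-source runtime state (status, last
# heartbeat, last error): this is the bookmark/heartbeat tracking described earlier.
wecutil.exe gs $sub /f:XML
wecutil.exe gr $sub

# Which sources have gone quiet? A source past the heartbeat interval with no heartbeat is
# either offline or no longer able to reach the collector.
function Get-StaleWefSources {
    param([Parameter(Mandatory)][string]$SubscriptionId, [int]$MaxAgeMinutes = 15)
    $stale   = @()
    $current = $null
    foreach ($line in (wecutil.exe gr $SubscriptionId)) {
        # Assumption: source names are printed alone on an indented line, without a colon.
        if ($line -match '^\s+([^\s:]+)\s*$') { $current = $Matches[1] }
        if ($line -match 'LastHeartbeatTime:\s*(.+)$') {
            $t = [datetime]::MinValue
            if ([datetime]::TryParse($Matches[1].Trim(), [ref]$t) -and
                ((Get-Date) - $t) -gt [timespan]::FromMinutes($MaxAgeMinutes)) {
                $stale += [pscustomobject]@{ Source = $current; LastHeartbeat = $t }
            }
        }
    }
    $stale
}
Get-StaleWefSources -SubscriptionId $sub -MaxAgeMinutes 15
```

Keep the heartbeat interval shorter than the longest silence you are prepared to tolerate: a client whose log wraps while it cannot reach the collector loses events without any signal to the collector, so a stale heartbeat is often the only early warning you get.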
Subscription information
The following lists all of the items that each subscription collects; the actual subscription XML is available in an Appendix. These are separated into Baseline and Targeted. The intent is to subscribe all hosts to Baseline, and then enroll (and remove) hosts in the Targeted subscription on an as-needed basis.
Baseline subscription
While this appears to be the largest subscription, it really is the lowest volume on a per-device basis. (Exceptions
should be allowed for unusual devices – a device performing complex developer related tasks can be expected to
create an unusually high volume of process create and AppLocker events.) This subscription does not require
special configuration on client devices to enable event channels or modify channel permissions.
The subscription is essentially a collection of query statements applied to the Event Log. This means that it is modular in nature, and a given query statement can be removed or changed without impacting other query statements in the subscription. Additionally, suppress statements, which filter out specific events, apply only within their own query statement and not to the entire subscription.
Baseline subscription requirements
To gain the most value out of the baseline subscription, we recommend setting the following requirements on the device, to ensure that the clients are already generating the required events to be forwarded off the system.
Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see
Appendix A – Minimum Recommended minimum Audit Policy. This ensures that the security event log is
generating the required events.
Apply at least an Audit-Only AppLocker policy to devices.
If you are already whitelisting or blacklisting applications by using AppLocker, then this requirement is met.
AppLocker events contain extremely useful information, such as file hash and digital signature
information for executables and scripts.
Enable disabled event channels and set the minimum size for modern event files.
Currently, there is no GPO administrative template for enabling modern event channels or setting their maximum size, so this must be done by a GPO that applies the settings by other means, such as registry settings or a script. For more info, see Appendix C – Event Channel Settings (enable and Channel Access) methods.
The annotated event query for this subscription is in Appendix E – Annotated Baseline Subscription Event Query.
Anti-malware events from Microsoft Antimalware or Windows Defender. This can be configured for any given
anti-malware product easily if it writes to the Windows event log.
Security event log Process Create events.
AppLocker Process Create events (EXE, script, packaged App installation and execution).
Registry modification events. For more info, see Appendix B – Recommended minimum Registry System ACL
Policy.
OS startup and shutdown
Startup events include operating system version, service pack level, QFE version, and boot mode.
Service install
Includes the name of the service, the image path, and who installed the service.
Certificate Authority audit events
This is only applicable on systems with the Certificate Authority role installed.
Logs certificate requests and responses.
User profile events
Use of a temporary profile, or failure to create a user profile, may indicate an intruder who is interactively
logging on to a device but does not want to leave a persistent profile behind.
Service start failure
Failure codes are localized, so you have to check the message DLL for values.
Network share access events
Filter out the IPC$ and NETLOGON shares, which are expected and noisy.
System shutdown initiate requests
Find out what initiated the restart of a device.
User initiated interactive logoff event
Remote Desktop Services session connect, reconnect, or disconnect.
EMET events, if EMET is installed.
Event forwarding plugin events
For monitoring WEF subscription operations, particularly Partial Success events. This is useful for
diagnosing deployment issues.
Network share create and delete
Enables detection of unauthorized share creation. Note: all shares are re-created when the device
starts, so expect a burst of create events at boot.
Logon sessions
Logon success for interactive (local and Remote Interactive/Remote Desktop)
Logon success for services running as accounts other than the built-in ones (LocalSystem, LocalService,
NetworkService, and so on).
Logon success for batch sessions
Logon session close, that is, logoff events for non-network sessions.
Windows Error Reporting (Application crash events only)
This can help detect early signs of an intruder who is unfamiliar with the enterprise environment and whose
targeted malware is crashing.
Event log service events
Errors, start events, and stop events for the Windows Event Log service.
Event log cleared (including the Security Event Log)
This could indicate an intruder covering their tracks.
Special privileges assigned to new logon
This indicates that at the time of logon the user is either an administrator or has sufficient access to
make themselves an administrator.
Outbound Remote Desktop Services session attempts
Gives visibility into lateral movement from a potential beachhead used by an intruder.
System time changed
SMB Client (mapped drive connections)
Account credential validation
Local accounts or domain accounts on domain controllers
A user was added or removed from the local Administrators security group.
Crypto API private key accessed
Associated with signing objects using the locally stored private key.
Task Scheduler task creation and delete
Task Scheduler allows intruders to run code at specified times as LocalSystem.
Logon with explicit credentials
Detect credential use changes by intruders to access additional resources.
Smartcard card holder verification events
This detects when a smartcard is being used.
Suspect subscription
This adds some possible intruder-related activity to help analysts further refine their determination about the
state of the device.
Logon session creation for network sessions
Enables time-series analysis of network graphs.
RADIUS and VPN events
Useful if you use a Microsoft IAS RADIUS/VPN implementation. It shows the user-to-IP address assignment,
together with the remote IP address connecting to the enterprise.
Crypto API X509 object and build chain events
Detects known bad certificate, CA, or sub-CA
Detects unusual process use of CAPI
Groups assigned to local logon
Gives visibility to groups which enable account wide access
Allows better planning for remediation efforts
Excludes well known, built-in system accounts.
Logon session exit
Specific for network logon sessions.
Client DNS lookup events
Returns what process performed a DNS query and the results returned from the DNS server.
Process exit
Enables checking for processes terminating unexpectedly.
Local credential validation or logon with explicit credentials
Generated when the local SAM is authoritative for the account credentials being authenticated.
Noisy on domain controllers
On client devices this is only generated when local accounts log on.
Registry modification audit events
Only when a registry value is being created, modified, or deleted.
Wireless 802.1x authentication
Detects a wireless connection, including the peer MAC address.
Windows PowerShell logging
Covers Windows PowerShell 2.0 and later and includes the Windows PowerShell 5.0 logging
improvements for in-memory attacks using Windows PowerShell.
Includes Windows PowerShell remoting logging
User Mode Driver Framework “Driver Loaded” event
Can possibly detect a USB device loading multiple device drivers. For example, a USB_STOR device
loading the keyboard or network driver.
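An added example, not the guide's own query or code, covering both the baseline list and the suspect subscription list above: a slice of those events written as the QueryList XML that a WEF subscription carries (the same format Get-WinEvent -FilterXml accepts, so the XPath can be validated locally before it goes into a subscription), followed by a triage pass that tags each hit with the rationale the lists give. The event IDs are standard Security and System log IDs; the severity labels and the constructed sample records are this example's own.

```powershell
# Added example, not part of the original guide. Event IDs are the standard
# Security/System log IDs; labels, severities and sample records are this
# example's own. Reading the Security log live needs an elevated session.

$queryXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <!-- baseline: log cleared, special privileges, explicit credentials,
         local group membership changes, scheduled task create/delete, time change -->
    <Select Path="Security">*[System[(EventID=1102 or EventID=4672 or EventID=4648 or EventID=4732 or EventID=4733 or EventID=4698 or EventID=4699 or EventID=4616)]]</Select>
    <!-- baseline: Interactive (2), RemoteInteractive (10), Service (5), Batch (4) logons;
         the suspect subscription adds Network (3) logons -->
    <Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10' or Data[@Name='LogonType']='5' or Data[@Name='LogonType']='4' or Data[@Name='LogonType']='3']]</Select>
    <!-- baseline: network share access, minus the IPC$ and NETLOGON noise -->
    <Select Path="Security">*[System[(EventID=5140)]]</Select>
    <Suppress Path="Security">*[System[(EventID=5140)]] and *[EventData[Data[@Name='ShareName']='\\*\IPC$' or Data[@Name='ShareName']='\\*\NETLOGON']]</Suppress>
  </Query>
  <Query Id="1" Path="System">
    <!-- baseline: service install, and shutdown/restart initiate requests -->
    <Select Path="System">*[System[Provider[@Name='Service Control Manager'] and (EventID=7045)]]</Select>
    <Select Path="System">*[System[Provider[@Name='User32'] and (EventID=1074)]]</Select>
  </Query>
</QueryList>
'@

# Rationale per event ID, taken from the subscription lists.
$why = @{
    1102 = 'Security log cleared: possible track covering'
    4616 = 'System time changed'
    4624 = 'Logon session created (check LogonType and account)'
    4648 = 'Logon with explicit credentials: credential use change'
    4672 = 'Special privileges assigned: logon can become Administrator'
    4698 = 'Scheduled task created: code run as LocalSystem on a schedule'
    4699 = 'Scheduled task deleted'
    4732 = 'Member added to a local group'
    4733 = 'Member removed from a local group'
    5140 = 'Network share accessed'
    7045 = 'Service installed'
    1074 = 'Shutdown or restart initiated'
}
$high = 1102, 4698, 4732, 7045

function Get-SubscriptionTriage {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $summary  = ($Event.Message -split "`r?`n")[0]          # first line is the summary
        $severity = if ($high -contains $Event.Id) { 'High' } else { 'Info' }
        # 4732 matters when the group is Administrators; other local groups are routine.
        if ($Event.Id -eq 4732 -and $Event.Message -notmatch 'Administrators') { $severity = 'Info' }
        [pscustomobject]@{
            Time     = $Event.TimeCreated
            Id       = $Event.Id
            Severity = $severity
            Reason   = $why[[int]$Event.Id]
            Summary  = $summary
        }
    }
}

# Live run (elevated):
#   Get-WinEvent -FilterXml $queryXml -MaxEvents 500 | Get-SubscriptionTriage | Sort-Object Severity | Format-Table -AutoSize
# Offline run over constructed sample records, so the triage logic can be exercised anywhere:
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date; Id = 1102; Message = 'The audit log was cleared.' }
    [pscustomobject]@{ TimeCreated = Get-Date; Id = 4732; Message = "A member was added to a security-enabled local group.`r`nGroup Name: Administrators" }
    [pscustomobject]@{ TimeCreated = Get-Date; Id = 4624; Message = "An account was successfully logged on.`r`nLogon Type: 10" }
)
$sample | Get-SubscriptionTriage | Format-Table -AutoSize
```

The same QueryList, minus the comments, is what goes into the subscription's Query element when it is created with wecutil; running it through Get-WinEvent first catches XPath mistakes that would otherwise surface only as a silent, empty forwarded log.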
Applies to:
Windows 10
Learn more about what features and functionality are supported in each Windows edition at Compare
Windows 10 Editions.
To help protect your company from attacks that may originate from untrusted or attacker-controlled font files,
we've created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops
your employees from loading untrusted fonts processed by the Graphics Device Interface (GDI) onto your
network. Untrusted fonts are any fonts installed outside the %windir%\Fonts directory. Blocking untrusted fonts
helps prevent both remote (web-based or email-based) and local elevation-of-privilege (EoP) attacks that can
happen during font file parsing.
IMPORTANT
Your existing MitigationOptions value must be preserved when you update it; add the new setting to it rather than
replacing it. For example, if the current value is 1000, your updated value should be 1000000001000.
NOTE
Because the FontType is Memory, there’s no associated FontPath.
NOTE
Because the FontType is File, there’s also an associated FontPath.
NOTE
In Audit mode, the problem is recorded, but the font isn’t blocked.
For example, if you want to exclude Microsoft Word processes, you’d use
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe .
2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts
feature on, using the steps in the Turn on and use the Blocking Untrusted Fonts feature section of this topic.
Related content
Dropping the “Untrusted Font Blocking” setting
Security auditing
4/5/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10
Topics in this section are for IT professionals and describe the security auditing features in Windows and how
your organization can benefit from using these technologies to enhance the security and manageability of your
network.
Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As
part of your overall security strategy, you should determine the level of auditing that is appropriate for your
environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks
against resources that you have determined to be valuable in your risk assessment.
In this section
TOPIC DESCRIPTION
Basic security audit policies: Before you implement auditing, you must decide on an auditing policy. A basic
audit policy specifies categories of security-related events that you want to audit. When this version of
Windows is first installed, all auditing categories are disabled. By enabling various auditing event
categories, you can implement an auditing policy that suits the security needs of your organization.
Advanced security audit policies: Advanced security audit policy settings are found in Security
Settings\Advanced Audit Policy Configuration\System Audit Policies and appear to overlap with basic security
audit policies, but they are recorded and applied differently.
Basic security audit policies
Applies to
Windows 10
Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of
security-related events that you want to audit. When this version of Windows is first installed, all auditing
categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that
suits the security needs of your organization.
The event categories that you can choose to audit are:
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory
service access category (for auditing objects on a domain controller), or the audit object access category (for
auditing objects on a member server or workstation). Once you have enabled the object access category, you can
specify the types of access you want to audit for each group or user.
In this section
TOPIC DESCRIPTION
Create a basic audit policy for an event category: By defining auditing settings for specific event categories,
you can create an auditing policy that suits the security needs of your organization. On devices that are joined
to a domain, auditing settings for the event categories are undefined by default. On domain controllers,
auditing is turned on by default.
Apply a basic audit policy on a file or folder: You can apply audit policies to individual files and folders on
your computer by setting the permission type to record successful access attempts or failed access attempts in
the security log.
View the security event log: The security log records each event as defined by the audit policies you set on
each object.
Basic security audit policy settings: Basic security audit policy settings are found under Computer
Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
Create a basic audit policy for an event category
Applies to
Windows 10
By defining auditing settings for specific event categories, you can create an auditing policy that suits the security
needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are
undefined by default. On domain controllers, auditing is turned on by default.
To complete this procedure, you must be logged on as a member of the built-in Administrators group.
To define or modify auditing policy settings for an event category for your local computer
1. Open the Local Security Policy snap-in (secpol.msc), and then click Local Policies.
2. Click Audit Policy.
3. In the results pane, double-click an event category that you want to change the auditing policy settings for.
4. Do one or both of the following, and then click OK.
To audit successful attempts, select the Success check box.
To audit unsuccessful attempts, select the Failure check box.
To complete this procedure, you must be logged on as a member of the Domain Admins group.
To define or modify auditing policy settings for an event category for a domain or organizational unit,
when you are on a member server or on a workstation that is joined to a domain
1. Open the Group Policy Management Console (GPMC).
2. In the console tree, double-click Group Policy objects in the forest and domain containing the Default
Domain Policy Group Policy object (GPO) that you want to edit.
3. Right-click the Default Domain Policy GPO, and then click Edit.
4. In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click Audit
Policy.
5. In the results pane, double-click an event category that you want to change the auditing policy settings for.
6. If you are defining auditing policy settings for this event category for the first time, select the Define these
policy settings check box.
7. Do one or both of the following, and then click OK.
To audit successful attempts, select the Success check box.
To audit unsuccessful attempts, select the Failure check box.
Additional considerations
To audit object access, enable auditing of the object access event category by following the steps above. Then,
enable auditing on the specific object.
After your audit policy is configured, events will be recorded in the Security log. Open the Security log to view
these events.
The Default Domain Controllers Policy GPO, which is linked to the Domain Controllers OU, carries its own audit
policy settings, and because it is linked closer to the domain controllers those settings take precedence over
the Default Domain Policy. This means that enabling auditing in the Default Domain Policy does not by itself
change what domain controllers audit. If you want domain auditing policy to apply to domain controllers, you
must modify the corresponding settings in the Default Domain Controllers Policy as well.
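The same procedure from the command line, as an added example that is not part of the original topic: auditpol.exe edits the effective local policy, which is what the snap-in does for the local computer, so the nine basic categories map one-to-one onto its category names. Which categories to enable, and with which settings, is this example's own choice.

```powershell
# Added example, not from the original topic: set and read back basic audit
# categories with auditpol.exe instead of secpol.msc. Run in an elevated session.
# The category selection below is this example's choice.

# Basic category (as shown in secpol.msc)  ->  auditpol.exe category name
$basicToAuditpol = @{
    'Audit account logon events'     = 'Account Logon'
    'Audit account management'       = 'Account Management'
    'Audit directory service access' = 'DS Access'
    'Audit logon events'             = 'Logon/Logoff'
    'Audit object access'            = 'Object Access'
    'Audit policy change'            = 'Policy Change'
    'Audit privilege use'            = 'Privilege Use'
    'Audit process tracking'         = 'Detailed Tracking'
    'Audit system events'            = 'System'
}

function Set-BasicAuditCategory {
    param(
        [Parameter(Mandatory)] [string] $Category,   # a key of $basicToAuditpol
        [switch] $Success,
        [switch] $Failure
    )
    $name = $basicToAuditpol[$Category]
    if (-not $name) { throw "Unknown basic category '$Category'" }
    $s = if ($Success) { 'enable' } else { 'disable' }
    $f = if ($Failure) { 'enable' } else { 'disable' }
    # Setting a category sets every subcategory under it, exactly as the snap-in does.
    & auditpol.exe /set "/category:$name" "/success:$s" "/failure:$f" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for category '$name'" }
}

# A workstation policy: successes and failures for account logon, logon,
# policy change and system events; process tracking successes only.
Set-BasicAuditCategory 'Audit account logon events' -Success -Failure
Set-BasicAuditCategory 'Audit logon events'         -Success -Failure
Set-BasicAuditCategory 'Audit policy change'        -Success -Failure
Set-BasicAuditCategory 'Audit system events'        -Success -Failure
Set-BasicAuditCategory 'Audit process tracking'     -Success

# Read back the effective policy as objects (auditpol /r emits CSV).
$effective = & auditpol.exe /get /category:* /r | ConvertFrom-Csv
$effective | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# Caveat: the security option "Audit: Force audit policy subcategory settings
# (Windows Vista or later) to override audit policy category settings" (registry
# value SCENoApplyLegacyAuditPolicy) decides precedence. When it is enabled,
# per-subcategory (advanced) settings win and basic category settings are ignored.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
(Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
```

Events land in the Security log immediately after the change; no restart is needed. The last line is worth checking before relying on basic categories at all, because a single advanced-policy GPO in the environment typically flips that value to 1.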
Apply a basic audit policy on a file or folder
Applies to
Windows 10
You can apply audit policies to individual files and folders on your computer by setting the permission type to
record successful access attempts or failed access attempts in the security log. To complete this procedure, you
must be logged on as a member of the built-in Administrators group or you must have been granted the Manage
auditing and security log right.
To apply or modify auditing policy settings for a local file or folder
1. Right-click the file or folder that you want to audit, click Properties, and then click the Security tab.
2. Click Advanced.
3. In the Advanced Security Settings dialog box, click the Auditing tab, and then click Continue.
4. Do one of the following:
To set up auditing for a new user or group, click Add. Click Select a principal, type the name of the user
or group that you want, and then click OK.
To remove auditing for an existing group or user, click the group or user name, click Remove, click OK,
and then skip the rest of this procedure.
To view or change auditing for an existing group or user, click its name, and then click Edit.
5. In the Type box, indicate what actions you want to audit by selecting the appropriate check boxes:
To audit successful events, click Success.
To audit failure events, click Fail.
To audit all events, click All.
Important: Before setting up auditing for files and folders, you must enable object access auditing by defining
auditing policy settings for the object access event category. If you do not enable object access auditing, you
will receive an error message when you set up auditing for files and folders, and no files or folders will be
audited.
Additional considerations
After object access auditing is enabled, view the security log in Event Viewer to review the results of your
changes.
You can set up file and folder auditing only on NTFS drives.
Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the
amount of disk space that you want to devote to the security log. The maximum size for the security log is
defined in Event Viewer.
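The same procedure in PowerShell, as an added example that is not part of the original topic. It first checks that the Object Access category is actually being audited (the Important note above), then adds an audit entry (SACL) to a folder with Get-Acl and Set-Acl and reads it back. The folder path, principal and rights are this example's assumptions.

```powershell
# Added example, not from the original topic: add a file-system audit entry
# (SACL) to a folder with PowerShell instead of the Security tab. Needs the
# "Manage auditing and security log" right (SeSecurityPrivilege), in practice
# an elevated administrator session, and an NTFS volume.
# Folder, principal and rights below are this example's assumptions.
$folder    = 'C:\Finance\Payroll'
$principal = 'Everyone'

# 1. Without Object Access / File System auditing the SACL is stored but never
#    evaluated, so there would be nothing in the Security log to look at.
$fsSetting = (& auditpol.exe /get /subcategory:'File System' /r | ConvertFrom-Csv).'Inclusion Setting'
if ($fsSetting -eq 'No Auditing') {
    throw "File System auditing is off; enable it first: auditpol /set /subcategory:'File System' /success:enable /failure:enable"
}

# 2. Build the audit rule: who, which rights, inheritance, and success/failure.
#    Auditing only the accesses that matter keeps the security log small.
$rights      = [System.Security.AccessControl.FileSystemRights]'Delete, WriteData, ChangePermissions, TakeOwnership'
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $principal, $rights, $inherit, $propagation, $auditFlags)

# 3. Read the security descriptor *with* its SACL, add the entry, write it back.
#    Without -Audit, Get-Acl returns only the DACL and Set-Acl leaves the SACL alone.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Verify: list the SACL entries now in place on the folder.
(Get-Acl -Path $folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited |
    Format-Table -AutoSize

# Matching accesses show up as 4663 (and 4656 handle requests) in the Security log:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 20
```

The same FileSystemAuditRule pattern, with RemoveAuditRule in place of AddAuditRule, takes an entry off again; re-running the script is harmless because an identical rule is merged rather than duplicated.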
View the security event log
Applies to
Windows 10
The security log records each event as defined by the audit policies you set on each object.
To view the security log
1. Open Event Viewer.
2. In the console tree, expand Windows Logs, and then click Security. The results pane lists individual security
events.
3. If you want to see more details about a specific event, in the results pane, click the event.
Basic security audit policy settings
Applies to
Windows 10
Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security
Settings\Local Policies\Audit Policy.
In this section
TOPIC DESCRIPTION
Audit account logon events: Determines whether to audit each instance of a user logging on to or logging off
from another device in which this device is used to validate the account.
Audit directory service access: Determines whether to audit the event of a user accessing an Active Directory
object that has its own system access control list (SACL) specified.
Audit logon events: Determines whether to audit each instance of a user logging on to or logging off from a
device.
Audit object access: Determines whether to audit the event of a user accessing an object (for example, a file,
folder, registry key, printer, and so forth) that has its own system access control list (SACL) specified.
Audit process tracking: Determines whether to audit detailed tracking information for events such as program
activation, process exit, handle duplication, and indirect object access.
Audit system events: Determines whether to audit when a user restarts or shuts down the computer or when an
event occurs that affects either the system security or the security log.
Related topics
Basic security audit policy settings
Audit account logon events
Applies to
Windows 10
Determines whether to audit each instance of a user logging on to or logging off from another device in which this
device is used to validate the account.
This security setting determines whether to audit each instance of a user logging on to or logging off from another
computer in which this computer is used to validate the account. Account logon events are generated when a
domain user account is authenticated on a domain controller. The event is logged in the domain controller's
security log. Logon events are generated when a local user is authenticated on a local computer. The event is
logged in the local security log. Account logoff events are not generated.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when an account logon attempt succeeds. Failure audits
generate an audit entry when an account logon attempt fails. To set this value to No auditing, in the Properties
dialog box for this policy setting, select the Define these policy settings check box and clear the Success and
Failure check boxes.
Default: Success
677 A TGS ticket was not granted. This event is not generated in
Windows XP or in the Windows Server 2003 family.
Related topics
Basic security audit policy settings
Audit account management
Applies to
Windows 10
Determines whether to audit each event of account management on a device.
Examples of account management events include:
A user account or group is created, changed, or deleted.
A user account is renamed, disabled, or enabled.
A password is set or changed.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits
generate an audit entry when any account management event fails. To set this value to No auditing, in the
Properties dialog box for this policy setting, select the Define these policy settings check box and clear the
Success and Failure check boxes.
Default:
Success on domain controllers.
No auditing on member servers.
Related topics
Basic security audit policy settings
Audit directory service access
Applies to
Windows 10
Determines whether to audit the event of a user accessing an Active Directory object that has its own system
access control list (SACL) specified.
By default, this value is set to no auditing in the Default Domain Controller Group Policy object (GPO), and it
remains undefined for workstations and servers where it has no meaning.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that
has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an
Active Directory object that has a SACL specified. To set this value to No auditing, in the Properties dialog box
for this policy setting, select the Define these policy settings check box and clear the Success and Failure check
boxes.
Note: You can set a SACL on an Active Directory object by using the Security tab in that object's Properties
dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and
not to file system and registry objects.
Default:
Success on domain controllers.
Undefined for a member server.
Related topics
Basic security audit policy settings
Audit logon events
Applies to
Windows 10
Determines whether to audit each instance of a user logging on to or logging off from a device.
Account logon events are generated on domain controllers for domain account activity and on local devices for
local account activity. If both account logon and logon audit policy categories are enabled, logons that use a
domain account generate a logon or logoff event on the workstation or server, and they generate an account logon
event on the domain controller. Additionally, interactive logons to a member server or workstation that use a
domain account generate a logon event on the domain controller as the logon scripts and policies are retrieved
when a user logs on. For more info about account logon events, see Audit account logon events.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit
entry when a logon attempt fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these
policy settings check box and clear the Success and Failure check boxes.
For information about advanced security policy settings for logon events, see the Logon/logoff section in
Advanced security audit policy settings.
LOGON EVENTS DESCRIPTION
530 Logon failure. A logon attempt was made by a user account outside of the allowed logon hours.
533 Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.
534 Logon failure. The user attempted to log on with a logon type that is not allowed.
535 Logon failure. The password for the specified account has expired.
537 Logon failure. The logon attempt failed for other reasons.
539 Logon failure. The account was locked out at the time the logon attempt was made.
544 Main mode authentication failed because the peer did not provide a valid certificate or the signature was
not validated.
These are the legacy (pre-Windows Vista) event IDs. On Windows Vista and later, the equivalent Security log
events are 4624 (logon success) and 4625 (logon failure, with Status and Sub Status codes that give the reason).
When event 528 (4624 on current versions) is logged, a logon type is also listed in the event. The following table
describes each logon type.
Related topics
Basic security audit policy settings
Audit object access
Applies to
Windows 10
Determines whether to audit the event of a user accessing an object (for example, a file, folder, registry key,
printer, and so forth) that has its own system access control list (SACL) specified.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a user successfully accesses an object that has an
appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access
an object that has a SACL specified.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy
settings check box and clear the Success and Failure check boxes.
Note: You can set a SACL on a file system object using the Security tab in that object's Properties dialog
box.
Default: No auditing.
800 One or more rows have been deleted from the certificate
database.
Related topics
Basic security audit policy settings
Audit policy change
Applies to
Windows 10
Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust
policies.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a change to user rights assignment policies, audit policies,
or trust policies is successful. Failure audits generate an audit entry when a change to user rights assignment
policies, audit policies, or trust policies fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these
policy settings check box and clear the Success and Failure check boxes.
Default:
Success on domain controllers.
No auditing on member servers.
805 The event log service read the security log configuration for a
session.
Related topics
Basic security audit policy settings
Audit privilege use
Applies to
Windows 10
Determines whether to audit each instance of a user exercising a user right.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit this type of
event at all. Success audits generate an audit entry when the exercise of a user right succeeds. Failure audits
generate an audit entry when the exercise of a user right fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy
settings check box and clear the Success and Failure check boxes.
Default: No auditing.
Audits are not generated for use of the following user rights, even if success audits or failure audits are specified
for Audit privilege use. Auditing these user rights tends to generate so many events in the security log that it
can impede your computer's performance. To audit the following user rights anyway, set the FullPrivilegeAuditing
registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa to 1.
Bypass traverse checking
Debug programs
Create a token object
Replace process level token
Generate security audits
Back up files and directories
Restore files and directories
Related topics
Basic security audit policy settings
Audit process tracking
Applies to
Windows 10
Determines whether to audit detailed tracking information for events such as program activation, process exit,
handle duplication, and indirect object access.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when the process being tracked succeeds. Failure audits
generate an audit entry when the process being tracked fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy
settings check box and clear the Success and Failure check boxes.
Default: No auditing.
Related topics
Basic security audit policy settings
Audit system events
Applies to
Windows 10
Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that
affects either the system security or the security log.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a system event is executed successfully. Failure audits
generate an audit entry when a system event is attempted unsuccessfully.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these
policy settings check box and clear the Success and Failure check boxes.
Default:
Success on domain controllers.
No auditing on member servers.
515 A trusted logon process has registered with the Local Security
Authority.
Related topics
Basic security audit policy settings
Advanced security audit policies
Applies to
Windows 10
Advanced security audit policy settings are found in Security Settings\Advanced Audit Policy
Configuration\System Audit Policies and appear to overlap with basic security audit policies, but they are
recorded and applied differently. When you apply basic audit policy settings to the local computer by using the
Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy
settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies
can be controlled by using Group Policy.
In this section
TOPIC DESCRIPTION
Planning and deploying advanced security audit policies: This topic for the IT professional explains the options
that security policy planners must consider and the tasks they must complete to deploy an effective security
audit policy in a network that includes advanced security audit policies.
Advanced security auditing FAQ: This topic for the IT professional lists questions and answers about
understanding, deploying, and managing security audit policies.
Using advanced security auditing options to monitor dynamic access control objects: This guide explains the
process of setting up advanced security auditing capabilities that are made possible through settings and events
that were introduced in Windows 8 and Windows Server 2012.
Advanced security audit policy settings: This reference for IT professionals provides information about the
advanced audit policy settings that are available in Windows and the audit events that they generate.
Planning and deploying advanced security audit
policies
Applies to
Windows 10
This topic for the IT professional explains the options that security policy planners must consider and the tasks
they must complete to deploy an effective security audit policy in a network that includes advanced security audit
policies.
Organizations invest a large portion of their information technology budgets on security applications and services,
such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software
you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on
your data, you should not consider the job complete unless you have a well-defined, timely auditing strategy to
track the effectiveness of your defenses and identify attempts to circumvent them.
To be well defined and timely, an auditing strategy must provide useful tracking data for an organization's most
important resources, critical behaviors, and potential risks. In a growing number of organizations, it must also
provide absolute proof that IT operations comply with corporate and regulatory requirements.
Unfortunately, no organization has unlimited resources to monitor every resource and activity on a network. If you
do not plan well, you will likely have gaps in your auditing strategy. However, if you try to audit every resource and
activity, you may find yourself with far too much monitoring data, including thousands of benign audit entries that
an analyst needs to sift through to identify the narrow set of entries that warrant closer examination. This could
cause delays or even prevent auditors from identifying suspicious activity. Thus, too much monitoring can leave an
organization as vulnerable as not enough monitoring.
Here are some features that can help you focus your effort:
Advanced audit policy settings. You can apply and manage detailed audit policy settings through Group
Policy.
"Reason for access" auditing. You can specify and identify the permissions that were used to generate a
particular object access security event.
Global object access auditing. You can define system access control lists (SACLs) for an entire computer file
system or registry.
To deploy these features and plan an effective security auditing strategy, you need to:
Identify your most critical resources and the most important activities that need to be tracked.
Identify the audit settings that can be used to track these activities.
Assess the advantages and potential costs associated with each.
Test these settings to validate your choices.
Develop plans for deploying and managing your audit policy.
Important: Including auditing within your organization's security plan also makes it possible to budget your
resources on the areas where auditing can achieve the most positive results.
For additional details about how to complete each of these steps and how to prepare a detailed threat model,
download the IT Infrastructure Threat Modeling Guide.
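Global object access auditing, the third feature listed above, from the command line, as an added example that is not part of the original topic: auditpol.exe /resourceSACL sets the same computer-wide SACL that appears under Advanced Audit Policy Configuration > Global Object Access Auditing, which is how you audit a whole file system or registry without touching per-object SACLs. The group name CONTOSO\Contractors is hypothetical, as is the choice of rights.

```powershell
# Added example, not from the original topic: configure Global Object Access
# Auditing with auditpol.exe. Run in an elevated session.
# CONTOSO\Contractors is a hypothetical group; scoping to a group rather than
# Everyone is what keeps the resulting event volume manageable.
$who = 'CONTOSO\Contractors'

# The global SACL is only consulted when the matching Object Access subcategory
# is on, so switch on File System and Registry first. Handle Manipulation adds
# the "reason for access" (Access Reasons) detail to the resulting 4663 events.
& auditpol.exe /set /subcategory:'File System'          /success:enable /failure:enable | Out-Null
& auditpol.exe /set /subcategory:'Registry'             /success:enable /failure:enable | Out-Null
& auditpol.exe /set /subcategory:'Handle Manipulation'  /success:enable                 | Out-Null

# Audit every write (FW is the SDDL generic-write right) by that group on any
# file or folder, and on any registry key, machine-wide.
& auditpol.exe /resourceSACL /set /type:File /user:$who /success /failure /access:FW
& auditpol.exe /resourceSACL /set /type:Key  /user:$who /success /failure /access:FW

# Show what is in place. Global entries are combined (OR) with any SACL set on
# the object itself; an object covered by neither mechanism stays silent.
& auditpol.exe /resourceSACL /type:File /view
& auditpol.exe /resourceSACL /type:Key  /view

# Resulting accesses appear as 4663 (object access) events in the Security log:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 20
# To back the global entries out again:
#   auditpol /resourceSACL /remove /type:File /user:CONTOSO\Contractors
#   auditpol /resourceSACL /clear  /type:Key
```

Expect a sharp rise in 4663 volume the moment the global SACL is set; the Access Reasons field that Handle Manipulation adds is what makes that volume triageable, because it names the permission that actually matched.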
Data and resources
For data and resource auditing, you need to identify the most important types of data and resources (such as
patient records, accounting data, or marketing plans) that can benefit from the closer monitoring that Windows
auditing can provide. Some of these data resources might already be monitored through auditing features in
products such as Microsoft SQL Server and Exchange Server. If so, you may want to consider how Windows
auditing features can enhance the existing audit strategy. As with the domain and OU structure discussed
previously, security auditing should focus on your most critical resources. You also must consider how much audit
data you will be able to manage.
You can record if these resources have high business impact, medium business impact, or low business impact, the
cost to the organization if these data resources are accessed by unauthorized users, and the risk that this access
can pose to the organization. The type of access by users (such as Read, Modify, or Copy) can also pose different
levels of risk to an organization.
Increasingly, data access and use is governed by regulations, and a breach can result in severe penalties and a loss
in credibility for the organization. If regulatory compliance plays a role in how you manage your data, be sure to
also document this information.
The following table provides an example of a resource analysis for an organization.
RESOURCE CLASS | WHERE STORED | ORGANIZATIONAL UNIT | BUSINESS IMPACT | SECURITY OR REGULATORY REQUIREMENTS
Patient medical records | MedRec-2 | Doctors and Nurses: Read/Write on MedRec-2; Lab Assistants: Write only on MedRec-2; Accounting: Read only on MedRec-2 | High | Strict legal and regulatory standards
Consumer health information | Web-Ext-1 | Public Relations Web Content Creators: Read/Write on Web-Ext-1; Public: Read only on Web-Ext-1 | Low | Public education and corporate image
Users
Many organizations find it useful to classify the types of users they have and base permissions on this
classification. This same classification can help you identify which user activities should be the subject of security
auditing and the amount of audit data they will generate.
Organizations can create distinctions based on the type of rights and permissions needed by users to perform
their jobs. For example, under the classification Administrators, larger organizations might assign local
administrator responsibilities for a single computer, for specific applications such as Exchange Server or SQL
Server, or for an entire domain. Under Users, permissions and Group Policy settings can apply to as many as all
users in an organization or as few as a subset of the employees in a given department.
Also, if your organization is subject to regulatory requirements, user activities such as accessing medical records or
financial data may need to be audited to verify that you are complying with these requirements.
To effectively audit user activity, begin by listing the different types of users in your organization and the types of
data they need access to—in addition to the data they should not have access to.
Also, if external users can access any of your organization's data, be sure to identify them, including if they belong
to a business partner, customer, or general user, the data they have access to, and the permissions they have to
access that data.
The following table illustrates an analysis of users on a network. Although our example contains a single column
titled "Possible auditing considerations," you may want to create additional columns to differentiate between
different types of network activity, such as logon hours and permission use.
Account administrators | User accounts and security groups | Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes.
Computers
Security and auditing requirements and audit event volume can vary considerably for different types of computers
in an organization. These requirements can be based on:
If the computers are servers, desktop computers, or portable computers.
The important applications the computers run, such as Exchange Server, SQL Server, or Forefront Identity
Manager.
Note: Some server applications (including Exchange Server and SQL Server) have their own audit settings. For
more information about auditing in Exchange Server, see the Exchange 2010 Security Guide. For more
information about auditing in SQL Server 2008, see Auditing (Database Engine). For SQL Server 2012,
see SQL Server Audit (Database Engine).
Note: The operating system version determines which auditing options are available and the volume of
audit event data.
Portable computers | Windows Vista and Windows 7 | Separate portable computer OUs by department and (in some cases) by location
Regulatory requirements
Many industries and locales have strict and specific requirements for network operations and how resources are
protected. In the health care and financial industries, for example, there are strict guidelines for who has access to
records and how they are used. Many countries have strict privacy rules. To identify regulatory requirements, work
with your organization's legal department and other departments responsible for these requirements. Then
consider the security configuration and auditing options that can be used to comply with and verify compliance
with these regulations.
For more info, see the System Center Process Pack for IT GRC.
Important: Whether you apply advanced audit policies by using Group Policy or by using logon scripts,
do not use both the basic audit policy settings under Local Policies\Audit Policy and the advanced
settings under Security Settings\Advanced Audit Policy Configuration. Using both basic and
advanced audit policy settings can cause unexpected results in audit reporting.
If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit
policies, be sure to enable the Audit: Force audit policy subcategory settings (Windows Vista or
later) to override audit policy category settings policy setting under Local Policies\Security
Options. This will prevent conflicts between similar settings by forcing basic security auditing to be
ignored.
The following are examples of how audit policies can be applied to an organization's OU structure:
Apply data activity settings to an OU that contains file servers. If your organization has servers that contain
particularly sensitive data, consider putting them in a separate OU so that you can configure and apply a more
precise audit policy to these servers.
Apply user activity audit policies to an OU that contains all computers in the organization. If your organization
places users in OUs based on the department they work in, consider configuring and applying more detailed
security permissions on critical resources that are accessed by employees who work in more sensitive areas,
such as network administrators or the legal department.
Apply network and system activity audit policies to OUs that contain the organization's most critical servers,
such as domain controllers, CAs, email servers, or database servers.
Important: Settings that are described in the Reference might also provide valuable information about activity
audited by another setting. For example, the settings used to monitor user activity and network activity have
obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have
huge implications for overall network status, and potentially for how well you are managing the activities of
users on the network.
Note: To audit user attempts to access all file system objects on a computer, use the Global Object
Access Auditing settings Registry (Global Object Access Auditing) or File System (Global Object Access
Auditing).
Object Access\Audit Handle Manipulation. This policy setting determines whether the operating system
generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs
generate these events, and only if the attempted handle operation matches the SACL.
Event volume can be high, depending on how SACLs are configured. When used together with the Audit
File System or Audit Registry policy settings, the Audit Handle Manipulation policy setting can
provide an administrator with useful "reason for access" audit data that details the precise permissions on
which the audit event is based. For example, if a file is configured as a Read-only resource but a user
attempts to save changes to the file, the audit event will log not only the event, but also the permissions that
were used (or attempted to be used) to save the file changes.
Global Object Access Auditing. A growing number of organizations are using security auditing to
comply with regulatory requirements that govern data security and privacy. But demonstrating that strict
controls are being enforced can be extremely difficult. To address this issue, the supported versions of
Windows include two Global Object Access Auditing policy settings, one for the registry and one for the
file system. When you configure these settings, they apply a global system access control SACL on all
objects of that class on a system, which cannot be overridden or circumvented.
Important: The Global Object Access Auditing policy settings must be configured and applied in
conjunction with the Audit File System and Audit Registry audit policy settings in the Object Access
category.
User activity
The settings in the previous section relate to activity involving the files, folders, and network shares that are stored
on a network, and the settings in this section focus on the users, including employees, partners, and customers,
who may try to access those resources.
In the majority of cases, these attempts will be legitimate and a network needs to make vital data readily available
to legitimate users. However in other cases, employees, partners, and others may attempt to access resources that
they have no legitimate reason to access. Security auditing can be used to track a wide variety of user activities on
a particular computer to diagnose and resolve problems for legitimate users and identify and address illegitimate
activities. The following are a few important settings that you should evaluate to track user activity on your
network:
Account Logon\Audit Credential Validation. This is an extremely important policy setting because it enables
you to track every successful and unsuccessful attempt to present credentials for a user logon. In particular, a
pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer
valid, or attempting to use a variety of credentials in succession in hope that one of these attempts will
eventually be successful. These events occur on the computer that is authoritative for the credentials. For
domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
Detailed Tracking\Audit Process Creation and Detailed Tracking\Audit Process Termination. These policy
settings can enable you to monitor the applications that a user opens and closes on a computer.
DS Access\Audit Directory Service Access and DS Access\Audit Directory Service Changes. These policy
settings provide a detailed audit trail of attempts to access, create, modify, delete, move, or undelete objects in
Active Directory Domain Services (AD DS). Only domain administrators have permissions to modify AD DS
objects, so it is extremely important to identify malicious attempts to modify these objects. In addition, although
domain administrators should be among an organization's most trusted employees, the use of the Audit
Directory Service Access and Audit Directory Service Changes settings allows you to monitor and verify
that only approved changes are made to AD DS. These audit events are logged only on domain controllers.
Logon/Logoff\Audit Account Lockout. Another common security scenario occurs when a user attempts to log
on with an account that has been locked out. It is important to identify these events and to determine whether
the attempt to use an account that has been locked out is malicious.
Logon/Logoff\Audit Logoff and Logon/Logoff\Audit Logon. Logon and logoff events are essential to
tracking user activity and detecting potential attacks. Logon events are related to the creation of logon
sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated
on the computer that was logged on to. For network logon, such as accessing a shared resource, events are
generated on the computer that hosts the resource that was accessed. Logoff events are generated when
logon sessions are terminated.
Note: There is no failure event for logoff activity because failed logoffs (such as when a system abruptly
shuts down) do not generate an audit record. Logoff events are not 100 percent reliable. For example,
the computer can be turned off without a proper logoff and shutdown, and a logoff event is not
generated.
Logon/Logoff\Audit Special Logon. A special logon has administrator-equivalent rights and can be used to
elevate a process to a higher level. It is recommended to track these types of logons. For more information
about this feature, see article 947223 in the Microsoft Knowledge Base.
Object Access\Audit Certification Services. This policy setting allows you to track and monitor a wide variety of
activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that
only authorized users are performing or attempting to perform these tasks, and that only authorized or desired
tasks are being performed.
Object Access\Audit File System and Object Access\Audit File Share. These policy settings are described in the
previous section.
Object Access\Audit Handle Manipulation. This policy setting and its role in providing "reason for access" audit
data is described in the previous section.
Object Access\Audit Registry. Monitoring for changes to the registry is one of the most critical means that
an administrator has to ensure malicious users do not make changes to essential computer settings. Audit
events are only generated for objects that have configured SACLs, and only if the type of access that is
requested (such as Write, Read, or Modify) and the account making the request match the settings in the
SACL.
Important: On critical systems where all attempts to change registry settings need to be tracked, you
can combine the Audit Registry policy setting with the Global Object Access Auditing policy
settings to ensure that all attempts to modify registry settings on a computer are tracked.
Object Access\Audit SAM. The Security Accounts Manager (SAM) is a database that is present on
computers running Windows that stores user accounts and security descriptors for users on the local
computer. Changes to user and group objects are tracked by the Account Management audit category.
However, user accounts with the proper user rights could potentially alter the files where the account and
password information is stored in the system, bypassing any Account Management events.
Privilege Use\Audit Sensitive Privilege Use. Privilege Use policy settings and audit events allow you to track
the use of certain rights on one or more systems. If you configure this policy setting, an audit event is
generated when sensitive rights requests are made.
Network activity
The following network activity policy settings allow you to monitor security-related issues that are not necessarily
covered in the data or user activity categories, but that can be equally important for network status and protection.
Account Management. The policy settings in this category can be used to track attempts to create, delete, or
modify user or computer accounts, security groups, or distribution groups. Monitoring these activities
complements the monitoring strategies you select in the user activity and data activity sections.
Account Logon\Audit Kerberos Authentication Service and Account Logon\Audit Kerberos Service Ticket
Operations. Audit policy settings in the Account Logon category monitor activities that relate to the use of
domain account credentials. These policy settings complement the policy settings in the Logon/Logoff
category. The Audit Kerberos Authentication Service policy setting allows you to monitor the status of
and potential threats to the Kerberos service. The Audit Kerberos Service Ticket Operations policy
setting allows you to monitor the use of Kerberos service tickets.
Note: Account Logon policy settings apply only to specific domain account activities, regardless of the
computer that is accessed, whereas Logon/Logoff policy settings apply to the computer that hosts the
resources being accessed.
Account Logon\Audit Other Account Logon Events. This policy setting can be used to track a number of
different network activities, including attempts to create Remote Desktop connections, wired network
connections, and wireless connections.
DS Access. Policy settings in this category allow you to monitor the AD DS role services, which provide
account data, validate logons, maintain network access permissions, and provide other services that are critical
to the secure and proper functioning of a network. Therefore, auditing the rights to access and modify the
configuration of a domain controller can help an organization maintain a secure and reliable network. In
addition, one of the key tasks performed by AD DS is the replication of data between domain controllers.
Logon/Logoff\Audit IPsec Extended Mode, Logon/Logoff\Audit IPsec Main Mode, and Logon/Logoff\Audit
IPsec Quick Mode. Many networks support large numbers of external users, including remote employees and
partners. Because these users are outside the organization's network boundaries, IPsec is often used to help
protect communications over the Internet by enabling network-level peer authentication, data origin
authentication, data integrity, data confidentiality (encryption), and protection against replay attacks. You can
use these settings to ensure that IPsec services are functioning properly.
Logon/Logoff\Audit Network Policy Server. Organizations that use RADIUS (IAS) and Network Access
Protection (NAP) to set and maintain security requirements for external users can use this policy setting to
monitor the effectiveness of these policies and to determine whether anyone is attempting to circumvent these
protections.
Policy Change. These policy settings and events allow you to track changes to important security policies on a
local computer or network. Because policies are typically established by administrators to help secure network
resources, any changes or attempts to change these policies can be an important aspect of security
management for a network.
Policy Change\Audit Audit Policy Change. This policy setting allows you to monitor changes to the audit policy.
If malicious users obtain domain administrator credentials, they can temporarily disable essential security audit
policy settings so that their other activities on the network cannot be detected.
Policy Change\Audit Filtering Platform Policy Change. This policy setting can be used to monitor a large variety
of changes to an organization's IPsec policies.
Policy Change\Audit MPSSVC Rule-Level Policy Change. This policy setting determines if the operating
system generates audit events when changes are made to policy rules for the Microsoft Protection Service
(MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for understanding
the security state of the computer and how well it is protected against network attacks.
Confirm operating system version compatibility
Not all versions of Windows support advanced audit policy settings or the use of Group Policy to apply and
manage these settings. For more info, see Which editions of Windows support advanced audit policy
configuration.
The audit policy settings under Local Policies\Audit Policy overlap with audit policy settings under Security
Settings\Advanced Audit Policy Configuration. However, the advanced audit policy categories and
subcategories make it possible to focus your auditing efforts on the most critical activities while reducing the
amount of audit data that is less important to your organization.
For example, Local Policies\Audit Policy contains a single setting called Audit account logon events. When this
setting is configured, it generates at least 10 types of audit events.
In comparison, the Account Logon category under Security Settings\Advanced Audit Policy Configuration
provides the following advanced settings, which allow you to focus your auditing:
Credential Validation
Kerberos Authentication Service
Kerberos Service Ticket Operations
Other Account Logon Events
These settings allow you to exercise much tighter control over which activities or events generate event data.
Some activities and events will be more important to your organization, so define the scope of your security audit
policy as narrowly as possible.
Success, failure, or both
Whichever event settings you include in your plan, you also have to decide whether you want to log an event when
the activity fails, when an activity succeeds, or both successes and failures. This is an important question, and the
answer will be based on the criticality of the event and the implications of the decision on event volume.
For example, on a file server that is accessed frequently by legitimate users, you may be interested in logging an
event only when an unsuccessful attempt to access data takes place, because this could be evidence of an
unauthorized or malicious user. And in this instance, logging successful attempts to access the server would
quickly fill the event log with benign events.
On the other hand, if the file share has extremely sensitive and valuable information, such as trade secrets, you
may want to log every access attempt, whether successful or unsuccessful, so that you have an audit trail of every
user who accessed the resource.
Applies to
Windows 10
This topic for the IT professional lists questions and answers about understanding, deploying, and managing
security audit policies.
What is Windows security auditing and why might I want to use it?
What is the difference between audit policies located in Local Policies\Audit Policy and audit policies located in
Advanced Audit Policy Configuration?
What is the interaction between basic audit policy settings and advanced audit policy settings?
How are audit settings merged by Group Policy?
What is the difference between an object DACL and an object SACL?
Why are audit policies applied on a per-computer basis rather than per user?
What are the differences in auditing functionality between versions of Windows?
Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000
Server?
What is the difference between success and failure events? Is something wrong if I get a failure audit?
How can I set an audit policy that affects all objects on a computer?
How do I figure out why someone was able to access a resource?
How do I know when changes are made to access control settings, by whom, and what the changes were?
How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
How can I monitor if changes are made to audit policy settings?
How can I minimize the number of events that are generated?
What are the best tools to model and manage audit policy?
Where can I find information about all the possible events that I might receive?
Where can I find more detailed information?
What is Windows security auditing and why might I want to use it?
Security auditing is a methodical examination and review of activities that may affect the security of a system. In
the Windows operating systems, security auditing is more narrowly defined as the features and services that
enable an administrator to log and review events for specified security-related activities.
Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks.
Monitoring these events can provide valuable information to help administrators troubleshoot and investigate
security-related activities.
Important Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not
use both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under
Security Settings\Advanced Audit Policy Configuration. Using both advanced and basic audit policy
settings can cause unexpected results in audit reporting.
If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be
sure to enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override
audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts
between similar settings by forcing basic security auditing to be ignored.
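The two "Important" notes (the one in the planning guidance above and the one just repeated here) and the Account Logon subcategory list both come down to the same check: is the "Force audit policy subcategory settings" policy in effect, and which advanced subcategories are actually enabled? The following script is an added example, not code from the Microsoft page; it only reads settings and changes nothing. It assumes the policy is backed by the SCENoApplyLegacyAuditPolicy registry value under the Lsa key and that auditpol /r emits CSV with "Subcategory" and "Inclusion Setting" columns.

```powershell
# Added example (not from the Microsoft page): report whether advanced subcategory settings
# override legacy category settings, and list the subcategories currently in effect.
# Run from an elevated PowerShell prompt on the computer you want to inspect. Read-only.

# "Audit: Force audit policy subcategory settings ... to override audit policy category settings"
# is stored as SCENoApplyLegacyAuditPolicy under the Lsa key (1 = enabled).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force  = (Get-ItemProperty -Path $lsaKey -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy

if ($force -eq 1) {
    Write-Host 'OK: subcategory (advanced) settings override the basic Local Policies\Audit Policy settings.'
} else {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: basic and advanced audit policy settings can conflict.'
}

# auditpol /get /category:* /r prints CSV with the columns
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting.
# Lines without a comma (blank separators) are dropped before parsing.
$effective = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv

# Subcategories that are generating events right now.
Write-Host "`nSubcategories currently enabled:"
$effective | Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
    Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# The four Account Logon subcategories named in the text, so the narrow scope the planning
# guidance recommends (for example only Credential Validation) can be confirmed.
$accountLogon = 'Credential Validation', 'Kerberos Authentication Service',
                'Kerberos Service Ticket Operations', 'Other Account Logon Events'
Write-Host 'Account Logon subcategories:'
$effective | Where-Object { $accountLogon -contains $_.Subcategory } |
    Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
```

If the warning fires while a domain GPO is meant to set advanced policy, the computer may be applying the basic Audit Policy settings on top of the subcategories, which is exactly the "unexpected results in audit reporting" the note warns about.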
AUDITING SUBCATEGORY | SETTING CONFIGURED IN AN OU GPO (HIGHER PRIORITY) | SETTING CONFIGURED IN A DOMAIN GPO (LOWER PRIORITY) | RESULTING POLICY FOR THE TARGET COMPUTER
Why are audit policies applied on a per-computer basis rather than per user?
In security auditing in Windows, the computer, objects on the computer, and related resources are the primary
recipients of actions by clients including applications, other computers, and users. In a security breach, malicious
users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users
to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer
and the objects and resources on that computer.
In addition, because audit policy capabilities can vary between computers running different versions of Windows,
the best way to ensure that the audit policy is applied correctly is to base these settings on the computer instead of
the user.
However, in cases where you want audit settings to apply only to specified groups of users, you can accomplish
this by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the
users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1.
This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The Object
Access\Audit File System audit policy setting applies to Accounting Server 1, but because it requires a
corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder
generate audit events.
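The Payroll Data scenario above, carried out in PowerShell as an added example (not code from the Microsoft page). The folder path and the group name are placeholders to replace with your own; the page's "Payroll Processors OU" becomes a security group here because a SACL entry names a security principal, not an OU. It assumes an elevated prompt, since writing a SACL needs the SeSecurityPrivilege right.

```powershell
# Added example (not from the Microsoft page): audit delete attempts on one folder by one
# group only, by combining the Audit File System subcategory with a folder SACL.
$folder = 'D:\Payroll Data'             # assumed path; stands in for Payroll Data on Accounting Server 1
$group  = 'CONTOSO\Payroll Processors'  # assumed group; a security group, not an OU, goes in the SACL

# 1. The Object Access\Audit File System subcategory must be enabled, or the SACL never fires.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Build the audit rule: Delete (and delete of children), inherited by every file and
#    subfolder, recorded on both success and failure so the trail shows who deleted what.
$rights     = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate  = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($group, $rights, $inherit, $propagate, $auditFlags)

# 3. Read the descriptor including its SACL (-Audit), add the rule, write it back.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Confirm what is now audited on the folder.
(Get-Acl -Path $folder -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags | Format-Table -AutoSize
```

Users outside the group can delete files in the folder without producing an audit event, which is the point: the policy setting is per computer, but the SACL narrows the events to the principals you named. The resulting object-access events carry the folder path and the account in their event data, so they can be filtered on the collector by that group alone.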
How can I set an audit policy that affects all objects on a computer?
System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a
system. This has been difficult to accomplish because the system access control lists (SACLs) that govern auditing
are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have
to check every object to be sure that no changes have been made—even temporarily to a single SACL. Introduced
in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access
auditing policies for the entire file system or for the registry on a computer. The specified SACL is then
automatically applied to every object of that type. This can be useful for verifying that all critical files, folders, and
registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a
file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object
access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or
folder SACL and the global object access auditing policy. This means that an audit event is generated if an activity
matches either the file or folder SACL or the global object access auditing policy.
How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you
subsequently change the advanced audit policy setting to Not configured, you need to complete the following
steps to restore the original basic security audit policy settings:
1. Set all Advanced Audit Policy subcategories to Not configured.
2. Delete all audit.csv files from the %SYSVOL% folder on the domain controller.
3. Reconfigure and apply the basic audit policy settings.
Unless you complete all of these steps, the basic audit policy settings will not be restored.
What are the best tools to model and manage audit policies?
The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and
Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies
in an organization's network. As such, tools used to plan and deploy Group Policy Objects for a domain can also be
used to plan and deploy security audit policies. On an individual computer, the Auditpol command-line tool can be
used to complete a number of important audit policy–related management tasks.
In addition, there are a number of computer management products, such as the Audit Collection Services in the
Microsoft System Center Operations Manager products, which can be used to collect and filter event data.
Where can I find information about all the possible events that I might receive?
Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit
events that are stored there (which can quickly number in the thousands) and by the structured information that is
included for each audit event. Additional information about these events, and the settings used to generate them,
can be obtained from the following resources:
Windows 8 and Windows Server 2012 Security Event Details
Security Audit Events for Windows 7 and Windows Server 2008 R2
Security Audit Events for Windows Server 2008 and Windows Vista
Advanced security audit policy settings
Applies to
Windows 10
Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows
Vista. There is no difference in security auditing support between 32-bit and 64-bit versions. Windows editions
that cannot join a domain, such as Windows 10 Home edition, do not have access to these features.
How to get a list of XML data name elements in EventData
4/5/2019
Applies to
Windows 10
The Security log uses a manifest where you can get all of the event schema.
Run the following from an elevated PowerShell prompt:
The .events property is a collection of all of the events listed in the manifest on the local machine.
For each event, there is a .Template property for the XML template used for the event properties (if there are any).
For example:
PS C:\WINDOWS\system32> $SecEvents.events[100]
Id : 4734
Version : 0
LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
Level : System.Diagnostics.Eventing.Reader.EventLevel
Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
Task : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {}
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
<data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
</template>
Subject:
Security ID: %4
Account Name: %5
Account Domain: %6
Logon ID: %7
Group:
Security ID: %3
Group Name: %1
Group Domain: %2
Additional Information:
Privileges: %8
PS C:\WINDOWS\system32> $SecEvents.events[100].Template
<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
<data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
</template>
Subject:
Security ID: %4
Account Name: %5
Account Domain: %6
Logon ID: %7
Group:
Security ID: %3
Group Name: %1
Group Domain: %2
Additional Information:
Privileges: %8
For the Subject: Security ID: text element, %4 refers to the fourth data element in the Template, SubjectUserSid. For
Additional Information: Privileges:, %8 refers to the eighth element, PrivilegeList. The Name attributes of the Data
elements under EventData in a logged event's XML are these same template names, which is what an XPath filter such as
EventData/Data[@Name='SubjectUserSid'] matches on.
A caveat to this is an oft-overlooked property of events called Version (in the <System> element), which indicates the
revision of the event schema and description. Most events have a single version (Version = 0, as in the Security/4734
example), but a few events, such as Security/4624 and Security/4688, have at least three versions (0, 1 and 2),
depending on the OS version that generates the event. Only the latest version known to the OS is used when the event
is written to the Security log. In any case, take the Template and the Description from the same event version;
pairing a Description from one version with the Template of another misnumbers the fields.
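As an added example (not code from the original page), the following PowerShell builds the $SecEvents provider-metadata object that the output above refers to, resolves each %n placeholder of an event's Description to the corresponding data element of its Template, and lists the events that carry more than one schema version. It assumes an elevated prompt on a machine that has the Microsoft-Windows-Security-Auditing provider, which every supported Windows client or server does; the function name Get-SecurityEventSchema is this example's own.

```powershell
# Added example: map Security event Description placeholders (%n) to the
# <data name="..."> elements of the event's manifest template.
# Requires an elevated PowerShell prompt.
$SecEvents = New-Object System.Diagnostics.Eventing.Reader.ProviderMetadata 'Microsoft-Windows-Security-Auditing'

function Get-SecurityEventSchema {
    param([Parameter(Mandatory)][int]$EventId)

    # The same ID appears once per schema version, so iterate rather than index.
    foreach ($ev in ($SecEvents.Events | Where-Object { $_.Id -eq $EventId })) {
        $fields = @()
        if ($ev.Template) {
            # The template is plain XML; PowerShell's XML adapter resolves the
            # element names without the namespace prefix.
            $xml = [xml]$ev.Template
            $n = 0
            foreach ($d in $xml.template.data) {
                $n++
                $fields += [pscustomobject]@{
                    Placeholder = "%$n"
                    Name        = $d.name
                    InType      = $d.inType
                }
            }
        }
        [pscustomobject]@{
            Id          = $ev.Id
            Version     = $ev.Version
            Fields      = $fields
            Description = $ev.Description
        }
    }
}

# Security/4734: Subject > Security ID is %4, which resolves to SubjectUserSid.
$schema = Get-SecurityEventSchema -EventId 4734
$schema.Fields | Format-Table -AutoSize
$schema.Fields | Where-Object { $_.Placeholder -eq '%4' }

# Events that ship more than one schema version. Template and Description must
# be taken from the same Version; the newest one the OS knows is what gets logged.
$SecEvents.Events |
    Group-Object -Property Id |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        '{0}: versions {1}' -f $_.Name, (($_.Group.Version | Sort-Object -Unique) -join ', ')
    }

# Cross-check against a live record: the Name attributes of EventData/Data in
# the logged XML are the template's data names, in template order.
$live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4734 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($live) {
    ([xml]$live.ToXml()).Event.EventData.Data | Select-Object Name, '#text'
}
```

The last step is the check worth keeping: if a query or detection rule names a field, confirm the name against the template of the event version the machine actually writes, not against a description copied from an older build.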
Using advanced security auditing options to monitor dynamic access control objects
4/5/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10
This guide explains the process of setting up advanced security auditing capabilities that are made possible
through settings and events that were introduced in Windows 8 and Windows Server 2012.
These procedures can be deployed with the advanced security auditing capabilities described in Deploy Security
Auditing with Central Audit Policies (Demonstration Steps).
In this guide
Domain administrators can create and deploy expression-based security audit policies by using file classification
information (resource attributes), user claims, and device claims to target specific users and resources to monitor
potentially significant activities on one or more computers. These policies can be deployed centrally by using
Group Policy, or directly on a computer, in a folder, or in individual files.
In this section
Topic: Monitor the central access policies that apply on a file server
Describes how to monitor changes to the central access policies that apply to a file server when using advanced
security auditing options to monitor dynamic access control objects. Central access policies are created on a domain
controller and then applied to file servers through Group Policy management.
Topic: Monitor the use of removable storage devices
Describes how to monitor attempts to use removable storage devices to access network resources, using advanced
security auditing options to monitor dynamic access control objects.
Topic: Monitor resource attribute definitions
Describes how to monitor changes to resource attribute definitions when you are using advanced security auditing
options to monitor dynamic access control objects.
Topic: Monitor central access policy and rule definitions
Describes how to monitor changes to central access policy and central access rule definitions when you use advanced
security auditing options to monitor dynamic access control objects.
Topic: Monitor user and device claims during sign-in
Describes how to monitor user and device claims that are associated with a user's security token when you are using
advanced security auditing options to monitor dynamic access control objects.
Topic: Monitor the resource attributes on files and folders
Describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced
security auditing options to monitor dynamic access control objects.
Topic: Monitor the central access policies associated with files and folders
Describes how to monitor changes to the central access policies that are associated with files and folders when you
are using advanced security auditing options to monitor dynamic access control objects.
Topic: Monitor claim types
Describes how to monitor changes to claim types that are associated with dynamic access control when you are using
advanced security auditing options.
Important: This procedure can be configured on computers running any of the supported Windows
operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic
access control deployment.
Related topics
Security auditing
Monitor the central access policies that apply on a file server
4/5/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10
This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file
server when using advanced security auditing options to monitor dynamic access control objects. Central access
policies are created on a domain controller and then applied to file servers through Group Policy management.
Use the following procedures to configure and verify security auditing settings that are used to monitor changes to
the set of central access policies on a file server. The following procedures assume that you have configured and
deployed dynamic access control, including central access policies, and claims in your network. If you have not yet
deployed dynamic access control in your network, see Deploy a Central Access Policy (Demonstration Steps).
To configure settings to monitor changes to central access policies
1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to Tools, and then click Group Policy Management.
3. In the console tree, right-click the flexible access Group Policy Object, and then click Edit.
4. Double-click Computer Configuration, double-click Security Settings, double-click Advanced Audit
Policy Configuration, double-click Policy Change, and then double-click Other Policy Change Events.
Note: This policy setting monitors policy changes that might not be captured otherwise, such as central
access policy changes or trusted platform module configuration changes.
5. Select the Configure the following audit events check box, select the Success check box (and the
Failure check box, if desired), and then click OK.
After you modify the central access policies on the domain controller, verify that the changes have been applied to
the file server and that the proper events are logged.
To verify changes to the central access policies
1. Sign in to your domain controller by using domain administrator credentials.
2. Open the Group Policy Management Console.
3. Right-click Default domain policy, and then click Edit.
4. Double-click Computer Configuration, double-click Policies, and then double-click Windows Settings.
5. Double-click Security Settings, right-click File system, and then click Manage CAPs.
6. In the wizard that appears, follow the instructions to add a new central access policy (CAP), and then click OK.
7. Use local administrator credentials to sign in to the server that hosts resources that are subject to the central
access policies you changed.
8. Press the Windows key + R, then type cmd to open a Command Prompt window.
Note: If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Yes.
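The remainder of the verification on the file server, as an added example rather than text from the original page: confirm that the Other Policy Change Events subcategory configured in the GPO is in effect on this server, refresh Group Policy, and look for event 4819 (Central Access Policies on the machine have been changed), which is the event that subcategory records when the list of central access policies applied to the machine changes. It assumes the command runs in the elevated window opened in step 8 on a server that the edited GPO applies to.

```powershell
# Added example: on the file server, confirm the subcategory is in effect,
# refresh Group Policy, and look for event 4819 (Central Access Policies on
# the machine have been changed). Run from an elevated prompt.
$started = Get-Date

# The subcategory set in the DC's GPO must be effective on this server.
auditpol /get /subcategory:"Other Policy Change Events" |
    Where-Object { $_ -match 'Other Policy Change Events' }   # expect Success, or Success and Failure

# Pull the modified GPO so the new central access policy list is applied.
gpupdate /force | Out-Null

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4819; StartTime = $started } -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No 4819 since the policy refresh: check the subcategory setting and that the GPO applies to this server.'
}
foreach ($e in $events) {
    # Dump every EventData field rather than assuming field names.
    ([xml]$e.ToXml()).Event.EventData.Data |
        Select-Object @{ n = 'Field'; e = { $_.Name } }, @{ n = 'Value'; e = { $_.'#text' } }
}
```

If the subcategory shows No Auditing here even though the GPO sets it, the GPO is not linked to or filtered for this server; fix that before trusting the absence of 4819.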
Related resource
Using advanced security auditing options to monitor dynamic access control objects
Monitor the use of removable storage devices
4/5/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10
This topic for the IT professional describes how to monitor attempts to use removable storage devices to access
network resources. It describes how to use advanced security auditing options to monitor dynamic access control
objects.
If you configure this policy setting, an audit event is generated each time a user attempts to copy, move, or save a
resource to a removable storage device.
Use the following procedures to monitor the use of removable storage devices and to verify that the devices are
being monitored.
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
Note: If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Yes.
Note: We do not recommend that you enable this category on a file server that hosts file shares on a
removable storage device. When Removable Storage Auditing is configured, any attempt to access the
removable storage device will generate an audit event.
Related resource
Using advanced security auditing options to monitor dynamic access control objects
Monitor resource attribute definitions
4/5/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10
This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are
using advanced security auditing options to monitor dynamic access control objects. Resource attribute definitions
define the basic properties of resource attributes, such as what it means for a resource to be defined as “high
business value.” Resource attribute definitions are stored in AD DS under the Resource Properties container.
Changes to these definitions could significantly change the protections that govern a resource, even if the resource
attributes that apply to the resource remain unchanged. Changes can be monitored like any other AD DS object.
For information about monitoring changes to the resource attributes that apply to files, see Monitor the resource
attributes on files and folders.
Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS
and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access
Control, including central access policies, claims, and other components, in your network. If you have not yet
deployed Dynamic Access Control in your network, see Deploy a Central Access Policy (Demonstration Steps).
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
Monitor central access policy and rule definitions
Applies to
Windows 10
This topic for the IT professional describes how to monitor changes to central access policy and central access rule
definitions when you use advanced security auditing options to monitor dynamic access control objects. Central
access policies and rules determine access permissions for multiple files on multiple file servers. Therefore, it is
important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule
definitions reside in Active Directory Domain Services (AD DS), and they can be monitored just like any other
object in Active Directory. Central access policies and rules are critical elements in a Dynamic Access Control
deployment. These policies and rules are stored in AD DS, so they should be less likely to be tampered with than
other network objects. However, it is important to monitor these objects for potential changes in security auditing
and to verify that policies are being enforced.
Use the following procedures to configure settings to monitor changes to central access policy and central access
rule definitions and to verify the changes. These procedures assume that you have configured and deployed
Dynamic Access Control, including central access policies, claims, and other components, in your network. If you
have not yet deployed Dynamic Access Control in your network, see Deploy a Central Access Policy
(Demonstration Steps).
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
To configure settings to monitor changes to central access policy and rule definitions
1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to Tools, and then click Group Policy Management.
3. In the console tree, right-click the default domain controller Group Policy Object, and then click Edit.
4. Double-click Computer Configuration, click Security Settings, expand Advanced Audit Policy
Configuration, expand System Audit Policies, click DS Access, and then double-click Audit directory
service changes.
5. Select the Configure the following audit events check box, select the Success check box (and the Failure
check box, if desired), and then click OK.
6. Close the Group Policy Management Editor.
7. Open the Active Directory Administrative Center.
8. Under Dynamic Access Control, right-click Central Access Policies, and then select Properties.
9. Click the Security tab, click Advanced to open the Advanced Security Settings dialog box, and then click the
Auditing tab.
10. Click Add, add a security auditing setting for the container, and then close all Security properties dialog boxes.
After you configure settings to monitor changes to central access policy and central access rule definitions, verify
that the changes are being monitored.
To verify that changes to central access policy and rule definitions are monitored
1. Sign in to your domain controller by using domain administrator credentials.
2. Open the Active Directory Administrative Center.
3. Under Dynamic Access Control, right-click Central Access Policies, and then click Properties.
4. Click the Security tab, click Advanced to open the Advanced Security Settings dialog box, and then click the
Auditing tab.
5. Click Add, add a security auditing setting for the container, and then close all Security properties dialog boxes.
6. In the Central Access Policies container, add a new central access policy (or select one that exists), click
Properties in the Tasks pane, and then change one or more attributes.
7. Click OK, and then close the Active Directory Administrative Center.
8. In Server Manager, click Tools, and then click Event Viewer.
9. Expand Windows Logs, and then click Security. Verify that event 5136 (A directory service object was modified)
appears in the Security log; if you created a new policy, 5137 (A directory service object was created) appears as
well. These are the events that Audit Directory Service Changes writes on the domain controller. Event 4819 (Central
Access Policies on the machine have been changed) is written by the Other Policy Change Events subcategory on the
computers where the changed policy is applied, not by the directory auditing configured here.
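The same configuration and verification from PowerShell, as an added example that is not part of the original page: it places the audit entry on the Central Access Policies container with an ActiveDirectoryAuditRule instead of the ADAC dialog, modifies one policy, and reads back the directory-change events. It assumes it runs on a domain controller as a domain administrator with the ActiveDirectory module installed and with Audit Directory Service Changes enabled for the DC; the container path is the standard location Dynamic Access Control uses for central access policies.

```powershell
# Added example: audit entry on the Central Access Policies container, one
# attribute change, then the 5136/5137 events that Audit Directory Service
# Changes records. Run on a DC as a domain administrator.
Import-Module ActiveDirectory

$configNC     = (Get-ADRootDSE).configurationNamingContext
$capContainer = "CN=Central Access Policies,CN=Claims Configuration,CN=Services,$configNC"

# Audit every successful write, create and delete by anyone (Everyone, S-1-1-0),
# on the container and everything beneath it.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, CreateChild, DeleteChild',
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$capContainer" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$capContainer" -AclObject $acl

# Change one attribute of an existing policy so there is something to audit.
$started = Get-Date
$cap = Get-ADObject -SearchBase $capContainer -Filter "objectClass -eq 'msAuthz-CentralAccessPolicy'" |
       Select-Object -First 1
if ($cap) {
    Set-ADObject -Identity $cap -Description ('audit check ' + (Get-Date -Format s))
}

# 5136 = a directory service object was modified; 5137 = created.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137; StartTime = $started } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Id        = $_.Id
            Object    = ($d | Where-Object { $_.Name -eq 'ObjectDN' }).'#text'
            Attribute = ($d | Where-Object { $_.Name -eq 'AttributeLDAPDisplayName' }).'#text'
            By        = ($d | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
        }
    } | Format-Table -AutoSize
```

A single attribute change usually yields two 5136 records (the old value deleted, the new value added), so do not treat the count as the number of edits.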
Related resource
Using advanced security auditing options to monitor dynamic access control objects
Monitor user and device claims during sign-in
4/5/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10
This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s
security token when you are using advanced security auditing options to monitor dynamic access control objects.
Device claims are associated with the system that is used to access resources that are protected with Dynamic
Access Control. User claims are attributes that are associated with a user. User claims and device claims are
included in the user’s security token used at sign-on. For example, information about Department, Company,
Project, or Security clearances might be included in the token.
Use the following procedures to monitor changes to user claims and device claims in the user’s sign-on token and
to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control,
including central access policies, claims, and other components, in your network. If you have not yet deployed
Dynamic Access Control in your network, see Deploy a Central Access Policy (Demonstration Steps).
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
3. From a client computer, connect to a file share on the file server as a user who has access permissions to the
file server.
4. On the file server, open Event Viewer, expand Windows Logs, and select the Security log. Look for event
4626, and confirm that it contains information about user claims and device claims.
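An added example (not from the original page) that performs step 4 from PowerShell on the file server: it reads the 4626 (User / Device claims information) records and shows the claim sets that arrived with each logon. It assumes the Audit User/Device Claims subcategory of the Logon/Logoff category is enabled on the file server and that the command runs there from an elevated prompt; the function name Get-LogonClaims is this example's own.

```powershell
# Added example: list the user and device claims recorded in event 4626.
# Assumes Audit User/Device Claims is enabled on this file server.
auditpol /get /category:"Logon/Logoff" | Where-Object { $_ -match 'Claims' }

function Get-LogonClaims {
    param([int]$MaxEvents = 20)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4626 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data   = ([xml]$_.ToXml()).Event.EventData.Data
            $byName = @{}
            foreach ($d in $data) { $byName[$d.Name] = $d.'#text' }

            # Claim sets are multi-line strings, one claim per line; normalise them
            # into "Name: claim; claim" so they survive Format-Table.
            $claims = foreach ($d in ($data | Where-Object { $_.Name -like '*Claims' })) {
                $lines = $d.'#text' -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }
                '{0}: {1}' -f $d.Name, ($lines -join '; ')
            }

            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = '{0}\{1}' -f $byName['TargetDomainName'], $byName['TargetUserName']
                LogonType = $byName['LogonType']
                Claims    = $claims -join ' | '
            }
        }
}

# Connect to a share from a client first (step 3), then:
Get-LogonClaims | Format-Table -AutoSize -Wrap
```

An empty Claims column on a network logon (logon type 3) from a domain user means the claims never reached this server; check the claim type definitions and that the client authenticated with Kerberos, since NTLM carries no claims.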
Related resource
Using advanced security auditing options to monitor dynamic access control objects
Monitor the resource attributes on files and folders
4/5/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10
This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes
on files when you are using advanced security auditing options to monitor dynamic access control objects.
If your organization has a carefully thought out authorization configuration for resources, changes to these
resource attributes can create potential security risks. Examples include:
Changing files that have been marked as high business value to low business value.
Changing the Retention attribute of files that have been marked for retention.
Changing the Department attribute of files that are marked as belonging to a particular department.
Use the following procedures to configure settings to monitor changes to resource attributes on files and folders.
These procedures assume that you have configured and deployed central access policies in your network. For more
information about how to configure and deploy central access policies, see Dynamic Access Control: Scenario
Overview.
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
Monitor the central access policies associated with files and folders
Applies to
Windows 10
This topic for the IT professional describes how to monitor changes to the central access policies that are
associated with files and folders when you are using advanced security auditing options to monitor dynamic access
control objects.
This security audit policy and the event that it records are generated when the central access policy that is
associated with a file or folder is changed. This security audit policy is useful when an administrator wants to
monitor potential changes on some, but not all, files and folders on a file server.
For info about monitoring potential central access policy changes for an entire file server, see Monitor the central
access policies that apply on a file server.
Use the following procedures to configure settings to monitor central access policies that are associated with files.
These procedures assume that you have configured and deployed Dynamic Access Control in your network. For
more information about how to configure and deploy Dynamic Access Control, see Dynamic Access Control:
Scenario Overview.
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
To configure settings to monitor central access policies associated with files or folders
1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to Tools, and then click Group Policy Management.
3. In the console tree, right-click the flexible access Group Policy Object, and then click Edit.
4. Double-click Computer Configuration, double-click Security Settings, double-click Advanced Audit Policy
Configuration, double-click Policy Change, and then double-click Audit Authorization Policy Change.
5. Select the Configure the following audit events check box, select the Success check box (and the Failure
check box, if desired), and then click OK.
6. Enable auditing for a file or folder as described in the following procedure.
To enable auditing for a file or folder
1. Sign in as a member of the local administrators group on the computer that contains the files or folders that
you want to audit.
2. Right-click the file or folder, click Properties, and then click the Security tab.
3. Click Advanced, click the Auditing tab, and then click Continue.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and
then click Yes.
4. Click Add, click Select a principal, type a user name or group name in the format contoso\user1, and
then click OK.
5. In the Auditing Entry for dialog box, select the permissions that you want to audit, such as Full Control or
Delete.
6. Click OK four times to complete the configuration of the object SACL.
7. Open a File Explorer window and select or create a file or folder to audit.
8. Open an elevated command prompt, and run the following command:
gpupdate /force
After you configure settings to monitor changes to the central access policies that are associated with files and
folders, verify that the changes are being monitored.
To verify that changes to central access policies associated with files and folders are monitored
1. Sign in as a member of the local administrators group on the computer that contains the files or folders that
you want to audit.
2. Open a File Explorer window and select the file or folder that you configured for auditing in the previous
procedure.
3. Right-click the file or folder, click Properties, click the Security tab, and then click Advanced.
4. Click the Central Policy tab, click Change, and select a different central access policy (if one is available) or
select No Central Access Policy, and then click OK twice.
Note: You must select a setting that is different than your original setting to generate the audit event.
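The two procedures above (enable the subcategory, put an audit entry on the object, refresh policy, then change the object's central access policy and look for the event), done from PowerShell on the file server, as an added example that is not part of the original page. The folder path and the principal are assumptions to replace with your own; the event to expect after the Central Policy change is 4913 (Central Access Policy on the object was changed), which the Audit Authorization Policy Change subcategory records. Changing the central policy on the object itself is left to the Properties > Security > Advanced > Central Policy dialog, as in the procedure.

```powershell
# Added example: SACL entry on a folder, policy refresh, then the 4913 event
# produced when the folder's central access policy is changed. Run elevated.
$folder    = 'D:\Shares\Finance'   # assumed path
$principal = 'contoso\user1'       # assumed principal, as in the procedure

# Audit Authorization Policy Change is set by the GPO in step 4; confirm it is effective here.
auditpol /get /subcategory:"Authorization Policy Change" |
    Where-Object { $_ -match 'Authorization Policy Change' }

# Add a SACL entry: audit successful and failed Full Control by the principal,
# inherited by subfolders and files (the dialog's "This folder, subfolders and files").
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $principal,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

gpupdate /force | Out-Null

# Show the SACL that is now in effect on the folder.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Verification: change the folder's Central Policy to a different value (or to
# No Central Access Policy) in the dialog, then read the resulting 4913 events.
$started = Get-Date
Read-Host 'Change the Central Policy on the folder now, then press Enter'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4913; StartTime = $started } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Object = ($d | Where-Object { $_.Name -eq 'ObjectName' }).'#text'
            By     = ($d | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
        }
    } | Format-Table -AutoSize
```

Re-selecting the policy that is already applied produces no event, which is the point of the note above; the check only proves anything when the value actually changes.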
Monitor claim types
Applies to
Windows 10
This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic
access control when you are using advanced security auditing options.
Claim types are one of the basic building blocks of Dynamic Access Control. Claim types can include attributes
such as the departments in an organization or the levels of security clearance that apply to classes of users. You can
use security auditing to track whether claims are added, modified, enabled, disabled, or deleted.
Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures
assume that you have configured and deployed Dynamic Access Control, including central access policies, claims,
and other components, in your network. If you have not yet deployed Dynamic Access Control in your network,
see Deploy a Central Access Policy (Demonstration Steps).
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
Advanced security audit policy settings
Applies to
Windows 10
This reference for IT professionals provides information about the advanced audit policy settings that are
available in Windows and the audit events that they generate.
The security audit policy settings under Security Settings\Advanced Audit Policy Configuration can help
your organization audit compliance with important business-related and security-related rules by tracking
precisely defined activities, such as:
A group administrator has modified settings or data on servers that contain finance information.
An employee within a defined group has accessed an important file.
The correct system access control list (SACL) is applied to every file and folder or registry key on a computer
or file share as a verifiable safeguard against undetected access.
You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local
computer or by using Group Policy.
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can
exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive
number of log entries. In addition, because security audit policies can be applied by using domain Group Policy
Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative
simplicity. Audit policy settings under Security Settings\Advanced Audit Policy Configuration are available
in the following categories:
Account Logon
Configuring policy settings in this category can help you document attempts to authenticate account data on a
domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and
events, which track attempts to access a particular computer, settings and events in this category focus on the
account database that is used. This category includes the following subcategories:
Audit Credential Validation
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Logon/Logoff Events
Account Management
The security audit policy settings in this category can be used to monitor changes to user and computer accounts
and groups. This category includes the following subcategories:
Audit Application Group Management
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management
Detailed Tracking
Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual
applications and users on that computer, and to understand how a computer is being used. This category includes
the following subcategories:
Audit DPAPI Activity
Audit PNP activity
Audit Process Creation
Audit Process Termination
Audit RPC Events
DS Access
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in
Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This
category includes the following subcategories:
Audit Detailed Directory Service Replication
Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication
Logon/Logoff
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer
interactively or over a network. These events are particularly useful for tracking user activity and identifying
potential attacks on network resources. This category includes the following subcategories:
Audit Account Lockout
Audit User/Device Claims
Audit IPsec Extended Mode
Audit Group Membership
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Logoff
Audit Logon
Audit Network Policy Server
Audit Other Logon/Logoff Events
Audit Special Logon
Object Access
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of
objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object,
you must enable the appropriate Object Access auditing subcategory for success and/or failure events. For
example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory
needs to be enabled to audit registry accesses.
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify
that the proper SACLs are set on all inherited objects. To address this issue, see Global Object Access Auditing.
This category includes the following subcategories:
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit Other Object Access Events
Audit Registry
Audit Removable Storage
Audit SAM
Audit Central Access Policy Staging
Policy Change
Policy Change audit events allow you to track changes to important security policies on a local system or
network. Because policies are typically established by administrators to help secure network resources,
monitoring changes or attempts to change these policies can be an important aspect of security management for
a network. This category includes the following subcategories:
Audit Audit Policy Change
Audit Authentication Policy Change
Audit Authorization Policy Change
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events
Privilege Use
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security
policy settings and audit events allow you to track the use of certain permissions on one or more systems. This
category includes the following subcategories:
Audit Non-Sensitive Privilege Use
Audit Sensitive Privilege Use
Audit Other Privilege Use Events
System
System security policy settings and audit events allow you to track system-level changes to a computer that are
not included in other categories and that have potential security implications. This category includes the following
subcategories:
Audit IPsec Driver
Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity
Note: If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting
SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is
derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that
an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing
policy.
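Because these settings can be applied by the Local Security Policy snap-in, by several Group Policy Objects, and by auditpol itself, the question a practitioner actually has is what is in effect on a given machine. The following PowerShell, an added example rather than content of the original page, reads the effective policy with auditpol's /r switch (which prints CSV) and compares it with a baseline. The baseline values are an assumption for illustration, and the subcategory names are the English ones auditpol prints.

```powershell
# Added example: effective advanced audit policy as objects, compared with a baseline.
function Get-EffectiveAuditPolicy {
    # /r emits CSV with Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting and Exclusion Setting columns.
    auditpol /get /category:* /r | ConvertFrom-Csv |
        Select-Object Subcategory, 'Subcategory GUID', 'Inclusion Setting'
}

# Assumed baseline: subcategory name -> required setting.
$baseline = @{
    'Credential Validation'       = 'Success and Failure'
    'Process Creation'            = 'Success'
    'Logon'                       = 'Success and Failure'
    'Special Logon'               = 'Success'
    'Security Group Management'   = 'Success and Failure'
    'Audit Policy Change'         = 'Success and Failure'
    'Authorization Policy Change' = 'Success'
    'Other Policy Change Events'  = 'Success'
    'Sensitive Privilege Use'     = 'Success and Failure'
}

function Compare-AuditPolicy {
    param([Parameter(Mandatory)][hashtable]$Baseline)

    $effective = @{}
    foreach ($row in Get-EffectiveAuditPolicy) { $effective[$row.Subcategory] = $row.'Inclusion Setting' }

    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $actual = $effective[$name]
        if ($null -eq $actual) { $actual = '(subcategory not found)' }
        # "Success and Failure" satisfies a requirement for either half.
        $ok = switch ($Baseline[$name]) {
            'Success and Failure' { $actual -eq 'Success and Failure' }
            'Success'             { $actual -in @('Success', 'Success and Failure') }
            'Failure'             { $actual -in @('Failure', 'Success and Failure') }
        }
        [pscustomobject]@{
            Subcategory = $name
            Required    = $Baseline[$name]
            Effective   = $actual
            Compliant   = [bool]$ok
        }
    }
}

Compare-AuditPolicy -Baseline $baseline | Format-Table -AutoSize
```

Run this on the machine, not on the DC that hosts the GPO: it reports what the local system is actually auditing after every policy source has been merged.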
Audit Credential Validation
Applies to
Windows 10
Windows Server 2016
Audit Credential Validation determines whether the operating system generates audit events on credentials that
are submitted for a user account logon request.
These events occur on the computer that is authoritative for the credentials as follows:
For domain accounts, the domain controller is authoritative.
For local accounts, the local computer is authoritative.
Event volume:
High on domain controllers.
Low on member servers and workstations.
Because domain accounts are used much more frequently than local accounts in enterprise environments, most of
the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the
domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on
separate computers from Logon and Logoff events.
The main reason to enable this auditing subcategory is to capture authentication attempts against local accounts and,
for domain accounts, NTLM authentication in the domain. It is especially useful for monitoring unsuccessful attempts,
to find brute-force attacks, account enumeration, and potential account compromise on domain controllers.
Recommendation table, columns: Computer Type | General Success | General Failure | Stronger Success | Stronger Failure
| Comments (rows not recovered).
Events List:
4774(S, F): An account was mapped for logon.
4775(F): An account could not be mapped for logon.
4776(S, F): The computer attempted to validate the credentials for an account.
4777(F): The domain controller failed to validate the credentials for an account.
4774(S, F): An account was mapped for logon.
4/5/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows Server 2016
Success events do not appear to occur. Failure event has been reported.
Subcategory: Audit Credential Validation
Event Schema:
An account was mapped for logon.
Authentication Package: Schannel
Account UPN: <Account>@<Domain>
Mapped Name: <Account>
Required Server Roles: no information.
Minimum OS Version: no information.
Event Versions: 0.
Applies to
Windows 10
Windows Server 2016
It appears that this event never occurs.
Subcategory: Audit Credential Validation
Event Schema:
An account could not be mapped for logon.
Authentication Package: %1
Account Name: %2
Required Server Roles: no information.
Minimum OS Version: no information.
Event Versions: 0.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Credential Validation
Event Description:
This event generates every time that a credential validation occurs using NTLM authentication.
This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
It shows successful and unsuccessful credential validation attempts.
It shows only the computer name (Source Workstation) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account, you will see CLIENT-1 in the Source Workstation field. Information about the destination computer (SERVER-1) is not presented in this event.
If a credential validation attempt fails, you will see a Failure event with an Error Code parameter value not equal to “0x0”.
The main advantage of this event is that on domain controllers you can see all authentication attempts for domain
accounts when NTLM authentication was used.
For monitoring local account logon attempts, it is better to use event “4624: An account was successfully logged
on” because it contains more details and is more informative.
This event also generates when a workstation unlock event occurs.
This event does not generate when a domain account logs on locally to a domain controller.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14336</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-07-25T04:38:11.003163100Z" />
<EventRecordID>165437</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="532" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="Workstation">WIN81</Data>
<Data Name="Status">0xc0000234</Data>
</EventData>
</Event>
Note Authentication package is a DLL that encapsulates the authentication logic used to determine
whether to permit a user to log on. Local Security Authority (LSA) authenticates a user logon by sending the
request to an authentication package. The authentication package then examines the logon information and
either authenticates or rejects the user logon attempt.
Logon Account [Type = UnicodeString]: the name of the account that had its credentials validated by the
Authentication Package. Can be user name, computer account name or well-known security principal
account name. Examples:
User example: dadmin
Computer account example: WIN81$
Local System account example: Local
Local Service account example: Local Service
Source Workstation [Type = UnicodeString]: the name of the computer from which the logon attempt
originated.
Error Code [Type = HexInt32]: contains the error code for Failure events. For Success events this parameter has the “0x0” value. The table below contains the most common error codes for this event:
ERROR CODE | DESCRIPTION
0xC0000064 | The username you typed does not exist. Bad username.
0xc0000371 | The local account store does not contain secret material for the specified account.
0x0 | No errors.
TYPE OF MONITORING REQUIRED | RECOMMENDATION
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the “Logon Account” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “Logon Account” value (with other information) to monitor how or when a particular account is being used. To monitor activity of specific user accounts outside of working hours, monitor the appropriate Logon Account + Source Workstation pairs.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “Logon Account” that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the “Logon Account” for accounts that are outside the whitelist.
Restricted-use computers: You might have certain computers from which certain people (accounts) should not log on. | Monitor the target Source Workstation for credential validation requests from the “Logon Account” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “Logon Account” for names that don’t comply with naming conventions.
If NTLM authentication should not be used for a specific account, monitor for that account. Don’t forget that
local logon will always use NTLM authentication if an account logs on to a device where its user account is
stored.
You can use this event to collect all NTLM authentication attempts in the domain, if needed. Don’t forget
that local logon will always use NTLM authentication if the account logs on to a device where its user
account is stored.
If a local account should be used only locally (for example, network logon or terminal services logon is not
allowed), you need to monitor for all events where Source Workstation and Computer (where the event
was generated and where the credentials are stored) have different values.
Consider tracking the following errors for the reasons listed:
User logon with misspelled or bad user account | For example, N events in the last N minutes can be an indicator of an account enumeration attack, especially relevant for highly critical accounts.
User logon with misspelled or bad password | For example, N events in the last N minutes can be an indicator of a brute-force password attack, especially relevant for highly critical accounts.
User logon outside authorized hours | Can indicate a compromised account; especially relevant for highly critical accounts.
User logon from unauthorized workstation | Can indicate a compromised account; especially relevant for highly critical accounts.
User logon to account disabled by administrator | For example, N events in last N minutes can be an indicator of an account compromise attempt, especially relevant for highly critical accounts.
User logon with expired account | Can indicate an account compromise attempt; especially relevant for highly critical accounts.
User logon with account locked | Can indicate a brute-force password attack; especially relevant for highly critical accounts.
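To show how the 4776 field descriptions and the two tables above turn into detection logic, here is an added Python example; it is not part of this documentation and not Microsoft code. It parses 4776 events in the XML schema shown above, then applies the recommendations: high-value accounts, accounts that must not use NTLM, local-only accounts validated for a request whose Source Workstation differs from the Computer that generated the event, bursts of bad-username failures from one workstation (account enumeration), bursts of bad-password failures against one account (brute force), and logons to disabled, expired or locked accounts. The sample events, thresholds and account lists are constructed here; the status codes 0x0, 0xC0000064, 0xC0000371 and 0xC0000234 appear on this page, while 0xC000006A (wrong password), 0xC0000072 (account disabled) and 0xC0000193 (account expired) are standard NTSTATUS values that the page does not list.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# 0x0, 0xC0000064, 0xC0000371 and 0xC0000234 are on this page; the other three are
# standard NTSTATUS codes that the page's table does not list.
STATUS_NAMES = {
    0x0: "No errors",
    0xC0000064: "Bad username",
    0xC0000371: "No secret material in local account store",
    0xC000006A: "Wrong password",
    0xC0000072: "Account disabled",
    0xC0000193: "Account expired",
    0xC0000234: "Account locked out",
}
# Failures that are a finding on their own (rows of the tracking table above).
SINGLE_EVENT_RULES = {0xC0000072: "disabled_account_logon",
                      0xC0000193: "expired_account_logon",
                      0xC0000234: "locked_account_logon"}


def _parse_time(system_time):
    """Event Viewer writes 7 fractional digits; strptime's %f accepts at most 6."""
    m = re.match(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z?$", system_time)
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=int((m.group(2) or "0")[:6].ljust(6, "0")))


def parse_4776(xml_text):
    """Pull the fields the page documents: Logon Account, Source Workstation, Error Code."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {"time": _parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
            "computer": system.findtext("e:Computer", namespaces=NS),
            "account": data["TargetUserName"],
            "workstation": data["Workstation"],
            "status": int(data["Status"], 16)}


def make_4776(time, account, workstation, status, computer="DC01.contoso.local"):
    """Constructed sample event in the 4776 schema shown above (not a real capture)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4776</EventID><TimeCreated SystemTime="{time}" />
  <Channel>Security</Channel><Computer>{computer}</Computer></System>
  <EventData><Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
  <Data Name="TargetUserName">{account}</Data><Data Name="Workstation">{workstation}</Data>
  <Data Name="Status">{status:#010x}</Data></EventData></Event>"""


def _burst(times, window, threshold):
    """True if `threshold` timestamps (ascending) fall inside one `window`."""
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))


def analyze_4776(events, window=timedelta(minutes=5), threshold=3,
                 high_value=frozenset(), local_only=frozenset(), no_ntlm=frozenset()):
    """Apply the monitoring recommendations above; returns (rule, subject) findings."""
    findings = []
    bad_names = defaultdict(list)      # Source Workstation -> times of 0xC0000064
    bad_passwords = defaultdict(list)  # Logon Account -> times of 0xC000006A
    for ev in sorted(events, key=lambda e: e["time"]):
        acct = ev["account"].lower()
        if acct in high_value:
            findings.append(("high_value_account", ev["account"]))
        if acct in no_ntlm:
            findings.append(("ntlm_not_allowed", ev["account"]))
        # Local-only account used from another host: Source Workstation differs from
        # the Computer that holds the account and generated the event.
        host = ev["computer"].split(".")[0].upper()
        if acct in local_only and ev["workstation"].upper() != host:
            findings.append(("local_account_remote_use", f"{ev['account']}@{ev['workstation']}"))
        if ev["status"] == 0xC0000064:
            bad_names[ev["workstation"]].append(ev["time"])
        elif ev["status"] == 0xC000006A:
            bad_passwords[ev["account"]].append(ev["time"])
        elif ev["status"] in SINGLE_EVENT_RULES:
            findings.append((SINGLE_EVENT_RULES[ev["status"]], ev["account"]))
    findings += [("account_enumeration", ws) for ws, t in bad_names.items()
                 if _burst(t, window, threshold)]
    findings += [("brute_force", a) for a, t in bad_passwords.items()
                 if _burst(t, window, threshold)]
    return findings


# Constructed sample: the page's success event, three bad usernames from one
# workstation, a local service account used from another host, and a lockout.
SAMPLE_EVENTS = [
    make_4776("2015-07-25T04:38:11.003163100Z", "dadmin", "WIN81", 0x0),
    make_4776("2015-07-25T04:40:01.000000000Z", "jsmith", "WKS-17", 0xC0000064),
    make_4776("2015-07-25T04:40:02.000000000Z", "jdoe", "WKS-17", 0xC0000064),
    make_4776("2015-07-25T04:40:03.000000000Z", "admin2", "WKS-17", 0xC0000064),
    make_4776("2015-07-25T04:41:00.000000000Z", "svc_backup", "WIN81", 0x0,
              computer="FILESRV01.contoso.local"),
    make_4776("2015-07-25T04:42:00.000000000Z", "dadmin", "WIN81", 0xC0000234),
]


def run_sample():
    events = [parse_4776(x) for x in SAMPLE_EVENTS]
    return analyze_4776(events, high_value={"dadmin"}, local_only={"svc_backup"})


if __name__ == "__main__":
    for ev in (parse_4776(x) for x in SAMPLE_EVENTS):
        print(ev["time"], ev["account"], ev["workstation"],
              STATUS_NAMES.get(ev["status"], hex(ev["status"])))
    for rule, subject in run_sample():
        print(rule, subject)
```

The enumeration and brute-force rules are keyed the way the page suggests: bad usernames are grouped by Source Workstation (one host trying many names), bad passwords by Logon Account (many tries against one name). Feed it 4776 events exported from the Security log in XML form; thresholds and the account lists are the values you would tune per environment.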
4777(F): The domain controller failed to validate the credentials for an account.
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. 4776
failure event is generated instead.
Subcategory: Audit Credential Validation
Audit Kerberos Authentication Service
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication
ticket-granting ticket (TGT) requests.
If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request.
Success audits record successful attempts and Failure audits record unsuccessful attempts.
Event volume: High on Kerberos Key Distribution Center servers.
This subcategory contains events about issued TGTs and failed TGT requests. It also contains events about failed
Pre-Authentications, due to wrong user password or when the user’s password has expired.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
[Recommendation table: only the header survived extraction; the per-computer-type rows are not present in this text.]
Events List:
4768(S, F): A Kerberos authentication ticket (TGT) was requested.
4771(F): Kerberos pre-authentication failed.
4772(F): A Kerberos authentication ticket request failed.
4768(S, F): A Kerberos authentication ticket (TGT) was requested.
4/5/2019 • 26 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Kerberos Authentication Service
Event Description:
This event generates every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).
This event generates only on domain controllers.
If TGT issue fails then you will see a Failure event with a Result Code field not equal to “0x0”.
This event doesn't generate for Result Codes 0x10, 0x17 and 0x18. Event “4771: Kerberos pre-authentication failed.” generates instead.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4768</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-07T18:13:46.074535600Z" />
<EventRecordID>166747</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1496" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="ServiceName">krbtgt</Data>
<Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-502</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x0</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="PreAuthType">15</Data>
<Data Name="IpAddress">::ffff:10.0.0.12</Data>
<Data Name="IpPort">49273</Data>
<Data Name="CertIssuerName">contoso-DC01-CA-1</Data>
<Data Name="CertSerialNumber">1D0000000D292FBE3C6CDDAFA200020000000D</Data>
<Data Name="CertThumbprint">564DFAEE99C71D62ABC553E695BD8DBC46669413</Data>
</EventData>
</Event>
Note A Kerberos Realm is a set of managed nodes that share the same Kerberos database. The Kerberos
database resides on the Kerberos master computer system, which should be kept in a physically secure room.
An Active Directory domain is an example of a Kerberos Realm in the Microsoft Windows Active Directory world.
User ID [Type = SID]: SID of the account for which the (TGT) ticket was requested. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source
data in the event.
For example: CONTOSO\dadmin or CONTOSO\WIN81$.
NULL SID – this value shows in 4768 Failure events.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Service Information:
Service Name [Type = UnicodeString]: the name of the service in the Kerberos Realm to which TGT
request was sent. Typically has value “krbtgt” for TGT requests, which means Ticket Granting Ticket
issuing service.
For Failure events Service Name typically has the following format: krbtgt/REALM_NAME. For
example: krbtgt/CONTOSO.
Service ID [Type = SID]: SID of the service account in the Kerberos Realm to which the TGT request was sent.
Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be
resolved, you will see the source data in the event.
Domain controllers have a specific service account (krbtgt) that is used by the Key Distribution Center
(KDC) service to issue Kerberos tickets. It has a built-in, pre-defined SID: S-1-5-21-DOMAIN_IDENTIFIER-502.
NULL SID – this value shows in 4768 Failure events.
Network Information:
Client Address [Type = UnicodeString]: IP address of the computer from which the TGT request was
received. Formats vary, and include the following:
IPv6 or IPv4 address.
::ffff:IPv4_address.
::1 - localhost.
Client Port [Type = UnicodeString]: source port number of client network connection (TGT request
connection).
0 for local (localhost) requests.
Additional information:
Ticket Options [Type = HexInt32]: this is a set of different ticket flags in hexadecimal format.
Example:
Ticket Options: 0x40810010
Binary view: 01000000100000010000000000010000
Using MSB 0 bit numbering we have bits 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
Note In the table below “MSB 0” bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from the left.
BIT | FLAG NAME | DESCRIPTION
0 | Reserved | -
16-25 | Unused | -
28 | Enc-tkt-in-skey | No information.
29 | Unused | -
Result Code [Type = HexInt32]: hexadecimal result code of TGT issue operation. The “Table 3. TGT/TGS issue
error codes.” contains the list of the most common error codes for this event.
CODE | CODE NAME | DESCRIPTION | POSSIBLE CAUSES
0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN | Client not found in Kerberos database | The username doesn’t exist.
0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN | Server not found in Kerberos database | This error can occur if the domain controller cannot find the server’s name in Active Directory. This error is similar to KDC_ERR_C_PRINCIPAL_UNKNOWN except that it occurs when the server name cannot be found.
0x9 | KDC_ERR_NULL_KEY | The client or server has a null key (master key) | No master key was found for client or server. Usually it means that administrator should reset the password on the account.
0xA | KDC_ERR_CANNOT_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket’s start time be set into the future. It also can occur if there is a time difference between the client and the KDC.
0xC | KDC_ERR_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a user’s account. For example workstation restriction, smart card authentication requirement or logon time restriction.
0xE | KDC_ERR_ETYPE_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt.
0xF | KDC_ERR_SUMTYPE_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket.
0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted. It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). This error code cannot occur in event “4768. A Kerberos authentication ticket (TGT) was requested”. It occurs in “4771. Kerberos pre-authentication failed” event.
0x14 | KDC_ERR_TGT_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC_ERR_TGT_REVOKED. See RFC1510 for more details.
0x20 | KRB_AP_ERR_TKT_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message.
0x21 | KRB_AP_ERR_TKT_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized. If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well.
0x23 | KRB_AP_ERR_NOT_US | The ticket is not for us | The server has received a ticket that was meant for a different realm.
0x25 | KRB_AP_ERR_SKEW | The clock skew is too great | This error is logged if a client computer sends a timestamp whose value differs from that of the server’s timestamp by more than the number of minutes found in the “Maximum tolerance for computer clock synchronization” setting in Kerberos policy.
0x3E | KDC_ERR_CLIENT_NOT_TRUSTED | The client trust failed or is not implemented | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the domain controller.
0x3F | KDC_ERR_KDC_NOT_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC_ERR_KDC_NOT_TRUSTED. See RFC1510 for more details.
Ticket Encryption Type [Type = HexInt32]: the cryptographic suite that was used for issued TGT.
Pre-Authentication Type [Type = UnicodeString]: the code number of pre-Authentication type which was
used in TGT request.
Certificate Information:
Certificate Issuer Name [Type = UnicodeString]: the name of the Certification Authority that issued the
smart card certificate. Populated in Issued by field in certificate.
Certificate Serial Number [Type = UnicodeString]: smart card certificate’s serial number. Can be found
in Serial number field in the certificate.
Certificate Thumbprint [Type = UnicodeString]: smart card certificate’s thumbprint. Can be found in
Thumbprint field in the certificate.
TYPE OF MONITORING REQUIRED | RECOMMENDATION
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the “User ID” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “User ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “User ID” that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the “User ID” for accounts that are outside the whitelist.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the “Supplied Realm Name” corresponding to another domain or “external” location.
Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “User ID” for names that don’t comply with naming conventions.
You can track all 4768 events where the Client Address is not from your internal IP range or not from
private IP ranges.
If you know that Account Name should be used only from known list of IP addresses, track all Client
Address values for this Account Name in 4768 events. If Client Address is not from the whitelist,
generate the alert.
All Client Address = ::1 means local authentication. If you know the list of accounts which should log on
to the domain controllers, then you need to monitor for all possible violations, where Client Address = ::1
and Account Name is not allowed to log on to any domain controller.
All 4768 events with Client Port field value > 0 and < 1024 should be examined, because a well-known
port was used for outbound connection.
Also consider monitoring the fields shown in the following table, to discover the issues listed:
FIELD | ISSUE TO DISCOVER
Certificate Issuer Name | Certification authority name is not from your PKI infrastructure.
Certificate Issuer Name | Certification authority name is not authorized to issue smart card authentication certificates.
Pre-Authentication Type | Value is not 15 when account must use a smart card for authentication. For more information, see Table 5. Kerberos Pre-Authentication types.
Pre-Authentication Type | Value is not 138 when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see Table 5. Kerberos Pre-Authentication types.
Ticket Encryption Type | Value is 0x1 or 0x3, which means the DES algorithm was used. DES should not be in use, because of low security and known vulnerabilities. It is disabled by default starting from Windows 7 and Windows Server 2008 R2. For more information, see Table 4. Kerberos encryption types.
Ticket Encryption Type | Starting with Windows Vista and Windows Server 2008, monitor for values other than 0x11 and 0x12. These are the expected values, starting with these operating systems, and represent AES-family algorithms. For more information, see Table 4. Kerberos encryption types.
Result Code | 0x6 (The username doesn't exist), if you see, for example, N events in last N minutes. This can be an indicator of an account enumeration attack, especially for highly critical accounts.
Result Code | 0x7 (Server not found in Kerberos database). This error can occur if the domain controller cannot find the server's name in Active Directory.
Result Code | 0x8 (Multiple principal entries in KDC database). This will help you to find duplicate SPNs faster.
Result Code | 0x9 (The client or server has a null key (master key)). This error can help you to identify problems with Kerberos authentication faster.
Result Code | 0xA (Ticket (TGT) not eligible for postdating). Microsoft systems should not request postdated tickets. These events could help identify anomaly activity.
Result Code | 0xC (Requested start time is later than end time), if you see, for example, N events in last N minutes. This can be an indicator of an account compromise attempt, especially for highly critical accounts.
Result Code | 0xE (KDC has no support for encryption type). In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. Monitor for these events because this should not happen in a standard Active Directory environment.
Result Code | 0xF (KDC has no support for checksum type). Monitor for these events because this should not happen in a standard Active Directory environment.
Result Code | 0x12 (Client's credentials have been revoked), if you see, for example, N events in last N minutes. This can be an indicator of anomaly activity or brute-force attack, especially for highly critical accounts.
Result Code | 0x22 (The request is a replay). This error indicates that a specific authenticator showed up twice—the KDC has detected that this session ticket duplicates one that it has already received. It could be a sign of attack attempt.
Result Code | 0x29 (Message stream modified and checksum didn't match). The authentication data was encrypted with the wrong key for the intended server. The authentication data was modified in transit by a hardware or software error, or by an attacker. Monitor for these events because this should not happen in a standard Active Directory environment.
Result Code | 0x3C (Generic error). This error can help you more quickly identify problems with Kerberos authentication.
Result Code | 0x3E (The client trust failed or is not implemented). This error helps you identify logon attempts with revoked certificates and the situations when the root Certification Authority that issued the smart card certificate (through a chain) is not trusted by a domain controller.
Result Code | 0x3F, 0x40, 0x41 errors. These errors can help you more quickly identify smart-card related problems with Kerberos authentication.
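The 4768 recommendations above (Client Address outside the internal range, Client Address ::1 for accounts that should not log on to a domain controller, a well-known source port, DES or non-AES Ticket Encryption Type, Pre-Authentication Type other than 15 for smart-card accounts or other than 138 under armoring, an unexpected Certificate Issuer Name, and Result Codes 0x6 and 0xA) can be expressed as a per-event check. The Python below is an added example, not part of this documentation or Microsoft code; it reads the 4768 XML schema shown above. The policy values (internal networks, trusted CA list, smart-card and DC-logon account lists) and the two extra sample events are constructed here; the first sample reproduces the values of the event on this page. The encryption type 0x17 (RC4-HMAC) and pre-authentication type 2 (PA-ENC-TIMESTAMP) used in the constructed samples are standard Kerberos values that this page does not list.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# From the monitoring table above: AES types 0x11/0x12 are expected, DES types 0x1/0x3
# should never appear, Pre-Authentication Type 15 is smart card (PKINIT), 138 is armored.
AES_TYPES = {0x11, 0x12}
DES_TYPES = {0x1, 0x3}
SMART_CARD_PREAUTH = 15
ARMORED_PREAUTH = 138


def parse_4768(xml_text):
    """Extract the fields the recommendations refer to from one 4768 event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {"user": data["TargetUserName"],
            "status": int(data["Status"], 16),
            "etype": int(data["TicketEncryptionType"], 16),
            "preauth": int(data["PreAuthType"]),
            "client": data["IpAddress"],
            "port": int(data["IpPort"]),
            "issuer": data["CertIssuerName"]}


def client_ip(addr):
    """Client Address is often '::ffff:10.0.0.12' (IPv4-mapped IPv6); unwrap it for range checks."""
    ip = ipaddress.ip_address(addr)
    return getattr(ip, "ipv4_mapped", None) or ip


def check_4768(ev, internal_nets, trusted_cas, smart_card_users=frozenset(),
               dc_logon_allowed=None, armoring_required=False):
    """Return the issue names the monitoring table above would raise for one event."""
    issues = []
    ip = client_ip(ev["client"])
    if ip.is_loopback:
        # Client Address ::1 means local authentication on the domain controller itself.
        if dc_logon_allowed is not None and ev["user"] not in dc_logon_allowed:
            issues.append("local_dc_logon_not_allowed")
    elif not any(ip in net for net in internal_nets):
        issues.append("client_outside_internal_range")
    if 0 < ev["port"] < 1024:
        issues.append("well_known_source_port")
    if ev["etype"] in DES_TYPES:
        issues.append("des_encryption")
    elif ev["etype"] not in AES_TYPES:
        issues.append("non_aes_encryption")
    if ev["user"] in smart_card_users and ev["preauth"] != SMART_CARD_PREAUTH:
        issues.append("smart_card_user_without_pkinit")
    if armoring_required and ev["preauth"] != ARMORED_PREAUTH:
        issues.append("unarmored_request")
    if ev["issuer"] and ev["issuer"] not in trusted_cas:
        issues.append("untrusted_certificate_issuer")
    if ev["status"] == 0x6:
        issues.append("unknown_principal")
    elif ev["status"] == 0xA:
        issues.append("postdated_ticket_request")
    return issues


def make_4768(user, status, etype, preauth, ip, port, issuer):
    """Constructed sample event in the 4768 schema shown above (not a real capture)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData><Data Name="TargetUserName">{user}</Data>
  <Data Name="TargetDomainName">CONTOSO.LOCAL</Data><Data Name="ServiceName">krbtgt</Data>
  <Data Name="TicketOptions">0x40810010</Data><Data Name="Status">{status:#x}</Data>
  <Data Name="TicketEncryptionType">{etype:#x}</Data><Data Name="PreAuthType">{preauth}</Data>
  <Data Name="IpAddress">{ip}</Data><Data Name="IpPort">{port}</Data>
  <Data Name="CertIssuerName">{issuer}</Data></EventData></Event>"""


# Assumed policy for the constructed environment (not from the page).
POLICY = dict(internal_nets=[ipaddress.ip_network("10.0.0.0/8")],
              trusted_cas={"contoso-DC01-CA-1"}, smart_card_users={"dadmin"},
              dc_logon_allowed={"dadmin"})

SAMPLE_EVENTS = {
    # The values of the event on this page: AES TGT for dadmin via PKINIT from 10.0.0.12.
    "page_example": make_4768("dadmin", 0x0, 0x12, 15, "::ffff:10.0.0.12", 49273,
                              "contoso-DC01-CA-1"),
    # Constructed: smart-card user with password pre-auth (type 2), DES, from an address
    # outside the internal range (203.0.113.0/24 is a documentation range), source port 80.
    "external_des": make_4768("dadmin", 0x0, 0x3, 2, "::ffff:203.0.113.7", 80, ""),
    # Constructed: local logon on the DC by an account not on the allow list, RC4 (0x17) ticket.
    "local_rc4": make_4768("svc_web", 0x0, 0x17, 2, "::1", 0, ""),
}


def run_sample():
    return {name: check_4768(parse_4768(xml), **POLICY) for name, xml in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, issues in run_sample().items():
        print(f"{name}: {issues or 'no issues'}")
```

Each check corresponds to one row of the table; the bursts of Result Code 0x6 or 0xC across many events are left to the same windowed counting shown for 4776 above, since a single-event check cannot see them.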
4771(F): Kerberos pre-authentication failed.
4/5/2019 • 10 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Kerberos Authentication Service
Event Description:
This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.
This event generates only on domain controllers.
This event is not generated if “Do not require Kerberos preauthentication” option is set for the account.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4771</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-08-07T18:10:21.495462300Z" />
<EventRecordID>166708</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1084" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="ServiceName">krbtgt/CONTOSO.LOCAL</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x10</Data>
<Data Name="PreAuthType">15</Data>
<Data Name="IpAddress">::ffff:10.0.0.12</Data>
<Data Name="IpPort">49254</Data>
<Data Name="CertIssuerName" />
<Data Name="CertSerialNumber" />
<Data Name="CertThumbprint" />
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used
as the unique identifier for a user or group, it cannot ever be used again to identify another user or group.
For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account for which the (TGT) ticket was requested.
A computer account name ends with the $ character.
User account example: dadmin
Computer account example: WIN81$
Service Information:
Service Name [Type = UnicodeString]: the name of the service in the Kerberos Realm to which TGT
request was sent. Typically has one of the following formats:
krbtgt/DOMAIN_NETBIOS_NAME. Example: krbtgt/CONTOSO
krbtgt/DOMAIN_FULL_NAME. Example: krbtgt/CONTOSO.LOCAL
Network Information:
Client Address [Type = UnicodeString]: IP address of the computer from which the TGT request was
received. Formats vary, and include the following:
IPv6 or IPv4 address.
::ffff:IPv4_address.
::1 - localhost.
Client Port [Type = UnicodeString]: source port number of client network connection (TGT request
connection).
0 for local (localhost) requests.
Additional Information:
Ticket Options [Type = HexInt32]: this is a set of different Ticket Flags in hexadecimal format.
Example:
Ticket Options: 0x40810010
Binary view: 01000000100000010000000000010000
Using MSB 0 bit numbering we have bits 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
Note In the table below “MSB 0” bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from the left.
BIT | FLAG NAME | DESCRIPTION
0 | Reserved | -
16-25 | Unused | -
28 | Enc-tkt-in-skey | No information.
29 | Unused | -
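The Ticket Options worked example (0x40810010, binary 01000000100000010000000000010000, MSB 0 bits 1, 8, 15 and 27) is given for both 4768 and 4771 above. The following added Python (not part of this documentation or Microsoft code) performs that decoding for any value and the reverse. Flag names for bits 0, 1, 8, 15, 16-25, 27, 28 and 29 are those the page gives; the remaining names are taken from the KDCOptions definition in RFC 4120 (and RFC 6112 for bit 14) and are an assumption about the table rows not reproduced on this page. The postdating check is derived from the page's remark that Microsoft systems should not request postdated tickets.

```python
# Flag names by MSB 0 bit position (bit 0 is the leftmost bit of the 32-bit word, as the
# tables above number them). Bits 0, 1, 8, 15, 27, 28 and the unused ranges follow the
# page; the other names are from RFC 4120 KDCOptions (bit 14 from RFC 6112) and are an
# assumption about rows that are not reproduced on this page.
KDC_OPTION_BITS = {
    0: "Reserved", 1: "Forwardable", 2: "Forwarded", 3: "Proxiable", 4: "Proxy",
    5: "Allow-postdate", 6: "Postdated", 8: "Renewable", 11: "Opt-hardware-auth",
    14: "Request-anonymous", 15: "Canonicalize", 26: "Disable-transited-check",
    27: "Renewable-ok", 28: "Enc-tkt-in-skey", 30: "Renew", 31: "Validate",
}
NAME_TO_BIT = {name: bit for bit, name in KDC_OPTION_BITS.items()}
WIDTH = 32


def binary_view(value):
    """The 'Binary view' line of the example above: 32 bits, most significant first."""
    return format(value & 0xFFFFFFFF, f"0{WIDTH}b")


def msb0_bits(value):
    """Positions of the set bits in MSB 0 numbering, ascending (left to right)."""
    return [i for i, ch in enumerate(binary_view(value)) if ch == "1"]


def decode_ticket_options(value):
    """Map each set bit to its flag name; bits without a name are reported as 'bit N'."""
    return [KDC_OPTION_BITS.get(b, f"bit {b}") for b in msb0_bits(value)]


def encode_ticket_options(names):
    """Inverse of decode: build a Ticket Options value from flag names."""
    value = 0
    for name in names:
        value |= 1 << (WIDTH - 1 - NAME_TO_BIT[name])
    return value


def postdating_requested(value):
    """True if Allow-postdate or Postdated is set; the page notes Microsoft systems
    should not request postdated tickets (compare Result Code 0xA above)."""
    bits = set(msb0_bits(value))
    return bool(bits & {NAME_TO_BIT["Allow-postdate"], NAME_TO_BIT["Postdated"]})


def describe(value):
    """Render a value the way the worked example above presents it."""
    return (f"Ticket Options: {value:#010x}\n"
            f"Binary view: {binary_view(value)}\n"
            f"Set bits (MSB 0): {msb0_bits(value)} = {', '.join(decode_ticket_options(value))}")


if __name__ == "__main__":
    print(describe(0x40810010))   # the example value used on this page
```

Because MSB 0 numbering counts from the left, bit n corresponds to the mask 1 << (31 - n); reading the binary string left to right avoids getting that conversion backwards.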
Failure Code [Type = HexInt32]: hexadecimal failure code of the failed TGT issue operation. The table below contains the list of the most common error codes for this event:
CODE | CODE NAME | DESCRIPTION | POSSIBLE CAUSES
0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller. It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
Pre-Authentication Type [Type = UnicodeString]: the code of the pre-authentication type which was used in the TGT request.
Table 5. Kerberos Pre-Authentication types.
TYPE | TYPE NAME | DESCRIPTION
[Only the header of Table 5 survived extraction; its rows are not present in this text.]
Certificate Information:
Certificate Issuer Name [Type = UnicodeString]: the name of Certification Authority which issued
smart card certificate. Populated in Issued by field in certificate. Always empty for 4771 events.
Certificate Serial Number [Type = UnicodeString]: smart card certificate’s serial number. Can be found
in Serial number field in the certificate. Always empty for 4771 events.
Certificate Thumbprint [Type = UnicodeString]: smart card certificate’s thumbprint. Can be found in
Thumbprint field in the certificate. Always empty for 4771 events.
TYPE OF MONITORING REQUIRED | RECOMMENDATION
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the “Security ID” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “Security ID” that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the “Security ID” for accounts that are outside the whitelist.
Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
You can track all 4771 events where the Client Address is not from your internal IP range or not from
private IP ranges.
If you know that Account Name should be used only from a known list of IP addresses, track all Client
Address values for this Account Name in 4771 events. If Client Address is not from the whitelist,
generate the alert.
All Client Address = ::1 means local authentication. If you know the list of accounts which should log on
to the domain controllers, then you need to monitor for all possible violations, where Client Address =
::1 and Account Name is not allowed to log on to any domain controller.
All 4771 events with Client Port field value > 0 and < 1024 should be examined, because a well-known
port was used for the outbound connection.
Also monitor the fields shown in the following table, to discover the issues listed:
FIELD TO MONITOR | ISSUE
Pre-Authentication Type | Value is not 15 when account must use a smart card for authentication. For more information, see Table 5. Kerberos Pre-Authentication types.
Pre-Authentication Type | Value is not 138 when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see Table 5. Kerberos Pre-Authentication types.
Result Code | 0x10 (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication.
Applies to
Windows 10
Windows Server 2016
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. The 4768
failure event is generated instead.
Subcategory: Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
4/5/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows Server 2016
Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit
events for Kerberos service ticket requests.
Events are generated every time Kerberos is used to authenticate a user who wants to access a protected network
resource. Kerberos service ticket operation audit events can be used to track user activity.
Event volume: Very High on Kerberos Key Distribution Center servers.
This subcategory contains events about issued TGSs and failed TGS requests.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see the Security Monitoring Recommendations sections. We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Kerberos Service Ticket Operations
Event Description:
This event generates every time the Key Distribution Center gets a Kerberos Ticket Granting Service (TGS) ticket request.
This event generates only on domain controllers.
If the TGS issue fails then you will see a Failure event with the Failure Code field not equal to “0x0”.
You will typically see many Failure events with Failure Code “0x20”, which simply means that a TGS ticket has expired. These are informational messages and have little to no security relevance.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4769</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14337</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-07T18:13:46.043256100Z" />
<EventRecordID>166746</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1496" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">dadmin@CONTOSO.LOCAL</Data>
<Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
<Data Name="ServiceName">WIN2008R2$</Data>
<Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-2102</Data>
<Data Name="TicketOptions">0x40810000</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="IpAddress">::ffff:10.0.0.12</Data>
<Data Name="IpPort">49272</Data>
<Data Name="Status">0x0</Data>
<Data Name="LogonGuid">{F85C455E-C66E-205C-6B39-F6C60A7FE453}</Data>
<Data Name="TransmittedServices">-</Data>
</EventData>
</Event>
Note Although this field is in the UPN format, this is not the attribute value of
"UserPrincipalName" of the user account. It is the "normalized" name or implicit UPN. It is built
from the user SamAccountName and the Active Directory domain name.
This parameter in this event is optional and can be empty in some cases.
Account Domain [Type = UnicodeString]: the name of the Kerberos Realm that Account Name belongs
to. This can appear in a variety of formats, including the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
This parameter in this event is optional and can be empty in some cases.
Logon GUID [Type = GUID]: a GUID that can help you correlate this event (on a domain controller) with
other events (on the target computer for which the TGS was issued) that can contain the same Logon
GUID. These events are “4624: An account was successfully logged on”, “4648(S): A logon was attempted
using explicit credentials” and “4964(S): Special groups have been assigned to a new logon.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Service Information:
Service Name [Type = UnicodeString]: the name of the account or computer for which the TGS ticket was
requested.
This parameter in this event is optional and can be empty in some cases.
Service ID [Type = SID ]: SID of the account or computer object for which the TGS ticket was requested.
Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be
resolved, you will see the source data in the event.
NULL SID – this value shows in Failure events.
Note A security identifier (SID ) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Network Information:
Client Address [Type = UnicodeString]: IP address of the computer from which the TGS request was
received. Formats vary, and include the following:
IPv6 or IPv4 address.
::ffff:IPv4_address.
::1 - localhost.
Client Port [Type = UnicodeString]: source port number of client network connection (TGS request
connection).
0 for local (localhost) requests.
Additional information:
Ticket Options: [Type = HexInt32]: this is a set of different Ticket Flags in hexadecimal format.
Example:
Ticket Options: 0x40810010
Binary view: 01000000100000010000000000010000
Using MSB 0 bit numbering we have bits 1, 8, 15 and 27 set = Forwardable, Renewable,
Canonicalize, Renewable-ok.
Note In the table below “MSB 0” bit numbering is used, because RFC documents use this style. In “MSB 0”
style bit numbering begins from the left.
BIT   FLAG NAME        DESCRIPTION
0     Reserved         -
16-25 Unused           -
28    Enc-tkt-in-skey  No information.
29    Unused           -
Ticket Encryption Type: [Type = HexInt32]: the cryptographic suite that was used for issued TGS.
TYPE TYPE NAME DESCRIPTION
Failure Code [Type = HexInt32]: hexadecimal result code of the TGS issue operation. The table below contains
the list of the most common error codes for this event:
CODE | CODE NAME | DESCRIPTION | POSSIBLE CAUSES
0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN | Client not found in Kerberos database | The username doesn’t exist.
0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN | Server not found in Kerberos database | This error can occur if the domain controller cannot find the server’s name in Active Directory. This error is similar to KDC_ERR_C_PRINCIPAL_UNKNOWN except that it occurs when the server name cannot be found.
0x9 | KDC_ERR_NULL_KEY | The client or server has a null key (master key) | No master key was found for client or server. Usually it means that administrator should reset the password on the account.
0xA | KDC_ERR_CANNOT_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket’s start time be set into the future. It also can occur if there is a time difference between the client and the KDC.
0xC | KDC_ERR_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a user’s account. For example workstation restriction, smart card authentication requirement or logon time restriction.
0xE | KDC_ERR_ETYPE_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt.
0xF | KDC_ERR_SUMTYPE_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket.
0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted. It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). This error code cannot occur in event “4768. A Kerberos authentication ticket (TGT) was requested”. It occurs in “4771. Kerberos pre-authentication failed” event.
0x14 | KDC_ERR_TGT_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC_ERR_TGT_REVOKED. See RFC1510 for more details.
0x1B | KDC_ERR_MUST_USE_USER2USER | Server principal valid for user2user only | This error occurs because the service is missing an SPN.
0x20 | KRB_AP_ERR_TKT_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message.
0x21 | KRB_AP_ERR_TKT_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized. If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well.
0x23 | KRB_AP_ERR_NOT_US | The ticket is not for us | The server has received a ticket that was meant for a different realm.
0x25 | KRB_AP_ERR_SKEW | The clock skew is too great | This error is logged if a client computer sends a timestamp whose value differs from that of the server’s timestamp by more than the number of minutes found in the “Maximum tolerance for computer clock synchronization” setting in Kerberos policy.
0x3E | KDC_ERR_CLIENT_NOT_TRUSTED | The client trust failed or is not implemented | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the domain controller.
0x3F | KDC_ERR_KDC_NOT_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC_ERR_KDC_NOT_TRUSTED. See RFC1510 for more details.
Transited Services [Type = UnicodeString]: this field contains the list of SPNs that were requested if Kerberos
delegation was used.
Note Service Principal Name (SPN ) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must
have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients
might use for authentication. For example, an SPN always includes the name of the host computer on which
the service instance is running, so a service instance might register an SPN for each name or alias of its host.
TYPE OF MONITORING REQUIRED | RECOMMENDATION
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the “Account Information\Account Name” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “Account Information\Account Name” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “Account Information\Account Name” that corresponds to the accounts that should never be used.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the “Account Information\Account Domain” corresponding to another domain or “external” location.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target Computer: (or other target device) for actions performed by the “Account Information\Account Name” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “User ID” for names that don’t comply with naming conventions.
If you know that Account Name should never request any tickets for (that is, never get access to) a
particular computer account or service account, monitor for 4769 events with the corresponding Account
Name and Service ID fields.
You can track all 4769 events where the Client Address is not from your internal IP range or not from
private IP ranges.
If you know that Account Name should be able to request tickets (should be used) only from a known
whitelist of IP addresses, track all Client Address values for this Account Name in 4769 events. If Client
Address is not from your whitelist of IP addresses, generate the alert.
All Client Address = ::1 means local TGS requests, which means that the Account Name logged on to a
domain controller before making the TGS request. If you have a whitelist of accounts allowed to log on to
domain controllers, monitor events with Client Address = ::1 and any Account Name outside the
whitelist.
All 4769 events with Client Port field value > 0 and < 1024 should be examined, because a well-known
port was used for the outbound connection.
Monitor for a Ticket Encryption Type of 0x1 or 0x3, which means the DES algorithm was used. DES
should not be in use, because of low security and known vulnerabilities. It is disabled by default starting
from Windows 7 and Windows Server 2008 R2.
Starting with Windows Vista and Windows Server 2008, monitor for a Ticket Encryption Type other
than 0x11 and 0x12. These are the expected values, starting with these operating systems, and represent
AES-family algorithms.
If you have a list of important Failure Codes, monitor for these codes.
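The monitoring recommendations for 4769 above (and the matching Client Address and Client Port checks listed for 4771) as an added Python example that is not part of the original page: it parses the page's 4769 event XML and applies the checks to the event fields. The allow-list of accounts permitted to log on to domain controllers and the set of "important" Failure Codes are assumptions, as is the constructed second event.

```python
"""Run the 4769 monitoring recommendations over a Security event record."""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Hypothetical allow-list of accounts permitted to log on to domain controllers
# (Client Address ::1 means the TGS request was made locally on the DC).
DC_LOGON_ALLOWLIST = {"dadmin@CONTOSO.LOCAL"}
# Hypothetical list of "important" Failure Codes, drawn from the table above.
IMPORTANT_FAILURE_CODES = {0x6, 0x7, 0x3E, 0x3F}

# The 4769 event from the page, trimmed to the fields the checks use and with
# Event Viewer's "- " tree markers removed.
SAMPLE_4769 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4769</EventID>
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
</System>
<EventData>
<Data Name="TargetUserName">dadmin@CONTOSO.LOCAL</Data>
<Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
<Data Name="ServiceName">WIN2008R2$</Data>
<Data Name="TicketOptions">0x40810000</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="IpAddress">::ffff:10.0.0.12</Data>
<Data Name="IpPort">49272</Data>
<Data Name="Status">0x0</Data>
</EventData>
</Event>"""

# Constructed variant: a local request by an account outside the allow-list,
# from a well-known source port, with a DES ticket encryption type (0x3).
SUSPICIOUS_4769 = (
    SAMPLE_4769.replace("dadmin@CONTOSO.LOCAL", "svc_backup@CONTOSO.LOCAL")
    .replace("::ffff:10.0.0.12", "::1")
    .replace("49272", "512")
    .replace(">0x12<", ">0x3<")
)


def parse_4769(xml_text):
    """Return the EventData fields of a 4769 event as a name -> text dict."""
    root = ET.fromstring(xml_text.strip())
    event_id = root.find("e:System/e:EventID", NS).text
    if event_id != "4769":
        raise ValueError(f"not a 4769 event: {event_id}")
    return {d.get("Name"): d.text for d in root.find("e:EventData", NS)}


def normalize_client_address(raw):
    """Map the Client Address formats listed above onto one address object."""
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped          # "::ffff:10.0.0.12" -> 10.0.0.12
    return addr                          # plain IPv4/IPv6, or ::1 (localhost)


def check_4769(fields):
    """Apply the monitoring recommendations; return a list of findings."""
    findings = []
    account = fields.get("TargetUserName", "")
    addr = normalize_client_address(fields["IpAddress"])
    port = int(fields["IpPort"])
    etype = int(fields["TicketEncryptionType"], 16)
    status = int(fields.get("Status", "0x0"), 16)

    # Client Address = ::1: the account logged on to the DC itself.
    if addr.is_loopback:
        if account not in DC_LOGON_ALLOWLIST:
            findings.append(f"local TGS request by {account}, which is not allowed on DCs")
    # Otherwise the address should fall inside the private (internal) ranges.
    elif not addr.is_private:
        findings.append(f"client address {addr} is outside private IP ranges")

    # A well-known source port (1-1023) on an outbound connection is unusual.
    if 0 < port < 1024:
        findings.append(f"well-known source port {port} used for TGS request")

    # 0x1/0x3 are DES; anything other than 0x11/0x12 is not an AES-family type.
    if etype in (0x1, 0x3):
        findings.append(f"DES encryption type 0x{etype:X} used")
    elif etype not in (0x11, 0x12):
        findings.append(f"non-AES encryption type 0x{etype:X} used")

    # Failure events carry a non-zero Status (Failure Code).
    if status in IMPORTANT_FAILURE_CODES:
        findings.append(f"failure code 0x{status:X}")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("page sample", SAMPLE_4769), ("constructed", SUSPICIOUS_4769)):
        print(label, check_4769(parse_4769(xml_text)) or ["no findings"])
```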
4770(S): A Kerberos service ticket was renewed.
4/5/2019 • 6 minutes to read • Edit Online
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Kerberos Service Ticket Operations
Event Description:
This event generates for every Ticket Granting Service (TGS) ticket renewal.
This event generates only on domain controllers.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4770</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14337</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-07T03:26:23.466552900Z" />
<EventRecordID>166481</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1084" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">WIN2008R2$@CONTOSO.LOCAL</Data>
<Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
<Data Name="ServiceName">krbtgt</Data>
<Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-502</Data>
<Data Name="TicketOptions">0x2</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="IpAddress">::ffff:10.0.0.12</Data>
<Data Name="IpPort">49964</Data>
</EventData>
</Event>
Note A security identifier (SID ) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Network Information:
Client Address [Type = UnicodeString]: IP address of the computer from which the TGS renewal request
was received. Formats vary, and include the following:
IPv6 or IPv4 address.
::ffff:IPv4_address.
::1 - localhost.
Client Port [Type = UnicodeString]: source port number of client network connection (TGS renewal request
connection).
0 for local (localhost) requests.
Additional information:
Ticket Options: [Type = HexInt32]: this is a set of different Ticket Flags in hexadecimal format.
Example:
Ticket Options: 0x40810010
Binary view: 01000000100000010000000000010000
Using MSB 0 bit numbering we have bits 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize,
Renewable-ok.
Note In the table below “MSB 0” bit numbering is used, because RFC documents use this style. In “MSB 0”
style bit numbering begins from the left.
BIT   FLAG NAME        DESCRIPTION
0     Reserved         -
16-25 Unused           -
28    Enc-tkt-in-skey  No information.
29    Unused           -
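The “MSB 0” decoding rule shown in the Ticket Options examples for 4771, 4769 and 4770 above, as an added Python example that is not code from the original page: it reproduces the binary view and names the set bits. Flag names for bits not listed in the table above are assumed from the KDCOptions flags of RFC 4120.

```python
"""Decode the Ticket Options field of Kerberos audit events (4768/4769/4770/4771)."""

# Flag names keyed by "MSB 0" bit position: bit 0 is the leftmost bit of the
# 32-bit value. Reserved/Unused bits follow the table above; the named bits
# are assumed from the KDCOptions flags of RFC 4120 section 5.4.1.
TICKET_OPTION_FLAGS = {
    1: "Forwardable",
    2: "Forwarded",
    3: "Proxiable",
    4: "Proxy",
    5: "Allow-postdate",
    6: "Postdated",
    8: "Renewable",
    15: "Canonicalize",
    26: "Disable-transited-check",
    27: "Renewable-ok",
    28: "Enc-tkt-in-skey",
    30: "Renew",
    31: "Validate",
}


def _to_int(value):
    """Accept either an int or the "0x40810010" string form from the event."""
    if isinstance(value, str):
        value = int(value, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("Ticket Options must fit in 32 bits")
    return value


def binary_view(value):
    """The 32-character binary string shown in the example above."""
    return format(_to_int(value), "032b")


def msb0_set_bits(value):
    """Return the MSB 0 positions of the set bits, left to right."""
    value = _to_int(value)
    # In MSB 0 numbering, bit b is the (31 - b)-th bit counted from the right.
    return [bit for bit in range(32) if (value >> (31 - bit)) & 1]


def decode_ticket_options(value):
    """Map a Ticket Options value to flag names, in bit order.

    A set bit without a known name (reserved or unused) is reported as
    'bit N' rather than silently dropped, so unexpected options stand out.
    """
    return [TICKET_OPTION_FLAGS.get(b, f"bit {b}") for b in msb0_set_bits(value)]


if __name__ == "__main__":
    # The three values that appear in the events on this page.
    for options in ("0x40810010", "0x40810000", "0x2"):
        print(options, binary_view(options), decode_ticket_options(options))
```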
Ticket Encryption Type: [Type = HexInt32]: the cryptographic suite that was used in renewed TGS.
Applies to
Windows 10
Windows Server 2016
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. The 4769
failure event is generated instead.
Subcategory: Audit Kerberos Service Ticket Operations
Audit Other Account Logon Events
4/5/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows Server 2016
General Subcategory Information:
This auditing subcategory does not contain any events. It is intended for future use.
STRONGER STRONGER
COMPUTER TYPE GENERAL SUCCESS GENERAL FAILURE SUCCESS FAILURE COMMENTS
Applies to
Windows 10
Windows Server 2016
Audit Application Group Management generates events for actions related to application groups, such as group
creation, modification, addition or removal of group members, and some other actions.
Application groups are used by Authorization Manager.
The Audit Application Group Management subcategory is out of scope of this document, because Authorization
Manager is very rarely used and has been deprecated starting from Windows Server 2012.
STRONGER STRONGER
COMPUTER TYPE GENERAL SUCCESS GENERAL FAILURE SUCCESS FAILURE COMMENTS
Applies to
Windows 10
Windows Server 2016
Audit Computer Account Management determines whether the operating system generates audit events when a
computer account is created, changed, or deleted.
This policy setting is useful for tracking account-related changes to computers that are members of a domain.
Event volume: Low on domain controllers.
This subcategory allows you to audit events generated by changes to computer accounts such as when a
computer account is created, changed, or deleted.
STRONGER STRONGER
COMPUTER TYPE GENERAL SUCCESS GENERAL FAILURE SUCCESS FAILURE COMMENTS
Events List:
4741(S ): A computer account was created.
4742(S ): A computer account was changed.
4743(S ): A computer account was deleted.
4741(S): A computer account was created.
4/5/2019 • 25 minutes to read • Edit Online
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Computer Account Management
Event Description:
This event generates every time a new computer object is created.
This event generates only on domain controllers.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4741</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13825</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-12T18:41:39.201898100Z" />
<EventRecordID>170254</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1096" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">WIN81$</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6116</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0xc88b2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">WIN81$</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">8/12/2015 11:41:39 AM</Data>
<Data Name="AccountExpires">%%1794</Data>
<Data Name="PrimaryGroupId">515</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x0</Data>
<Data Name="NewUacValue">0x80</Data>
<Data Name="UserAccountControl">%%2087</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">%%1793</Data>
<Data Name="DnsHostName">Win81.contoso.local</Data>
<Data Name="ServicePrincipalNames">HOST/Win81.contoso.local RestrictedKrbHost/Win81.contoso.local HOST/WIN81 RestrictedKrbHost/WIN81</Data>
</EventData>
</Event>
Note A security identifier (SID ) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create Computer
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
New Computer Account:
Security ID [Type = SID ]: SID of created computer account. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the computer account that was created. For example:
WIN81$
Account Domain [Type = UnicodeString]: domain name of created computer account. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Attributes:
SAM Account Name [Type = UnicodeString]: logon name for account used to support clients and servers
from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName
attribute of new computer object. For example: WIN81$.
Display Name [Type = UnicodeString]: the value of displayName attribute of new computer object. It is a
name displayed in the address book for a particular account (typically – user account). This is usually the
combination of the user's first name, middle initial, and last name. For computer objects, it is optional, and
typically is not set. You can change this attribute by using Active Directory Users and Computers, or through
a script, for example. This parameter might not be captured in the event, and in that case appears as “-”.
User Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the
Internet standard RFC 822. By convention this should map to the account's email name. This parameter
contains the value of userPrincipalName attribute of new computer object. For computer objects, it is
optional, and typically is not set. You can change this attribute by using Active Directory Users and
Computers, or through a script, for example. This parameter might not be captured in the event, and in that
case appears as “-”.
Home Directory [Type = UnicodeString]: user's home directory. If homeDrive attribute is set and specifies
a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form
\\Server\Share\Directory. This parameter contains the value of homeDirectory attribute of new computer
object. For computer objects, it is optional, and typically is not set. You can change this attribute by using
Active Directory Users and Computers, or through a script, for example. This parameter might not be
captured in the event, and in that case appears as “-”.
Home Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by
homeDirectory account’s attribute. The drive letter must be specified in the form “DRIVE_LETTER:”. For
example – “H:”. This parameter contains the value of homeDrive attribute of new computer object. For
computer objects, it is optional, and typically is not set. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example. This parameter might not be captured in
the event, and in that case appears as “-”.
Script Path [Type = UnicodeString]: specifies the path of the account's logon script. This parameter contains
the value of scriptPath attribute of new computer object. For computer objects, it is optional, and typically is
not set. You can change this attribute by using Active Directory Users and Computers, or through a script,
for example. This parameter might not be captured in the event, and in that case appears as “-”.
Profile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null string,
a local absolute path, or a UNC path. This parameter contains the value of profilePath attribute of new
computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by
using Active Directory Users and Computers, or through a script, for example. This parameter might not be
captured in the event, and in that case appears as “-”.
User Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers
from which the user can log on. Each computer name is separated by a comma. The name of a computer is
the sAMAccountName property of a computer object. This parameter contains the value of
userWorkstations attribute of new computer object. For computer objects, it is optional, and typically is not
set. You can change this attribute by using Active Directory Users and Computers, or through a script, for
example. This parameter might not be captured in the event, and in that case appears as “-”.
Password Last Set [Type = UnicodeString]: last time the account’s password was modified. For a computer
account created manually using the Active Directory Users and Computers snap-in, this field typically has the value
“<never>”. For a computer account created during the standard domain join procedure, this field contains the
time when the computer object was created, because the password is created during the domain join procedure. For
example: 8/12/2015 11:41:39 AM. This parameter contains the value of the pwdLastSet attribute of the new
computer object.
Account Expires [Type = UnicodeString]: the date when the account expires. This parameter contains the
value of accountExpires attribute of new computer object. For computer objects, it is optional, and typically
is not set. You can change this attribute by using Active Directory Users and Computers, or through a script,
for example. This parameter might not be captured in the event, and in that case appears as “-”.
Primary Group ID [Type = UnicodeString]: Relative Identifier (RID) of computer’s object primary group.
Note Relative identifier (RID) is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain.
Typically, Primary Group field for new computer accounts has the following values:
516 (Domain Controllers) – for domain controllers.
521 (Read-only Domain Controllers) – for read-only domain controllers (RODC).
515 (Domain Computers) – for member servers and workstations.
See this article https://support.microsoft.com/kb/243330 for more information. This parameter contains the
value of primaryGroupID attribute of new computer object.
AllowedToDelegateTo [Type = UnicodeString]: the list of SPNs to which this account can present delegated
credentials. Can be changed using Active Directory Users and Computers management console in Delegation
tab of computer account. Typically it is set to “-” for new computer objects. This parameter contains the value of
AllowedToDelegateTo attribute of new computer object. See description of AllowedToDelegateTo field for
“4742: A computer account was changed” event for more details.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must have
its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might
use for authentication. For example, an SPN always includes the name of the host computer on which the
service instance is running, so a service instance might register an SPN for each name or alias of its host.
Old UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. The Old UAC Value is always “0x0” for new computer accounts. This parameter contains the previous value of userAccountControl attribute of computer object.
New UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user or computer account. This parameter contains the value of
userAccountControl attribute of new computer object.
To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s
account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the
flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that
event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to
the next flag.
Here's an example: Flags value from event: 0x15
Decoding:
• PASSWD_NOTREQD 0x0020
• LOCKOUT 0x0010
• HOMEDIR_REQUIRED 0x0008
• (undeclared) 0x0004
• ACCOUNTDISABLE 0x0002
• SCRIPT 0x0001
0x0020 > 0x15, so PASSWD_NOTREQD does not apply to this event
0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
So this UAC flags value decodes to: LOCKOUT and SCRIPT
User Account Control [Type = UnicodeString]: shows the list of changes in userAccountControl attribute.
You will see a line of text for each change. For new computer accounts, when the object for this account was
created, the userAccountControl value was considered to be “0x0”, and then it was changed from “0x0” to
the real value for the account's userAccountControl attribute. See possible values in the table below. In the
“User Account Control field text” column, you can see the text that will be displayed in the User Account
Control field in 4741 event.
FLAG | VALUE IN HEX | VALUE IN DECIMAL | DESCRIPTION | USER ACCOUNT CONTROL FIELD TEXT
USE_DES_KEY_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. Can be set using the “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled / 'Use DES Key Only' - Enabled
User Parameters [Type = UnicodeString]: if you change any setting using Active Directory Users and
Computers management console in Dial-in tab of computer’s account properties, then you will see <value
changed, but not displayed> in this field in “4742(S): A computer account was changed.” This parameter
might not be captured in the event, and in that case appears as “-”.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the
value of sIDHistory attribute of new computer object. This parameter might not be captured in the event,
and in that case appears as “-”.
Logon Hours [Type = UnicodeString]: hours that the account is allowed to logon to the domain. The value
of logonHours attribute of new computer object. For computer objects, it is optional, and typically is not set.
You can change this attribute by using Active Directory Users and Computers, or through a script, for
example. You will see <value not set> value for newly created computer accounts in event 4741.
DNS Host Name [Type = UnicodeString]: name of computer account as registered in DNS. The value of
dNSHostName attribute of new computer object. For manually created computer account objects this field
has value “-”.
Service Principal Names [Type = UnicodeString]: The list of SPNs, registered for computer account. For
new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of
servicePrincipalName attribute of new computer object. For manually created computer objects it
typically equals “-”. This is an example of Service Principal Names field for new domain joined
workstation:
HOST/Win81.contoso.local
RestrictedKrbHost/Win81.contoso.local
HOST/WIN81
RestrictedKrbHost/WIN81
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in the table below:
PRIVILEGE NAME | USER RIGHT GROUP POLICY NAME | DESCRIPTION
SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.
SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request.
SeShutdownPrivilege | Shut down the system | Required to shut down a local system.
SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If your information security monitoring policy requires you to monitor computer account creation, monitor
this event.
Consider whether to track the following fields and values:
FIELD AND VALUE TO TRACK | REASON TO TRACK
SAM Account Name: empty or - | This field must contain the computer account name. If it is empty or -, it might indicate an anomaly.
Display Name is not -; User Principal Name is not -; Home Directory is not -; Home Drive is not -; Script Path is not -; Profile Path is not -; User Workstations is not -; AllowedToDelegateTo is not - | Typically these fields are - for new computer accounts. Other values might indicate an anomaly and should be monitored.
Password Last Set is <never> | This typically means this is a manually created computer account, which you might need to monitor.
Account Expires is not <never> | Typically this field is <never> for new computer accounts. Other values might indicate an anomaly and should be monitored.
Primary Group ID is any value other than 515 | Typically, the Primary Group ID value is one of the following: 516 for domain controllers; 521 for read only domain controllers (RODCs); 515 for servers and workstations (domain computers). If the Primary Group ID is 516 or 521, it is a new domain controller or RODC, and the event should be monitored. If the value is not 516, 521, or 515, it is not a typical value and should be monitored.
Old UAC Value is not 0x0 | Typically this field is 0x0 for new computer accounts. Other values might indicate an anomaly and should be monitored.
SID History is not - | This field will always be set to - unless the account was migrated from another domain.
Logon Hours value other than <value not set> | This should always be <value not set> for new computer accounts.

USER ACCOUNT CONTROL FLAG TO TRACK | INFORMATION ABOUT THE FLAG
'Encrypted Text Password Allowed' – Enabled | Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers.
'Server Trust Account' – Enabled | Should be enabled only for domain controllers.
'Don't Expire Password' – Enabled | Should not be enabled for new computer accounts, because the password automatically changes every 30 days by default. For computer accounts, this flag cannot be set in the account properties in Active Directory Users and Computers.
'Smartcard Required' – Enabled | Should not be enabled for new computer accounts.
'Trusted For Delegation' – Enabled | Should not be enabled for new member servers and workstations. It is enabled by default for new domain controllers.
'Not Delegated' – Enabled | Should not be enabled for new computer accounts.
'Use DES Key Only' – Enabled | Should not be enabled for new computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.
'Don't Require Preauth' – Enabled | Should not be enabled for new computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.
'Trusted To Authenticate For Delegation' – Enabled | Should not be enabled for new computer accounts by default.
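The recommendations above as a runnable check, added here as an example and not Microsoft's code: it reads an event in the Event XML form the Security log uses (the 4742 Event XML later on this page shows the schema) and reports the field values and UAC flags the table says to monitor. The sample events are constructed and carry rendered text such as <never> and <value not set>; raw XML exported from a domain controller may instead carry %%NNNN resource IDs in those fields (the 4742 XML on this page shows %%1793 and %%2093), which would need resolving before these string comparisons. Flag bit values are the Table 7 userAccountControl values.

```python
"""Apply the 4741 security monitoring recommendations to one Event XML
document. Added example; the checks mirror the table on the page."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Changed Attributes that should be "-" for a newly created computer account.
EXPECT_DASH = ["DisplayName", "UserPrincipalName", "HomeDirectory", "HomePath",
               "ScriptPath", "ProfilePath", "UserWorkstations", "AllowedToDelegateTo"]

# UAC flags the table says should not be enabled on any new computer account
# (bit values from Table 7, the userAccountControl bits).
UAC_SHOULD_NOT_BE_SET = {
    0x0000080: "'Encrypted Text Password Allowed'",
    0x0010000: "'Don't Expire Password'",
    0x0040000: "'Smartcard Required'",
    0x0100000: "'Not Delegated'",
    0x0200000: "'Use DES Key Only'",
    0x0400000: "'Don't Require Preauth'",
    0x1000000: "'Trusted To Authenticate For Delegation'",
}
SERVER_TRUST_ACCOUNT = 0x2000      # acceptable only for domain controllers
TRUSTED_FOR_DELEGATION = 0x80000   # default for new DCs, not for member machines


def parse_hex(text):
    """UAC values appear in the event as hex strings such as "0x80"."""
    return int(text, 16)


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from one Event XML document."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def check_4741(xml_text):
    """Return the findings for one 4741 event; an empty list means nothing to report."""
    event_id, d = parse_event(xml_text)
    if event_id != 4741:
        return []
    findings = []
    if d.get("SamAccountName", "-") in ("", "-"):
        findings.append("SAM Account Name is empty or -")
    for name in EXPECT_DASH:
        if d.get(name, "-") != "-":
            findings.append(f"{name} is not - ({d[name]})")
    if d.get("PasswordLastSet") == "<never>":
        findings.append("Password Last Set is <never> (manually created computer account)")
    if d.get("AccountExpires", "<never>") != "<never>":
        findings.append(f"Account Expires is not <never> ({d['AccountExpires']})")
    pgid = d.get("PrimaryGroupId", "")
    is_dc = pgid in ("516", "521")          # 516 = Domain Controllers, 521 = RODCs
    if is_dc:
        findings.append(f"Primary Group ID {pgid}: new domain controller or RODC")
    elif pgid != "515":                      # 515 = Domain Computers
        findings.append(f"Primary Group ID {pgid!r} is not a typical value")
    if parse_hex(d.get("OldUacValue", "0x0")) != 0:
        findings.append(f"Old UAC Value is not 0x0 ({d['OldUacValue']})")
    if d.get("SidHistory", "-") != "-":
        findings.append("SID History is set (account migrated from another domain?)")
    if d.get("LogonHours", "<value not set>") not in ("<value not set>", "-"):
        findings.append("Logon Hours is set")
    new_uac = parse_hex(d.get("NewUacValue", "0x0"))
    for bit, text in UAC_SHOULD_NOT_BE_SET.items():
        if new_uac & bit:
            findings.append(f"{text} - Enabled")
    # These two flags are expected on domain controllers only.
    if new_uac & SERVER_TRUST_ACCOUNT and not is_dc:
        findings.append("'Server Trust Account' - Enabled on a non-domain-controller")
    if new_uac & TRUSTED_FOR_DELEGATION and not is_dc:
        findings.append("'Trusted For Delegation' - Enabled on a member server or workstation")
    return findings


def make_event_xml(event_id, fields):
    """Build a minimal Event XML document in the Security log schema (constructed sample)."""
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID>'
            f'<Channel>Security</Channel></System><EventData>{data}</EventData></Event>')


# Constructed sample: an ordinary domain join of a workstation (nothing to report).
DOMAIN_JOIN_FIELDS = {
    "TargetUserName": "WIN81$", "TargetDomainName": "CONTOSO",
    "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO",
    "PrivilegeList": "-", "SamAccountName": "WIN81$", "DisplayName": "-",
    "UserPrincipalName": "-", "HomeDirectory": "-", "HomePath": "-",
    "ScriptPath": "-", "ProfilePath": "-", "UserWorkstations": "-",
    "PasswordLastSet": "8/12/2015 11:41:39 AM", "AccountExpires": "<never>",
    "PrimaryGroupId": "515", "AllowedToDelegateTo": "-",
    "OldUacValue": "0x0", "NewUacValue": "0x1000", "UserAccountControl": "-",
    "UserParameters": "-", "SidHistory": "-", "LogonHours": "<value not set>",
    "DnsHostName": "Win81.contoso.local",
    "ServicePrincipalNames": "HOST/Win81.contoso.local",
}

# Constructed sample: a manually created account with a UPN, a non-expiring
# password and delegation enabled (0x91000 = 0x80000 | 0x10000 | 0x1000).
SUSPICIOUS_FIELDS = dict(DOMAIN_JOIN_FIELDS, SamAccountName="SRV99$",
                         UserPrincipalName="srv99@contoso.local",
                         PasswordLastSet="<never>", NewUacValue="0x91000")

if __name__ == "__main__":
    for fields in (DOMAIN_JOIN_FIELDS, SUSPICIOUS_FIELDS):
        print(check_4741(make_event_xml(4741, fields)))
```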
4742(S): A computer account was changed.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Computer Account Management
Event Description:
This event generates every time a computer object is changed.
This event generates only on domain controllers.
You might see the same values for Subject\Security ID and Computer Account That Was Changed\Security ID in this event. This usually happens when you reboot a computer after adding it to the domain (the change takes effect after the reboot).
For each change, a separate 4742 event will be generated.
Some changes do not invoke a 4742 event, for example, changes made using Active Directory Users and Computers management console in Managed By tab in computer account properties.
You might see this event without any changes inside, that is, where all Changed Attributes appear as “-”. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the discretionary access control list (DACL) is changed, a 4742 event will generate, but all attributes will be “-”.
Important: If you manually change any user-related setting or attribute, for example if you set the
SMARTCARD_REQUIRED flag in userAccountControl for the computer account, then the sAMAccountType
of the computer account will be changed to NORMAL_USER_ACCOUNT and you will get “4738: A user account
was changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user
account. For NORMAL_USER_ACCOUNT you will always get events from Audit User Account Management
subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer
objects.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4742</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13825</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-14T02:35:01.252397000Z" />
<EventRecordID>171754</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1108" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ComputerAccountChange">-</Data>
<Data Name="TargetUserName">WIN81$</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6116</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x2e80c</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">-</Data>
<Data Name="AccountExpires">-</Data>
<Data Name="PrimaryGroupId">-</Data>
<Data Name="AllowedToDelegateTo">%%1793</Data>
<Data Name="OldUacValue">0x80</Data>
<Data Name="NewUacValue">0x2080</Data>
<Data Name="UserAccountControl">%%2093</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">-</Data>
<Data Name="DnsHostName">-</Data>
<Data Name="ServicePrincipalNames">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change Computer
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Computer Account That Was Changed:
Security ID [Type = SID]: SID of changed computer account. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the computer account that was changed. For
example: WIN81$
Account Domain [Type = UnicodeString]: domain name of changed computer account. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Changed Attributes:
SAM Account Name [Type = UnicodeString]: logon name for account used to support clients and servers
from previous versions of Windows (pre-Windows 2000 logon name). If the value of sAMAccountName
attribute of computer object was changed, you will see the new value here. For example: WIN8$.
Display Name [Type = UnicodeString]: it is a name displayed in the address book for a particular account
(typically – user account). This is usually the combination of the user's first name, middle initial, and last
name. For computer objects, it is optional, and typically is not set. You can change this attribute by using
Active Directory Users and Computers, or through a script, for example. If the value of displayName
attribute of computer object was changed, you will see the new value here.
User Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the
Internet standard RFC 822. By convention this should map to the account's email name. If the value of
userPrincipalName attribute of computer object was changed, you will see the new value here. For
computer objects, it is optional, and typically is not set. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example.
Home Directory [Type = UnicodeString]: user's home directory. If homeDrive attribute is set and
specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the
form \\Server\Share\Directory. If the value of homeDirectory attribute of computer object was changed,
you will see the new value here. For computer objects, it is optional, and typically is not set. You can change
this attribute by using Active Directory Users and Computers, or through a script, for example.
Home Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by
homeDirectory account’s attribute. The drive letter must be specified in the form “DRIVE_LETTER:”. For
example – “H:”. If the value of homeDrive attribute of computer object was changed, you will see the new
value here. For computer objects, it is optional, and typically is not set. You can change this attribute by
using Active Directory Users and Computers, or through a script, for example.
Script Path [Type = UnicodeString]: specifies the path of the account’s logon script. If the value of
scriptPath attribute of computer object was changed, you will see the new value here. For computer
objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users
and Computers, or through a script, for example.
Profile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null string,
a local absolute path, or a UNC path. If the value of profilePath attribute of computer object was changed,
you will see the new value here. For computer objects, it is optional, and typically is not set. You can change
this attribute by using Active Directory Users and Computers, or through a script, for example.
User Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers
from which the user can logon. Each computer name is separated by a comma. The name of a computer is
the sAMAccountName property of a computer object. If the value of userWorkstations attribute of
computer object was changed, you will see the new value here. For computer objects, it is optional, and
typically is not set. You can change this attribute by using Active Directory Users and Computers, or
through a script, for example.
Password Last Set [Type = UnicodeString]: last time the account’s password was modified. If the value of
pwdLastSet attribute of computer object was changed, you will see the new value here. For example:
8/12/2015 11:41:39 AM. This value will be changed, for example, after manual computer account reset
action or automatically every 30 days by default for computer objects.
Account Expires [Type = UnicodeString]: the date when the account expires. If the value of
accountExpires attribute of computer object was changed, you will see the new value here. For computer
objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users
and Computers, or through a script, for example.
Primary Group ID [Type = UnicodeString]: Relative Identifier (RID) of computer’s object primary group.
Note Relative identifier (RID) is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain.
This field will contain a value if the computer object’s primary group was changed. You can change a computer’s primary group using the Active Directory Users and Computers management console in the Member Of tab of computer object properties. You will see the RID of the new primary group as the field value. For example, 515 (Domain Computers) is the default primary group for workstations.
Typical Primary Group values for computer accounts:
516 (Domain Controllers) – for domain controllers.
521 (Read-only Domain Controllers) – read-only domain controllers (RODC).
515 (Domain Computers) – servers and workstations.
See this article https://support.microsoft.com/kb/243330 for more information. If the value of
primaryGroupID attribute of computer object was changed, you will see the new value here.
AllowedToDelegateTo [Type = UnicodeString]: the list of SPNs to which this account can present
delegated credentials. Can be changed using Active Directory Users and Computers management console
in Delegation tab of computer account. If the SPNs list on Delegation tab of a computer account was
changed, you will see the new SPNs list in AllowedToDelegateTo field (note that you will see the new list
instead of changes) of this event. This is an example of AllowedToDelegateTo:
dcom/WIN2012
dcom/WIN2012.contoso.local
If the value of msDS-AllowedToDelegateTo attribute of computer object was changed, you will
see the new value here.
The value can be <value not set>, for example, if delegation was disabled.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must
have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients
might use for authentication. For example, an SPN always includes the name of the host computer on which
the service instance is running, so a service instance might register an SPN for each name or alias of its host.
Old UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user or computer account. This parameter contains the previous value of
userAccountControl attribute of computer object.
New UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user or computer account. If the value of userAccountControl attribute
of computer object was changed, you will see the new value here.
To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s
account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the
flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that
event. Subtract the property value from the flags value in the event and note that the flag applies and then go on
to the next flag.
Here's an example: Flags value from event: 0x15
Decoding:
• PASSWD_NOTREQD 0x0020
• LOCKOUT 0x0010
• HOMEDIR_REQUIRED 0x0008
• (undeclared) 0x0004
• ACCOUNTDISABLE 0x0002
• SCRIPT 0x0001
0x0020 > 0x15, so PASSWD_NOTREQD does not apply to this event
0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
So this UAC flags value decodes to: LOCKOUT and SCRIPT
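The decoding procedure above (and the identical one given for event 4741), as an added Python example that is not part of the documentation: it walks the flag values from largest to smallest exactly as described, and it also derives the per-flag change lines shown in the User Account Control field from an Old UAC Value / New UAC Value pair. The flag names and values are the Table 7 userAccountControl values; the FIELD_TEXT strings are the ones used in the monitoring tables on this page, and the values fed to the functions are constructed.

```python
"""Decode UAC flag values the way the 4741/4742 documentation describes:
walk the flag table from the largest value to the smallest; whenever the
remaining value is greater than or equal to a flag value, the flag is set;
subtract it and continue. Added example, not Microsoft's code."""

# Table 7 flag values (the standard userAccountControl bits). Any bit that
# is not listed is treated as "(undeclared)", as the worked example does.
UAC_FLAGS = {
    0x0000001: "SCRIPT",
    0x0000002: "ACCOUNTDISABLE",
    0x0000008: "HOMEDIR_REQUIRED",
    0x0000010: "LOCKOUT",
    0x0000020: "PASSWD_NOTREQD",
    0x0000040: "PASSWD_CANT_CHANGE",
    0x0000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0000100: "TEMP_DUPLICATE_ACCOUNT",
    0x0000200: "NORMAL_ACCOUNT",
    0x0000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0020000: "MNS_LOGON_ACCOUNT",
    0x0040000: "SMARTCARD_REQUIRED",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x0200000: "USE_DES_KEY_ONLY",
    0x0400000: "DONT_REQ_PREAUTH",
    0x0800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

# "User Account Control field text" for the flags this page names; other
# flags fall back to their Table 7 name.
FIELD_TEXT = {
    "PASSWD_NOTREQD": "'Password Not Required'",
    "ENCRYPTED_TEXT_PWD_ALLOWED": "'Encrypted Text Password Allowed'",
    "SERVER_TRUST_ACCOUNT": "'Server Trust Account'",
    "DONT_EXPIRE_PASSWORD": "'Don't Expire Password'",
    "SMARTCARD_REQUIRED": "'Smartcard Required'",
    "TRUSTED_FOR_DELEGATION": "'Trusted For Delegation'",
    "NOT_DELEGATED": "'Not Delegated'",
    "USE_DES_KEY_ONLY": "'Use DES Key Only'",
    "DONT_REQ_PREAUTH": "'Don't Require Preauth'",
    "TRUSTED_TO_AUTH_FOR_DELEGATION": "'Trusted To Authenticate For Delegation'",
}


def parse_uac(value):
    """Accept an int or the event's string form such as "0x2080"."""
    if isinstance(value, str):
        value = value.strip()
        return int(value, 16) if value.lower().startswith("0x") else int(value)
    return int(value)


def decode_uac(value, include_undeclared=False):
    """Return the names of the set flags, largest value first, using the
    subtract-from-largest procedure from the documentation."""
    remaining = parse_uac(value)
    if not 0 <= remaining < (1 << 32):
        raise ValueError(f"UAC value out of range: {value!r}")
    flags = []
    for bit in range(31, -1, -1):            # largest candidate value first
        candidate = 1 << bit
        if remaining >= candidate:           # the property is "set"
            remaining -= candidate           # note it and go on to the next flag
            name = UAC_FLAGS.get(candidate, "(undeclared)")
            if name != "(undeclared)" or include_undeclared:
                flags.append(name)
    return flags


def field_text(flag_name):
    return FIELD_TEXT.get(flag_name, flag_name)


def uac_change_lines(old_value, new_value):
    """Build the per-change lines the User Account Control field shows: one
    "<text> - Enabled" or "<text> - Disabled" line per flag that differs
    between Old UAC Value and New UAC Value (a 4741 reports from 0x0)."""
    old, new = parse_uac(old_value), parse_uac(new_value)
    lines = []
    for candidate in sorted(UAC_FLAGS):      # smallest flag value first
        if (old ^ new) & candidate:
            state = "Enabled" if new & candidate else "Disabled"
            lines.append(f"{field_text(UAC_FLAGS[candidate])} - {state}")
    return lines


if __name__ == "__main__":
    # The page's worked example: 0x15 decodes to LOCKOUT and SCRIPT.
    print(decode_uac("0x15"))
    # Constructed pair: a workstation trust account gaining delegation rights.
    print(uac_change_lines("0x1000", "0x81000"))
```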
User Account Control [Type = UnicodeString]: shows the list of changes in userAccountControl attribute.
You will see a line of text for each change. See possible values in here: “Table 7. User’s or Computer’s account
UAC flags.”. In the “User Account Control field text” column, you can see text that will be displayed in the User
Account Control field in 4742 event.
User Parameters [Type = UnicodeString]: if you change any setting using Active Directory Users and
Computers management console in Dial-in tab of computer’s account properties, then you will see <value
changed, but not displayed> in this field.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. If the value of sIDHistory
attribute of computer object was changed, you will see the new value here.
Logon Hours [Type = UnicodeString]: hours that the account is allowed to logon to the domain. If the
value of logonHours attribute of computer object was changed, you will see the new value here. For
computer objects, it is optional, and typically is not set. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example.
DNS Host Name [Type = UnicodeString]: name of computer account as registered in DNS. If the value of
dNSHostName attribute of computer object was changed, you will see the new value here.
Service Principal Names [Type = UnicodeString]: The list of SPNs, registered for computer account. If
the SPN list of a computer account changed, you will see the new SPN list in Service Principal Names
field (note that you will see the new list instead of changes). If the value of servicePrincipalName attribute
of computer object was changed, you will see the new value here.
Here is an example of Service Principal Names field for new domain joined workstation in event 4742 on
domain controller, after workstation reboots:
HOST/Win81.contoso.local
RestrictedKrbHost/Win81.contoso.local
HOST/WIN81
RestrictedKrbHost/WIN81
TERMSRV/Win81.contoso.local
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Security Monitoring Recommendations
For 4742(S): A computer account was changed.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have critical domain computer accounts (database servers, domain controllers, administration
workstations, and so on) for which you need to monitor each change, monitor this event with the
“Computer Account That Was Changed\Security ID” that corresponds to the high-value account or
accounts.
If you have computer accounts for which any change in the services list on the Delegation tab should be
monitored, monitor this event when AllowedToDelegateTo is not -. This value means the services list was
changed.
Consider whether to track the following fields and values:
Display Name is not -; User Principal Name is not -; Home Directory is not -; Home Drive is not -; Script Path is not -; Profile Path is not -; User Workstations is not -; Account Expires is not -; Logon Hours is not - | Typically these fields are - for computer accounts. Other values might indicate an anomaly and should be monitored.
Password Last Set changes occur more often than usual | Changes that are more frequent than the default (typically once a month) might indicate an anomaly or attack.
Primary Group ID is not 516, 521, or 515 | Typically, the Primary Group ID value is one of the following: 516 for domain controllers; 521 for read-only domain controllers (RODCs); 515 for servers and workstations (domain computers). Other values should be monitored.
For computer accounts for which the services list (on the Delegation tab) should not be empty: AllowedToDelegateTo is marked <value not set> | If AllowedToDelegateTo is marked <value not set> on computers that previously had a services list (on the Delegation tab), it means the list was cleared.
SID History is not - | This field will always be set to - unless the account was migrated from another domain.
USER ACCOUNT CONTROL FLAG TO TRACK | INFORMATION ABOUT THE FLAG
'Password Not Required' – Enabled | Should not be set for computer accounts. Computer accounts typically require a password by default, except manually created computer objects.
'Encrypted Text Password Allowed' – Enabled | Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers.
'Server Trust Account' – Enabled | Should be enabled only for domain controllers.
'Server Trust Account' – Disabled | Should not be disabled for domain controllers.
'Don't Expire Password' – Enabled | Should not be enabled for computer accounts, because the password automatically changes every 30 days by default. For computer accounts, this flag cannot be set in the account properties in Active Directory Users and Computers.
'Trusted For Delegation' – Enabled | Means that Kerberos Constrained or Unconstrained delegation was enabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
'Trusted For Delegation' – Disabled | Means that Kerberos Constrained or Unconstrained delegation was disabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. Also, if you have a list of computer accounts for which delegation is critical and should not be disabled, monitor this for those accounts.
'Trusted To Authenticate For Delegation' – Enabled | Means that Protocol Transition delegation was enabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
'Trusted To Authenticate For Delegation' – Disabled | Means that Protocol Transition delegation was disabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. Also, if you have a list of computer accounts for which delegation is critical and should not be disabled, monitor this for those accounts.
'Not Delegated' – Enabled | Means that “Account is sensitive and cannot be delegated” was selected for the computer account. For computer accounts, this flag cannot be set using the graphical interface. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
'Use DES Key Only' – Enabled | Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.
'Don't Require Preauth' – Enabled | Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.
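As an added example (not code from the Microsoft documentation above), the following Python function applies the checks from these two tables to a 4742 event in the XML form shown on this page. It assumes the caller keeps two lists of computer-account SIDs (domain controllers, and accounts whose delegation services list must stay populated); the sample event and its SID are constructed, and its User Account Control field carries the rendered flag text rather than the %%-prefixed message-resource IDs found in raw event XML. The Password Last Set frequency check is left out because it needs history across events.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Fields the 4742 table expects to be "-" for a computer account.
NORMALLY_DASH = ("DisplayName", "UserPrincipalName", "HomeDirectory", "HomeDrive",
                 "ScriptPath", "ProfilePath", "UserWorkstations", "AccountExpires", "LogonHours")
EXPECTED_PRIMARY_GROUPS = {"515", "516", "521"}  # domain computers, DCs, RODCs
# Rendered User Account Control lines the table says to review when seen on a computer account.
TRACKED_UAC_FLAGS = {
    "'Password Not Required' - Enabled", "'Encrypted Text Password Allowed' - Enabled",
    "'Don't Expire Password' - Enabled", "'Trusted For Delegation' - Enabled",
    "'Trusted For Delegation' - Disabled", "'Trusted To Authenticate For Delegation' - Enabled",
    "'Trusted To Authenticate For Delegation' - Disabled", "'Not Delegated' - Enabled",
    "'Use DES Key Only' - Enabled", "'Don't Require Preauth' - Enabled",
}


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) for one Security-channel event in XML form."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext(f"{NS}System/{NS}EventID")
    return event_id, {d.get("Name"): (d.text or "").strip() for d in root.iter(f"{NS}Data")}


def check_4742(xml_text, domain_controllers=frozenset(), delegation_required=frozenset()):
    """Apply the two 4742 monitoring tables to one event and return a list of findings.

    domain_controllers and delegation_required are sets of computer-account SIDs that the
    caller maintains (assumption: the monitoring system has such inventories).
    """
    event_id, d = parse_event(xml_text)
    if event_id != "4742":
        return []
    target, findings = d.get("TargetSid", ""), []
    for field in NORMALLY_DASH:
        if d.get(field, "-") != "-":
            findings.append(f"{field} is not '-': {d[field]}")
    if d.get("PrimaryGroupId", "-") not in EXPECTED_PRIMARY_GROUPS:
        findings.append(f"PrimaryGroupId is not 515/516/521: {d.get('PrimaryGroupId')}")
    delegate_to = d.get("AllowedToDelegateTo", "-")
    if delegate_to == "<value not set>" and target in delegation_required:
        findings.append("AllowedToDelegateTo cleared on an account whose services list must not be empty")
    elif delegate_to != "-":
        findings.append(f"AllowedToDelegateTo services list changed: {delegate_to}")
    if d.get("SidHistory", "-") != "-":
        findings.append(f"SidHistory is set (migrated account?): {d['SidHistory']}")
    # User Account Control: one rendered flag line per changed flag; normalise the en dash.
    for line in d.get("UserAccountControl", "").replace("\u2013", "-").splitlines():
        flag = line.strip()
        if flag in TRACKED_UAC_FLAGS:
            findings.append(f"UAC flag change to review: {flag}")
        elif flag == "'Server Trust Account' - Enabled" and target not in domain_controllers:
            findings.append("Server Trust Account enabled on an account that is not a domain controller")
        elif flag == "'Server Trust Account' - Disabled" and target in domain_controllers:
            findings.append("Server Trust Account disabled on a domain controller account")
    return findings


# Constructed sample event modelled on the 4742 layout, using the contoso names from this page.
# Raw event XML carries %%-prefixed message-resource IDs in UserAccountControl; this sample
# uses the rendered flag text that Event Viewer and most log collectors present instead.
WIN81_SID = "S-1-5-21-3457937927-2839227994-823803824-6116"  # constructed RID
SAMPLE_4742 = f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4742</EventID><Channel>Security</Channel><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">WIN81$</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">{WIN81_SID}</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="DisplayName">-</Data>
    <Data Name="UserPrincipalName">-</Data>
    <Data Name="HomeDirectory">-</Data>
    <Data Name="HomeDrive">-</Data>
    <Data Name="ScriptPath">-</Data>
    <Data Name="ProfilePath">-</Data>
    <Data Name="UserWorkstations">-</Data>
    <Data Name="AccountExpires">-</Data>
    <Data Name="PrimaryGroupId">515</Data>
    <Data Name="AllowedToDelegateTo">&lt;value not set&gt;</Data>
    <Data Name="UserAccountControl">
        'Trusted For Delegation' - Disabled</Data>
    <Data Name="SidHistory">-</Data>
    <Data Name="LogonHours">-</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    for finding in check_4742(SAMPLE_4742, delegation_required={WIN81_SID}):
        print(finding)
```

When the target SID is in delegation_required the "<value not set>" marker is reported as a cleared services list; otherwise it is reported as an ordinary change, matching the two rows of the table that mention AllowedToDelegateTo.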
4743(S): A computer account was deleted.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Computer Account Management
Event Description:
This event generates every time a computer object is deleted.
This event generates only on domain controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4743</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13825</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-14T15:57:08.104214100Z" />
<EventRecordID>172103</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1108" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">COMPUTERACCOUNT$</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6118</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3007b</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete Computer
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Computer:
Security ID [Type = SID]: SID of deleted computer account. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the computer account that was deleted. For example:
WIN81$
Account Domain [Type = UnicodeString]: domain name of deleted computer account. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have critical domain computer accounts (database servers, domain controllers, administration
workstations, and so on) for which you need to monitor each action (especially deletion), monitor this event with
the “Target Computer\Security ID” or “Target Computer\Account Name” that corresponds to the high-
value account or accounts.
Audit Distribution Group Management
4/5/2019
Applies to
Windows 10
Windows Server 2016
Audit Distribution Group Management determines whether the operating system generates audit events for
specific distribution-group management tasks.
This subcategory generates events only on domain controllers.
Event volume: Low on domain controllers.
This subcategory allows you to audit events generated by changes to distribution groups such as the following:
Distribution group is created, changed, or deleted.
Member is added or removed from a distribution group.
If you need to monitor for group type changes, you need to monitor for “4764: A group’s type was changed.”
“Audit Security Group Management” subcategory success auditing must be enabled.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | IF | No | IF | No | IF - Typically, actions related to distribution groups have low security relevance; it is much more important to monitor Security Group changes. But if you want to monitor for critical distribution group changes, such as a member being added to an internal critical distribution group (executives or an administrative group, for example), you need to enable this subcategory for Success auditing. Typically the volume of these events is low on domain controllers. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Events List:
4749(S): A security-disabled global group was created.
4750(S): A security-disabled global group was changed.
4751(S): A member was added to a security-disabled global group.
4752(S): A member was removed from a security-disabled global group.
4753(S): A security-disabled global group was deleted.
4759(S): A security-disabled universal group was created. See event “4749: A security-disabled global group was created.” Event 4759 is the same, but it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4760(S): A security-disabled universal group was changed. See event “4750: A security-disabled global group was changed.” Event 4760 is the same, but it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4761(S): A member was added to a security-disabled universal group. See event “4751: A member was added to a security-disabled global group.” Event 4761 is the same, but it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4762(S): A member was removed from a security-disabled universal group. See event “4752: A member was removed from a security-disabled global group.” Event 4762 is the same, but it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4763(S): A security-disabled universal group was deleted. See event “4753: A security-disabled global group was deleted.” Event 4763 is the same, but it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4744(S): A security-disabled local group was created. See event “4749: A security-disabled global group was created.” Event 4744 is the same, but it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4745(S): A security-disabled local group was changed. See event “4750: A security-disabled global group was changed.” Event 4745 is the same, but it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4746(S): A member was added to a security-disabled local group. See event “4751: A member was added to a security-disabled global group.” Event 4746 is the same, but it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4747(S): A member was removed from a security-disabled local group. See event “4752: A member was removed from a security-disabled global group.” Event 4747 is the same, but it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4748(S): A security-disabled local group was deleted. See event “4753: A security-disabled global group was deleted.” Event 4748 is the same, but it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4749(S): A security-disabled global group was created.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a new security-disabled (distribution) global group is created.
This event generates only on domain controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4749</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13827</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-14T16:16:35.568878700Z" />
<EventRecordID>172181</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1108" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">ServiceDesk</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3007b</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">ServiceDesk</Data>
<Data Name="SidHistory">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of created group. Event Viewer automatically tries to resolve SIDs and show
the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group that was created. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain name of created group. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Attributes:
SAM Account Name [Type = UnicodeString]: the name of the new group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). This is the value of the sAMAccountName attribute of the new group object. For example: ServiceDesk
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the
value of sIDHistory attribute of new group object. This parameter might not be captured in the event, and
in that case appears as “-”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor each time a new distribution group is created, to see who created the group and
when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
If your organization has naming conventions for account names, monitor “Attributes\SAM Account
Name” for names that don’t comply with the naming conventions.
4750(S): A security-disabled global group was changed.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a security-disabled (distribution) global group is changed.
This event generates only on domain controllers.
Some changes do not invoke a 4750 event, for example, changes made using the Active Directory Users and Computers management console on the Managed By tab of the group account properties.
If you change the name of the group (SAM Account Name), you also get “4781: The name of an account was changed” if “Audit User Account Management” subcategory success auditing is enabled.
If you change the group type, you get a change event from the new group type’s auditing subcategory instead of 4750. If you need to monitor for group type changes, it is better to monitor for “4764: A group’s type was changed.” That event is generated for any group type when the group type is changed; “Audit Security Group Management” subcategory success auditing must be enabled.
From a 4750 event you can get information about changes to the sAMAccountName and sIDHistory attributes; for any other change you will see only that something changed, not what exactly changed.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4750</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13827</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-14T16:38:37.902710700Z" />
<EventRecordID>172188</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1108" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">ServiceDeskMain</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3007b</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">ServiceDeskMain</Data>
<Data Name="SidHistory">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of changed group. Event Viewer automatically tries to resolve SIDs and show
the group name. If the SID cannot be resolved, you will see the source data in the event.
Note Sometimes you can see the Group\Security ID field contains an old group name in Event Viewer (as
you can see in the event example). That happens because Event Viewer caches names for SIDs that it has
already resolved for the current session.
Note The Security ID field has the same value as the new group name (Changed Attributes\SAM Account Name). That happens because the event is generated after the name was changed, and the SID resolves to the new name. It is always better to use the SID instead of group names for queries or filtering of events, because then you know for sure that this is the right object you are looking for or want to monitor.
Group Name [Type = UnicodeString]: the name of the group that was changed. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain name of changed group. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Built-in groups: Builtin
Changed Attributes:
SAM Account Name [Type = UnicodeString]: the new name of the changed group, used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of the sAMAccountName attribute of the group object was changed, you will see the new value here. For example: ServiceDesk.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. If the value of sIDHistory
attribute of group object was changed, you will see the new value here.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a list of critical distribution groups in the organization, and need to specifically monitor these
groups for any change, monitor events with the “Group\Group Name” values that correspond to the
critical distribution groups.
If you need to monitor each time a member is added to a distribution group, to see who added the member
and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if
needed.
If your organization has naming conventions for account names, monitor “Attributes\SAM Account
Name” for names that don’t comply with the naming conventions.
4751(S): A member was added to a security-disabled global group.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a new member is added to a security-disabled (distribution) global group.
This event generates only on domain controllers.
For every added member you will get a separate 4751 event.
You will typically see a “4750: A security-disabled global group was changed.” event without any changes in it prior to the 4751 event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4751</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13827</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-15T00:01:10.821144700Z" />
<EventRecordID>172221</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1108" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="MemberName">CN=Auditor,CN=Users,DC=contoso,DC=local</Data>
<Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="TargetUserName">ServiceDeskSecond</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3007b</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “add member to the
group” operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that
might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Member:
Security ID [Type = SID]: SID of account that was added to the group. Event Viewer automatically tries to
resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the
event.
Account Name [Type = UnicodeString]: distinguished name of account that was added to the group. For
example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some well-known security principals, such
as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
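The DN format described in this note, as an added example (not code from the Microsoft documentation): a small RFC 4514 parser that splits a distinguished name such as the Member\Account Name value above into its RDNs, decoding backslash and hex escapes, plus two helpers for the checks a monitoring rule typically needs (the domain the object belongs to, and whether it sits under a given container). The function names are my own.

```python
import re

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def parse_dn(dn):
    """Split an LDAP distinguished name into an ordered list of (attribute, value) RDNs.

    Follows the RFC 4514 string form: unescaped commas separate RDNs, a backslash
    escapes the next character, and "\\XX" is one hex-encoded byte (so UTF-8 sequences
    such as "\\C3\\A9" decode correctly). Multi-valued RDNs (a=1+b=2) are kept as one
    value string rather than split further.
    """
    rdns, buf, i = [], bytearray(), 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if HEX_PAIR.fullmatch(dn, i + 1, i + 3):
                buf.append(int(dn[i + 1:i + 3], 16))  # \XX hex escape
                i += 3
            elif i + 1 < len(dn):
                buf += dn[i + 1].encode("utf-8")      # \, \+ \" \\ \< \> \; \# etc.
                i += 2
            else:
                raise ValueError("trailing backslash in DN")
            continue
        if ch == ",":
            rdns.append(buf.decode("utf-8"))
            buf = bytearray()
        else:
            buf += ch.encode("utf-8")
        i += 1
    rdns.append(buf.decode("utf-8"))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip(), value))
    return pairs


def dn_domain(pairs):
    """Join the DC components into a DNS-style domain name, e.g. contoso.local."""
    return ".".join(v for a, v in pairs if a.upper() == "DC")


def dn_is_under(dn, container):
    """True when dn sits (at any depth) below container.

    Attribute types are case-insensitive; values are compared case-insensitively too,
    which matches the matching rules AD uses for CN, OU and DC.
    """
    def norm(pairs):
        return [(a.upper(), v.lower()) for a, v in pairs]
    d, c = norm(parse_dn(dn)), norm(parse_dn(container))
    return len(d) > len(c) and d[-len(c):] == c


if __name__ == "__main__":
    member = "CN=Auditor,CN=Users,DC=contoso,DC=local"  # Member\Account Name from the 4751 example
    print(parse_dn(member))
    print(dn_domain(parse_dn(member)))
    print(dn_is_under(member, "CN=Users,DC=contoso,DC=local"))
```

A monitoring rule that keys on "members added from outside OU X" or "members from another domain" should work on the parsed RDN list rather than on substring matches, because an escaped comma inside a CN (a display name such as "Smith, John") breaks naive splitting.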
Group:
Security ID [Type = SID]: SID of the group to which new member was added. Event Viewer automatically
tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data
in the event.
Group Name [Type = UnicodeString]: the name of the group to which new member was added. For
example: ServiceDesk
Group Domain [Type = UnicodeString]: domain name of the group to which new member was added.
Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Security Monitoring Recommendations
For 4751(S): A member was added to a security-disabled global group.
Addition of members to distribution groups: You might need to monitor the addition of members to distribution groups. | If you need to monitor each time a member is added to a distribution group, to see who added the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
High-value distribution groups: You might have a list of critical distribution groups in the organization, and need to specifically monitor these groups for the addition of new members (or for other changes). | Monitor this event with the “Group\Group Name” values that correspond to the high-value distribution groups.
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
4752(S): A member was removed from a security-disabled global group.
4/5/2019 • 6 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a member is removed from a security-disabled (distribution) global group.
This event generates only on domain controllers.
For every removed member you will get a separate 4752 event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4752</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13827</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-15T00:20:57.315863900Z" />
    <EventRecordID>172229</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1108" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="MemberName">CN=Auditor,CN=Users,DC=contoso,DC=local</Data>
    <Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
    <Data Name="TargetUserName">ServiceDeskSecond</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3007b</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “remove member
from the group” operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Member:
Security ID [Type = SID]: SID of account that was removed from the group. Event Viewer automatically
tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data
in the event.
Account Name [Type = UnicodeString]: distinguished name of account that was removed from the group.
For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some well-known security principals,
such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Group:
Security ID [Type = SID]: SID of the group from which the member was removed. Event Viewer
automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the
source data in the event.
Group Name [Type = UnicodeString]: the name of the group from which the member was removed. For
example: ServiceDesk
Group Domain [Type = UnicodeString]: domain name of the group from which the member was removed.
Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See the full list of user privileges in “Table 8. User Privileges”.
Security Monitoring Recommendations
For 4752(S): A member was removed from a security-disabled global group.
Removal of members from distribution groups: You might need to monitor the removal of members from distribution groups.
Recommendation: If you need to monitor each time a member is removed from a distribution group, to see who removed the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
High-value distribution groups: You might have a list of critical distribution groups in the organization, and need to specifically monitor these groups for the removal of members (or for other changes).
Recommendation: Monitor this event with the “Group\Group Name” values that correspond to the high-value distribution groups.
Distribution groups with required members: You might need to ensure that for certain distribution groups, particular members are never removed.
Recommendation: Monitor this event with the “Group\Group Name” that corresponds to the group of interest, and the “Member\Security ID” of the members who should not be removed.
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
4753(S): A security-disabled global group was deleted.
4/5/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a security-disabled (distribution) global group is deleted.
This event generates only on domain controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4753</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13827</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-15T00:59:33.621155200Z" />
    <EventRecordID>172230</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1504" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">ServiceDeskSecond</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3007b</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of deleted group. Event Viewer automatically tries to resolve SIDs and show
the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group that was deleted. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain name of deleted group. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See the full list of user privileges in “Table 8. User Privileges”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a list of critical distribution groups in the organization, and need to specifically monitor these
groups for any change, especially group deletion, monitor events with the “Group\Group Name” values
that correspond to the critical distribution groups.
If you need to monitor each time a distribution group is deleted, to see who deleted it and when, monitor
this event. Typically, this event is used as an informational event, to be reviewed if needed.
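As an added example (not code from Microsoft's documentation or tooling), the following Python applies two of the recommendations in the 4752 and 4753 sections to the Event XML shown there: it parses an event's EventData into a dictionary, then alerts when a member on a required-member list is removed from a distribution group (4752) or when a critical distribution group is deleted (4753). REQUIRED_MEMBERS and CRITICAL_GROUPS are constructed policy values; the sample events are the page's own 4752 and 4753 samples trimmed to the fields the rules read, plus one constructed 4752 variant whose removed member is not on the required list.

```python
import xml.etree.ElementTree as ET

# Namespace of every event exported from the Windows Security channel (see the Event XML above).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed policy (assumption, not from the page): distribution groups whose listed member
# SIDs must never be removed (4752), and distribution groups whose deletion is critical (4753).
REQUIRED_MEMBERS = {
    "ServiceDeskSecond": {"S-1-5-21-3457937927-2839227994-823803824-2104"},
}
CRITICAL_GROUPS = {"ServiceDeskSecond"}


def parse_security_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Security channel event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def evaluate(xml_text):
    """Apply the 4752/4753 rules from the recommendations; return a list of alert strings."""
    event_id, d = parse_security_event(xml_text)
    # Subject\Account Domain, Subject\Account Name and Subject\Security ID: who performed the operation.
    subject = f"{d.get('SubjectDomainName')}\\{d.get('SubjectUserName')} ({d.get('SubjectUserSid')})"
    group = d.get("TargetUserName", "")  # Group\Group Name
    alerts = []
    if event_id == 4752 and d.get("MemberSid") in REQUIRED_MEMBERS.get(group, set()):
        alerts.append(f"4752: required member {d['MemberName']} removed from {group} by {subject}")
    elif event_id == 4753 and group in CRITICAL_GROUPS:
        alerts.append(f"4753: critical distribution group {group} deleted by {subject}")
    return alerts


def _event(event_id, data_xml):
    """Wrap EventData in the System/EventData layout of the page's samples (trimmed to what the rules read)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID><Computer>DC01.contoso.local</Computer></System>"
        f"<EventData>{data_xml}</EventData></Event>"
    )


SUBJECT = (
    '<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>'
    '<Data Name="SubjectUserName">dadmin</Data><Data Name="SubjectDomainName">CONTOSO</Data>'
)
GROUP = (
    '<Data Name="TargetUserName">ServiceDeskSecond</Data><Data Name="TargetDomainName">CONTOSO</Data>'
    '<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>'
)
# Page sample: 4752, the Auditor account removed from ServiceDeskSecond by dadmin.
EVENT_4752 = _event(
    4752,
    '<Data Name="MemberName">CN=Auditor,CN=Users,DC=contoso,DC=local</Data>'
    '<Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>' + GROUP + SUBJECT,
)
# Constructed variant: the removed member is not on the required list (RID 9999 is made up).
EVENT_4752_OTHER = EVENT_4752.replace("823803824-2104", "823803824-9999")
# Page sample: 4753, the ServiceDeskSecond group deleted by dadmin.
EVENT_4753 = _event(4753, GROUP + SUBJECT)

if __name__ == "__main__":
    for label, xml in [("4752", EVENT_4752), ("4752 other", EVENT_4752_OTHER), ("4753", EVENT_4753)]:
        print(label, evaluate(xml) or "no alert")
```

The rules key on Member\Security ID and Group\Group Name rather than on the distinguished name in Member\Account Name, because the page notes that the SID is the stable identifier and that Account Name can be “-” for well-known principals.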
Audit Other Account Management Events
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Other Account Management Events determines whether the operating system generates user account
management audit events.
Event volume: Typically Low on all types of computers.
This subcategory allows you to audit the following events:
The password hash of a user account was accessed. This happens during an Active Directory Management
Tool password migration.
The Password Policy Checking API was called. Password Policy Checking API allows an application to check
password compliance against an application-provided account database or single account and verify that
passwords meet the complexity, aging, minimum length, and history reuse requirements of a password
policy.
Audit recommendation table columns: Computer Type, General Success, General Failure, Stronger Success, Stronger Failure, Comments.
Events List:
4782(S): The password hash of an account was accessed.
4793(S): The Password Policy Checking API was called.
4782(S): The password hash of an account was accessed.
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Account Management Events
Event Description:
This event generates on domain controllers during password migration of an account using Active Directory Migration Toolkit.
Typically “Subject\Security ID” is the SYSTEM account.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4782</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13829</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-18T21:23:46.435367800Z" />
    <EventRecordID>174829</EventRecordID>
    <Correlation />
    <Execution ProcessID="512" ThreadID="1232" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">Andrei</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the hash migration operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For ANONYMOUS LOGON you will see NT AUTHORITY value for this field.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Account Name [Type = UnicodeString]: the name of the account for which the password hash was
migrated. For example: ServiceDesk
User account example: Andrei
Computer account example: DC01$
Account Domain [Type = UnicodeString]: domain name of the account for which the password hash was
migrated. Formats vary, and include the following:
Domain NETBIOS name example: FABRIKAM
Lowercase full domain name: fabrikam.local
Uppercase full domain name: FABRIKAM.LOCAL
4793(S): The Password Policy Checking API was called.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Account Management Events
Event Description:
This event generates each time the Password Policy Checking API is called.
The Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.
This event, for example, generates during the Directory Services Restore Mode (DSRM) account password reset procedure to check the new DSRM password.
This event generates on the computer where the Password Policy Checking API was called.
Note that starting with Microsoft SQL Server 2005, the “SQL Server password policy” feature can generate many 4793 events on a SQL Server.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4793</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13829</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-18T02:37:46.322424300Z" />
    <EventRecordID>172342</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="2964" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x36f67</Data>
    <Data Name="Workstation">DC01</Data>
    <Data Name="TargetUserName">-</Data>
    <Data Name="Status">0x0</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the Password Policy Checking
API operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Additional Information:
Caller Workstation [Type = UnicodeString]: name of the computer from which the Password Policy
Checking API was called. Typically, this is the same computer where this event was generated, for example,
DC01. Computer name here does not contain $ symbol at the end. It also can be an IP address or the DNS
name of the computer.
Provided Account Name (unauthenticated) [Type = UnicodeString]: the name of the account whose
password was provided for validation. This parameter might not be captured in the event, and in that case
appears as “-”.
Status Code [Type = HexInt32]: typically has the value “0x0”. The status code is “0x0” whether or not the
password meets the domain password policy.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this is an informational event, and can give you information about when Password Policy Checking
APIs were invoked, and who invoked them. The Provided Account Name does not always have a value—
sometimes it’s not really possible to determine for which account the password policy check was performed.
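The following Python is an added example, not code from Microsoft's documentation, and applies the monitoring points made for the two events in this subcategory: a 4782 whose Subject\Security ID is not SYSTEM (S-1-5-18) is reported, since the page states that SYSTEM is the subject typically seen during Active Directory Migration Toolkit password migration; and 4793 events are counted per Caller Workstation so that a host generating many of them (the SQL Server case noted above) can be identified, with Status Code deliberately ignored because it is 0x0 either way. The 4782 and 4793 samples are the page's own, trimmed to the fields read; the non-SYSTEM 4782 variant and the host name SQL01 are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace of every event exported from the Windows Security channel.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"  # well-known SID of the local SYSTEM account


def parse_security_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Security channel event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    return event_id, {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}


def unexpected_hash_access(xml_text):
    """4782: return a finding when the subject is not SYSTEM, the subject expected during ADMT migration."""
    event_id, d = parse_security_event(xml_text)
    if event_id != 4782 or d.get("SubjectUserSid") == SYSTEM_SID:
        return None
    return (f"4782: password hash of {d.get('TargetDomainName')}\\{d.get('TargetUserName')} "
            f"accessed by non-SYSTEM subject {d.get('SubjectUserName')} ({d.get('SubjectUserSid')})")


def noisy_policy_check_callers(xml_events, threshold):
    """4793: count calls per Caller Workstation and return the callers above threshold.

    Status Code is 0x0 whether or not the password met the policy, so it carries no signal and is
    ignored; what this informational event does tell you is who called the API and from where.
    """
    counts = Counter()
    for xml_text in xml_events:
        event_id, d = parse_security_event(xml_text)
        if event_id == 4793:
            counts[d.get("Workstation") or "-"] += 1
    return {ws: n for ws, n in counts.items() if n > threshold}


def _event(event_id, data_xml):
    """Wrap EventData in the System/EventData layout of the page's samples (trimmed to the fields read)."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>{event_id}</EventID></System><EventData>{data_xml}</EventData></Event>")


# Page sample: 4782 raised by the domain controller's SYSTEM account while migrating user Andrei.
EVENT_4782 = _event(4782,
    '<Data Name="TargetUserName">Andrei</Data><Data Name="TargetDomainName">CONTOSO</Data>'
    '<Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectUserName">DC01$</Data>'
    '<Data Name="SubjectDomainName">CONTOSO</Data><Data Name="SubjectLogonId">0x3e7</Data>')
# Constructed variant: the same access performed by the interactive admin dadmin instead of SYSTEM.
EVENT_4782_ADMIN = (EVENT_4782
                    .replace("S-1-5-18", "S-1-5-21-3457937927-2839227994-823803824-1104")
                    .replace("DC01$", "dadmin"))
# Page sample: one 4793 call from DC01 (Status 0x0), followed by constructed copies attributed to a
# hypothetical SQL Server host SQL01, the noisy-caller case the page warns about.
EVENT_4793 = _event(4793,
    '<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>'
    '<Data Name="SubjectUserName">dadmin</Data><Data Name="SubjectDomainName">CONTOSO</Data>'
    '<Data Name="SubjectLogonId">0x36f67</Data><Data Name="Workstation">DC01</Data>'
    '<Data Name="TargetUserName">-</Data><Data Name="Status">0x0</Data>')
EVENT_LOG = [EVENT_4793] + [EVENT_4793.replace(">DC01<", ">SQL01<")] * 6

if __name__ == "__main__":
    print(unexpected_hash_access(EVENT_4782))        # None: SYSTEM is the expected subject
    print(unexpected_hash_access(EVENT_4782_ADMIN))  # finding for the non-SYSTEM subject
    print(noisy_policy_check_callers(EVENT_LOG, 5))  # {'SQL01': 6}
```

A threshold tuned per host is the practical way to keep the SQL Server case from drowning the rare DSRM reset this event is actually useful for; the Provided Account Name is not used because, as noted above, it is often “-”.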
Audit Security Group Management
4/5/2019 • 5 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Security Group Management determines whether the operating system generates audit events when
specific security group management tasks are performed.
Event volume: Low.
This subcategory allows you to audit events generated by changes to security groups such as the following:
Security group is created, changed, or deleted.
Member is added or removed from a security group.
Group type is changed.
Audit recommendation table columns: Computer Type, General Success, General Failure, Stronger Success, Stronger Failure, Comments.
4731(S): A security-enabled local group was created.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a new security-enabled (security) local group is created.
This event generates on domain controllers, member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4731</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-19T01:01:50.646049700Z" />
    <EventRecordID>174849</EventRecordID>
    <Correlation />
    <Execution ProcessID="512" ThreadID="1092" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">AccountOperators</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3031e</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="SamAccountName">AccountOperators</Data>
    <Data Name="SidHistory">-</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
New Group:
Security ID [Type = SID]: SID of created group. Event Viewer automatically tries to resolve SIDs and
show the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group that was created. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the created group. Formats vary,
and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this new group belongs,
for example: “Win81”.
Attributes:
SAM Account Name [Type = UnicodeString]: the name of the new group used to support clients and
servers from previous versions of Windows (the pre-Windows 2000 logon name); the value of the
sAMAccountName attribute of the new group object. For example: ServiceDesk. For local groups it is simply
the name of the new group.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains
the value of sIDHistory attribute of new group object. This parameter might not be captured in the event,
and in that case appears as “-”. For local groups it is not applicable and always has the “-” value.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See the full list of user privileges in “Table 8. User Privileges”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor each time a new security group is created, to see who created the group and when,
monitor this event.
If you need to monitor the creation of local security groups on different servers, and you use Windows
Event Forwarding to collect events in a central location, check “New Group\Group Domain.” It should
not be the name of the domain, but instead should be the computer name.
If your organization has naming conventions for account names, monitor “Attributes\SAM Account
Name” for names that don’t comply with the naming conventions.
4732(S): A member was added to a security-enabled local group.
4/5/2019 • 6 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a new member is added to a security-enabled (security) local group.
This event generates on domain controllers, member servers, and workstations.
For every added member you will get a separate 4732 event.
You will typically see a “4735: A security-enabled local group was changed.” event without any changes in it prior to the 4732 event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4732</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-19T03:02:38.563110400Z" />
    <EventRecordID>174856</EventRecordID>
    <Correlation />
    <Execution ProcessID="512" ThreadID="1092" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="MemberName">CN=eadmin,CN=Users,DC=contoso,DC=local</Data>
    <Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-500</Data>
    <Data Name="TargetUserName">AccountOperators</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3031e</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “add member to the
group” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Member:
Security ID [Type = SID]: SID of account that was added to the group. Event Viewer automatically tries to
resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the
event.
Account Name [Type = UnicodeString]: distinguished name of account that was added to the group. For
example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “-“ value,
even if new member is a domain account. For some well-known security principals, such as LOCAL
SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
Note The LDAP API references an LDAP object by its distinguished name (DN ). A DN is a sequence of
relative distinguished names (RDN ) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Group:
Security ID [Type = SID]: SID of the group to which the new member was added. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group to which new member was added. For
example: ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the group to which the new
member was added. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this new group belongs,
for example: “Win81”.
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
TYPE OF MONITORING REQUIRED | RECOMMENDATION

Addition of members to local or domain security groups: You might need to monitor the addition of members to local or domain security groups.
Recommendation: If you need to monitor each time a member is added to a local or domain security group, to see who added the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.

High-value local or domain security groups: You might have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for the addition of new members (or for other changes). Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, and so on.
Recommendation: Monitor this event with the “Group\Group Name” values that correspond to the high-value local or domain security groups.

High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the high-value account or accounts.

Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.

Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the accounts that should never be used.

Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist.

Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.

External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.

Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about.

Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.

Mismatch between type of account (user or computer) and the group it was added to: You might want to monitor to ensure that a computer account was not added to a group intended for users, or a user account was not added to a group intended for computers.
Recommendation: Monitor the type of account added to the group to see if it matches what the group is intended for.
4733(S): A member was removed from a security-enabled local group.
4/5/2019 • 6 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a member is removed from a security-enabled (security) local group.
This event generates on domain controllers, member servers, and workstations.
For every removed member you will get a separate 4733 event.
You will typically see a “4735: A security-enabled local group was changed.” event without any changes in it prior to the 4733 event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4733</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-19T16:51:00.376806500Z" />
<EventRecordID>175037</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="MemberName">CN=Auditor,CN=Users,DC=contoso,DC=local</Data>
<Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="TargetUserName">AccountOperators</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x35e38</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “remove member
from the group” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Member:
Security ID [Type = SID]: SID of the account that was removed from the group. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: distinguished name of the account that was removed from the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has the “-” value, even if the removed member is a domain account. For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Group:
Security ID [Type = SID]: SID of the group from which the member was removed. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group from which the member was removed. For
example: ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the group from which the member
was removed. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this new group belongs, for
example: “Win81”.
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
TYPE OF MONITORING REQUIRED | RECOMMENDATION

Removal of members from local or domain security groups: You might need to monitor the removal of members from local or domain security groups.
Recommendation: If you need to monitor each time a member is removed from a local or domain security group, to see who removed the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.

High-value local or domain security groups: You might have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for the removal of members (or for other changes). Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, and so on.
Recommendation: Monitor this event with the “Group\Group Name” values that correspond to the high-value local or domain security groups.

Local or domain security groups with required members: You might need to ensure that for certain local or domain security groups, particular members are never removed.
Recommendation: Monitor this event with the “Group\Group Name” that corresponds to the group of interest, and the “Member\Security ID” of the members who should not be removed.

High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the high-value account or accounts.

Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.

Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the accounts that should never be used.

Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist.

Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.

External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.

Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about.

Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
4734(S): A security-enabled local group was deleted.
4/5/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a security-enabled (security) local group is deleted.
This event generates on domain controllers, member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4734</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-19T18:23:42.426245700Z" />
<EventRecordID>175039</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1072" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">AccountOperators</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x35e38</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of the deleted group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group that was deleted. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the deleted group. Formats vary,
and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this new group belongs,
for example: “Win81”.
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a list of critical local or domain security groups in the organization, and need to specifically
monitor these groups for any change, especially group deletion, monitor events with the “Group\Group
Name” values that correspond to the critical local or domain security groups. Examples of critical local or
domain groups are built-in local administrators group, domain admins, enterprise admins, and so on.
If you need to monitor each time a local or domain security group is deleted, to see who deleted it and
when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
4735(S): A security-enabled local group was changed.
4/5/2019 • 6 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a security-enabled (security) local group is changed.
This event generates on domain controllers, member servers, and workstations.
Some changes do not invoke a 4735 event, for example, changes made using the Active Directory Users and Computers management console in the Managed By tab of the group account properties.
If you change the name of the group (SAM Account Name), you also get “4781: The name of an account was changed” if “Audit User Account Management” subcategory success auditing is enabled.
If you change the group type, you get a change event from the new group type auditing subcategory instead of 4735. If you need to monitor for group type changes, it is better to monitor for “4764: A group’s type was changed.” These events are generated for any group type when the group type is changed. “Audit Security Group Management” subcategory success auditing must be enabled.
From a 4735 event you can get information about changes to the sAMAccountName and sIDHistory attributes; for any other change you will see that something changed, but will not be able to see what exactly changed.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4735</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-19T02:00:45.537440000Z" />
<EventRecordID>174850</EventRecordID>
<Correlation />
<Execution ProcessID="512" ThreadID="1092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">AccountOperators_NEW</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3031e</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">AccountOperators_NEW</Data>
<Data Name="SidHistory">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of the changed group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
Note Sometimes you can see that the Group\Security ID field contains an old group name in Event Viewer (as you can see in the event example). That happens because Event Viewer caches names for SIDs that it has already resolved for the current session.
Note The Security ID field has the same value as the new group name (Changed Attributes>SAM Account Name). That happens because the event is generated after the name was changed, so the SID resolves to the new name. It is always better to use the SID instead of group names for queries or filtering of events, because then you know for sure that this is the right object you are looking for or want to monitor.
Group Name [Type = UnicodeString]: the name of the group that was changed. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the changed group. Formats vary,
and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this new group belongs,
for example: “Win81”.
Built-in groups: Builtin
Changed Attributes:
You might see a 4735 event without any changes inside, that is, where all Changed Attributes appear as “-”. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the discretionary access control list (DACL) is changed, a 4735 event will generate, but all attributes will be “-”.
SAM Account Name [Type = UnicodeString]: the new name of the changed group, used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of the sAMAccountName attribute of the group object was changed, you will see the new value here. For example: ServiceDesk. For local groups it is simply the new name of the group, if it was changed.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property. If the value of the sIDHistory attribute of the group object was changed, you will see the new value here. For local groups it is not applicable and always has the “-” value.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as
“-”. See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit
events.
If you have a list of critical local or domain security groups in the organization, and need to specifically
monitor these groups for any change, monitor events with the “Group\Group Name” values that
correspond to the critical local or domain security groups.
If you need to monitor each time a member is added to a local or domain security group, to see who added
the member and when, monitor this event. Typically, this event is used as an informational event, to be
reviewed if needed.
If your organization has naming conventions for account names, monitor “Attributes\SAM Account
Name” for names that don’t comply with the naming conventions.
4764(S): A group’s type was changed.
4/5/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a group’s type is changed.
This event generates for both security and distribution groups.
This event generates only on domain controllers.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4764</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T00:25:33.459568000Z" />
<EventRecordID>175221</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1072" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="GroupTypeChange">Security Enabled Local Group Changed to Security Disabled Local Group.</Data>
<Data Name="TargetUserName">CompanyAuditors</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6608</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38200</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change group type”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Change Type [Type = UnicodeString]: contains three parts: “<Param1> Changed To <Param2>.”. These two
parameters can have the following values (they cannot have the same value at the same time):
Security Disabled Local Group
Security Disabled Universal Group
Security Disabled Global Group
Security Enabled Local Group
Security Enabled Universal Group
Security Enabled Global Group
Group:
Security ID [Type = SID]: SID of the changed group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group whose type was changed. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the changed group. Formats vary,
and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this new group belongs,
for example: “Win81”.
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a list of critical local or domain groups in the organization, and need to specifically monitor
these groups for any change, especially group type change, monitor events with the “Group\Group
Name” values that correspond to the critical distribution groups. Examples of critical local or domain
groups are built-in local administrators group, domain admins, enterprise admins, critical distribution
groups, and so on.
If you need to monitor each time any group’s type is changed, to see who changed it and when, monitor
this event. Typically, this event is used as an informational event, to be reviewed if needed.
4799(S): A security-enabled local group membership was enumerated.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates when a process enumerates the members of a security-enabled local group on the computer or device.
This event doesn't generate when group members were enumerated using Active Directory Users and Computers snap-in.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4799</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T03:50:23.625407600Z" />
<EventRecordID>685</EventRecordID>
<Correlation ActivityID="{CBAEDE08-1CF0-0000-50DE-AECBF01CD101}" />
<Execution ProcessID="744" ThreadID="188" />
<Channel>Security</Channel>
<Computer>WIN10-1.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">Administrators</Data>
<Data Name="TargetDomainName">Builtin</Data>
<Data Name="TargetSid">S-1-5-32-544</Data>
<Data Name="SubjectUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x72d9d</Data>
<Data Name="CallerProcessId">0xc80</Data>
<Data Name="CallerProcessName">C:\\Windows\\System32\\mmc.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “enumerate security-
enabled local group members” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of the group whose members were enumerated. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data
in the event.
Group Name [Type = UnicodeString]: the name of the group whose members were enumerated.
Group Domain [Type = UnicodeString]: group’s domain or computer name. Formats vary, and
include the following:
For Builtin groups this field has “Builtin” value.
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this group belongs, for
example: “Win81”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that enumerated the members of the
group. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To
see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has
been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a list of critical local security groups in the organization, and need to specifically monitor these
groups for any access (in this case, enumeration of group membership), monitor events with the
“Group\Group Name” values that correspond to the critical local security groups. Examples of critical local
groups are built-in local administrators, built-in backup operators, and so on.
If you need to monitor each time the membership is enumerated for a local or domain security group, to see
who enumerated the membership and when, monitor this event. Typically, this event is used as an
informational event, to be reviewed if needed.
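As an added example that is not part of the Microsoft documentation, the following Python ties the monitoring recommendation above to the Process Information fields: it parses 4799 events, flags enumeration of critical local groups by well-known SID, and converts the hexadecimal Caller Process ID so it can be matched against the New Process ID of a 4688 event. Both events and the SID-to-name list are constructed for the example.

```python
"""Added example (not Microsoft's code): parse 4799 events, flag enumeration
of critical local groups, and tie the hexadecimal Caller Process ID back to
the 4688 event that created the calling process.  Both events below are
constructed samples shaped like the documented Event XML."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Critical local groups to watch, keyed by well-known SID; the text names the
# built-in Administrators and Backup Operators groups as examples.
CRITICAL_GROUP_SIDS = {"S-1-5-32-544": "Administrators",
                       "S-1-5-32-551": "Backup Operators"}

SAMPLE_EVENTS = [r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4688</EventID><Channel>Security</Channel>
<TimeCreated SystemTime="2015-11-12T03:49:58.000000000Z" />
<Computer>WIN10-1.contoso.local</Computer></System>
<EventData><Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectLogonId">0x72d9d</Data>
<Data Name="NewProcessId">0xc80</Data>
<Data Name="NewProcessName">C:\Windows\System32\mmc.exe</Data></EventData>
</Event>""", r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4799</EventID><Channel>Security</Channel>
<TimeCreated SystemTime="2015-11-12T03:50:23.625407600Z" />
<Computer>WIN10-1.contoso.local</Computer></System>
<EventData><Data Name="TargetUserName">Administrators</Data>
<Data Name="TargetDomainName">Builtin</Data>
<Data Name="TargetSid">S-1-5-32-544</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x72d9d</Data>
<Data Name="CallerProcessId">0xc80</Data>
<Data Name="CallerProcessName">C:\Windows\System32\mmc.exe</Data></EventData>
</Event>"""]


def parse_event(xml_text):
    """Flatten one Security event into a dict: the System fields used here
    plus every EventData <Data Name="..."> value."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "EventID": int(system.find("e:EventID", NS).text),
        "Computer": system.find("e:Computer", NS).text,
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    for data in root.find("e:EventData", NS):
        event[data.get("Name")] = data.text or ""
    return event


def correlate_4799(events):
    """For every 4799, report whether the enumerated group is critical and
    which 4688 created the calling process.  CallerProcessId (4799) and
    NewProcessId (4688) are hexadecimal strings, so both are compared as
    integers; SystemTime is fixed-width ISO 8601 UTC, so it compares as text.
    The match is the latest 4688 on the same computer that precedes the 4799;
    PIDs are reused, so a real pipeline should also bound the lookback."""
    creations = [e for e in events if e["EventID"] == 4688]
    findings = []
    for e in events:
        if e["EventID"] != 4799:
            continue
        pid = int(e["CallerProcessId"], 16)
        origin = None
        for c in creations:
            if (c["Computer"] == e["Computer"]
                    and int(c["NewProcessId"], 16) == pid
                    and c["TimeCreated"] <= e["TimeCreated"]
                    and (origin is None
                         or c["TimeCreated"] > origin["TimeCreated"])):
                origin = c
        findings.append({
            "group": f'{e["TargetDomainName"]}\\{e["TargetUserName"]}',
            "critical": e["TargetSid"] in CRITICAL_GROUP_SIDS,
            "subject": f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}',
            "pid": pid,  # decimal, as Task Manager shows it
            "process": e["CallerProcessName"],
            "created_by_logon": origin["SubjectLogonId"] if origin else None,
            "created_at": origin["TimeCreated"] if origin else None,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_4799([parse_event(x) for x in SAMPLE_EVENTS]):
        print(finding)
```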
Audit User Account Management
4/5/2019
Applies to
Windows 10
Windows Server 2016
Audit User Account Management determines whether the operating system generates audit events when
specific user account management tasks are performed.
Event volume: Low.
This policy setting allows you to audit changes to user accounts. Events include the following:
A user account is created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.
A user account’s password is set or changed.
A security identifier (SID) is added to the SID History of a user account, or fails to be added.
The Directory Services Restore Mode password is configured.
Permissions on administrative user accounts are changed.
A user's local group membership was enumerated.
Credential Manager credentials are backed up or restored.
Some events in this subcategory, for example 4722, 4725, 4724, and 4781, are also generated for computer
accounts.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
4720(S): A user account was created.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a new user object is created.
This event generates on domain controllers, member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4720</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T16:22:02.759912000Z" />
<EventRecordID>175408</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30dc2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">ksmith</Data>
<Data Name="DisplayName">Ken Smith</Data>
<Data Name="UserPrincipalName">ksmith@contoso.local</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">%%1794</Data>
<Data Name="AccountExpires">%%1794</Data>
<Data Name="PrimaryGroupId">513</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x0</Data>
<Data Name="NewUacValue">0x15</Data>
<Data Name="UserAccountControl">%%2080 %%2082 %%2084</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">%%1793</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create user account”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
New Account:
Security ID [Type = SID]: SID of created user account. Event Viewer automatically tries to resolve SIDs and
show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the user account that was created. For example:
dadmin.
Account Domain [Type = UnicodeString]: domain name of created user account. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local accounts, this field will contain the name of the computer to which this new account
belongs, for example: “Win81”.
Attributes:
SAM Account Name [Type = UnicodeString]: logon name for account used to support clients and servers
from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName
attribute of new user object. For example: ksmith. For local account this field contains the name of new user
account.
Display Name [Type = UnicodeString]: the value of displayName attribute of new user object. It is a
name displayed in the address book for a particular account. This is usually the combination of the user's
first name, middle initial, and last name. For example, Ken Smith. You can change this attribute by using
Active Directory Users and Computers, or through a script, for example. Local accounts contain Full Name
attribute in this field, but for new local accounts this field typically has value “<value not set>”.
User Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the
Internet standard RFC 822. By convention this should map to the account's email name. This parameter
contains the value of userPrincipalName attribute of new user object. For example, ksmith@contoso.local.
For local users this field is not applicable and has value “-”. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example.
Home Directory [Type = UnicodeString]: user's home directory. If homeDrive attribute is set and specifies
a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form
\\Server\Share\Directory. This parameter contains the value of homeDirectory attribute of new user
object. For new local accounts this field typically has value “<value not set>”. You can change this attribute
by using Active Directory Users and Computers, or through a script, for example. This parameter might not
be captured in the event, and in that case appears as “-”.
Home Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by
homeDirectory account’s attribute. The drive letter must be specified in the form “DRIVE_LETTER:”. For
example – “H:”. This parameter contains the value of homeDrive attribute of new user object. You can
change this attribute by using Active Directory Users and Computers, or through a script, for example. This
parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this
field typically has value “<value not set>”.
Script Path [Type = UnicodeString]: specifies the path of the account’s logon script. This parameter
contains the value of scriptPath attribute of new user object. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example. This parameter might not be captured in
the event, and in that case appears as “-”. For new local accounts this field typically has value “<value not
set>”.
Profile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null string,
a local absolute path, or a UNC path. This parameter contains the value of profilePath attribute of new user
object. You can change this attribute by using Active Directory Users and Computers, or through a script, for
example. This parameter might not be captured in the event, and in that case appears as “-”. For new local
accounts this field typically has value “<value not set>”.
User Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers
from which the user can log on. Each computer name is separated by a comma. The name of a computer is
the sAMAccountName property of a user object. This parameter contains the value of userWorkstations
attribute of new user object. You can change this attribute by using Active Directory Users and Computers,
or through a script, for example. This parameter might not be captured in the event, and in that case appears
as “-”. For local users this field is not applicable and typically has value “<value not set>”.
Password Last Set [Type = UnicodeString]: last time the account’s password was modified. For manually
created user account, using Active Directory Users and Computers snap-in, this field typically has value
“<never>”. This parameter contains the value of pwdLastSet attribute of new user object.
Account Expires [Type = UnicodeString]: the date when the account expires. This parameter contains the
value of accountExpires attribute of new user object. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example. This parameter might not be captured in
the event, and in that case appears as “-”. For manually created local and domain user accounts this field
typically has value “<never>”.
Primary Group ID [Type = UnicodeString]: Relative Identifier (RID) of user’s object primary group.
Note Relative identifier (RID) is a variable length number that is assigned to objects at creation and
becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a
domain.
Typically, Primary Group field for new user accounts has the following values:
513 (Domain Users. For local accounts this RID means Users) – for domain and local users.
See this article https://support.microsoft.com/kb/243330 for more information. This parameter contains the
value of primaryGroupID attribute of new user object.
Allowed To Delegate To [Type = UnicodeString]: the list of SPNs to which this account can present delegated
credentials. Can be changed using Active Directory Users and Computers management console in Delegation
tab of user account, if this account has at least one SPN registered. This parameter contains the value of
AllowedToDelegateTo attribute of new user object. For local user accounts this field is not applicable and
typically has value “-”. For new domain user accounts it typically has value “-”. See the description of the
AllowedToDelegateTo field for the “4738(S): A user account was changed.” event for more details.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must have
its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might
use for authentication. For example, an SPN always includes the name of the host computer on which the
service instance is running, so a service instance might register an SPN for each name or alias of its host.
Old UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user account. The Old UAC value is always “0x0” for new user accounts. This
parameter contains the previous value of the userAccountControl attribute of the user object.
New UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user account. This parameter contains the value of userAccountControl
attribute of new user object.
To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s
account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the
flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that
event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to
the next flag.
Here's an example: Flags value from event: 0x15
Decoding:
• PASSWD_NOTREQD 0x0020
• LOCKOUT 0x0010
• HOMEDIR_REQUIRED 0x0008
• (undeclared) 0x0004
• ACCOUNTDISABLE 0x0002
• SCRIPT 0x0001
0x0020 > 0x15, so PASSWD_NOTREQD does not apply to this event
0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
So this UAC flags value decodes to: LOCKOUT and SCRIPT
User Account Control [Type = UnicodeString]: shows the list of changes in userAccountControl attribute.
You will see a line of text for each change. For new user accounts, when the object for this account was created,
the userAccountControl value was considered to be “0x0”, and then it was changed from “0x0” to the real
value for the account's userAccountControl attribute. See possible values in the table below. In the “User
Account Control field text” column, you can see the text that will be displayed in the User Account Control
field in 4720 event.
FLAG NAME | HEX VALUE | DECIMAL VALUE | DESCRIPTION | USER ACCOUNT CONTROL FIELD TEXT
USE_DES_KEY_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. Can be set using the “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled; 'Use DES Key Only' - Enabled
For new, manually created, domain or local user accounts typical flags are:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' – Enabled
After the new user creation event you will typically see a couple of “4738: A user account was changed.” events
with new flags:
'Password Not Required' – Disabled
Account Enabled
User Parameters [Type = UnicodeString]: if you change any setting using Active Directory Users and
Computers management console in Dial-in tab of user’s account properties, then you will see <value
changed, but not displayed> in this field in “4738: A user account was changed.” This parameter might
not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has
value “<value not set>”.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the
value of sIDHistory attribute of new user object. This parameter might not be captured in the event, and in
that case appears as “-”.
Logon Hours [Type = UnicodeString]: hours that the account is allowed to log on to the domain. The value
of logonHours attribute of new user object. You can change this attribute by using Active Directory Users
and Computers, or through a script, for example. You will typically see “<value not set>” value for new
manually created user accounts in event 4720. For new local accounts this field is not applicable and
typically has value “All”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
FIELD AND VALUE TO TRACK | REASON TO TRACK
SAM Account Name is empty or - | This field must contain the user account name. If it is empty or -, it might indicate an anomaly.
User Principal Name is empty or - | Typically this field should not be empty for new user accounts. If it is empty or -, it might indicate an anomaly.
Home Directory is not -; Home Drive is not -; Script Path is not -; Profile Path is not -; User Workstations is not - | Typically these fields are - for new user accounts. Other values might indicate an anomaly and should be monitored. For local accounts these fields should display <value not set>.
Password Last Set is <never> | This typically means this is a manually created user account, which you might need to monitor.
Password Last Set is a time in the future | This might indicate an anomaly.
Account Expires is not <never> | Typically this field is <never> for new user accounts. Other values might indicate an anomaly and should be monitored.
Primary Group ID is not 513 | Typically, the Primary Group value is 513 for domain and local users. Other values should be monitored.
Allowed To Delegate To is not - | Typically this field is - for new user accounts. Other values might indicate an anomaly and should be monitored.
Old UAC Value is not 0x0 | Typically this field is 0x0 for new user accounts. Other values might indicate an anomaly and should be monitored.
SID History is not - | This field will always be set to - unless the account was migrated from another domain.
Logon Hours value other than <value not set> or “All” | This should always be <value not set> for new domain user accounts, and “All” for new local user accounts.
'Encrypted Text Password Allowed' – Enabled; 'Smartcard Required' – Enabled; 'Not Delegated' – Enabled; 'Use DES Key Only' – Enabled; 'Don't Require Preauth' – Enabled; 'Trusted To Authenticate For Delegation' – Enabled | By default, these flags should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in.
'Server Trust Account' – Enabled | Should never be enabled for user accounts. Applies only to domain controller (computer) accounts.
'Don't Expire Password' – Enabled | Should be monitored for critical accounts, or all accounts if your organization does not allow this flag. By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in.
'Trusted For Delegation' – Enabled | By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. It is enabled by default only for new domain controllers.
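The New UAC Value decoding walk-through above and the monitoring table for event 4720 share one added Python example, which is not Microsoft's code: it decodes a UAC flags value from the largest flag down and then applies the table's checks to a 4720 EventData record. The flag bit values are the standard userAccountControl constants for the names the text uses (Table 7 is not reproduced on this page), and the %%-resource-id mapping and both sample records are constructed assumptions.

```python
"""Added example, not Microsoft's code: decode a 4720 event's New UAC Value
and apply the monitoring table's checks.  Input is a dict of EventData names
as they appear in the Event XML; the samples at the bottom are constructed."""

# Standard userAccountControl (ADS_UF_*) bit values for the flag names the
# text uses; Table 7 itself is not reproduced on this page.
UAC_FLAGS = {
    "SCRIPT": 0x0001, "ACCOUNTDISABLE": 0x0002, "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010, "PASSWD_NOTREQD": 0x0020, "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080, "NORMAL_ACCOUNT": 0x0200,
    "SERVER_TRUST_ACCOUNT": 0x2000, "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000, "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000, "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000, "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}

# Flags the monitoring table says should not be enabled on a new user account.
SUSPICIOUS_FLAGS = {
    "ENCRYPTED_TEXT_PWD_ALLOWED", "SMARTCARD_REQUIRED", "NOT_DELEGATED",
    "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH", "TRUSTED_TO_AUTH_FOR_DELEGATION",
    "SERVER_TRUST_ACCOUNT", "DONT_EXPIRE_PASSWORD", "TRUSTED_FOR_DELEGATION",
}

# Raw Event XML carries resource ids where Event Viewer shows text.  This
# mapping is inferred from the documented 4720 example and is an assumption:
# %%1794 renders as "<never>", %%1793 as "<value not set>".
RENDERED = {"%%1794": "<never>", "%%1793": "<value not set>"}


def decode_uac(value):
    """Walk the flag table from the largest value to the smallest, as the text
    describes.  The subtract-and-continue walk is only right when every bit
    position is in the table (the text lists an "undeclared" 0x4 for that
    reason), so each flag is tested with a bitwise AND instead, which gives
    the same answer for any table.  Returns (flag names, undeclared bits)."""
    flags = int(value, 16)
    names = [name for name, bit in sorted(UAC_FLAGS.items(),
                                          key=lambda kv: -kv[1]) if flags & bit]
    declared = 0
    for bit in UAC_FLAGS.values():
        declared |= bit
    return names, flags & ~declared


def check_4720(data):
    """Return the monitoring-table findings for one 4720 EventData dict."""
    def shown(name):            # value as Event Viewer would display it
        value = data.get(name, "-")
        return RENDERED.get(value, value)

    findings = []
    if data.get("SamAccountName", "") in ("", "-"):
        findings.append("SAM Account Name is empty or -")
    if data.get("UserPrincipalName", "") in ("", "-"):
        findings.append("User Principal Name is empty or -")
    # HomePath is the XML name of the rendered "Home Drive" field.
    for name in ("HomeDirectory", "HomePath", "ScriptPath", "ProfilePath",
                 "UserWorkstations", "AllowedToDelegateTo", "SidHistory"):
        if data.get(name, "-") != "-":
            findings.append(f"{name} is not -")
    if shown("PasswordLastSet") == "<never>":
        findings.append("Password Last Set is <never> (manually created account)")
    if shown("AccountExpires") != "<never>":
        findings.append("Account Expires is not <never>")
    if data.get("PrimaryGroupId") != "513":
        findings.append("Primary Group ID is not 513")
    if data.get("OldUacValue") != "0x0":
        findings.append("Old UAC Value is not 0x0")
    if shown("LogonHours") not in ("<value not set>", "All"):
        findings.append("Logon Hours is neither <value not set> nor All")
    names, _undeclared = decode_uac(data.get("NewUacValue", "0x0"))
    findings += [f"New UAC flag {n} enabled" for n in names if n in SUSPICIOUS_FLAGS]
    return findings


# Constructed from the documented 4720 example (values as in the Event XML).
DOCUMENTED_4720 = {
    "TargetUserName": "ksmith", "SamAccountName": "ksmith",
    "DisplayName": "Ken Smith", "UserPrincipalName": "ksmith@contoso.local",
    "HomeDirectory": "-", "HomePath": "-", "ScriptPath": "-", "ProfilePath": "-",
    "UserWorkstations": "-", "PasswordLastSet": "%%1794",
    "AccountExpires": "%%1794", "PrimaryGroupId": "513",
    "AllowedToDelegateTo": "-", "OldUacValue": "0x0", "NewUacValue": "0x15",
    "UserParameters": "-", "SidHistory": "-", "LogonHours": "%%1793",
}

# Constructed variant: 'Don't Require Preauth' set, a SID History entry and a
# non-default primary group (512 is the Domain Admins RID) on a new account.
ODD_4720 = dict(DOCUMENTED_4720, NewUacValue="0x400200", PrimaryGroupId="512",
                SidHistory="S-1-5-21-1111111111-2222222222-3333333333-1234")

if __name__ == "__main__":
    print(decode_uac("0x15"))  # (['LOCKOUT', 'SCRIPT'], 4)
    for finding in check_4720(ODD_4720):
        print(finding)
```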
4722(S): A user account was enabled.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user or computer object is enabled.
For user accounts, this event generates on domain controllers, member servers, and workstations.
For computer accounts, this event generates only on domain controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4722</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-21T23:55:11.038308600Z" />
<EventRecordID>175716</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “enable account”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account that was enabled. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was enabled.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a high-value domain or local account for which you need to monitor every change, monitor all
4722 events with the “Target Account\Security ID” that corresponds to the account.
If you have domain or local accounts that should never be enabled, you can monitor all 4722 events with
the “Target Account\Security ID” fields that correspond to the accounts.
We recommend monitoring all 4722 events for local accounts, because these accounts usually do not
change often. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
4723(S, F): An attempt was made to change an account's password.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user attempts to change his or her password.
For user accounts, this event generates on domain controllers, member servers, and workstations.
For domain accounts, a Failure event generates if the new password fails to meet the password policy.
For local accounts, a Failure event generates if the new password fails to meet the password policy or the old password is wrong.
For domain accounts, if the old password was wrong, then “4771: Kerberos pre-authentication failed” or “4776: The computer attempted to validate the credentials for an account” will be generated on the domain controller if the specific subcategories were enabled on it.
Typically you will see 4723 events with the same Subject\Security ID and Target Account\Security ID fields, which is normal behavior.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4723</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T01:32:51.494558000Z" />
<EventRecordID>175722</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x1a9b76</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to change Target’s
Account password.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account: account for which the password change was requested.
Security ID [Type = SID]: SID of the account for which the password change was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account for which the password change was
requested.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a high-value domain or local user account for which you need to monitor every password
change attempt, monitor all 4723 events with the “Target Account\Security ID” that corresponds to the
account.
If you have a high-value domain or local account for which you need to monitor every change, monitor all
4723 events with the “Target Account\Security ID” that corresponds to the account.
If you have domain or local accounts for which the password should never be changed, you can monitor all
4723 events with the “Target Account\Security ID” that corresponds to the account.
4724(S, F): An attempt was made to reset an account's password.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time an account attempted to reset the password for another account.
For user accounts, this event generates on domain controllers, member servers, and workstations.
For domain accounts, a Failure event generates if the new password fails to meet the password policy.
A Failure event does NOT generate if the user gets “Access Denied” while doing the password reset procedure; a reset that is refused by the target object's permissions therefore leaves no 4724 record at all.
This event also generates if a computer account reset procedure was performed.
For local accounts, a Failure event generates if the new password fails to meet the local password policy.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4724</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T01:58:21.725864900Z" />
<EventRecordID>175740</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="548" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">User1</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1107</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
</EventData>
</Event>
Subject:
Security ID [Type = SID]: SID of the account that requested the “reset password” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. For background on security identifiers, see the Note under event 4723 and Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to reset Target’s
Account password.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account: account for which password reset was requested.
Security ID [Type = SID]: SID of the account for which the password reset was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account for which password reset was requested.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a high-value domain or local user account for which you need to monitor every password reset
attempt, monitor all 4724 events with the “Target Account\Security ID” that corresponds to the account.
If you have a high-value domain or local account for which you need to monitor every change, monitor all
4724 events with the “Target Account\Security ID” that corresponds to the account.
If you have domain or local accounts for which the password should never be reset, you can monitor all
4724 events with the “Target Account\Security ID” that corresponds to the account.
We recommend monitoring all 4724 events for local accounts, because their passwords usually do not
change often. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
4725(S): A user account was disabled.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user or computer object is disabled.
For user accounts, this event generates on domain controllers, member servers, and workstations.
For computer accounts, this event generates only on domain controllers.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4725</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-21T23:55:07.657358900Z" />
<EventRecordID>175714</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
</EventData>
</Event>
Subject:
Security ID [Type = SID]: SID of the account that requested the “disable account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. For background on security identifiers, see the Note under event 4723 and Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “disable account”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of the account that was disabled. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was disabled.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a high-value domain or local account for which you need to monitor every change, monitor all
4725 events with the “Target Account\Security ID” that corresponds to the account.
If you have domain or local accounts that should never be disabled (for example, service accounts), you can
monitor all 4725 events with the “Target Account\Security ID” that corresponds to the account.
We recommend monitoring all 4725 events for local accounts, because these accounts usually do not
change often. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
4726(S): A user account was deleted.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user object is deleted.
This event generates on domain controllers, member servers, and workstations.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4726</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T00:52:25.104613800Z" />
<EventRecordID>175720</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Subject:
Security ID [Type = SID]: SID of the account that requested the “delete user account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. For background on security identifiers, see the Note under event 4723 and Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete user account”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of the account that was deleted. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was deleted.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a high-value domain or local account for which you need to monitor every change (or deletion),
monitor all 4726 events with the “Target Account\Security ID” that corresponds to the account.
If you have a domain or local account that should never be deleted (for example, service accounts), monitor
all 4726 events with the “Target Account\Security ID” that corresponds to the account.
We recommend monitoring all 4726 events for local accounts, because these accounts typically are not
deleted often. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
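The monitoring recommendations for 4723, 4724, 4725 and 4726 above all reduce to a few rules over the same fields: alert on every event whose Target Account\Security ID is a high-value or never-change account, alert on every 4724/4725/4726 that touches a local account, and separate the Failure records (a new password rejected by policy) from the Success ones. The following Python is an added example and not code from the Microsoft page: it parses trimmed copies of the sample events shown on this page plus two constructed records (a 4724 Failure, and a local-account reset on an assumed workstation WS01 by an assumed account svc_deploy) and applies those rules against an assumed watchlist. A local account is recognised the way the page describes it, by the Account Domain field holding the computer name instead of the domain; a Failure record is recognised by the Audit Failure keyword bit (Keywords 0x8010000000000000 rather than 0x8020000000000000).

```python
# Added example (not from the Microsoft page): watchlist triage for 4723/4724/4725/4726.
# The watchlist SIDs, the WS01 host and the svc_deploy account are assumptions; the XML
# records are constructed from the fields shown on this page, trimmed to what the rules need.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE_BIT = 1 << 52      # Keywords 0x8010... = Audit Failure, 0x8020... = Audit Success
DOM = "S-1-5-21-3457937927-2839227994-823803824"   # domain SID prefix used in the page samples
DADMIN = ("dadmin", "CONTOSO", f"{DOM}-1104")
ACTION = {4723: "password change", 4724: "password reset", 4725: "disable", 4726: "delete"}

# Assumed watchlist: SID -> why it matters (high-value accounts, accounts that must never be
# disabled or deleted, accounts whose password should never change).
WATCHLIST = {
    f"{DOM}-1104": "dadmin (domain admin)",
    f"{DOM}-2104": "Auditor (service account; never disable, never reset)",
}


def make_event(event_id, computer, target, subject, keywords="0x8020000000000000"):
    """Build a trimmed Security-channel record (constructed test data, not a real log)."""
    tname, tdomain, tsid = target
    sname, sdomain, ssid = subject
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f"<Keywords>{keywords}</Keywords><Computer>{computer}</Computer></System>"
        f'<EventData><Data Name="TargetUserName">{tname}</Data>'
        f'<Data Name="TargetDomainName">{tdomain}</Data><Data Name="TargetSid">{tsid}</Data>'
        f'<Data Name="SubjectUserSid">{ssid}</Data><Data Name="SubjectUserName">{sname}</Data>'
        f'<Data Name="SubjectDomainName">{sdomain}</Data></EventData></Event>'
    )


SAMPLES = [
    make_event(4723, "DC01.contoso.local", DADMIN, DADMIN),                    # page sample: own password
    make_event(4724, "DC01.contoso.local", ("User1", "CONTOSO", f"{DOM}-1107"), DADMIN),
    make_event(4724, "DC01.contoso.local", ("User1", "CONTOSO", f"{DOM}-1107"), DADMIN,
               keywords="0x8010000000000000"),                                 # constructed: policy failure
    make_event(4724, "WS01.contoso.local",                                      # constructed: local admin reset
               ("Administrator", "WS01", "S-1-5-21-1000000001-1000000002-1000000003-500"),
               ("svc_deploy", "CONTOSO", f"{DOM}-1150")),
    make_event(4725, "DC01.contoso.local", ("Auditor", "CONTOSO", f"{DOM}-2104"), DADMIN),
    make_event(4726, "DC01.contoso.local", ("ksmith", "CONTOSO", f"{DOM}-6609"), DADMIN),
]


def parse_event(xml_text):
    """Return the System and EventData fields the triage rules need."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    keywords = int(system.findtext("e:Keywords", namespaces=NS), 16)
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "failure": bool(keywords & AUDIT_FAILURE_BIT),
        **data,
    }


def is_local_account(ev):
    """Local accounts carry the computer name, not the domain, in TargetDomainName."""
    host = ev["computer"].split(".")[0]
    return ev["TargetDomainName"].lower() == host.lower()


def triage(ev, watchlist=WATCHLIST):
    """Apply the page's monitoring recommendations; one finding per matched rule."""
    eid, findings = ev["event_id"], []
    if eid not in ACTION:
        return findings
    who = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]} (logon on {ev["computer"]})'
    target = f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}'
    label = watchlist.get(ev["TargetSid"])
    if label:   # every change to a high-value / never-touch account
        findings.append(f"{eid}: {ACTION[eid]} attempt on watchlisted {label} [{target}] by {who}")
    if eid in (4724, 4725, 4726) and is_local_account(ev):   # local accounts rarely change
        findings.append(f"{eid}: local account {ACTION[eid]} of {target} by {who}")
    if ev["failure"]:   # 4723/4724 Failure = new password rejected by policy (not Access Denied)
        findings.append(f"{eid}: failed {ACTION[eid]} of {target} by {who} (password policy)")
    return findings


def run(samples=SAMPLES, watchlist=WATCHLIST):
    return [f for s in samples for f in triage(parse_event(s), watchlist)]


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Keyed on TargetSid rather than on the account name, the watchlist survives renames of the target account; the Subject fields and Logon ID are carried into each finding so the 4624 logon session of the actor can be pulled next.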
4738(S): A user account was changed.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user object is changed.
This event generates on domain controllers, member servers, and workstations.
For each change, a separate 4738 event will be generated.
You might see this event without any changes inside, that is, where all Changed Attributes appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the discretionary access control list (DACL) is changed, a 4738 event will generate, but all attributes will be “-“.
Some changes do not invoke a 4738 event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4738</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T16:22:02.792454100Z" />
<EventRecordID>175413</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="Dummy">-</Data>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30dc2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">-</Data>
<Data Name="AccountExpires">-</Data>
<Data Name="PrimaryGroupId">-</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x15</Data>
<Data Name="NewUacValue">0x211</Data>
<Data Name="UserAccountControl">%%2050 %%2089</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">-</Data>
</EventData>
</Event>
Subject:
Security ID [Type = SID]: SID of the account that requested the “change user account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. For background on security identifiers, see the Note under event 4723 and Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change user
account” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of the account that was changed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was changed.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Changed Attributes:
If an attribute was not changed, it will have the “-“ value.
Unfortunately, for local accounts this does not hold: every field except the changed attributes is populated with its previous (current) value, and the changed attributes carry their new values, so it is hard to tell which attribute was really changed. Only the User Account Control field is populated solely when it was modified.
SAM Account Name [Type = UnicodeString]: logon name for account used to support clients and servers
from previous versions of Windows (pre-Windows 2000 logon name). If the value of sAMAccountName
attribute of user object was changed, you will see the new value here. For example: ladmin. For local
accounts, this field always has some value—if the account's attribute was not changed it will contain the
current value of the attribute.
Display Name [Type = UnicodeString]: it is a name, displayed in the address book for a particular account.
This is usually the combination of the user's first name, middle initial, and last name. You can change this
attribute by using Active Directory Users and Computers, or through a script, for example. If the value of
displayName attribute of user object was changed, you will see the new value here. For local accounts,
this field always has some value—if the account's attribute was not changed it will contain the current value
of the attribute.
User Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the
Internet standard RFC 822. By convention this should map to the account's email name. If the value of
userPrincipalName attribute of user object was changed, you will see the new value here. You can change
this attribute by using Active Directory Users and Computers, or through a script, for example. For local
accounts, this field is not applicable and always has “-“ value.
Home Directory [Type = UnicodeString]: user's home directory. If homeDrive attribute is set and
specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the
form \\Server\Share\Directory. If the value of homeDirectory attribute of user object was changed, you
will see the new value here. You can change this attribute by using Active Directory Users and Computers,
or through a script, for example. For local accounts, this field always has some value—if the account's
attribute was not changed it will contain the current value of the attribute.
Home Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by
homeDirectory account’s attribute. The drive letter must be specified in the form “DRIVE_LETTER:”. For
example – “H:”. If the value of homeDrive attribute of user object was changed, you will see the new value
here. You can change this attribute by using Active Directory Users and Computers, or through a script, for
example. For local accounts, this field always has some value—if the account's attribute was not changed it
will contain the current value of the attribute.
Script Path [Type = UnicodeString]: specifies the path of the account’s logon script. If the value of
scriptPath attribute of user object was changed, you will see the new value here. You can change this
attribute by using Active Directory Users and Computers, or through a script, for example. For local
accounts, this field always has some value—if the account's attribute was not changed it will contain the
current value of the attribute.
Profile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null
string, a local absolute path, or a UNC path. If the value of profilePath attribute of user object was
changed, you will see the new value here. You can change this attribute by using Active Directory Users and
Computers, or through a script, for example. For local accounts, this field always has some value—if the
account's attribute was not changed it will contain the current value of the attribute.
User Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers
from which the user can logon. Each computer name is separated by a comma. The name of a computer is
the sAMAccountName property of a computer object. If the value of userWorkstations attribute of user
object was changed, you will see the new value here. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example. For local accounts, this field is not
applicable and always appears as “<value not set>.“
Password Last Set [Type = UnicodeString]: last time the account’s password was modified. If the value of
pwdLastSet attribute of user object was changed, you will see the new value here. For example: 8/12/2015
11:41:39 AM. This value will be changed, for example, after manual user account password reset. For local
accounts, this field always has some value—if the account's attribute was not changed it will contain the
current value of the attribute.
Account Expires [Type = UnicodeString]: the date when the account expires. If the value of the accountExpires attribute of the user object was changed, you will see the new value here. For example, “9/21/2015 12:00:00 AM”. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute.
Primary Group ID [Type = UnicodeString]: Relative Identifier (RID) of the user object's primary group.
Note Relative identifier (RID) is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain.
This field will contain some value if the user object's primary group was changed. You can change a user's primary group using the Active Directory Users and Computers management console in the Member Of tab of the user object's properties. You will see the RID of the new primary group as the field value. For example, RID 513 (Domain Users) is the default primary group for users.
Typical Primary Group values for user accounts:
513 (Domain Users. For local accounts this RID means Users) – for domain and local users.
See this article https://support.microsoft.com/kb/243330 for more information. If the value of the primaryGroupID attribute of the user object was changed, you will see the new value here.
AllowedToDelegateTo [Type = UnicodeString]: the list of SPNs to which this account can present delegated credentials. Can be changed using the Active Directory Users and Computers management console in the Delegation tab of the user account, if at least one SPN is registered for the user account. If the SPNs list on the Delegation tab of a user account was changed, you will see the new SPNs list in the AllowedToDelegateTo field (note that you will see the new list instead of the changes) of this event. This is an example of AllowedToDelegateTo:
dcom/WIN2012
dcom/WIN2012.contoso.local
If the value of the msDS-AllowedToDelegateTo attribute of the user object was changed, you will see the new value here.
The value can be “<value not set>”, for example, if delegation was disabled.
For local accounts, this field is not applicable and always has the “-“ value.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
Old UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user account. This parameter contains the previous value of
userAccountControl attribute of user object.
New UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user account. If the value of userAccountControl attribute of user object
was changed, you will see the new value here.
To decode this value, test each flag bit individually: a flag is set if a bitwise AND of the flags value with the flag's hex value is non-zero. By hand, walk the flag table from the largest value to the smallest; whenever the remaining value is greater than or equal to the flag's value, the flag is set, so note it, subtract it, and continue with the next flag.
Note The hex values in the Old UAC Value and New UAC Value fields are not the LDAP userAccountControl (UF_*) encoding listed in “Table 7. User’s or Computer’s account UAC flags.” The event carries the SAM USER_* encoding (ntsam.h), in which the bits are: 0x1 USER_ACCOUNT_DISABLED, 0x2 USER_HOME_DIRECTORY_REQUIRED, 0x4 USER_PASSWORD_NOT_REQUIRED, 0x8 USER_TEMP_DUPLICATE_ACCOUNT, 0x10 USER_NORMAL_ACCOUNT, 0x20 USER_MNS_LOGON_ACCOUNT, 0x40 USER_INTERDOMAIN_TRUST_ACCOUNT, 0x80 USER_WORKSTATION_TRUST_ACCOUNT, 0x100 USER_SERVER_TRUST_ACCOUNT, 0x200 USER_DONT_EXPIRE_PASSWORD, 0x400 USER_ACCOUNT_AUTO_LOCKED, 0x800 USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED, 0x1000 USER_SMARTCARD_REQUIRED, 0x2000 USER_TRUSTED_FOR_DELEGATION, 0x4000 USER_NOT_DELEGATED, 0x8000 USER_USE_DES_KEY_ONLY, 0x10000 USER_DONT_REQUIRE_PREAUTH, 0x20000 USER_PASSWORD_EXPIRED, 0x40000 USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION. Table 7 remains the reference for the text lines shown in the User Account Control field; for the two hex fields, use the USER_* values above.
Here's an example, using the values from the event XML above: Old UAC Value 0x15, New UAC Value 0x211.
Decoding 0x15:
0x10 <= 0x15, so USER_NORMAL_ACCOUNT is set. 0x15 - 0x10 = 0x5
0x8 > 0x5, so USER_TEMP_DUPLICATE_ACCOUNT is not set
0x4 <= 0x5, so USER_PASSWORD_NOT_REQUIRED is set. 0x5 - 0x4 = 0x1
0x2 > 0x1, so USER_HOME_DIRECTORY_REQUIRED is not set
0x1 = 0x1, so USER_ACCOUNT_DISABLED is set. 0x1 - 0x1 = 0x0, we're done.
So 0x15 decodes to: Normal Account, Password Not Required, Account Disabled.
Decoding 0x211 the same way gives 0x200 USER_DONT_EXPIRE_PASSWORD, 0x10 USER_NORMAL_ACCOUNT and 0x1 USER_ACCOUNT_DISABLED.
The difference between the two values is the change the event reports: 0x4 (Password Not Required) was cleared and 0x200 (Don't Expire Password) was set, which is exactly what the User Account Control field of the sample carries (%%2050 and %%2089, rendered as 'Password Not Required' – Disabled and 'Don't Expire Password' – Enabled). Decoded with the Table 7 values instead, 0x15 would read as LOCKOUT, SCRIPT and an undefined 0x4 bit, which does not match the reported change.
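An added example, not part of the Microsoft page, that performs the decoding above in code: it expands the two hex fields with the USER_* values, lists the bits that differ between Old UAC Value and New UAC Value in bit order, reproduces the lines of the User Account Control field, and flags the transitions the monitoring table at the end of this event calls out as weakening an account. The inputs are the values from this page's sample event. The %%2048/%%2080 message-ID numbering (2080 plus the bit index when a flag is turned on, 2048 plus the bit index when it is turned off) is inferred from the bit order and the sample's “%%2050 %%2089” and should be confirmed against your own events; the text for the 'Account Disabled' bit is rendered without an Enabled/Disabled suffix, as Event Viewer does.

```python
# Added example (not from the Microsoft page): decode the Old/New UAC Value fields of 4738
# with the SAM USER_* flag encoding (ntsam.h) and derive the reported change list.
# The %%2048/%%2080 message-ID numbering is inferred from the bit order and this page's
# sample (0x15 -> 0x211 carried as "%%2050 %%2089"); confirm it against your own events.
SAM_UAC_FLAGS = [  # (bit, USER_* constant, text used in the "User Account Control" field)
    (0x00000001, "USER_ACCOUNT_DISABLED", "Account Disabled"),
    (0x00000002, "USER_HOME_DIRECTORY_REQUIRED", "Home Directory Required"),
    (0x00000004, "USER_PASSWORD_NOT_REQUIRED", "Password Not Required"),
    (0x00000008, "USER_TEMP_DUPLICATE_ACCOUNT", "Temp Duplicate Account"),
    (0x00000010, "USER_NORMAL_ACCOUNT", "Normal Account"),
    (0x00000020, "USER_MNS_LOGON_ACCOUNT", "MNS Logon Account"),
    (0x00000040, "USER_INTERDOMAIN_TRUST_ACCOUNT", "Interdomain Trust Account"),
    (0x00000080, "USER_WORKSTATION_TRUST_ACCOUNT", "Workstation Trust Account"),
    (0x00000100, "USER_SERVER_TRUST_ACCOUNT", "Server Trust Account"),
    (0x00000200, "USER_DONT_EXPIRE_PASSWORD", "Don't Expire Password"),
    (0x00000400, "USER_ACCOUNT_AUTO_LOCKED", "Account Auto Locked"),
    (0x00000800, "USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED", "Encrypted Text Password Allowed"),
    (0x00001000, "USER_SMARTCARD_REQUIRED", "Smartcard Required"),
    (0x00002000, "USER_TRUSTED_FOR_DELEGATION", "Trusted For Delegation"),
    (0x00004000, "USER_NOT_DELEGATED", "Not Delegated"),
    (0x00008000, "USER_USE_DES_KEY_ONLY", "Use DES Key Only"),
    (0x00010000, "USER_DONT_REQUIRE_PREAUTH", "Don't Require Preauth"),
    (0x00020000, "USER_PASSWORD_EXPIRED", "Password Expired"),
    (0x00040000, "USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION", "Trusted To Authenticate For Delegation"),
]
BIT_INDEX = {name: i for i, (_, name, _) in enumerate(SAM_UAC_FLAGS)}

# Flags whose enabling the monitoring table for this event calls out as weakening the account.
RISKY_WHEN_SET = {"USER_PASSWORD_NOT_REQUIRED", "USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
                  "USER_SERVER_TRUST_ACCOUNT", "USER_DONT_EXPIRE_PASSWORD"}


def parse_hex(field):
    """Old/New UAC Value as it appears in the event, e.g. '0x211'."""
    return int(field, 16)


def decode_uac(value):
    """Set of USER_* names whose bit is set (a bitwise AND per flag, the hand method in the text)."""
    return {name for bit, name, _ in SAM_UAC_FLAGS if value & bit}


def uac_changes(old, new):
    """(USER_* name, text, enabled?) for every bit that differs between old and new, in bit order."""
    diff = old ^ new
    return [(name, text, bool(new & bit)) for bit, name, text in SAM_UAC_FLAGS if diff & bit]


def render_changes(old, new):
    """Reproduce the lines Event Viewer shows in the User Account Control field."""
    lines = []
    for name, text, enabled in uac_changes(old, new):
        if name == "USER_ACCOUNT_DISABLED":   # rendered without the Enabled/Disabled suffix
            lines.append("Account Disabled" if enabled else "Account Enabled")
        else:
            lines.append(f"'{text}' - {'Enabled' if enabled else 'Disabled'}")
    return lines


def message_ids(old, new):
    """The raw %%NNNN tokens in the XML (inferred numbering, see the lead-in)."""
    return " ".join(f"%%{(2080 if enabled else 2048) + BIT_INDEX[name]}"
                    for name, _, enabled in uac_changes(old, new))


def risky_changes(old, new):
    """Flags from the monitoring table that this change turned on."""
    return [name for name, _, enabled in uac_changes(old, new) if enabled and name in RISKY_WHEN_SET]


if __name__ == "__main__":
    old, new = parse_hex("0x15"), parse_hex("0x211")   # values from this page's sample event
    print(sorted(decode_uac(old)), "->", sorted(decode_uac(new)))
    print(render_changes(old, new), message_ids(old, new), risky_changes(old, new))
```

Diffing Old and New (old XOR new) rather than reading only New is what turns the event into an alertable transition: the sample is benign-looking until the diff shows 'Don't Expire Password' being switched on, which is the condition the table below asks you to watch.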
User Account Control [Type = UnicodeString]: shows the list of changes in userAccountControl
attribute. You will see a line of text for each change. See possible values in here: “Table 7. User’s or
Computer’s account UAC flags.”. In the “User Account Control field text” column, you can see the text that
will be displayed in the User Account Control field in 4738 event.
User Parameters [Type = UnicodeString]: if you change any setting using Active Directory Users and
Computers management console in Dial-in tab of user’s account properties, then you will see <value
changed, but not displayed> in this field. For local accounts, this field is not applicable and always has
“<value not set>“ value.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. If the value of sIDHistory
attribute of user object was changed, you will see the new value here.
Logon Hours [Type = UnicodeString]: hours that the account is allowed to logon to the domain. If the
value of logonHours attribute of user object was changed, you will see the new value here. You can
change this attribute by using Active Directory Users and Computers, or through a script, for example.
Here is an example of this field:
Sunday 12:00 AM - 7:00 PM
Sunday 9:00 PM - Monday 1:00 PM
Monday 2:00 PM - Tuesday 6:00 PM
Tuesday 8:00 PM - Wednesday 10:00 AM
For local accounts this field is not applicable and typically has the value “All”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as
“-”. See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
• Display Name, User Principal Name, Home Directory, Home Drive, Script Path, Profile Path, User
Workstations, Password Last Set, Account Expires, Primary Group ID, Logon Hours: we recommend
monitoring all changes to these fields for critical domain and local accounts.
• Primary Group ID is not 513: typically, the Primary Group value is 513 for domain and local users. Other
values should be monitored.
• AllowedToDelegateTo is marked <value not set>, for user accounts for which the services list (on the
Delegation tab) should not be empty: if AllowedToDelegateTo is marked <value not set> on user accounts
that previously had a services list (on the Delegation tab), it means the list was cleared.
• SID History is not -: this field will always be set to - unless the account was migrated from another
domain.
USER ACCOUNT CONTROL FLAG TO TRACK: INFORMATION ABOUT THE FLAG
• 'Password Not Required' – Enabled: should not typically be enabled for user accounts because it weakens
security for the account.
• 'Encrypted Text Password Allowed' – Enabled: should not typically be enabled for user accounts because it
weakens security for the account.
• 'Server Trust Account' – Enabled: should never be enabled for user accounts. Applies only to domain
controller (computer) accounts.
• 'Don't Expire Password' – Enabled: should be monitored for critical accounts, or all accounts if your
organization does not allow this flag.
• 'Password Not Required' – Disabled: should be monitored for all accounts where the setting should be
“Enabled.”
• 'Encrypted Text Password Allowed' – Disabled: should be monitored for all accounts where the setting
should be “Enabled.”
• 'Don't Expire Password' – Disabled: should be monitored for all accounts where the setting should be
“Enabled.”
• 'Smartcard Required' – Disabled: should be monitored for all accounts where the setting should be
“Enabled.”
• 'Trusted For Delegation' – Enabled: means that Kerberos constrained or unconstrained delegation was
enabled for the user account. We recommend monitoring this to discover whether it is an approved action
(done by an administrator), a mistake, or a malicious action.
• 'Trusted For Delegation' – Disabled: means that Kerberos constrained or unconstrained delegation was
disabled for the user account. We recommend monitoring this to discover whether it is an approved action
(done by an administrator), a mistake, or a malicious action. Also, if you have a list of user accounts for
which delegation is critical and should not be disabled, monitor this for those accounts.
• 'Trusted To Authenticate For Delegation' – Enabled: means that protocol transition delegation was enabled
for the user account. We recommend monitoring this to discover whether it is an approved action (done by an
administrator), a mistake, or a malicious action.
• 'Trusted To Authenticate For Delegation' – Disabled: means that protocol transition delegation was
disabled for the user account. We recommend monitoring this to discover whether it is an approved action
(done by an administrator), a mistake, or a malicious action. Also, if you have a list of user accounts for
which delegation is critical and should not be disabled, monitor this for those accounts.
• 'Not Delegated' – Enabled: means that “Account is sensitive and cannot be delegated” was checked for the
user account. We recommend monitoring this to discover whether it is an approved action (done by an
administrator), a mistake, or a malicious action.
• 'Not Delegated' – Disabled: should be monitored for all accounts where the setting should be “Enabled.”
Means that “Account is sensitive and cannot be delegated” was unchecked for the user account. We recommend
monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a
malicious action.
• 'Use DES Key Only' – Enabled: should not typically be enabled for user accounts because it weakens security
for the account’s Kerberos authentication.
• 'Don't Require Preauth' – Enabled: should not be enabled for user accounts because it weakens security for
the account’s Kerberos authentication.
• 'Use DES Key Only' – Disabled: should be monitored for all accounts where the setting should be “Enabled.”
• 'Don't Require Preauth' – Disabled: should be monitored for all accounts where the setting should be
“Enabled.”
4740(S): A user account was locked out.
4/5/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account
Management
Event Description:
This event generates every time a user
account is locked out.
For user accounts, this event generates on
domain controllers, member servers, and
workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4740</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-21T22:06:08.576887500Z" />
    <EventRecordID>175703</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1112" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">Auditor</Data>
    <Data Name="TargetDomainName">WIN81</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that performed the lockout operation.
Account Domain [Type = UnicodeString]: domain or computer name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Account That Was Locked Out:
Security ID [Type = SID]: SID of account that was locked out. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was locked out.
Additional Information:
Caller Computer Name [Type = UnicodeString]: the name of computer account from which logon attempt
was received and after which target account was locked out. For example: WIN81.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Because this event is typically triggered by the SYSTEM account, we recommend that you report it
whenever “Subject\Security ID” is not SYSTEM.
If you have high-value domain or local accounts (for example, domain administrator accounts) for which
you need to monitor every lockout, monitor all 4740 events with the “Account That Was Locked Out
\Security ID” values that correspond to the accounts.
If you have a high-value domain or local account for which you need to monitor every change, monitor all
4740 events with the “Account That Was Locked Out \Security ID” that corresponds to the account.
If the user account “Account That Was Locked Out\Security ID” should not be used (for authentication
attempts) from the Additional Information\Caller Computer Name, then trigger an alert.
Monitor for all 4740 events where Additional Information\Caller Computer Name is not from your
domain. However, be aware that even if the computer is not in your domain you will get the computer
name instead of an IP address in the 4740 event.
4765(S): SID History was added to an account.
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
This event generates when SID History was added to an account.
See more information about SID History here: https://technet.microsoft.com/library/cc779590(v=ws.10).aspx.
There is no example of this event in this document.
Subcategory: Audit User Account Management
Event Schema:
SID History was added to an account.
Subject:
Security ID:%6
Account Name:%7
Account Domain:%8
Logon ID:%9
Target Account:
Security ID:%5
Account Name:%3
Account Domain:%4
Source Account:
Security ID:%2
Account Name:%1
Additional Information:
Privileges:%10
SID List:%11
4766(F): An attempt to add SID History to an account failed.
Applies to
Windows 10
Windows Server 2016
This event generates when an attempt to add SID History to an account failed.
See more information about SID History here: https://technet.microsoft.com/library/cc779590(v=ws.10).aspx.
There is no example of this event in this document.
Subcategory: Audit User Account Management
Event Schema:
An attempt to add SID History to an account failed.
Subject:
Security ID:-
Account Name:%5
Account Domain:%6
Logon ID:%7
Target Account:
Security ID:%4
Account Name:%2
Account Domain:%3
Source Account:
Account Name:%1
Additional Information:
Privileges:%8
4767(S): A user account was unlocked.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account
Management
Event Description:
This event generates every time a user account
is unlocked.
For user accounts, this event generates on
domain controllers, member servers, and
workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4767</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-21T22:31:01.871931700Z" />
    <EventRecordID>175705</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1520" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">Auditor</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x30d5f</Data>
  </EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that performed the unlock operation. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in
the event.
Account Name [Type = UnicodeString]: the name of the account that performed the unlock operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account that was unlocked. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was unlocked.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Security Monitoring Recommendations
For 4767(S): A user account was unlocked.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
4780(S): The ACL was set on accounts which are members of administrators groups.
Applies to
Windows 10
Windows Server 2016
Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master
Operation (FSMO) role compares the ACL on every security principal account (user, group, or machine account) in
its domain that is a member of an administrative or security-sensitive group and has the AdminCount attribute
set to 1 against the ACL on the AdminSDHolder object. If the ACL on the principal account differs from the ACL
on the AdminSDHolder object, the ACL on the principal account is reset to match the AdminSDHolder ACL and this
event is generated.
For some reason, this event doesn’t generate on some OS versions.
Subcategory: Audit User Account Management
Event Schema:
The ACL was set on accounts which are members of administrators groups.
Subject:
Security ID:%4
Account Name:%5
Account Domain:%6
Logon ID:%7
Target Account:
Security ID:%3
Account Name:%1
Account Domain:%2
Additional Information:
Privileges:%8
4781(S): The name of an account was changed.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account
Management
Event Description:
This event generates every time a user or
computer account name (sAMAccountName
attribute) is changed.
For user accounts, this event generates on
domain controllers, member servers, and
workstations.
For computer accounts, this event generates
only on domain controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4781</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-22T02:41:09.737420900Z" />
    <EventRecordID>175754</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1112" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="OldTargetUserName">Admin</Data>
    <Data Name="NewTargetUserName">MainAdmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6117</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x30d5f</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that performed the “change account
name” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account on which the name was changed. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data
in the event.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Old Account Name [Type = UnicodeString]: old name of target account.
New Account Name [Type = UnicodeString]: new name of target account.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have high-value user or computer accounts (or local user accounts) for which you need to monitor each
change to the accounts, monitor this event with the “Target Account\Security ID” that corresponds to the
high-value accounts.
4794(S, F): An attempt was made to set the Directory
Services Restore Mode administrator password.
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account
Management
Event Description:
This event generates every time Directory
Services Restore Mode (DSRM) administrator
password is changed.
This event generates only on domain
controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4794</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-18T02:49:26.087748900Z" />
    <EventRecordID>172348</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="2964" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x36f67</Data>
    <Data Name="Workstation">DC01</Data>
    <Data Name="Status">0x0</Data>
  </EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that made an attempt to set Directory
Services Restore Mode administrator password.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Additional Information:
Caller Workstation [Type = UnicodeString]: the name of computer account from which Directory Services
Restore Mode (DSRM) administrator password change request was received. For example: “DC01”. If the
change request was sent locally (from the same server) this field will have the same name as the computer
account.
Status Code [Type = HexInt32]: for Success events it has “0x0” value.
4798(S): A user's local group membership was enumerated.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates when a process
enumerates a user's security-enabled local
groups on a computer or device.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4798</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-12T04:14:17.436787700Z" />
    <EventRecordID>691</EventRecordID>
    <Correlation ActivityID="{CBAEDE08-1CF0-0000-50DE-AECBF01CD101}" />
    <Execution ProcessID="744" ThreadID="3928" />
    <Channel>Security</Channel>
    <Computer>WIN10-1.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">WIN10-1</Data>
    <Data Name="TargetSid">S-1-5-21-1694160624-234216347-2203645164-500</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x72d9d</Data>
    <Data Name="CallerProcessId">0xc80</Data>
    <Data Name="CallerProcessName">C:\Windows\System32\mmc.exe</Data>
  </EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that requested the “enumerate user's
security-enabled local groups” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
User:
Security ID [Type = SID]: SID of the account whose groups were enumerated. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data
in the event.
Account Name [Type = UnicodeString]: the name of the account whose groups were enumerated.
Account Domain [Type = UnicodeString]: group’s domain or computer name. Formats vary, and include
the following:
For a local group, this field will contain the name of the computer to which this group belongs, for
example: “Win81”.
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that enumerated the user's group
membership. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To
see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has
been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have high value domain or local accounts for which you need to monitor each enumeration of their
group membership, or any access attempt, monitor events with the “Subject\Security ID” that
corresponds to the high value account or accounts.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
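The 4740 recommendations earlier on this page (report the event when Subject\Security ID is not SYSTEM, watch lockouts of high-value Account That Was Locked Out SIDs, alert when the Caller Computer Name is one the account should not be used from or is not in your domain) and the 4798 recommendations just listed (high-value SIDs, a Process Name other than the expected one, a process outside System32 or Program Files or inside a restricted folder, restricted substrings such as “mimikatz” or “cain.exe”) can be applied mechanically to the Event XML shown on this page. The following Python is an added example, not code from the original page: it parses the Event XML with the standard library and evaluates those rules. The three sample events are constructed (the first two mirror the page's 4740 and 4798 examples, the third is a hostile variant of the 4798 one), and every value in POLICY (high-value SIDs, domain computer list, expected process, folder and word lists) is an assumption for the demo.

```python
"""Apply the page's 4740 and 4798 monitoring rules to Security-log event XML.

Added example, not from the original page. Sample events are constructed;
POLICY holds demo assumptions, not values from the page.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"

POLICY = {  # all assumptions for the demo
    "high_value_sids": {"S-1-5-21-3457937927-2839227994-823803824-2104"},
    "domain_computers": {"DC01", "WIN10-1"},
    "allowed_callers": {},  # TargetSid -> computer names the account may be used from
    "expected_process": "C:\\Windows\\System32\\mmc.exe",
    "standard_dirs": ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\"),
    "restricted_dirs": ("\\temporary internet files\\", "\\temp\\"),
    "restricted_words": ("mimikatz", "cain.exe"),
}


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one <Event> element."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def check_4740(d, p):
    """The page's 4740 rules. In 4740 the Caller Computer Name is carried in the
    TargetDomainName data item (WIN81 in the page's example)."""
    alerts = []
    caller = d.get("TargetDomainName", "")
    if d.get("SubjectUserSid") != SYSTEM_SID:
        alerts.append("lockout performed by non-SYSTEM subject " + d.get("SubjectUserName", "?"))
    if d.get("TargetSid") in p["high_value_sids"]:
        alerts.append("high-value account locked out: " + d.get("TargetUserName", "?"))
    if caller.upper() not in {c.upper() for c in p["domain_computers"]}:
        alerts.append("lockout caused from non-domain computer " + caller)
    permitted = p["allowed_callers"].get(d.get("TargetSid"))
    if permitted is not None and caller.upper() not in {c.upper() for c in permitted}:
        alerts.append("%s must not authenticate from %s" % (d.get("TargetUserName"), caller))
    return alerts


def check_4798(d, p):
    """The page's 4798 rules, applied to Process Name and the SIDs involved."""
    alerts = []
    proc = d.get("CallerProcessName", "")
    low = proc.lower()
    for sid in (d.get("SubjectUserSid"), d.get("TargetSid")):
        if sid in p["high_value_sids"]:
            alerts.append("group enumeration involving high-value SID " + sid)
    if p["expected_process"] and low != p["expected_process"].lower():
        alerts.append("unexpected enumerating process: " + proc)
    if not low.startswith(p["standard_dirs"]):
        alerts.append("process outside standard folders: " + proc)
    if any(r in low for r in p["restricted_dirs"]):
        alerts.append("process in restricted folder: " + proc)
    if any(w in low for w in p["restricted_words"]):
        alerts.append("restricted name in process path: " + proc)
    return alerts


CHECKS = {4740: check_4740, 4798: check_4798}


def analyze(xml_text, policy=POLICY):
    """Parse one event and return the alerts its rules produce (empty list if none)."""
    event_id, data = parse_event(xml_text)
    check = CHECKS.get(event_id)
    return check(data, policy) if check else []


def _event(event_id, computer, **fields):
    """Build a minimal Event XML for the constructed samples (values must not contain & or <)."""
    data = "".join('<Data Name="%s">%s</Data>' % kv for kv in fields.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><Provider Name="Microsoft-Windows-Security-Auditing" />'
            '<EventID>%d</EventID><Channel>Security</Channel><Computer>%s</Computer></System>'
            '<EventData>%s</EventData></Event>' % (event_id, computer, data))


# Constructed to mirror the page's 4740 example: Auditor locked out, caller WIN81, subject SYSTEM on DC01.
SAMPLE_4740 = _event(4740, "DC01.contoso.local",
    TargetUserName="Auditor", TargetDomainName="WIN81",
    TargetSid="S-1-5-21-3457937927-2839227994-823803824-2104",
    SubjectUserSid="S-1-5-18", SubjectUserName="DC01$", SubjectDomainName="CONTOSO", SubjectLogonId="0x3e7")

# Constructed to mirror the page's 4798 example: mmc.exe enumerating Administrator's local groups.
SAMPLE_4798_OK = _event(4798, "WIN10-1.contoso.local",
    TargetUserName="Administrator", TargetDomainName="WIN10-1",
    TargetSid="S-1-5-21-1694160624-234216347-2203645164-500",
    SubjectUserSid="S-1-5-21-1377283216-344919071-3415362939-1104", SubjectUserName="dadmin",
    SubjectDomainName="CONTOSO", SubjectLogonId="0x72d9d",
    CallerProcessId="0xc80", CallerProcessName="C:\\Windows\\System32\\mmc.exe")

# Constructed hostile variant: the same enumeration from a tool dropped in a temp folder.
SAMPLE_4798_BAD = _event(4798, "WIN10-1.contoso.local",
    TargetUserName="Administrator", TargetDomainName="WIN10-1",
    TargetSid="S-1-5-21-1694160624-234216347-2203645164-500",
    SubjectUserSid="S-1-5-21-1377283216-344919071-3415362939-1104", SubjectUserName="dadmin",
    SubjectDomainName="CONTOSO", SubjectLogonId="0x72d9d",
    CallerProcessId="0x1a2c", CallerProcessName="C:\\Users\\dadmin\\AppData\\Local\\Temp\\mimikatz.exe")

if __name__ == "__main__":
    for label, ev in (("4740", SAMPLE_4740), ("4798 ok", SAMPLE_4798_OK), ("4798 bad", SAMPLE_4798_BAD)):
        print(label, analyze(ev))
```

With the demo policy, the page's own 4740 example yields two alerts (a high-value account, and a caller that is not a domain computer), the page's 4798 example yields none, and the temp-folder variant trips every Process Name rule. Because 4740 only reports the caller's computer name, the last rule is only as good as your inventory of domain computers; the page's note that a non-domain caller still appears as a name rather than an IP address is why the check compares names.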
5376(S): Credential Manager credentials were backed
up.
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account
Management
Event Description:
This event generates every time the user
(Subject) successfully backs up the credential
manager database.
Typically this can be done by clicking “Back up
Credentials” in Credential Manager in the
Control Panel.
This event generates on domain controllers,
member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5376</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-22T03:28:02.200404700Z" />
    <EventRecordID>175779</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="548" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x30d7c</Data>
  </EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that performed the backup operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Every 5376 event should be recorded for all local and domain accounts, because this action (back up Credential
Manager) is very rarely used by users and can indicate a virus, or other harmful or malicious activity.
5377(S): Credential Manager credentials were
restored from a backup.
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account
Management
Event Description:
This event generates every time the user (Subject) successfully restores the credential manager database.
Typically this can be done by clicking “Restore Credentials” in Credential Manager in the Control Panel.
This event generates on domain controllers, member servers, and workstations.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5377</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T03:35:47.523266300Z" />
<EventRecordID>175780</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1236" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d7c</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that performed the restore operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Every 5377 event should be recorded for all local and domain accounts, because this action (restore Credential
Manager credentials from a backup) is very rarely used by users, and can indicate a virus, or other harmful or
malicious activity.
Audit DPAPI Activity
Applies to
Windows 10
Windows Server 2016
Audit DPAPI Activity determines whether the operating system generates audit events when encryption or
decryption calls are made into the data protection application interface (DPAPI).
Event volume: Low.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Events List:
4692(S, F): Backup of data protection master key was attempted.
4693(S, F): Recovery of data protection master key was attempted.
4694(S, F): Protection of auditable protected data was attempted.
4695(S, F): Unprotection of auditable protected data was attempted.
4692(S, F): Backup of data protection master key was attempted.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit DPAPI Activity
Event Description:
This event generates every time that a backup is attempted for the DPAPI Master Key.
When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a Master Key is generated, DPAPI communicates with a domain controller. Domain controllers have a domain-wide public/private key pair, associated solely with DPAPI. The local DPAPI client gets the domain controller public key from a domain controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the Master Key with the domain controller public key. It then stores this backup Master Key along with the Master Key protected by the user's password.
Periodically, a domain-joined machine will try to send an RPC request to a domain controller to back up the user’s master key so that the user can recover secrets in case his or her password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key.
This event also generates, for example, every time a new DPAPI Master Key is generated.
This event generates on domain controllers, member servers, and workstations.
A Failure event generates when a Master Key backup operation fails for some reason.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4692</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13314</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-25T01:59:14.573672700Z" />
<EventRecordID>176964</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="540" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-500</Data>
<Data Name="SubjectUserName">ladmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30c08</Data>
<Data Name="MasterKeyId">16cfaea0-dbe3-4d92-9523-d494edb546bc</Data>
<Data Name="RecoveryServer" />
<Data Name="RecoveryKeyId">806a0350-aeb1-4c56-91f9-ef16cf759291</Data>
<Data Name="FailureReason">0x0</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the backup operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Key Information:
Key Identifier [Type = UnicodeString]: unique identifier of the master key whose backup was created. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\decrypt the data using DPAPI. All of a user's Master Keys are located in the user profile, in the %APPDATA%\Roaming\Microsoft\Windows\Protect\%SID% folder. The name of every Master Key file is its ID.
Recovery Server [Type = UnicodeString]: the name (typically the DNS name) of the computer that you contacted to back up your Master Key. For domain-joined machines, it’s typically the name of a domain controller. This parameter might not be captured in the event, and in that case will be empty.
Recovery Key ID [Type = UnicodeString]: unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when the first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the recovery key. In this field you will see the unique Recovery Key ID that was used for the Master Key backup operation.
For Failure events this field is typically empty.
Status Information:
Status Code [Type = HexInt32]: hexadecimal status code of the performed operation. For Success events this field is typically “0x0”. To see the meaning of a status code, convert it to its decimal value and run the “net helpmsg STATUS_CODE” command to see the description for that specific STATUS_CODE. Here is an example of “net helpmsg” command output for status code 0x3A:
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
4693(S, F): Recovery of data protection master key was attempted.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit DPAPI Activity
Event Description:
This event generates every time that recovery is attempted for a DPAPI Master Key.
While unprotecting data, if DPAPI cannot use the Master Key protected by the user's password, it sends the backup Master Key to a domain controller by using a mutually authenticated and privacy protected RPC call. The domain controller then decrypts the Master Key with its private key and sends it back to the client by using the same protected RPC call. This protected RPC call is used to ensure that no one listening on the network can get the Master Key.
This event generates on domain controllers, member servers, and workstations.
A Failure event generates when a Master Key restore operation fails for some reason.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4693</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13314</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T06:25:14.589407700Z" />
<EventRecordID>175809</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1340" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d7c</Data>
<Data Name="MasterKeyId">0445c766-75f0-4de7-82ad-d9d97aad59f6</Data>
<Data Name="RecoveryReason">0x5c005c</Data>
<Data Name="RecoveryServer">DC01.contoso.local</Data>
<Data Name="RecoveryKeyId" />
<Data Name="FailureId">0x380000</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “recover” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Key Information:
Key Identifier [Type = UnicodeString]: unique identifier of the master key that was recovered. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\decrypt the data using DPAPI. All of a user's Master Keys are located in the user profile, in the %APPDATA%\Roaming\Microsoft\Windows\Protect\%SID% folder. The name of every Master Key file is its ID.
Recovery Server [Type = UnicodeString]: the name (typically the DNS name) of the computer that you contacted to recover your Master Key. For domain-joined machines, it’s typically the name of a domain controller.
Note In this event, the Recovery Server field contains the information from the Recovery Reason field.
Recovery Key ID [Type = UnicodeString]: unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when the first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the recovery key. In this field you will see the unique Recovery Key ID that was used for the Master Key recovery operation. This parameter might not be captured in the event, and in that case will be empty.
Recovery Reason [Type = HexInt32]: hexadecimal code of the recovery reason.
Note In this event, the Recovery Reason field contains the information from the Recovery Server field.
Status Information:
Status Code [Type = HexInt32]: hexadecimal unique status code. For Success events this field is typically “0x380000”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
4694(S, F): Protection of auditable protected data was attempted.
Applies to
Windows 10
Windows Server 2016
This event generates if the DPAPI CryptProtectData() function was called with the CRYPTPROTECT_AUDIT flag set in dwFlags.
There is no example of this event in this document.
Subcategory: Audit DPAPI Activity
Event Schema:
Protection of auditable protected data was attempted.
Subject:
Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4
Protected Data:
Data Description:%6
Key Identifier:%5
Protected Data Flags:%7
Protection Algorithms:%8
Status Information:
Status Code:%9
4695(S, F): Unprotection of auditable protected data was attempted.
Applies to
Windows 10
Windows Server 2016
This event generates if the DPAPI CryptUnprotectData() function was used to unprotect “auditable” data, that is, data that was encrypted by the CryptProtectData() function with the CRYPTPROTECT_AUDIT flag set in dwFlags.
There is no example of this event in this document.
Subcategory: Audit DPAPI Activity
Event Schema:
Unprotection of auditable protected data was attempted.
Subject:
Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4
Protected Data:
Data Description:%6
Key Identifier:%5
Protected Data Flags:%7
Protection Algorithms:%8
Status Information:
Status Code:%9
Audit PNP Activity
Applies to
Windows 10
Windows Server 2016
Audit PNP Activity determines when Plug and Play detects an external device.
A PnP audit event can be used to track down changes in system hardware and will be logged on the machine
where the change took place. For example, when a keyboard is plugged into a computer, a PnP event is triggered.
Event volume: Varies, depending on how the computer is used. Typically Low.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Events List:
6416(S): A new external device was recognized by the System.
6419(S): A request was made to disable a device.
6420(S): A device was disabled.
6421(S): A request was made to enable a device.
6422(S): A device was enabled.
6423(S): The installation of this device is forbidden by system policy.
6424(S): The installation of this device was allowed, after having previously been forbidden by policy.
6416(S): A new external device was recognized by the System.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time a new external device is recognized by a system.
This event generates, for example, when a new external device is connected or enabled.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>6416</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>13316</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-13T18:20:16.818569900Z" />
<EventRecordID>436</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="308" />
<Channel>Security</Channel>
<Computer>DESKTOP-NFC0HVN</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="DeviceId">SCSI\Disk&Ven_Seagate&Prod_Expansion\000000</Data>
<Data Name="DeviceDescription">Seagate Expansion SCSI Disk Device</Data>
<Data Name="ClassId">{4D36E967-E325-11CE-BFC1-08002BE10318}</Data>
<Data Name="ClassName">DiskDrive</Data>
<Data Name="VendorIds">SCSI\DiskSeagate_Expansion_______0636
SCSI\DiskSeagate_Expansion_______ SCSI\DiskSeagate_ SCSI\Seagate_Expansion_______0
Seagate_Expansion_______0 GenDisk</Data>
<Data Name="CompatibleIds">SCSI\Disk SCSI\RAW</Data>
<Data Name="LocationInformation">Bus Number 0, Target Id 0, LUN 0</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that registered the new device.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString] [Version 1]: “Device instance path” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Device Name [Type = UnicodeString] [Version 1]: “Device description” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Class ID [Type = UnicodeString]: “Class Guid” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Class Name [Type = UnicodeString] [Version 1]: “Class” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Vendor IDs [Type = UnicodeString]: “Hardware Ids” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Location Information [Type = UnicodeString]: “Location information” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Because this event is typically triggered by the SYSTEM account, we recommend that you report it
whenever “Subject\Security ID” is not SYSTEM.
You can use this event to track the events and event information shown in the following table by using the
listed fields:
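The monitoring recommendations stated in this reference (record every 5376/5377, treat a non-zero 4692 status or a 4693 status other than 0x380000 as a failure, convert a status code to decimal for net helpmsg, and report 6416 whenever the subject is not SYSTEM) as an added Python example that is not part of Microsoft's documentation: it parses the Event XML layout shown in the samples above and applies those rules to constructed events. The helper names (parse_event, triage, review, make_event) and the sample field values are assumptions.

```python
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}
SYSTEM_SID = "S-1-5-18"  # Subject\Security ID of the SYSTEM account


def parse_event(xml_text: str) -> dict:
    """Flatten one event from Event Viewer's XML view into a dict whose keys
    are the field names used in this reference (SubjectUserSid, ...)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        event[data.get("Name")] = (data.text or "").strip()
    return event


def helpmsg_argument(status_hex: str) -> int:
    """Decimal value of a HexInt32 status, as 'net helpmsg' expects it (0x3A -> 58)."""
    return int(status_hex, 16)


def triage(event: dict) -> tuple:
    """Return (report, reason), following the monitoring recommendations above."""
    eid = event["EventID"]
    subject = f"{event.get('SubjectDomainName', '')}\\{event.get('SubjectUserName', '')}"
    if eid in (5376, 5377):
        # Credential Manager backup/restore is rarely used: record every one.
        action = "backup" if eid == 5376 else "restore"
        return True, f"{eid}: Credential Manager {action} by {subject}"
    if eid == 4692:
        # Success events carry FailureReason 0x0; anything else is a failed
        # master key backup, so include the argument for net helpmsg.
        code = helpmsg_argument(event.get("FailureReason") or "0x0")
        if code:
            return True, (f"4692: backup of master key {event.get('MasterKeyId')} "
                          f"failed, status {code:#x} (net helpmsg {code})")
        return False, "4692: master key backup succeeded"
    if eid == 4693:
        # The reference gives 0x380000 as the typical Success status.
        code = helpmsg_argument(event.get("FailureId") or "0x0")
        if code != 0x380000:
            return True, f"4693: master key recovery returned status {code:#x}"
        return False, "4693: master key recovered successfully"
    if eid == 6416:
        # New devices are normally registered by SYSTEM; report any other SID.
        if event.get("SubjectUserSid") != SYSTEM_SID:
            return True, (f"6416: {event.get('DeviceDescription')} registered by "
                          f"non-SYSTEM subject {event.get('SubjectUserSid')}")
        return False, "6416: device registered by SYSTEM"
    return False, f"{eid}: no rule in this example"


def make_event(event_id: int, data: dict, computer: str = "DC01.contoso.local") -> str:
    """Build a minimal event in the XML layout shown above (constructed sample;
    values must already be XML-escaped, as Event Viewer's XML view shows them)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="2015-08-22T03:35:47.523266300Z" />'
            f'<Channel>Security</Channel><Computer>{computer}</Computer></System>'
            f'<EventData>{rows}</EventData></Event>')


# Constructed subject, reusing the CONTOSO\dadmin values from the samples above.
SUBJECT = {"SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
           "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO",
           "SubjectLogonId": "0x30d7c"}

# Constructed sample log: a 5377 restore, a 4692 backup that failed with 0x3A
# (the status the reference feeds to net helpmsg), a successful 4693, and a
# 6416 raised by an interactive local user instead of SYSTEM.
SAMPLE_EVENTS = [
    make_event(5377, SUBJECT),
    make_event(4692, {**SUBJECT, "MasterKeyId": "16cfaea0-dbe3-4d92-9523-d494edb546bc",
                      "RecoveryServer": "", "RecoveryKeyId": "", "FailureReason": "0x3A"}),
    make_event(4693, {**SUBJECT, "MasterKeyId": "0445c766-75f0-4de7-82ad-d9d97aad59f6",
                      "RecoveryServer": "DC01.contoso.local", "FailureId": "0x380000"}),
    make_event(6416, {"SubjectUserSid": "S-1-5-21-2695983153-1310895815-1903476278-1001",
                      "SubjectUserName": "ladmin", "SubjectDomainName": "DESKTOP-NFC0HVN",
                      "SubjectLogonId": "0x3fcc7",
                      "DeviceId": "USB\\VID_138A&amp;PID_0017\\FFBC12C950A0",
                      "DeviceDescription": "Synaptics FP Sensors (WBF) (PID=0017)"},
               computer="DESKTOP-NFC0HVN"),
]


def review(xml_events) -> list:
    """Parse every event and return the reasons for those that must be reported."""
    reported = []
    for xml_text in xml_events:
        report, reason = triage(parse_event(xml_text))
        if report:
            reported.append(reason)
    return reported
```

review(SAMPLE_EVENTS) reports the 5377, the failed 4692 and the non-SYSTEM 6416 and leaves the successful 4693 out; the same functions accept events exported from Event Viewer's XML view.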
6419(S): A request was made to disable a device.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time someone makes a request to disable a device.
This event doesn’t mean that the device was actually disabled.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>6419</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13316</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-14T22:23:26.789591400Z" />
<EventRecordID>483</EventRecordID>
<Correlation />
<Execution ProcessID="2192" ThreadID="1392" />
<Channel>Security</Channel>
<Computer>DESKTOP-NFC0HVN</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-2695983153-1310895815-1903476278-1001</Data>
<Data Name="SubjectUserName">ladmin</Data>
<Data Name="SubjectDomainName">DESKTOP-NFC0HVN</Data>
<Data Name="SubjectLogonId">0x3fcc7</Data>
<Data Name="DeviceId">USB\VID_138A&PID_0017\FFBC12C950A0</Data>
<Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data>
<Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data>
<Data Name="ClassName">Biometric</Data>
<Data Name="HardwareIds">USB\VID_138A&PID_0017&REV_0078 USB\VID_138A&PID_0017</Data>
<Data Name="CompatibleIds">USB\Class_FF&SubClass_00&Prot_00 USB\Class_FF&SubClass_00 USB\Class_FF</Data>
<Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made the request.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Device Name [Type = UnicodeString]: “Device description” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Class ID [Type = UnicodeString]: “Class Guid” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Class Name [Type = UnicodeString]: “Class” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Location Information [Type = UnicodeString]: “Location information” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
You can use this event to track the events and event information shown in the following table by using the listed
fields:
6420(S): A device was disabled.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time a specific device is disabled.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>6420</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13316</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-14T22:23:29.137398300Z" />
<EventRecordID>484</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="88" />
<Channel>Security</Channel>
<Computer>DESKTOP-NFC0HVN</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="DeviceId">USB\VID_138A&PID_0017\ffbc12c950a0</Data>
<Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data>
<Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data>
<Data Name="ClassName">Biometric</Data>
<Data Name="HardwareIds">USB\VID_138A&PID_0017&REV_0078 USB\VID_138A&PID_0017</Data>
<Data Name="CompatibleIds">USB\Class_FF&SubClass_00&Prot_00 USB\Class_FF&SubClass_00 USB\Class_FF</Data>
<Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that disabled the device.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Device Name [Type = UnicodeString]: “Device description” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Class ID [Type = UnicodeString]: “Class Guid” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Class Name [Type = UnicodeString]: “Class” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Location Information [Type = UnicodeString]: “Location information” attribute of the device. To see device properties, start Device Manager, open the specific device's properties, and click “Details”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
You can use this event to track the events and event information shown in the following table by using the listed
fields:
6421(S): A request was made to enable a device.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time someone makes a request to enable a device.
This event doesn’t mean that the device was actually enabled.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>6421</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13316</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-14T22:37:50.034918700Z" />
<EventRecordID>485</EventRecordID>
<Correlation />
<Execution ProcessID="2192" ThreadID="1392" />
<Channel>Security</Channel>
<Computer>DESKTOP-NFC0HVN</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-2695983153-1310895815-1903476278-1001</Data>
<Data Name="SubjectUserName">ladmin</Data>
<Data Name="SubjectDomainName">DESKTOP-NFC0HVN</Data>
<Data Name="SubjectLogonId">0x3fcc7</Data>
<Data Name="DeviceId">USB\VID_138A&PID_0017\FFBC12C950A0</Data>
<Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data>
<Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data>
<Data Name="ClassName">Biometric</Data>
<Data Name="HardwareIds">USB\VID_138A&PID_0017&REV_0078 USB\VID_138A&PID_0017</Data>
<Data Name="CompatibleIds">USB\Class_FF&SubClass_00&Prot_00 USB\Class_FF&SubClass_00 USB\Class_FF</Data>
<Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made the request.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of device. To see device properties, start
Device Manager, open specific device properties, and click “Details”:
Device Name [Type = UnicodeString]: “Device description” attribute of device. To see device properties, start
Device Manager, open specific device properties, and click “Details”:
Class ID [Type = UnicodeString]: “Class Guid” attribute of device. To see device properties, start Device Manager,
open specific device properties, and click “Details”:
Class Name [Type = UnicodeString]: “Class” attribute of device. To see device properties, start Device Manager,
open specific device properties, and click “Details”:
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of device. To see device properties, start Device
Manager, open specific device properties, and click “Details”:
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of device. To see device properties, start
Device Manager, open specific device properties, and click “Details”:
Location Information [Type = UnicodeString]: “Location information” attribute of device. To see device
properties, start Device Manager, open specific device properties, and click “Details”:
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
You can use this event to track the events and event information shown in the following table by using the listed
fields:
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time a specific device is enabled.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>6422</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13316</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-14T22:37:50.036050900Z" />
<EventRecordID>486</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="408" />
<Channel>Security</Channel>
<Computer>DESKTOP-NFC0HVN</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="DeviceId">USB\VID_138A&PID_0017\ffbc12c950a0</Data>
<Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data>
<Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data>
<Data Name="ClassName">Biometric</Data>
<Data Name="HardwareIds">USB\VID_138A&PID_0017&REV_0078 USB\VID_138A&PID_0017</Data>
<Data Name="CompatibleIds">USB\Class_FF&SubClass_00&Prot_00 USB\Class_FF&SubClass_00 USB\Class_FF</Data>
<Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that enabled the device.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of device. To see device properties, start
Device Manager, open specific device properties, and click “Details”:
Device Name [Type = UnicodeString]: “Device description” attribute of device. To see device properties, start
Device Manager, open specific device properties, and click “Details”:
Class ID [Type = UnicodeString]: “Class Guid” attribute of device. To see device properties, start Device Manager,
open specific device properties, and click “Details”:
Class Name [Type = UnicodeString]: “Class” attribute of device. To see device properties, start Device Manager,
open specific device properties, and click “Details”:
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of device. To see device properties, start Device
Manager, open specific device properties, and click “Details”:
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of device. To see device properties, start
Device Manager, open specific device properties, and click “Details”:
Location Information [Type = UnicodeString]: “Location information” attribute of device. To see device
properties, start Device Manager, open specific device properties, and click “Details”:
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Because this event is typically triggered by the SYSTEM account, we recommend that you report it
whenever “Subject\Security ID” is not SYSTEM.
You can use this event to track the events and event information shown in the following table by using the
listed fields:
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time installation of a device is forbidden by system policy.
Device installation restriction group policies are located here: \Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions. If one of the policies restricts installation of a specific device, this event will be generated.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>6423</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13316</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-14T22:49:34.647975900Z" />
<EventRecordID>488</EventRecordID>
<Correlation />
<Execution ProcessID="828" ThreadID="1924" />
<Channel>Security</Channel>
<Computer>DESKTOP-NFC0HVN</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="DeviceId">USB\VID_04F3&PID_012D\7&1E3A8971&0&2</Data>
<Data Name="DeviceDescription">Touchscreen</Data>
<Data Name="ClassId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="ClassName" />
<Data Name="HardwareIds">USB\VID_04F3&PID_012D&REV_0013 USB\VID_04F3&PID_012D</Data>
<Data Name="CompatibleIds">USB\Class_03&SubClass_00&Prot_00 USB\Class_03&SubClass_00 USB\Class_03</Data>
<Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that forbids the device installation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of device. To see device properties, start
Device Manager, open specific device properties, and click “Details”:
Device Name [Type = UnicodeString]: “Device description” attribute of device. To see device properties, start
Device Manager, open specific device properties, and click “Details”:
Class ID [Type = UnicodeString]: “Class Guid” attribute of device. To see device properties, start Device Manager,
open specific device properties, and click “Details”:
Class Name [Type = UnicodeString]: “Class” attribute of device. To see device properties, start Device Manager,
open specific device properties, and click “Details”:
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of device. To see device properties, start Device
Manager, open specific device properties, and click “Details”:
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of device. To see device properties, start
Device Manager, open specific device properties, and click “Details”:
Location Information [Type = UnicodeString]: “Location information” attribute of device. To see device
properties, start Device Manager, open specific device properties, and click “Details”:
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you want to track device installation policy violations, then you need to track every event of this type.
Because this event is typically triggered by the SYSTEM account, we recommend that you report it
whenever “Subject\Security ID” is not SYSTEM.
You can use this event to track the policy violations and related information shown in the following table by
using the listed fields:
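As an added example (not from the Microsoft documentation), the following Python correlates the 6421, 6422 and 6423 events described above and applies the recommendation to report 6422 and 6423 whose subject is not SYSTEM. It assumes the event XML shape shown on this page; the record ids 490 to 492 and the VID_1234 device are constructed values.

```python
"""Correlate the PnP audit events above (6421 request, 6422 enabled, 6423
forbidden by policy) and apply the page's SYSTEM-account rule.
Added example, not part of the Microsoft documentation; events are built
inline from the page's values plus constructed ones."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOCAL_SYSTEM = "S-1-5-18"      # the page expects 6422/6423 to come from SYSTEM
VID_PID = re.compile(r"USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{eid}</EventID><EventRecordID>{rec}</EventRecordID></System>"
    "<EventData>{data}</EventData></Event>"
)


def build_pnp(eid, rec, sid, user, device_id, desc, hardware_ids, compatible_ids):
    """Construct a 642x event; '&' inside the IDs is escaped as real XML requires."""
    values = {"SubjectUserSid": sid, "SubjectUserName": user, "DeviceId": device_id,
              "DeviceDescription": desc, "HardwareIds": hardware_ids,
              "CompatibleIds": compatible_ids}
    data = "".join('<Data Name="%s">%s</Data>' % (k, escape(v)) for k, v in values.items())
    return TEMPLATE.format(eid=eid, rec=rec, data=data)


def parse_pnp(xml_text):
    """Fields of one 642x event, with the multi-valued IDs split and the
    device instance path normalised for case-insensitive matching."""
    root = ET.fromstring(xml_text)
    f = {d.get("Name"): (d.text or "") for d in root.iterfind(".//e:EventData/e:Data", NS)}
    f["EventID"] = int(root.findtext(".//e:System/e:EventID", namespaces=NS))
    f["RecordID"] = int(root.findtext(".//e:System/e:EventRecordID", namespaces=NS))
    f["HardwareIds"] = f["HardwareIds"].split()      # space separated in the event text
    f["CompatibleIds"] = f["CompatibleIds"].split()
    # The page's own 6421/6422 pair differs only in the case of the instance id
    # (FFBC12C950A0 vs ffbc12c950a0), so correlate on an upper-cased key.
    f["DeviceKey"] = f["DeviceId"].upper()
    return f


def usb_vid_pid(hardware_ids):
    """(vendor id, product id) from the first USB hardware id, else None."""
    for hid in hardware_ids:
        m = VID_PID.match(hid)
        if m:
            return m.group(1).upper(), m.group(2).upper()
    return None


def review_pnp(events):
    """Findings in record order: non-SYSTEM subjects on 6422/6423, every 6423
    as a policy violation, and 6421 requests with no 6422 for the same device
    in this batch (the enable may simply be outside the batch; treat as a lead)."""
    parsed = sorted((parse_pnp(e) for e in events), key=lambda f: f["RecordID"])
    enabled = {f["DeviceKey"] for f in parsed if f["EventID"] == 6422}
    findings = []
    for f in parsed:
        if f["EventID"] in (6422, 6423) and f["SubjectUserSid"] != LOCAL_SYSTEM:
            findings.append(("non_system_subject", f["EventID"], f["SubjectUserName"], f["DeviceId"]))
        if f["EventID"] == 6423:
            findings.append(("policy_violation", 6423, f["DeviceDescription"], f["DeviceId"]))
        if f["EventID"] == 6421 and f["DeviceKey"] not in enabled:
            findings.append(("request_without_enable", 6421, f["SubjectUserName"], f["DeviceId"]))
    return findings


FP_HW = "USB\\VID_138A&PID_0017&REV_0078 USB\\VID_138A&PID_0017"
FP_COMPAT = "USB\\Class_FF&SubClass_00&Prot_00 USB\\Class_FF&SubClass_00 USB\\Class_FF"
LADMIN = "S-1-5-21-2695983153-1310895815-1903476278-1001"
# Records 485, 486 and 488 carry the page's values; 490 to 492 are constructed.
SAMPLE_EVENTS = [
    build_pnp(6421, 485, LADMIN, "ladmin", "USB\\VID_138A&PID_0017\\FFBC12C950A0",
              "Synaptics FP Sensors (WBF) (PID=0017)", FP_HW, FP_COMPAT),
    build_pnp(6422, 486, LOCAL_SYSTEM, "DESKTOP-NFC0HVN$", "USB\\VID_138A&PID_0017\\ffbc12c950a0",
              "Synaptics FP Sensors (WBF) (PID=0017)", FP_HW, FP_COMPAT),
    build_pnp(6423, 488, LOCAL_SYSTEM, "DESKTOP-NFC0HVN$", "USB\\VID_04F3&PID_012D\\7&1E3A8971&0&2",
              "Touchscreen", "USB\\VID_04F3&PID_012D&REV_0013 USB\\VID_04F3&PID_012D",
              "USB\\Class_03&SubClass_00&Prot_00 USB\\Class_03&SubClass_00 USB\\Class_03"),
    build_pnp(6421, 490, LADMIN, "ladmin", "USB\\VID_1234&PID_5678\\0000000001",
              "Constructed storage device", "USB\\VID_1234&PID_5678", "USB\\Class_08"),
    build_pnp(6422, 491, LADMIN, "ladmin", "USB\\VID_1234&PID_5678\\0000000001",
              "Constructed storage device", "USB\\VID_1234&PID_5678", "USB\\Class_08"),
    build_pnp(6421, 492, LADMIN, "ladmin", "USB\\VID_1234&PID_5678\\0000000002",
              "Constructed storage device", "USB\\VID_1234&PID_5678", "USB\\Class_08"),
]

if __name__ == "__main__":
    for finding in review_pnp(SAMPLE_EVENTS):
        print(finding)
```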
Applies to
Windows 10
Windows Server 2016
This event occurs rarely, and in some situations may be difficult to reproduce.
Subcategory: Audit PNP Activity
Required Server Roles: None.
Minimum OS Version: Windows 10 [Version 1511].
Event Versions: 0.
Applies to
Windows 10
Windows Server 2016
Audit Process Creation determines whether the operating system generates audit events when a process is
created (starts).
These audit events can help you track user activity and understand how a computer is being used. Information
includes the name of the program or the user that created the process.
Event volume: Low to Medium, depending on system usage.
This subcategory allows you to audit events generated when a process is created or starts. The name of the
application and user that created the process is also audited.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Events List:
4688(S): A new process has been created.
4696(S): A primary token was assigned to process.
4688(S): A new process has been created.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Process Creation
Event Description:
This event generates every time a new process starts.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T02:24:52.377352500Z" />
<EventRecordID>2814</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="400" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="NewProcessId">0x2bc</Data>
<Data Name="NewProcessName">C:\Windows\System32\rundll32.exe</Data>
<Data Name="TokenElevationType">%%1938</Data>
<Data Name="ProcessId">0xe74</Data>
<Data Name="CommandLine" />
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x4a5af0</Data>
<Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
<Data Name="MandatoryLabel">S-1-16-8192</Data>
</EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that requested the “create
process” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS
LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this
account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent
events that might contain the same Logon ID, for example, “4624: An account was successfully
logged on.”
Target Subject [Version 2]:
Note This event includes the principal of the process creator, but this is not always sufficient if the
target context is different from the creator context. In that situation, the subject specified in the process
termination event does not match the subject in the process creation event even though both events
refer to the same process ID. Therefore, in addition to including the creator of the process, we will also
include the target principal when the creator and target do not share the same logon.
Security ID [Type = SID] [Version 2]: SID of target account. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee
(security principal). Each account has a unique SID that is issued by an authority, such as an Active
Directory domain controller, and stored in a security database. Each time a user logs on, the system
retrieves the SID for that user from the database and places it in the access token for that user. The
system uses the SID in the access token to identify the user in all subsequent interactions with
Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever
be used again to identify another user or group. For more information about SIDs, see Security
identifiers.
Account Name [Type = UnicodeString] [Version 2]: the name of the target account.
Account Domain [Type = UnicodeString] [Version 2]: target account’s domain or computer name.
Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS
LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this
account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64] [Version 2]: hexadecimal value that can help you correlate this event
with recent events that might contain the same Logon ID, for example, “4624: An account was
successfully logged on.”
Process Information:
New Process ID [Type = Pointer]: hexadecimal Process ID of the new process. Process ID (PID) is a
number used by the operating system to uniquely identify an active process. To see the PID for a
specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
New Process Name [Type = UnicodeString]: full path and the name of the executable for the new
process.
Token Elevation Type [Type = UnicodeString]:
TokenElevationTypeDefault (1): Type 1 is a full token with no privileges removed or
groups disabled. A full token is only used if User Account Control is disabled or if the user is
the built-in Administrator account (for which UAC is disabled by default), a service account or
the local system account.
TokenElevationTypeFull (2): Type 2 is an elevated token with no privileges removed or
groups disabled. An elevated token is used when User Account Control is enabled and the
user chooses to start the program using Run as administrator. An elevated token is also used
when an application is configured to always require administrative privilege or to always
require maximum privilege, and the user is a member of the Administrators group.
TokenElevationTypeLimited (3): Type 3 is a limited token with administrative privileges
removed and administrative groups disabled. The limited token is used when User Account
Control is enabled, the application does not require administrative privilege, and the user does
not choose to start the program using Run as administrator.
Mandatory Label [Version 2] [Type = SID]: SID of integrity label which was assigned to the new
process. Can have one of the following values:
Creator Process ID [Type = Pointer]: hexadecimal Process ID of the process which ran the new process.
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new
process has been created” Process Information\New Process ID.
Creator Process Name [Version 2] [Type = UnicodeString]: full path and the name of the
executable for the process.
Process Command Line [Version 1, 2] [Type = UnicodeString]: contains the name of executable
and arguments which were passed to it. You must enable “Administrative Templates\System\Audit
Process Creation\Include command line in process creation events” group policy to include
command line in process creation events:
By default, the Process Command Line field is empty.
Type of monitoring required / Recommendation

High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor all events with the “Creator Subject\Security ID” or “Target Subject\Security ID” that corresponds to the high-value account or accounts.

Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Creator Subject\Security ID” or “Target Subject\Security ID” (with other information) to monitor how or when a particular account is being used.

Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor all events with the “Creator Subject\Security ID” or “Target Subject\Security ID” that corresponds to the accounts that should never be used.

Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Creator Subject\Security ID” and “Target Subject\Security ID” for accounts that are outside the whitelist.

Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Creator Subject\Security ID” or “Target Subject\Security ID” to see whether the account type is as expected.

External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor the specific events for the “Creator Subject\Security ID” or “Target Subject\Security ID” corresponding to accounts from another domain or “external” accounts.

Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Creator Subject\Security ID” or “Target Subject\Security ID” that you are concerned about.

Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Creator Subject\Security ID” or “Target Subject\Security ID” for names that don’t comply with naming conventions.
If you have a pre-defined “New Process Name” or “Creator Process Name” for the process
reported in this event, monitor all events with “New Process Name” or “Creator Process Name”
not equal to your defined value.
You can monitor to see if “New Process Name” or “Creator Process Name” is not in a standard
folder (for example, not in System32 or Program Files) or is in a restricted folder (for example,
Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example
“mimikatz” or “cain.exe”), check for these substrings in “New Process Name” or “Creator
Process Name.”
It can be unusual for a process to run using a local account in either Creator Subject\Security ID
or in Target Subject\Security ID.
Monitor for Token Elevation Type with value TokenElevationTypeDefault (1) when
Subject\Security ID lists a real user account, for example when Account Name doesn’t contain
the $ symbol. Typically this means that UAC is disabled for this account for some reason.
Monitor for Token Elevation Type with value TokenElevationTypeFull (2) on standard
workstations, when Subject\Security ID lists a real user account, for example when Account
Name doesn’t contain the $ symbol. This means that a user ran a program using administrative
privileges.
You can also monitor for Token Elevation Type with value TokenElevationTypeFull (2) on
standard workstations, when a computer object was used to run the process, but that computer
object is not the same computer where the event occurs.
If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480
(Protected process), check the “Mandatory Label” in this event.
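As an added example (not from the Microsoft documentation), the following Python applies the 4688 recommendations above to event XML in the Version 2 layout shown on this page. The %%1936, %%1937 and %%1938 resource strings behind TokenElevationType, the broadened folder list, and the choice of the Target Subject as the acting account are this example's assumptions; the jdoe/WS01 events are constructed.

```python
"""Checks for event 4688 modelled on the monitoring recommendations above.
Added example, not part of the Microsoft documentation. Event XML is built
inline from constructed values in the page's 4688 Version 2 layout."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Resource strings stored in TokenElevationType, mapped to the Type 1/2/3
# numbers the field description above assigns them (Default, Full, Limited).
ELEVATION = {"%%1936": 1, "%%1937": 2, "%%1938": 3}

# The page's folder examples (System32, Program Files, Temporary Internet
# Files), broadened by assumption: C:\Windows covers System32, and the
# "program files" prefix also matches "Program Files (x86)".
STANDARD_FOLDERS = ("c:\\windows\\", "c:\\program files")
RESTRICTED_FOLDERS = ("\\temporary internet files\\",)
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")      # the page's examples
PROTECTED_PROCESS_LABEL = "S-1-16-20480"              # from the page

EVENT_TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>4688</EventID><Version>2</Version>"
    "<Computer>{computer}</Computer></System>"
    "<EventData>{data}</EventData></Event>"
)


def build_4688(computer, subject, target, new_process, parent, elevation, label):
    """Construct a minimal 4688 Version 2 event (PIDs fixed to the page's values)."""
    values = {"SubjectUserName": subject, "TargetUserName": target,
              "NewProcessId": "0x2bc", "NewProcessName": new_process,
              "TokenElevationType": elevation, "ProcessId": "0xe74",
              "ParentProcessName": parent, "MandatoryLabel": label}
    data = "".join('<Data Name="%s">%s</Data>' % kv for kv in values.items())
    return EVENT_TEMPLATE.format(computer=computer, data=data)


def event_data(xml_text):
    """Return the <Data Name=...> pairs of one Security event plus Computer."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.iterfind(".//e:EventData/e:Data", NS)}
    fields["Computer"] = root.findtext(".//e:System/e:Computer", default="", namespaces=NS)
    return fields


def acting_account(fields):
    """Account the elevation rules above refer to. Assumption of this example:
    the Target Subject when creator and target logons differ (the target
    fields are "-" or empty otherwise), else the creator."""
    target = fields.get("TargetUserName", "")
    return target if target and target != "-" else fields["SubjectUserName"]


def check_4688(xml_text, workstation=True):
    """Apply the recommendations; return decimal PIDs and (code, detail) findings."""
    f = event_data(xml_text)
    findings = []
    for name in (f["NewProcessName"], f["ParentProcessName"]):
        low = name.lower()
        if not low.startswith(STANDARD_FOLDERS):
            findings.append(("nonstandard_folder", name))
        if any(r in low for r in RESTRICTED_FOLDERS):
            findings.append(("restricted_folder", name))
        if any(s in low for s in RESTRICTED_SUBSTRINGS):
            findings.append(("restricted_name", name))
    account = acting_account(f)
    is_user = not account.endswith("$")            # machine accounts end in "$"
    elevation = ELEVATION.get(f["TokenElevationType"])
    if elevation == 1 and is_user:                 # full token: UAC off for a user
        findings.append(("uac_disabled", account))
    if elevation == 2 and workstation:
        if is_user:                                # a user ran something elevated
            findings.append(("elevated_user", account))
        elif account[:-1].lower() != f["Computer"].split(".")[0].lower():
            findings.append(("elevated_remote_computer", account))
    if f["MandatoryLabel"] == PROTECTED_PROCESS_LABEL:
        findings.append(("protected_process", f["NewProcessName"]))
    return {"pid": int(f["NewProcessId"], 16),     # decimal, as Task Manager shows it
            "creator_pid": int(f["ProcessId"], 16),
            "elevation": elevation,
            "findings": findings}


# Constructed samples: the first mirrors the page's event (Limited token,
# processes under C:\Windows); the second is a workstation user running an
# elevated binary from a restricted folder.
PAGE_EVENT = build_4688(
    "WIN-GG82ULGC9GO.contoso.local", "WIN-GG82ULGC9GO$", "dadmin",
    "C:\\Windows\\System32\\rundll32.exe", "C:\\Windows\\explorer.exe",
    "%%1938", "S-1-16-8192")
SUSPECT_EVENT = build_4688(
    "WS01.contoso.local", "jdoe", "-",
    "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\cain.exe",
    "C:\\Windows\\System32\\cmd.exe", "%%1937", "S-1-16-12288")

if __name__ == "__main__":
    for evt in (PAGE_EVENT, SUSPECT_EVENT):
        print(check_4688(evt))
```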
4696(S): A primary token was assigned to process.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Process Creation
Event Description:
This event generates every time a process runs using a non-current access token, for example, a UAC elevated token, RUN AS different user actions, a scheduled task with a defined user, services, and so on.
IMPORTANT: this event is deprecated starting from Windows 7 and Windows 2008 R2.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4696</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-25T21:33:42.401Z" />
<EventRecordID>561</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="88" />
<Channel>Security</Channel>
<Computer>Win2008.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN2008$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-18</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x1c8c5</Data>
<Data Name="TargetProcessId">0xf40</Data>
<Data Name="TargetProcessName">C:\Windows\System32\WerFault.exe</Data>
<Data Name="ProcessId">0x698</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>
Required Server Roles: this event is deprecated starting from Windows 7 and Windows 2008 R2.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “assign token to process” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “assign token to
process” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process which started the new process with the
new security token. Process ID (PID) is a number used by the operating system to uniquely identify an active
process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process which ran
the new process with new security token.
Target Process:
Target Process ID [Type = Pointer]: hexadecimal Process ID of the new process with new security token. If you
convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has
been created” Process Information\New Process ID.
Target Process Name [Type = UnicodeString]: full path and the name of the executable for the new process.
New Token Information:
Security ID [Type = SID]: SID of account through which the security token will be assigned to the new process.
Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you
will see the source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account through which the security token will be
assigned to the new process.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
TYPE OF MONITORING REQUIRED | RECOMMENDATION
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the “Subject\Security ID” or “New Token Information\Security ID” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “Subject\Security ID” or “New Token Information\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “Subject\Security ID” or “New Token Information\Security ID” that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” and “New Token Information\Security ID” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” or “New Token Information\Security ID” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the “Subject\Security ID” or “New Token Information\Security ID” corresponding to accounts from another domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” or “New Token Information\Security ID” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “Subject\Security ID” or “New Token Information\Security ID” for names that don’t comply with naming conventions.
If you have a pre-defined “Process Name” or “Target Process Name” for the process reported in this
event, monitor all events with “Process Name” or “Target Process Name” not equal to your defined value.
You can monitor to see if “Process Name” or “Target Process Name” is not in a standard folder (for
example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet
Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name” or “Target Process Name”.
It can be uncommon for a process to run using a local account.
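The process-name and account checks listed above can be expressed directly as rules over the event fields. The following is an added example (not code from the original page or from Microsoft) that evaluates a “Process Name” / “Target Process Name” value together with the “Account Domain” and the event’s Computer name; the standard-folder, restricted-folder and restricted-substring lists are constructed for this example and should be replaced with your own baselines.

```python
"""
Added example: apply the process-name monitoring rules to the
"Process Name" / "Target Process Name" and "Account Domain" fields of an event.
Folder and substring lists below are constructed placeholders for this example.
"""
from typing import List, Optional

# Constructed policy values; replace them with your own baselines.
STANDARD_FOLDERS = (
    r"C:\Windows\System32",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)
RESTRICTED_FOLDERS = (
    r"\Temporary Internet Files",
    r"\AppData\Local\Temp",
)
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")


def _norm(path: str) -> str:
    """Case-fold and use backslashes so comparisons ignore case and separator style."""
    return path.replace("/", "\\").casefold()


def evaluate_process(process_name: str, account_domain: str, computer: str,
                     expected_name: Optional[str] = None) -> List[str]:
    """Return the names of the monitoring rules the event triggers (empty = nothing to flag).

    process_name   - "Process Name" or "Target Process Name" field (full path)
    account_domain - "Account Domain" of the Subject or New Token Information
    computer       - the event's <Computer> element (FQDN or NetBIOS name)
    expected_name  - the pre-defined process path for this event, if you have one
    """
    findings = []
    path = _norm(process_name)

    # Rule 1: a pre-defined name exists for this event and the path differs from it.
    if expected_name is not None and path != _norm(expected_name):
        findings.append("name-not-expected")

    # Rule 2: the executable is not under one of the standard folders.
    if not any(path.startswith(_norm(f).rstrip("\\") + "\\") for f in STANDARD_FOLDERS):
        findings.append("outside-standard-folder")

    # Rule 3: the executable is under a restricted folder.
    if any(_norm(f) in path for f in RESTRICTED_FOLDERS):
        findings.append("in-restricted-folder")

    # Rule 4: the path contains a restricted substring or word.
    if any(s.casefold() in path for s in RESTRICTED_SUBSTRINGS):
        findings.append("restricted-substring")

    # Rule 5: a local account. Per the Account Domain field description, local
    # accounts carry the computer name in this field instead of the domain name.
    host = computer.split(".")[0].casefold()
    if account_domain.casefold() == host:
        findings.append("local-account")

    return findings


if __name__ == "__main__":
    # Sample values are constructed for this example.
    print(evaluate_process(r"C:\Windows\System32\notepad.exe", "CONTOSO", "DC01.contoso.local"))
    print(evaluate_process(r"C:\Users\bob\AppData\Local\Temp\mimikatz.exe", "WIN81", "Win81"))
```

The local-account rule relies only on the documented behaviour of the Account Domain field (computer name for local accounts), so it works without a directory lookup; prefix matching on a trailing backslash prevents `C:\Windows\System32Evil\...` from passing as a standard folder.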
Audit Process Termination
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Process Termination determines whether the operating system generates audit events when a process has exited.
Success audits record successful attempts and Failure audits record unsuccessful attempts.
This policy setting can help you track user activity and understand how the computer is used.
Event volume: Low to Medium, depending on system usage.
COMPUTER TYPE      GENERAL SUCCESS  GENERAL FAILURE  STRONGER SUCCESS  STRONGER FAILURE  COMMENTS
Domain Controller  No               No               IF                No                IF - see comments below
Workstation        No               No               IF                No                IF - see comments below
Comments (identical for both computer types): This subcategory typically is not as important as the Audit Process Creation subcategory. Using this subcategory you can, for example, get information about how long a process ran by correlating with the 4688 event. If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Events List:
4689(S): A process has exited.
4689(S): A process has exited.
4/5/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Process Termination
Event Description:
This event generates every time a process has
exited.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4689</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13313</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" />
    <EventRecordID>187030</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="144" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x31365</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="ProcessId">0xfb0</Data>
    <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
  </EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “terminate process” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “terminate process”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the ended/terminated process. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688(S): A new process has been created” New Process ID on this computer.
Process Name [Type = UnicodeString]: full path and the executable name of the exited/terminated process.
Exit Status [Type = HexInt32]: hexadecimal exit code of the exited/terminated process. This exit code is specific to each application; check the application documentation for more details. The exit code value for a process reflects the specific convention implemented by the application developer for that process.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If you have a critical processes list for the computer, with the requirement that these processes must always run and not stop, you can monitor the Process Name field in 4689 events for these process names.
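The subcategory table notes that 4689 becomes useful when correlated with 4688, and the recommendation just above asks for critical process names to be watched in 4689. The following added example (not code from the original page or from Microsoft) does both: it parses the event XML, pairs each 4689 with the latest earlier 4688 for the same computer and hexadecimal PID, reports the runtime, and flags exits of processes on a critical list. The 4689 record is the sample event shown above; the 4688 record is a constructed, trimmed event for the same notepad.exe process (only the NewProcessId and NewProcessName fields needed here are included).

```python
"""
Added example: correlate 4688 (process created) with 4689 (process exited) by
(computer, PID), compute runtime, and flag exits of critical processes.
The 4689 XML is the sample event from the page; the 4688 XML is constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed, trimmed 4688 for the process whose 4689 is shown on the page.
EVENT_4688 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4688</EventID>
    <TimeCreated SystemTime="2015-08-27T17:12:31.826339500Z" />
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x31365</Data>
    <Data Name="NewProcessId">0xfb0</Data>
    <Data Name="NewProcessName">C:\\Windows\\System32\\notepad.exe</Data>
  </EventData>
</Event>"""

# The page's 4689 sample (System element trimmed to the fields used here).
EVENT_4689 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4689</EventID>
    <TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" />
    <EventRecordID>187030</EventRecordID>
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x31365</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="ProcessId">0xfb0</Data>
    <Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
  </EventData>
</Event>"""


def parse_time(system_time: str) -> datetime:
    """Parse the 100-ns SystemTime stamp; Python keeps microseconds, so truncate."""
    base, _, frac = system_time.rstrip("Z").partition(".")
    return datetime.strptime(f"{base}.{(frac + '000000')[:6]}", "%Y-%m-%dT%H:%M:%S.%f")


def parse_event(xml_text: str) -> dict:
    """Extract EventID, TimeCreated, Computer and the EventData name/value pairs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "id": int(system.find("e:EventID", NS).text),
        "time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "computer": system.find("e:Computer", NS).text,
        "data": data,
    }


def correlate(xml_events, critical_processes=()):
    """Pair each 4689 with the latest earlier 4688 for the same (computer, PID).

    PIDs are reused, so a start record is consumed by the first matching exit.
    Returns one dict per exited process with runtime in seconds (None when no
    4688 was seen) and whether the process is on the critical list.
    """
    critical = {p.casefold() for p in critical_processes}
    started, results = {}, []
    for ev in sorted((parse_event(x) for x in xml_events), key=lambda e: e["time"]):
        if ev["id"] == 4688:
            pid = int(ev["data"]["NewProcessId"], 16)      # hex string -> decimal PID
            started[(ev["computer"], pid)] = ev
        elif ev["id"] == 4689:
            pid = int(ev["data"]["ProcessId"], 16)
            start = started.pop((ev["computer"], pid), None)
            name = ev["data"]["ProcessName"]
            results.append({
                "computer": ev["computer"],
                "pid": pid,
                "name": name,
                "exit_status": int(ev["data"]["Status"], 16),
                "runtime_s": (ev["time"] - start["time"]).total_seconds() if start else None,
                "critical_exit": name.casefold() in critical,
            })
    return results


if __name__ == "__main__":
    for record in correlate([EVENT_4689, EVENT_4688],
                            critical_processes=[r"C:\Windows\System32\notepad.exe"]):
        print(record)
```

Events are sorted by TimeCreated before pairing so the order in which they were collected does not matter; a 4689 with no preceding 4688 (for example because Audit Process Creation was enabled later) still yields a record, with `runtime_s` set to None rather than a misleading value.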
Audit RPC Events
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit RPC Events determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made.
Events List:
5712(S): A Remote Procedure Call (RPC) was attempted.
5712(S): A Remote Procedure Call (RPC) was
attempted.
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
It appears that this event never occurs.
Subcategory: Audit RPC Events
Event Schema:
A Remote Procedure Call (RPC) was attempted.
Subject:
SID:%1
Name:%2
Account Domain:%3
LogonId:%4
Process Information:
PID:%5 Name:%6
Network Information:
Remote IP Address:%7
Remote Port:%8
RPC Attributes:
Interface UUID:%9
Protocol Sequence:%10
Authentication Service:%11
Authentication Level:%12
Audit Detailed Directory Service Replication
Applies to
Windows 10
Windows Server 2016
Audit Detailed Directory Service Replication determines whether the operating system generates audit events
that contain detailed tracking information about data that is replicated between domain controllers.
This audit subcategory can be useful to diagnose replication issues.
Event volume: These events can create a very high volume of event data on domain controllers.
Events List:
4928(S, F): An Active Directory replica source naming context was established.
4929(S, F): An Active Directory replica source naming context was removed.
4930(S, F): An Active Directory replica source naming context was modified.
4931(S, F): An Active Directory replica destination naming context was modified.
4934(S): Attributes of an Active Directory object were replicated.
4935(F): Replication failure begins.
4936(S): Replication failure ends.
4937(S): A lingering object was removed from a replica.
4928(S, F): An Active Directory replica source naming
context was established.
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service
Replication
Event Description:
This event generates every time a new Active
Directory replica source naming context is
established.
Failure event generates if an error occurs
(Status Code != 0).
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4928</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14083</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T19:15:30.067319300Z" />
    <EventRecordID>227065</EventRecordID>
    <Correlation />
    <Execution ProcessID="524" ThreadID="1236" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceAddr">ddec0cff-6ceb-4a59-b13f-1724c38a0970._msdcs.contoso.local</Data>
    <Data Name="NamingContext">DC=ForestDnsZones,DC=contoso,DC=local</Data>
    <Data Name="Options">368</Data>
    <Data Name="StatusCode">0</Data>
  </EventData>
</Event>
Note The Directory Replication Agent (DRA) handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out which partners are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Source Address [Type = UnicodeString]: DNS record of the server from which information or an update was received.
Naming Context [Type = UnicodeString]: naming context to replicate.
Note The Active Directory directory tree is partitioned so that sections can be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is replicated as a unit to the other domain controllers in the forest that hold a replica of the same subtree.
Status Code [Type = UInt32]: if there are no issues or errors, the status code is 0. If an error occurred, a Failure event is generated and the Status Code is not equal to 0. You can check the meaning of the error code here: https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx
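The DN/RDN note and the Status Code rule above apply to all four replica naming-context events (4928 to 4931). The following added example (not code from the original page or from Microsoft) splits the distinguished names carried in DestinationDRA, SourceDRA and NamingContext into RDNs, recovers the server name from an NTDS Settings DN, and classifies the event as Success or Failure from its Status Code. The XML is the 4928 sample event shown above, trimmed to the fields used; the RDN splitter is this example's own code and handles backslash-escaped commas inside values (RFC 4514), which the page's note does not mention.

```python
"""
Added example: decompose the DNs in 4928-4931 events into RDNs and classify the
event outcome from its Status Code. XML below is the page's 4928 sample (trimmed).
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

EVENT_4928 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4928</EventID>
    <TimeCreated SystemTime="2015-08-27T19:15:30.067319300Z" />
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceAddr">ddec0cff-6ceb-4a59-b13f-1724c38a0970._msdcs.contoso.local</Data>
    <Data Name="NamingContext">DC=ForestDnsZones,DC=contoso,DC=local</Data>
    <Data Name="Options">368</Data>
    <Data Name="StatusCode">0</Data>
  </EventData>
</Event>"""


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs.

    RDNs are separated by commas; a comma escaped with a backslash (RFC 4514)
    belongs to the value and is kept verbatim. Multi-valued RDNs (a=x+b=y) are
    not split further.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character following a backslash: literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def server_from_dra(dra_dn: str) -> Optional[str]:
    """A DRA DN reads CN=NTDS Settings,CN=<server>,...; return <server>, or None for "-"."""
    if dra_dn.strip() in ("", "-"):
        return None
    rdns = split_dn(dra_dn)
    if len(rdns) >= 2 and rdns[0] == ("CN", "NTDS Settings"):
        return rdns[1][1]
    return None


def summarize(xml_text: str) -> dict:
    """Reduce a 4928-4931 event to the fields an analyst compares across DCs."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    status = int(data.get("StatusCode", "0"))
    return {
        "event_id": int(root.find("e:System/e:EventID", NS).text),
        "outcome": "Success" if status == 0 else "Failure",   # Status Code != 0 -> Failure event
        "status_code": status,
        "destination_dc": server_from_dra(data.get("DestinationDRA", "-")),
        "source_dc": server_from_dra(data.get("SourceDRA", "-")),
        "naming_context": data.get("NamingContext", ""),
        "naming_context_rdns": split_dn(data.get("NamingContext", "")),
    }


if __name__ == "__main__":
    print(summarize(EVENT_4928))
```

For 4929 to 4931 the SourceDRA or DestinationDRA field is often “-” (as in the samples on this page), which `server_from_dra` maps to None instead of raising; the naming-context RDNs make it easy to group events by partition (ForestDnsZones, Schema, the domain partition) when comparing replication activity between domain controllers.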
4929(S, F): An Active Directory replica source naming context was removed.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory
Service Replication
Event Description:
This event generates every time Active
Directory replica source naming context
was removed.
Failure event generates if an error
occurs (Status Code != 0).
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4929</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14083</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T18:54:50.446211200Z" />
    <EventRecordID>227013</EventRecordID>
    <Correlation />
    <Execution ProcessID="524" ThreadID="2636" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceDRA">-</Data>
    <Data Name="SourceAddr">2d361dd6-fc22-4d9d-b876-ec582b836458._msdcs.contoso.local</Data>
    <Data Name="NamingContext">DC=contoso,DC=local</Data>
    <Data Name="Options">16640</Data>
    <Data Name="StatusCode">0</Data>
  </EventData>
</Event>
Note The Directory Replication Agent (DRA) handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out which partners are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Source Address [Type = UnicodeString]: DNS record of the server from which the “remove” request was received.
Naming Context [Type = UnicodeString]: naming context which was removed.
Note The Active Directory directory tree is partitioned so that sections can be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is replicated as a unit to the other domain controllers in the forest that hold a replica of the same subtree.
4930(S, F): An Active Directory replica source naming context was modified.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service
Replication
Event Description:
This event generates every time Active
Directory replica source naming context was
modified.
Failure event generates if an error occurs
(Status Code != 0).
It is not possible to understand what exactly
was modified from this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4930</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14083</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T18:56:51.474057400Z" />
    <EventRecordID>1564</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="1280" />
    <Channel>Security</Channel>
    <Computer>Win2012r2.corp.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="DestinationDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceDRA">-</Data>
    <Data Name="SourceAddr">edf0bef9-1f73-4df3-8991-f6ec2d4ef3ae</Data>
    <Data Name="NamingContext">CN=Schema,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="Options">0</Data>
    <Data Name="StatusCode">0</Data>
  </EventData>
</Event>
Note The Directory Replication Agent (DRA) handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out which partners are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name. Typically equals “-” for this event.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Source Address [Type = UnicodeString]: DNS record of the computer from which the modification request was received.
Naming Context [Type = UnicodeString]: naming context which was modified.
Note The Active Directory directory tree is partitioned so that sections can be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is replicated as a unit to the other domain controllers in the forest that hold a replica of the same subtree.
4931(S, F): An Active Directory replica destination naming context was modified.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory
Service Replication
Event Description:
This event generates every time Active
Directory replica destination naming
context was modified.
Failure event generates if an error
occurs (Status Code != 0).
It is not possible to understand what
exactly was modified from this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4931</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14083</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T19:02:41.563619400Z" />
    <EventRecordID>227058</EventRecordID>
    <Correlation />
    <Execution ProcessID="524" ThreadID="2936" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="DestinationDRA">ddec0cff-6ceb-4a59-b13f-1724c38a0970._msdcs.contoso.local</Data>
    <Data Name="SourceDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceAddr">-</Data>
    <Data Name="NamingContext">DC=ForestDnsZones,DC=contoso,DC=local</Data>
    <Data Name="Options">23</Data>
    <Data Name="StatusCode">0</Data>
  </EventData>
</Event>
Note The Directory Replication Agent (DRA) handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out which partners are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Destination Address [Type = UnicodeString]: DNS record of the computer to which the modification request was sent.
Naming Context [Type = UnicodeString]: naming context which was modified.
Note The Active Directory directory tree is partitioned so that sections can be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is replicated as a unit to the other domain controllers in the forest that hold a replica of the same subtree.
4934(S): Attributes of an Active Directory object were replicated.
Applies to
Windows 10
Windows Server 2016
This event generates when attributes of an Active Directory object were replicated.
There is no example of this event in this document.
Subcategory: Audit Detailed Directory Service Replication
Event Schema:
Attributes of an Active Directory object were replicated.
Session ID:%1
Object:%2
Attribute:%3
Type of change:%4
New Value:%5
USN:%6
Status Code:%7
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
4935(F): Replication failure begins.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service
Replication
Event Description:
This event generates when Active Directory
replication failure begins.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4935</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14083</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T18:54:48.758149800Z" />
    <EventRecordID>1552</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>Win2012r2.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ReplicationEvent">1</Data>
    <Data Name="AuditStatusCode">8419</Data>
  </EventData>
</Event>
4936(S): Replication failure ends.
Applies to
Windows 10
Windows Server 2016
This event generates when Active Directory replication failure ends.
There is no example of this event in this document.
Subcategory: Audit Detailed Directory Service Replication
Event Schema:
Replication failure ends.
Replication Event:%1
Audit Status Code:%2
Replication Status Code:%3
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
4937(S): A lingering object was removed from a replica.
Applies to
Windows 10
Windows Server 2016
This event generates when a lingering object was removed from a replica.
There is no example of this event in this document.
Subcategory: Audit Detailed Directory Service Replication
Event Schema:
A lingering object was removed from a replica.
Destination DRA:%1
Source DRA:%2
Object:%3
Options:%4
Status Code:%5
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Audit Directory Service Access
Applies to
Windows 10
Windows Server 2016
Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.
Event volume: High on servers running AD DS role services.
This subcategory allows you to audit when an Active Directory Domain Services (AD DS) object is accessed. It also generates Failure events if access was not granted.
Events List:
4662(S, F): An operation was performed on an object.
4661(S, F): A handle to an object was requested.
4662(S, F): An operation was performed on an
object.
4/5/2019 • 7 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Access
Event Description:
This event generates every time an operation is performed on an Active Directory object.
This event generates only if an appropriate SACL was set for the Active Directory object and the operation performed matches this SACL.
If the operation failed, a Failure event is generated.
You get one 4662 event for each operation type that was performed.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4662</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14080</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-28T01:58:36.894922400Z" />
    <EventRecordID>407230</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="600" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x35867</Data>
    <Data Name="ObjectServer">DS</Data>
    <Data Name="ObjectType">%{bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
    <Data Name="ObjectName">%{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2}</Data>
    <Data Name="OperationType">Object Access</Data>
    <Data Name="HandleId">0x0</Data>
    <Data Name="AccessList">%%1537</Data>
    <Data Name="AccessMask">0x10000</Data>
    <Data Name="Properties">%%1537 {bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
    <Data Name="AdditionalInfo">-</Data>
    <Data Name="AdditionalInfo2" />
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “DS” value for this event.
Object Type [Type = UnicodeString]: type or class of the object that was accessed. Some of the common
Active Directory object types and classes are:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of Object Type, open the Active Directory Schema snap-in (see how to enable this snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active Directory Schema\Classes. Or use this document: https://msdn.microsoft.com/library/cc221630.aspx
Object Name [Type = UnicodeString]: distinguished name of the object that was accessed.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate
this event with other events that might contain the same Handle ID, for example, “4661: A handle to an object
was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Operation:
Operation Type [Type = UnicodeString]: the type of operation which was performed on an object.
Typically has “Object Access” value for this event.
Accesses [Type = UnicodeString]: the type of access used for the operation. See “Table 9. Active Directory
Access Codes and Rights.” for more information.
Access Mask [Type = HexInt32]: hexadecimal mask for the type of access used for the operation. See
“Table 9. Active Directory Access Codes and Rights.” for more information.
Properties [Type = UnicodeString]: first part is the type of access that was used. Typically has the same
value as Accesses field.
Second part is a tree of GUID values of Active Directory classes or property sets, for which operation was
performed.
Note: GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Sometimes the GUID refers to a pre-defined Active Directory property set; you can find the GUID (Rights-GUID field),
the property set name and details here: https://msdn.microsoft.com/library/ms683990(v=vs.85).aspx.
Here is an example of decoding the Properties field:
PROPERTIES | TRANSLATION
{bf967a86-0de6-11d0-a285-00aa003049e2} | Computer
{91e647de-d96f-4b70-9557-d63ff4f3ccd8} | Private-Information property set
{6617e4ac-a2f1-43ab-b60c-11fbd1facf05} | ms-PKI-RoamingTimeStamp
{b3f93023-9239-4f7c-b99c-6745d87adbc2} | ms-PKI-DPAPIMasterKeys
{b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7} | ms-PKI-AccountCredentials
Additional Information:
Parameter 1 [Type = UnicodeString]: there is no information about this field in this document.
Parameter 2 [Type = UnicodeString]: there is no information about this field in this document.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor attempted operations on specific Active Directory classes, monitor the Object Type
field for the specific class name. For example, we recommend that you monitor all attempted operations on the
domainDNS class.
If you need to monitor attempted operations on specific Active Directory objects, monitor the Object Name
field for the specific object name. For example, we recommend that you monitor all attempted operations on the
“CN=AdminSDHolder,CN=System,DC=domain,DC=com” object.
Some access types are more important to monitor, for example:
Write Property
Control Access
DELETE
WRITE_DAC
WRITE_OWNER
You can decide to monitor these (or one of these) access types for specific Active Directory objects.
To do so, monitor the Accesses field for the specific access type.
If you need to monitor attempted operations on specific Active Directory properties, monitor the Properties
field for the specific property GUID.
Do not forget that Failure attempts are also very important to audit. Decide where you want to monitor
Failure attempts based on the previous recommendations.
4661(S, F): A handle to an object was requested.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit Directory Service Access and Audit SAM
Event Description:
This event indicates that a handle was requested for either an Active Directory object or a Security Account
Manager (SAM) object.
If access was declined, then a Failure event is generated.
This event generates only if Success auditing is enabled for the Audit Handle Manipulation subcategory.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4661</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T00:11:56.547696700Z" />
<EventRecordID>1048009</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="528" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4280e</Data>
<Data Name="ObjectServer">Security Account Manager</Data>
<Data Name="ObjectType">SAM_DOMAIN</Data>
<Data Name="ObjectName">DC=contoso,DC=local</Data>
<Data Name="HandleId">0xdd64d36870</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%5400</Data>
<Data Name="AccessMask">0x2d</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="Properties">-</Data>
<Data Name="RestrictedSidCount">2949165</Data>
<Data Name="ProcessId">0x9000a000d002d</Data>
<Data Name="ProcessName">{bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501}
</Data>
</EventData>
</Event>
Required Server Roles: For an Active Directory object, the domain controller role is required. For a SAM object,
there is no required role.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested a handle to an object. Event Viewer automatically tries
to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.
Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security Account Manager” value for this event.
Object Type [Type = UnicodeString]: the type or class of the object that was accessed. The following list
contains possible values for this field:
SAM_ALIAS - a local group.
SAM_GROUP - a group that is not a local group.
SAM_USER - a user account.
SAM_DOMAIN - a domain. For Active Directory events, this is the typical value.
SAM_SERVER - a computer account.
Object Name [Type = UnicodeString]: the name of the object for which access was requested. The format depends on
Object Type:
SAM_ALIAS – SID of the group.
SAM_GROUP - SID of the group.
SAM_USER - SID of the account.
SAM_DOMAIN – distinguished name of the accessed object.
SAM_SERVER - distinguished name of the accessed object.
Note: The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDNs) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate
this event with other events that might contain the same Handle ID, for example, “4662: An operation was
performed on an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested the handle. A Process ID
(PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a
specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event
with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-
0000-000000000000}”.
Note: GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID.
These access rights depend on Object Type. See “Table 13. File access codes.” for more information about
file access rights. For information about SAM object access rights, use https://technet.microsoft.com/ or other
informational resources.
Access Mask [Type = HexInt32]: hexadecimal mask for the operation that was requested or performed. See
“Table 13. File access codes.” for more information about file access rights. For information about SAM
object access rights, use https://technet.microsoft.com/ or other informational resources.
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used
during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event,
and in that case appears as “-”. See full list of user privileges in the table below:
PRIVILEGE NAME | USER RIGHT GROUP POLICY NAME | DESCRIPTION
SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.
SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request.
SeShutdownPrivilege | Shut down the system | Required to shut down a local system.
SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.
Properties [Type = UnicodeString]: depends on Object Type. This field can be empty or contain the list of
the object properties that were accessed. See more detailed information in “4661: A handle to an object was
requested” from Audit SAM subcategory.
Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only specific
Object Types.
Security Monitoring Recommendations
For 4661(S, F): A handle to an object was requested.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
You can get almost the same information from “4662: An operation was performed on an object.” There are no
additional recommendations for this event in this document.
Audit Directory Service Changes
4/5/2019
Applies to
Windows 10
Windows Server 2016
Audit Directory Service Changes determines whether the operating system generates audit events when changes
are made to objects in Active Directory Domain Services (AD DS).
Auditing of directory service objects can provide information about the old and new properties of the objects that
were changed.
Audit events are generated only for objects with configured system access control lists (SACLs), and only when
they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit
events to be generated due to settings on the object class in the schema.
This subcategory only logs events on domain controllers.
Event volume: High on domain controllers.
This subcategory triggers events when an Active Directory object was modified, created, undeleted, moved, or
deleted.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Events List:
5136(S): A directory service object was modified.
5137(S): A directory service object was created.
5138(S): A directory service object was undeleted.
5139(S): A directory service object was moved.
5141(S): A directory service object was deleted.
5136(S): A directory service object was modified.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Changes
Event Description:
This event generates every time an Active Directory object is modified.
To generate this event, the modified object must have an appropriate entry in its SACL: the “Write” action
auditing for specific attributes.
For a change operation you will typically see two 5136 events for one action, with different Operation\Type
fields: “Value Deleted” and then “Value Added”. The “Value Deleted” event typically contains the previous value
and the “Value Added” event contains the new value.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T17:36:04.129472600Z" />
<EventRecordID>410204</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4020" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{02647639-8626-43CE-AFE6-7AA1AD657739}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x32004</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="ObjectDN">CN=Sergey,CN=Builtin,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{4FE80A66-5F93-4F73-B215-68678058E613}</Data>
<Data Name="ObjectClass">user</Data>
<Data Name="AttributeLDAPDisplayName">userAccountControl</Data>
<Data Name="AttributeSyntaxOID">2.5.5.9</Data>
<Data Name="AttributeValue">512</Data>
<Data Name="OperationType">%%14675</Data>
</EventData>
</Event>
Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “modify object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of the Active Directory domain where the modified object is
located.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
DN [Type = UnicodeString]: distinguished name of the object that was modified.
Note: The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDNs) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit
value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object
created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves the GUID field to the real object.
To translate this GUID, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(objectGUID=GUID))
Perform the following operations with the GUID before using it in a search request:
We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
Take the first 3 sections: a6b34ab5-551b-4626.
For each of these 3 sections, invert the order of the bytes, like this: b54ab3a6-1b55-2646
Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
Delete the dashes: b54ab3a61b552646b8ee2b36b3ee6672
Divide the bytes with backslashes: \b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID=\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
Class [Type = UnicodeString]: class of the object that was modified. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field open Active Directory Schema snap-in (see how to enable this
snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active
Directory Schema\Classes. Or use this document:
https://msdn.microsoft.com/library/cc221630.aspx
Attribute:
LDAP Display Name [Type = UnicodeString]: the object attribute that was modified.
Note: LDAP Display Name is the name used by LDAP clients, such as the ADSI LDAP provider, to read and
write the attribute by using the LDAP protocol.
Syntax (OID) [Type = UnicodeString]: The syntax for an attribute defines the storage representation, byte
ordering, and matching rules for comparisons of property types. Whether the attribute value must be a string, a
number, or a unit of time is also defined. Every attribute of every object is associated with exactly one syntax.
The syntaxes are not represented as objects in the schema, but they are programmed to be understood by
Active Directory. The allowable syntaxes in Active Directory are predefined.
Value [Type = UnicodeString]: the value which was added or deleted, depending on the Operation\Type field.
Operation:
Type [Type = UnicodeString]: type of performed operation.
Value Added – new value added.
Value Deleted – value deleted (typically “Value Deleted” is a part of change operation).
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This
value allows you to correlate all the modification events that comprise the operation. Just look for other events
from the current subcategory with the same Correlation ID, for example “5137: A directory service object was
created.” and “5139: A directory service object was moved.”
Note: GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Application Correlation ID [Type = UnicodeString]: always has “-” value. Not in use.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor modifications to specific Active Directory objects, monitor the DN field for the specific
object name. For example, we recommend that you monitor all modifications to the
“CN=AdminSDHolder,CN=System,DC=domain,DC=com” object.
If you need to monitor modifications to specific Active Directory classes, monitor the Class field for the specific
class name. For example, we recommend that you monitor all modifications to the domainDNS class.
If you need to monitor modifications to specific Active Directory attributes, monitor the LDAP Display
Name field for the specific attribute name.
It is better to monitor Operation\Type = Value Added events, because you will see the new value of the
attribute. At the same time, you can correlate to the previous Operation\Type = Value Deleted event with the
same Correlation ID to see the previous value.
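Pairing the two halves of a 5136 change by Correlation ID to recover the previous and new value, as an added example that is not part of the original document. The OperationType code %%14675 is the one in the sample event above; its resolution as “Value Deleted”, the code %%14674 for “Value Added”, the watch lists and the sample records (with placeholder correlation IDs) are assumptions made for the demo.

```python
"""Reconstruct before/after values from 5136 (A directory service object was
modified) records by pairing the Value Deleted and Value Added halves that share
a Correlation ID, as the recommendations above suggest. Added example, not code
from the original document; the sample records are constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# OperationType message codes: %%14675 is the code in the page's sample event;
# its meaning (Value Deleted) and %%14674 (Value Added) are assumed resolutions.
OPERATION_TYPE = {"%%14674": "Value Added", "%%14675": "Value Deleted"}

# Attributes and objects worth a closer look (assumed watch list).
WATCHED_ATTRIBUTES = {"member", "userAccountControl"}
WATCHED_DNS = {"cn=adminsdholder,cn=system,dc=contoso,dc=local"}


def parse_5136(xml_text):
    """Flatten one 5136 Event XML record into a dict; None if it is another event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
        return None
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}


def pair_changes(records):
    """Group by (OpCorrelationID, DN, attribute) and fill old/new from the two halves.
    A removal from a multi-valued attribute has only a Value Deleted half and an
    addition only a Value Added half, so either side may stay None."""
    changes = defaultdict(lambda: {"old": None, "new": None})
    for xml_text in records:
        ev = parse_5136(xml_text)
        if ev is None:
            continue
        key = (ev["OpCorrelationID"], ev["ObjectDN"], ev["AttributeLDAPDisplayName"])
        op = OPERATION_TYPE.get(ev["OperationType"], ev["OperationType"])
        changes[key]["old" if op == "Value Deleted" else "new"] = ev["AttributeValue"]
    return dict(changes)


def report(changes):
    """One line per change, flagging watched attributes and objects with '!'."""
    lines = []
    for (_, dn, attr), vals in changes.items():
        flag = "!" if attr in WATCHED_ATTRIBUTES or dn.lower() in WATCHED_DNS else " "
        lines.append(f"{flag} {dn} {attr}: {vals['old']} -> {vals['new']}")
    return lines


def make_5136(corr_id, dn, obj_class, attr, value, op_code):
    """Build a minimal 5136 record for the demo (constructed, not a real log)."""
    data = {
        "OpCorrelationID": corr_id, "SubjectUserName": "dadmin", "DSName": "contoso.local",
        "ObjectDN": dn, "ObjectClass": obj_class, "AttributeLDAPDisplayName": attr,
        "AttributeValue": value, "OperationType": op_code,
    }
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5136</EventID></System>'
            f'<EventData>{body}</EventData></Event>')


# Constructed samples with placeholder correlation IDs: one change operation
# (userAccountControl 512 -> 514, i.e. the account was disabled) logged as two
# halves, plus a single-half addition of a member to Domain Admins.
SERGEY = "CN=Sergey,CN=Users,DC=contoso,DC=local"
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=contoso,DC=local"
SAMPLE_RECORDS = [
    make_5136("{0000-A}", SERGEY, "user", "userAccountControl", "512", "%%14675"),
    make_5136("{0000-A}", SERGEY, "user", "userAccountControl", "514", "%%14674"),
    make_5136("{0000-B}", DOMAIN_ADMINS, "group", "member", SERGEY, "%%14674"),
]

if __name__ == "__main__":
    print("\n".join(report(pair_changes(SAMPLE_RECORDS))))
```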
5137(S): A directory service object was created.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Changes
Event Description:
This event generates every time an Active Directory object is created.
This event only generates if the parent object has a particular entry in its SACL: the “Create” action auditing
for specific classes or objects. An example is the “Create Computer objects” action auditing for the
organizational unit.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5137</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T18:36:26.048167500Z" />
<EventRecordID>410737</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3156" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{4EAD68FF-7229-42A4-8C73-AAB57169858B}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x32004</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="ObjectDN">cn=Win2000,CN=Users,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{41D5F7AF-64A2-4985-9A4B-70DAAFC7CCE6}</Data>
<Data Name="ObjectClass">computer</Data>
</EventData>
</Event>
Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of the Active Directory domain where the new object is created.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
DN [Type = UnicodeString]: distinguished name of the object that was created.
Note: The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDNs) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit
value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object
created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves the GUID field to the real object.
To translate this GUID, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(objectGUID=GUID))
Perform the following operations with the GUID before using it in a search request:
We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
Take the first 3 sections: a6b34ab5-551b-4626.
For each of these 3 sections, invert the order of the bytes, like this: b54ab3a6-1b55-2646
Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
Delete the dashes: b54ab3a61b552646b8ee2b36b3ee6672
Divide the bytes with backslashes: \b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID=\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
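The GUID translation procedure above (the same one given under 5136), as an added example that is not part of the original document: it carries the text's sample GUID through the byte inversion and escaping steps, builds the resulting filter, and reverses the transformation; the uuid module's bytes_le layout is used only as a cross-check of the hand-written steps.

```python
"""Translate an objectGUID from its text form to the backslash-escaped byte form
an LDAP filter needs, following the steps in the text, and back again. Added
example, not code from the original document."""
import uuid


def guid_to_ldap_bytes(guid_text):
    """The text's steps: reverse the bytes of the first three sections, keep the
    last two as they are, drop the dashes, then escape each byte with a backslash."""
    parts = guid_text.strip("{}").split("-")
    if [len(p) for p in parts] != [8, 4, 4, 4, 12]:
        raise ValueError(f"not a GUID: {guid_text!r}")
    raw = b"".join(bytes.fromhex(p)[::-1] for p in parts[:3])  # inverted sections
    raw += b"".join(bytes.fromhex(p) for p in parts[3:])        # untouched sections
    # Cross-check: this is exactly the mixed-endian layout that uuid calls bytes_le.
    assert raw == uuid.UUID(guid_text).bytes_le
    return "".join(f"\\{b:02x}" for b in raw)


def ldap_bytes_to_guid(escaped):
    """Inverse: turn the escaped byte string back into the familiar text form."""
    return str(uuid.UUID(bytes_le=bytes.fromhex(escaped.replace("\\", ""))))


def objectguid_filter(guid_text):
    """The LDAP filter from the text, ready for LDP.exe or any other LDAP client."""
    return f"(&(objectClass=*)(objectGUID={guid_to_ldap_bytes(guid_text)}))"


if __name__ == "__main__":
    sample = "a6b34ab5-551b-4626-b8ee-2b36b3ee6672"   # the GUID used in the text
    print(guid_to_ldap_bytes(sample))
    print(objectguid_filter("{4FE80A66-5F93-4F73-B215-68678058E613}"))
```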
Class [Type = UnicodeString]: class of the object that was created. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field, open the Active Directory Schema snap-in (see how to enable this snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active Directory Schema\Classes, or use this document: https://msdn.microsoft.com/library/cc221630.aspx
Operation:
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from the current subcategory with the same Correlation ID, for example “5136: A directory service object was modified.” and “5139: A directory service object was moved.”
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Application Correlation ID [Type = UnicodeString]: always has the “-” value. Not in use.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor creation of Active Directory objects with specific classes, monitor for the Class field with a specific class name. For example, we recommend that you monitor all new group policy object creations: the groupPolicyContainer class.
You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to
get 5137. There is no reason to audit all creation events for all types of Active Directory objects; find the
most important locations (organizational units, folders, etc.) and monitor for creation of specific classes only
(user, computer, group, etc.).
5138(S): A directory service object was undeleted.
4/5/2019 • 5 minutes to read
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5138</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-02T04:34:20.611082300Z" />
<EventRecordID>229336</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="544" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="OpCorrelationID">{3E2B5ECF-4C35-4C3F-8D82-B8D6F477D846}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3be49</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="OldObjectDN">CN=Andrei\\0ADEL:53511188-bc98-4995-9d78-2d40143c9711,CN=Deleted Objects,DC=contoso,DC=local</Data>
<Data Name="NewObjectDN">CN=Andrei,CN=Users,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{53511188-BC98-4995-9D78-2D40143C9711}</Data>
<Data Name="ObjectClass">user</Data>
</EventData>
</Event>
Note A security identifier (SID ) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: name of account that requested that the object be undeleted or
restored.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of an Active Directory domain, where the object was undeleted.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
Old DN [Type = UnicodeString]: old distinguished name of the undeleted object. It points to the Active Directory Recycle Bin folder if the object was restored from it.
Note The LDAP API references an LDAP object by its distinguished name (DN ). A DN is a sequence of
relative distinguished names (RDN ) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
New DN [Type = UnicodeString]: New distinguished name of undeleted object. The Active Directory
container to which the object was restored.
GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves the GUID field to the real object.
To translate this GUID, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(objectGUID=GUID))
Perform the following operations with the GUID before using it in a search request:
We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
Take the first 3 sections: a6b34ab5-551b-4626.
For each of these 3 sections, invert the order of the bytes, like this: b54ab3a6-1b55-2646
Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
Delete the “-” separators: b54ab3a61b552646b8ee2b36b3ee6672
Divide the bytes with backslashes: \b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID=\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
Class [Type = UnicodeString]: class of the object that was undeleted. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field, open the Active Directory Schema snap-in (see how to enable this snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active Directory Schema\Classes, or use this document: https://msdn.microsoft.com/library/cc221630.aspx
Operation:
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from the current subcategory with the same Correlation ID, for example “5137: A directory service object was created.” and “5139: A directory service object was moved.”
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Application Correlation ID [Type = UnicodeString]: always has the “-” value. Not in use.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor undelete operations (restoration) of Active Directory objects with specific classes,
monitor for Class field with specific class name.
It may be a good idea to monitor all undelete events, because the operation is not performed very often.
Confirm that there is a reason for the object to be undeleted.
5139(S): A directory service object was moved.
4/5/2019 • 5 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Changes
Event Description:
This event generates every time an Active Directory object is moved.
This event only generates if the destination object has a particular entry in its SACL: the “Create” action, auditing for specific classes or objects. An example is the “Create Computer objects” action, auditing for the organizational unit.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5139</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T06:26:07.019116600Z" />
<EventRecordID>409532</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="600" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="OpCorrelationID">{67A42C05-A70D-4348-AF19-E883CB1FCA9C}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x35867</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="OldObjectDN">CN=NewUser,CN=Builtin,DC=contoso,DC=local</Data>
<Data Name="NewObjectDN">CN=NewUser,CN=Users,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{06713960-9CC3-4B5D-A594-35883A04F934}</Data>
<Data Name="ObjectClass">user</Data>
</EventData>
</Event>
Note A security identifier (SID ) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “move object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of an Active Directory domain, where the object was moved.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
Old DN [Type = UnicodeString]: Old distinguished name of moved object.
Note The LDAP API references an LDAP object by its distinguished name (DN ). A DN is a sequence of
relative distinguished names (RDN ) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
New DN [Type = UnicodeString]: New distinguished name of moved object. The Active Directory
container to which the object was moved.
GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves the GUID field to the real object.
To translate this GUID, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(objectGUID=GUID))
Perform the following operations with the GUID before using it in a search request:
We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
Take the first 3 sections: a6b34ab5-551b-4626.
For each of these 3 sections, invert the order of the bytes, like this: b54ab3a6-1b55-2646
Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
Delete the “-” separators: b54ab3a61b552646b8ee2b36b3ee6672
Divide the bytes with backslashes: \b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID=\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
Class [Type = UnicodeString]: class of the object that was moved. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field, open the Active Directory Schema snap-in (see how to enable this snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active Directory Schema\Classes, or use this document: https://msdn.microsoft.com/library/cc221630.aspx
Operation:
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from the current subcategory with the same Correlation ID, for example “5137: A directory service object was created.” and “5141: A directory service object was deleted.”
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Application Correlation ID [Type = UnicodeString]: always has the “-” value. Not in use.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor movement of Active Directory objects with specific classes, monitor for the Class field with a specific class name.
You must set correct auditing access lists (SACLs) for specific classes within the Active Directory container to get 5139. There is no reason to audit all movement events for all types of Active Directory objects; find the most important locations (organizational units, folders, etc.) and monitor for movement of specific classes only (user, computer, group, etc.) to these locations.
5141(S): A directory service object was deleted.
4/5/2019 • 5 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Changes
Event Description:
This event generates every time an Active Directory object is deleted.
This event only generates if the deleted object has a particular entry in its SACL: the “Delete” action, auditing for specific objects.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5141</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T18:48:06.792762900Z" />
<EventRecordID>411118</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="OpCorrelationID">{C8A9000C-C618-4EE9-87FF-F852C0564F18}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x32004</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="ObjectDN">CN=WIN2003,CN=Users,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{CA15B875-AFB1-4E5A-86B2-96E61DE09110}</Data>
<Data Name="ObjectClass">computer</Data>
<Data Name="TreeDelete">%%14679</Data>
</EventData>
</Event>
Note A security identifier (SID ) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of an Active Directory domain, where the object was deleted.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
DN [Type = UnicodeString]: distinguished name of the object that was deleted.
Note The LDAP API references an LDAP object by its distinguished name (DN ). A DN is a sequence of
relative distinguished names (RDN ) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves the GUID field to the real object. For deleted objects, the GUID will be resolved to the new destination of the object, for example: OU=My\0ADEL:cc94c0d7-dd53-4061-9791-e53478dbbc3b,CN=Deleted Objects,DC=contoso,DC=local.
To translate this GUID, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(objectGUID=GUID))
Perform the following operations with the GUID before using it in a search request:
We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
Take the first 3 sections: a6b34ab5-551b-4626.
For each of these 3 sections, invert the order of the bytes, like this: b54ab3a6-1b55-2646
Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
Delete the “-” separators: b54ab3a61b552646b8ee2b36b3ee6672
Divide the bytes with backslashes: \b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID=\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
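The byte-reordering procedure above, as an added example that is not part of the original page (the same conversion applies to the GUID field of events 5137, 5138 and 5139): it accepts the GUID as the event XML shows it (braces and uppercase allowed), builds the LDP.exe filter step by step, cross-checks the result against the little-endian layout of Python's uuid module, and converts raw objectGUID bytes back to display form. Only the worked GUID from the page and the 5138 sample's ObjectGUID are used as input.

```python
"""Convert an objectGUID from a directory service audit event into an LDAP filter.

Added example, not from the original page. It follows the page's procedure:
reverse the bytes of the first three sections, keep the last two, drop the
dashes, and escape every byte with a backslash.
"""
import re
import uuid

GUID_RE = re.compile(
    r"^\{?([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})\}?$",
    re.IGNORECASE,
)


def _reverse_hex_bytes(section: str) -> str:
    """Invert the byte order of a hex string: 'a6b34ab5' -> 'b54ab3a6'."""
    pairs = [section[i:i + 2] for i in range(0, len(section), 2)]
    return "".join(reversed(pairs))


def guid_to_ldap_hex(guid: str) -> str:
    """Return the 32 hex characters in the order Active Directory stores them.

    Accepts the GUID exactly as the event shows it, e.g. '{53511188-BC98-...}'.
    """
    m = GUID_RE.match(guid.strip())
    if not m:
        raise ValueError(f"not a GUID: {guid!r}")
    s1, s2, s3, s4, s5 = (g.lower() for g in m.groups())
    # The first three sections are stored little-endian: invert their bytes.
    # The last two sections are kept without transformation.
    return _reverse_hex_bytes(s1) + _reverse_hex_bytes(s2) + _reverse_hex_bytes(s3) + s4 + s5


def guid_to_ldap_filter(guid: str, object_class: str = "*") -> str:
    """Escape each byte as backslash + two hex digits and wrap it in the page's filter form."""
    hexstr = guid_to_ldap_hex(guid)
    escaped = "".join("\\" + hexstr[i:i + 2] for i in range(0, len(hexstr), 2))
    return f"(&(objectClass={object_class})(objectGUID={escaped}))"


def ldap_hex_to_guid(hexstr: str) -> str:
    """Reverse direction: objectGUID bytes as returned by LDAP -> display form."""
    return str(uuid.UUID(bytes_le=bytes.fromhex(hexstr)))


if __name__ == "__main__":
    worked = "a6b34ab5-551b-4626-b8ee-2b36b3ee6672"  # the page's worked GUID
    print(guid_to_ldap_filter(worked))
    # uuid.bytes_le is the same layout, so it serves as an independent cross-check.
    assert uuid.UUID(worked).bytes_le.hex() == guid_to_ldap_hex(worked)
    # The ObjectGUID from the page's 5138 sample, braces and uppercase included.
    print(guid_to_ldap_filter("{53511188-BC98-4995-9D78-2D40143C9711}", "user"))
```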
Class [Type = UnicodeString]: class of the object that was deleted. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field, open the Active Directory Schema snap-in (see how to enable this snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active Directory Schema\Classes, or use this document: https://msdn.microsoft.com/library/cc221630.aspx
Operation:
Tree Delete [Type = UnicodeString]:
Yes – a “Delete Subtree” operation was performed. This happens, for example, if the “Use Delete Subtree server control” check box was checked during the delete operation in the Active Directory Users and Computers management console.
No – the delete operation was performed without the “Delete Subtree” server control.
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from the current subcategory with the same Correlation ID, for example “5137: A directory service object was created.” and “5139: A directory service object was moved.”
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Application Correlation ID [Type = UnicodeString]: always has the “-” value. Not in use.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor deletion of Active Directory objects with specific classes, monitor for the Class field with a specific class name. For example, we recommend that you monitor for group policy object deletions: the groupPolicyContainer class.
If you need to monitor deletion of specific Active Directory objects, monitor for the DN field with a specific object name. For example, if you have critical Active Directory objects which should not be deleted, monitor for their deletion.
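The monitoring recommendations for 5137, 5138, 5139 and 5141 above, turned into detection logic as an added example (not code from the original page): every undelete is reported, creation and deletion of a watched class are flagged, deletion of a listed critical DN is flagged, moves of watched classes are reported, and events sharing an OpCorrelationID are grouped so one LDAP operation is reviewed as a unit. The three event records are rebuilt from the page's XML samples; the fourth (a 5137 creating a GPO) and the watched-class and critical-DN lists are constructed assumptions to replace with your own.

```python
"""Triage of Audit Directory Service Changes events (5137, 5138, 5139, 5141).

Added example, not from the original page. The event records below are built
from the page's samples plus one constructed 5137; the class and DN lists are
assumptions.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumptions: replace with the classes and DNs that matter in your forest.
WATCHED_CLASSES = {"groupPolicyContainer"}          # page: watch GPO create/delete
MOVE_CLASSES = {"user", "computer", "group"}          # page: watch moves of specific classes
CRITICAL_DNS = {"CN=WIN2003,CN=Users,DC=contoso,DC=local"}  # page: objects that must not be deleted


def make_event(event_id: int, **data: str) -> str:
    """Build a record in the Security log's XML shape (constructed test input)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<Computer>DC01.contoso.local</Computer></System>"
            f"<EventData>{fields}</EventData></Event>")


SAMPLE_EVENTS = [
    # 5141 from the page: a computer object deleted
    make_event(5141, OpCorrelationID="{C8A9000C-C618-4EE9-87FF-F852C0564F18}",
               SubjectUserName="dadmin",
               ObjectDN="CN=WIN2003,CN=Users,DC=contoso,DC=local",
               ObjectClass="computer", TreeDelete="%%14679"),
    # 5138 from the page: a user restored from the Deleted Objects container
    make_event(5138, OpCorrelationID="{3E2B5ECF-4C35-4C3F-8D82-B8D6F477D846}",
               SubjectUserName="dadmin",
               OldObjectDN=r"CN=Andrei\0ADEL:53511188-bc98-4995-9d78-2d40143c9711,"
                           r"CN=Deleted Objects,DC=contoso,DC=local",
               NewObjectDN="CN=Andrei,CN=Users,DC=contoso,DC=local", ObjectClass="user"),
    # 5139 from the page: a user moved between containers
    make_event(5139, OpCorrelationID="{67A42C05-A70D-4348-AF19-E883CB1FCA9C}",
               SubjectUserName="dadmin",
               OldObjectDN="CN=NewUser,CN=Builtin,DC=contoso,DC=local",
               NewObjectDN="CN=NewUser,CN=Users,DC=contoso,DC=local", ObjectClass="user"),
    # Constructed: a GPO created within the same LDAP operation as the move above
    make_event(5137, OpCorrelationID="{67A42C05-A70D-4348-AF19-E883CB1FCA9C}",
               SubjectUserName="dadmin",
               ObjectDN="CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=contoso,DC=local",
               ObjectClass="groupPolicyContainer"),
]


def parse_event(xml_text: str) -> dict:
    """Flatten one event into {'EventID': int, <Data Name>: text, ...}."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def triage(ev: dict) -> list:
    """Alerts the page's recommendations raise for one parsed event."""
    eid, cls = ev["EventID"], ev.get("ObjectClass", "")
    alerts = []
    if eid == 5138:  # undeletes are rare: confirm there was a reason for each one
        alerts.append(f"undelete of {ev['NewObjectDN']} by {ev['SubjectUserName']}")
    if eid == 5137 and cls in WATCHED_CLASSES:
        alerts.append(f"creation of {cls}: {ev['ObjectDN']}")
    if eid == 5141 and cls in WATCHED_CLASSES:
        alerts.append(f"deletion of {cls}: {ev['ObjectDN']}")
    if eid == 5141 and ev.get("ObjectDN") in CRITICAL_DNS:
        alerts.append(f"deletion of critical object {ev['ObjectDN']}")
    if eid == 5139 and cls in MOVE_CLASSES:
        alerts.append(f"move of {cls} from {ev['OldObjectDN']} to {ev['NewObjectDN']}")
    return alerts


def analyze(xml_records: list) -> tuple:
    """Return (alerts per record index, event IDs grouped by OpCorrelationID)."""
    events = [parse_event(x) for x in xml_records]
    alerts = {i: triage(ev) for i, ev in enumerate(events)}
    by_op = defaultdict(list)
    for ev in events:  # one LDAP operation can emit several of these events
        by_op[ev.get("OpCorrelationID", "-")].append(ev["EventID"])
    return alerts, dict(by_op)


if __name__ == "__main__":
    found, ops = analyze(SAMPLE_EVENTS)
    for idx, msgs in found.items():
        for msg in msgs:
            print(f"record {idx}: {msg}")
    for op_id, ids in ops.items():
        print(f"operation {op_id}: events {ids}")
```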
Audit Directory Service Replication
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Directory Service Replication determines whether the operating system generates audit events when
replication between two domain controllers begins and ends.
Event volume: Medium on domain controllers.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Events List:
4932(S): Synchronization of a replica of an Active Directory naming context has begun.
4933(S, F): Synchronization of a replica of an Active Directory naming context has ended.
4932(S): Synchronization of a replica of an Active Directory naming context has begun.
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4932</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14082</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-02T02:06:03.814642100Z" />
<EventRecordID>413689</EventRecordID>
<Correlation />
<Execution ProcessID="524" ThreadID="276" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="SourceDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="NamingContext">CN=Schema,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="Options">2147483733</Data>
<Data Name="SessionID">48</Data>
<Data Name="StartUSN">20869</Data>
</EventData>
</Event>
Note The Directory Replication Agent (DRA ) handles replication between domain controllers. The
Directory Replication Agent uses the connection objects in the topology map to find out those partners that are
relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners
of a domain controller when the domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.
Note The LDAP API references an LDAP object by its distinguished name (DN ). A DN is a sequence of
relative distinguished names (RDN ) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Note Active Directory replication does not depend on time to determine what changes need to be
propagated. It relies instead on the use of update sequence numbers (USNs) that are assigned by a counter
that is local to each domain controller. Because these USN counters are local, it is easy to ensure that they are
reliable and never "run backward" (that is, decrease in value). The trade-off is that it is meaningless to compare
a USN assigned on one domain controller to a USN assigned on a different domain controller. The replication
system is designed with this restriction in mind.
4933(S, F): Synchronization of a replica of an Active Directory naming context has ended.
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4933</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14082</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-01T20:58:28.854735700Z" />
<EventRecordID>413644</EventRecordID>
<Correlation />
<Execution ProcessID="524" ThreadID="2288" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="SourceDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="NamingContext">CN=Schema,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="Options">2147483733</Data>
<Data Name="SessionID">40</Data>
<Data Name="EndUSN">20869</Data>
<Data Name="StatusCode">1722</Data>
</EventData>
</Event>
Note The Directory Replication Agent (DRA ) handles replication between domain controllers. The
Directory Replication Agent uses the connection objects in the topology map to find out those partners that
are relevant when replicating changes to directory partitions. The DRA sends a replication request to the
partners of a domain controller when the domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.
Note The LDAP API references an LDAP object by its distinguished name (DN ). A DN is a sequence of
relative distinguished names (RDN ) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Note Active Directory replication does not depend on time to determine what changes need to be
propagated. It relies instead on the use of update sequence numbers (USNs) that are assigned by a counter
that is local to each domain controller. Because these USN counters are local, it is easy to ensure that they are
reliable and never "run backward" (that is, decrease in value). The trade-off is that it is meaningless to compare
a USN assigned on one domain controller to a USN assigned on a different domain controller. The replication
system is designed with this restriction in mind.
Status Code [Type = UInt32]: if there are no issues or errors, the status code will be “0”. If an error happened, you will receive a Failure event and the Status Code will not be equal to “0”. You can check the meaning of the error code here: https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx
Audit Account Lockout
Applies to
Windows 10
Windows Server 2016
Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an
account that is locked out.
If you configure this policy setting, an audit event is generated when an account cannot log on to a computer
because the account is locked out.
Account lockout events are essential for understanding user activity and detecting potential attacks.
Event volume: Low.
This subcategory covers failed logon attempts made when the account was already locked out.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Events List:
4625(F): An account failed to log on.
4625(F): An account failed to log on.
4/5/2019 • 13 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit Account Lockout and Audit Logon
Event Description:
This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out.
It generates on the computer where the logon attempt was made; for example, if the logon attempt was made on the user’s workstation, then the event will be logged on that workstation.
This event generates on domain controllers, member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12546</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-08T22:54:54.962511700Z" />
<EventRecordID>229977</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3240" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="Status">0xc0000234</Data>
<Data Name="FailureReason">%%2307</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">DC01</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x1bc</Data>
<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that reported information about logon
failure.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon Type [Type = UInt32]: the type of logon which was performed. “Table 11. Windows Logon Types” contains
the list of possible values for this field.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that was specified in the logon attempt.
Account Domain [Type = UnicodeString]: domain or computer name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Failure Information:
Failure Reason [Type = UnicodeString]: textual explanation of Status field value. For this event it typically
has “Account locked out” value.
Status [Type = HexInt32]: the reason why logon failed. For this event it typically has “0xC0000234” value.
The most common status codes are listed in “Table 12. Windows logon status codes.”
0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation.
0XC0000133 | Clocks between DC and other computer too far out of sync.
0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine.
0XC0000192 | An attempt was made to logon, but the Netlogon service was not started.
0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Caller Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Network Information:
Workstation Name [Type = UnicodeString]: machine name from which logon attempt was performed.
Source Network Address [Type = UnicodeString]: IP address of machine from which logon attempt was
performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source port which was used for logon attempt from remote machine.
0 for interactive logons.
Detailed Authentication Information:
Logon Process [Type = UnicodeString]: the name of the trusted logon process that was used for the logon
attempt. See event “4611: A trusted logon process has been registered with the Local Security Authority”
description for more information.
Authentication Package [Type = UnicodeString]: The name of the authentication package which was used
for the logon authentication process. Default packages loaded on LSA startup are located in
“HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key. Other packages can be loaded at
runtime. When a new package is loaded a “4610: An authentication package has been loaded by the Local
Security Authority” (typically for NTLM) or “4622: A security package has been loaded by the Local Security
Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with
the package name. The most common authentication packages are:
NTLM – NTLM-family authentication.
Kerberos – Kerberos authentication.
Negotiate – the Negotiate security package selects between Kerberos and NTLM protocols.
Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the
authentication or the calling application did not provide sufficient information to use Kerberos.
Transited Services [Type = UnicodeString] [Kerberos-only]: the list of transmitted services. Transmitted
services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a
Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service
ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on
behalf of a user. For more information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx
Package Name (NTLM only) [Type = UnicodeString]: The name of the LAN Manager sub-package
(NTLM-family protocol name) that was used during the logon attempt. Possible values are:
“NTLM V1”
“NTLM V2”
“LM”
Only populated if “Authentication Package” = “NTLM”.
Key Length [Type = UInt32]: the length of NTLM Session Security key. Typically it has 128 bit or 56 bit
length. This parameter is always 0 if “Authentication Package” = “Kerberos”, because it is not applicable
for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using Negotiate
authentication package.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
If Subject\Account Name is a name of service account or user account, it may be useful to investigate
whether that account is allowed (or expected) to request logon for Account For Which Logon
Failed\Security ID.
To monitor for a mismatch between the logon type and the account that uses it (for example, if Logon Type
4-Batch or 5-Service is used by a member of a domain administrative group), monitor Logon Type in this
event.
If you have a high-value domain or local account for which you need to monitor every lockout, monitor all
4625 events with the “Subject\Security ID” that corresponds to the account.
We recommend monitoring all 4625 events for local accounts, because these accounts typically should not
be locked out. This is especially relevant for critical servers, administrative workstations, and other high value
assets.
We recommend monitoring all 4625 events for service accounts, because these accounts should not be
locked out or prevented from functioning. This is especially relevant for critical servers, administrative
workstations, and other high value assets.
If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
If the “Account For Which Logon Failed\Security ID” should never be used to log on from the
specific Network Information\Workstation Name.
If a specific account, such as a service account, should only be used from your internal IP address list
(or some other list of IP addresses). In this case, you can monitor for Network Information\Source
Network Address and compare the network address with your list of IP addresses.
If a particular version of NTLM is always used in your organization. In this case, you can use this
event to monitor Package Name (NTLM only), for example, to find events where Package Name
(NTLM only) does not equal NTLM V2.
If NTLM is not used in your organization, or should not be used by a specific account (New
Logon\Security ID). In this case, monitor for all events where Authentication Package is NTLM.
If the Authentication Package is NTLM. In this case, monitor for Key Length not equal to 128,
because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
If Logon Process is not from a trusted logon processes list.
Monitor for all events with the fields and values in the following table:
Failure Information\Status or Failure Information\Sub Status | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”.
Failure Information\Status or Failure Information\Sub Status | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”. This is typically not a security issue but it can be an infrastructure or availability issue.
Failure Information\Status or Failure Information\Sub Status | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”.
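The monitoring recommendations above, together with the status-code table, as one worked detection check. This Python block is an added example and not code from the Microsoft documentation: it parses a 4625 event from its XML, decodes the Status value with the codes listed on this page, and applies the process-name, logon-type, lockout, source-address and NTLM checks described above. The allowed folders, the internal network range and the watched account names are assumptions made for the demonstration; the lockout event reuses the field values of the sample XML above, and the NTLM event is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Status codes named on this page; integer keys make "0XC000015B" and
# "0xc000015b" compare equal.
STATUS_MEANINGS = {
    0xC0000234: "Account locked out",
    0xC00000DC: "Indicates the Sam Server was in the wrong state to perform the desired operation.",
    0xC0000133: "Clocks between DC and other computer too far out of sync",
    0xC000015B: "The user has not been granted the requested logon type (aka logon right) at this machine",
    0xC0000192: "An attempt was made to logon, but the Netlogon service was not started.",
    0xC0000413: "Logon Failure: The machine you are logging onto is protected by an authentication firewall.",
}
INFRA_STATUSES = (0xC000015B, 0xC0000192, 0xC0000413)  # the values in the table above

# Assumed site policy, constructed for this example.
ALLOWED_PROCESS_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")        # the page's own examples
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WATCHED_ACCOUNTS = {"dadmin", "svc-backup"}             # high-value and service accounts

def event_data(xml_text):
    """Return the <Data Name=...> elements of one event's EventData as a dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}

def describe_status(status):
    """Map a Status or Sub Status hex string to the meaning listed on this page."""
    code = int(status, 16)
    return STATUS_MEANINGS.get(code, "unknown status 0x%08X" % code)

def source_is_internal(addr):
    """Source Network Address check; handles '-', localhost and ::ffff:IPv4 forms."""
    if addr in ("-", "", "::1", "127.0.0.1"):
        return True
    if addr.startswith("::ffff:"):
        addr = addr[len("::ffff:"):]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def check_4625(data):
    """Apply the recommendations above to one parsed 4625 event; return finding strings."""
    findings = []
    proc, user = data.get("ProcessName", "-"), data.get("TargetUserName", "").lower()
    if proc != "-" and not proc.lower().startswith(ALLOWED_PROCESS_DIRS):
        findings.append("process outside standard folders: " + proc)
    if any(s in proc.lower() for s in RESTRICTED_SUBSTRINGS):
        findings.append("restricted substring in process name: " + proc)
    if data.get("LogonType") in ("4", "5") and user in WATCHED_ACCOUNTS:
        findings.append("batch/service logon type for watched account " + user)
    code = int(data.get("Status", "0"), 16)
    if code == 0xC0000234 and user in WATCHED_ACCOUNTS:
        findings.append("watched account locked out: " + user)
    if not source_is_internal(data.get("IpAddress", "-")):
        findings.append("source address not in internal list: " + data["IpAddress"])
    if data.get("AuthenticationPackageName") == "NTLM":
        if data.get("LmPackageName") != "NTLM V2":
            findings.append("NTLM sub-package is not NTLM V2: " + data.get("LmPackageName", "-"))
        if data.get("KeyLength") != "128":
            findings.append("NTLM key length is not 128: " + data.get("KeyLength", "-"))
    if code in INFRA_STATUSES:
        findings.append("status %s: %s" % (data["Status"], describe_status(data["Status"])))
    return findings

def make_event(**fields):
    """Build a minimal 4625 XML document; constructed test input, not a real log."""
    body = "".join('<Data Name="%s">%s</Data>' % (k, escape(v)) for k, v in fields.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            "<System><EventID>4625</EventID></System><EventData>%s</EventData></Event>" % body)

# Field values taken from the sample 4625 event shown on this page.
LOCKOUT_EVENT = make_event(TargetUserName="Auditor", Status="0xc0000234", SubStatus="0x0",
                           LogonType="2", AuthenticationPackageName="Negotiate", LmPackageName="-",
                           KeyLength="0", ProcessName="C:\\Windows\\System32\\winlogon.exe",
                           IpAddress="127.0.0.1")
# Constructed: a watched service account using NTLM v1 from outside the internal range.
NTLM_EVENT = make_event(TargetUserName="svc-backup", Status="0xc000015b", SubStatus="0x0",
                        LogonType="3", AuthenticationPackageName="NTLM", LmPackageName="NTLM V1",
                        KeyLength="56", ProcessName="-", IpAddress="::ffff:203.0.113.7")

if __name__ == "__main__":
    for name, xml_text in (("lockout", LOCKOUT_EVENT), ("ntlm", NTLM_EVENT)):
        print(name, check_4625(event_data(xml_text)))
```

Run stand-alone, the block prints the findings for both events. The lockout sample yields none: winlogon.exe in System32, a localhost source and the Negotiate package all fall within the expectations listed above, and Auditor is not on the watch list. The constructed NTLM v1 event trips four checks. The lockout check keys on TargetUserName (the Account For Which Logon Failed), because in the sample event that is the account that was locked out, while the Subject is the DC01$ machine account that reported the failure.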
Audit User/Device Claims
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit User/Device Claims allows you to audit user and device claims information in the account’s logon token.
Events in this subcategory are generated on the computer on which a logon session is created. For an interactive
logon, the security audit event is generated on the computer that the user logged on to.
For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the
computer hosting the resource.
Important: Audit Logon subcategory must also be enabled in order to get events from this subcategory.
Event volume:
Low on a client computer.
Medium on a domain controller or network servers.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Events List:
4626(S): User/Device claims information.
4626(S): User/Device claims information.
4/5/2019 • 6 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User/Device Claims
Event Description:
This event generates for new account logons and contains the user/device claims that were associated with the new logon session.
This event does not generate if the user/device doesn’t have claims.
For computer account logons you will also see device claims listed in the “User Claims” field.
You will typically get “4624: An account was successfully logged on” and after it a 4626 event with the same information in the Subject, Logon Type and New Logon sections.
This event generates on the computer to which the logon was performed (target computer). For example, for Interactive logons it will be the same computer.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4626</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12553</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T00:12:02.243396300Z" />
<EventRecordID>232648</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x136f7b</Data>
<Data Name="LogonType">3</Data>
<Data Name="EventIdx">1</Data>
<Data Name="EventCountTotal">1</Data>
<Data Name="UserClaims">ad://ext/cn:88d2b96fdb2b4c49 <%%1818> : "dadmin" ad://ext/Department:88d16a8edaa8c66b <%%1818> : "IT"</Data>
<Data Name="DeviceClaims">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that reported information about claims.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon Type [Type = UInt32]: the type of logon which was performed. The table below contains the list of possible
values for this field:
New Logon:
Security ID [Type = SID]: SID of account for which logon was performed. Event Viewer automatically tries to
resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account for which logon was performed.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Event in sequence [Type = UInt32]: If there is not enough space in one event to put all claims, you will see “1
of N” in this field and additional events will be generated. Typically this field has the “1 of 1” value.
User Claims [Type = UnicodeString]: list of user claims for the new logon session. This field contains user claims if
a user account was logged in and device claims if a computer account was logged in. Here is an example of how to parse
one entry of this field:
ad://ext/cn:88d2b96fdb2b4c49 <String> : “dadmin”
cn – claim display name.
88d2b96fdb2b4c49 – unique claim ID.
<String> - claim type.
“dadmin” – claim value.
Device Claims [Type = UnicodeString]: list of device claims for new logon session. For user accounts this field
typically has “-“ value. For computer accounts this field has device claims listed.
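A parser for the claim entry format just described, as an added example that is not part of the Microsoft documentation. It splits a User Claims or Device Claims field into (display name, claim ID, type, value) tuples, taking the display name as the last path component of the claim URI (cn for ad://ext/cn). The regular expression and the helper names are this example's own; the one resource-string resolution it knows, %%1818 rendering as String, is taken from the page's own sample event, which shows the same entry in both forms.

```python
import re
from collections import namedtuple

Claim = namedtuple("Claim", "display_name claim_id claim_type value")

# One entry looks like:  ad://ext/cn:88d2b96fdb2b4c49 <String> : "dadmin"
# In the raw XML the type is an unresolved resource id (<%%1818>); the rendered
# event on this page shows that same entry as <String>.
CLAIM_RE = re.compile(r'(\S+?):([0-9A-Fa-f]+)\s*<([^>]+)>\s*:\s*"((?:[^"\\]|\\.)*)"')
TYPE_NAMES = {"%%1818": "String"}  # resolution taken from the page's own example

def parse_claims(field):
    """Split a User Claims / Device Claims field into Claim tuples.

    A field of "-" (the value shown for accounts without claims) yields [].
    """
    if field.strip() in ("", "-"):
        return []
    claims = []
    for uri, claim_id, ctype, value in CLAIM_RE.findall(field):
        display_name = uri.rsplit("/", 1)[-1]          # ad://ext/cn -> cn
        claims.append(Claim(display_name, claim_id, TYPE_NAMES.get(ctype, ctype), value))
    return claims

def claims_as_dict(field):
    """Convenience view {display_name: value}; a later duplicate name wins."""
    return {c.display_name: c.value for c in parse_claims(field)}

# Value taken from the 4626 sample event on this page.
SAMPLE_USER_CLAIMS = ('ad://ext/cn:88d2b96fdb2b4c49 <%%1818> : "dadmin" '
                      'ad://ext/Department:88d16a8edaa8c66b <%%1818> : "IT"')

if __name__ == "__main__":
    for claim in parse_claims(SAMPLE_USER_CLAIMS):
        print(claim)
```

The same function handles the rendered form with <String> and the raw XML form with <%%1818>, so it can be pointed at either an exported .evtx converted to XML or at text copied from Event Viewer.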
Applies to
Windows 10
Windows Server 2016
Audit Group Membership enables you to audit group memberships when they are enumerated on the client
computer.
This policy allows you to audit the group membership information in the user's logon token. Events in this
subcategory are generated on the computer on which a logon session is created.
For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a
network logon, such as accessing a shared folder on the network, the security audit event is generated on the
computer hosting the resource.
You must also enable the Audit Logon subcategory.
Multiple events are generated if the group membership information cannot fit in a single security audit event.
Event volume:
Low on a client computer.
Medium on a domain controller or network servers.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Events List:
4627(S): Group membership information.
4627(S): Group membership information.
4/5/2019 • 5 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Group Membership
Event Description:
This event generates with “4624(S): An account was successfully logged on” and shows the list of groups that the
logged-on account belongs to.
You must also enable the Success audit for Audit Logon subcategory to get this event.
Multiple events are generated if the group membership information cannot fit in a single security audit event.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4627</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12554</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T03:51:25.843673000Z" />
<EventRecordID>3081</EventRecordID>
<Correlation ActivityID="{913FBE70-1CE6-0000-67BF-3F91E61CD101}" />
<Execution ProcessID="736" ThreadID="808" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x569860</Data>
<Data Name="LogonType">3</Data>
<Data Name="EventIdx">1</Data>
<Data Name="EventCountTotal">1</Data>
<Data Name="GroupMembership">%{S-1-5-21-1377283216-344919071-3415362939-513} %{S-1-1-0} %{S-1-5-32-544} %{S-1-5-32-545} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-5-21-1377283216-344919071-3415362939-512} %{S-1-5-21-1377283216-344919071-3415362939-572} %{S-1-5-64-10} %{S-1-16-12288}</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that reported information about
successful logon or invokes it.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4672(S): Special privileges assigned to new logon.”
Logon Type [Type = UInt32]: the type of logon which was performed. The table below contains the list of possible
values for this field:
New Logon:
Security ID [Type = SID]: SID of account for which logon was performed. Event Viewer automatically tries to
resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account for which logon was performed.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4672(S): Special privileges assigned to new logon.”
Event in sequence [Type = UInt32]: If there is not enough space in one event to put all groups, you will see “1
of N” in this field and additional events will be generated. Typically this field has the “1 of 1” value.
Group Membership [Type = UnicodeString]: the list of SIDs of the groups that the logged-on account belongs to (is a member of).
Event Viewer automatically tries to resolve SIDs and show the name. If the SID cannot be resolved, you
will see the source data in the event.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this action is reported by the NULL SID account, so we recommend reporting all events with
“Subject\Security ID” not equal “NULL SID”.
If you need to track that a member of a specific group logged on to a computer, check the “Group
Membership” field.
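The two checks above, as a worked example that is added here and is not part of the Microsoft documentation. The Python block parses the %{SID} list of the Group Membership field, merges the “1 of N” continuation events of one logon session using the Event in sequence counters, and reports logons that carry a membership on a watch list. The watch list and the record layout (a dict per event holding the Computer and EventData values) are assumptions for the demonstration; the well-known SID names and domain RIDs are standard Windows values, the first sample event reuses the values of the 4627 XML above, and the second, incomplete session is constructed.

```python
import re
from collections import defaultdict

SID_RE = re.compile(r"%\{([^}]+)\}")   # matches each %{S-1-...} entry

# Standard Windows well-known SIDs and domain-relative RIDs.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-15": "This Organization",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
    "S-1-5-64-10": "NTLM Authentication",
    "S-1-16-12288": "High Mandatory Level",
}
DOMAIN_RIDS = {"512": "Domain Admins", "513": "Domain Users",
               "572": "Denied RODC Password Replication Group"}
WATCHED_GROUPS = {"BUILTIN\\Administrators", "Domain Admins"}   # assumed watch list

def parse_group_sids(field):
    """Return the SIDs in a Group Membership field such as '%{S-1-1-0} %{S-1-5-32-544}'."""
    return SID_RE.findall(field)

def resolve_sid(sid):
    """Name a SID from the well-known table or by its domain RID; otherwise return it unchanged."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8 and parts[-1] in DOMAIN_RIDS:
        return DOMAIN_RIDS[parts[-1]]
    return sid

def merge_sessions(events):
    """Group 4627 events by (Computer, Logon ID) and union their group lists.

    EventIdx of EventCountTotal is the 'Event in sequence' field: a session is
    complete once every index up to the total has been seen.
    """
    sessions = defaultdict(lambda: {"groups": set(), "seen": set(), "total": None, "user": None})
    for ev in events:
        s = sessions[(ev["Computer"], ev["TargetLogonId"])]
        s["groups"].update(parse_group_sids(ev["GroupMembership"]))
        s["seen"].add(int(ev["EventIdx"]))
        s["total"] = int(ev["EventCountTotal"])
        s["user"] = ev["TargetDomainName"] + "\\" + ev["TargetUserName"]
    for s in sessions.values():
        s["complete"] = len(s["seen"]) == s["total"]
    return dict(sessions)

def watched_group_logons(sessions):
    """Return (user, watched group names, complete) for sessions holding a watched group.

    Incomplete sessions are reported too, flagged so the analyst knows that a
    continuation event may still add groups.
    """
    hits = []
    for s in sessions.values():
        names = {resolve_sid(g) for g in s["groups"]} & WATCHED_GROUPS
        if names:
            hits.append((s["user"], sorted(names), s["complete"]))
    return hits

# Values taken from the 4627 sample event on this page.
SAMPLE_EVENT = {
    "Computer": "WIN-GG82ULGC9GO.contoso.local", "TargetUserName": "dadmin",
    "TargetDomainName": "CONTOSO", "TargetLogonId": "0x569860",
    "EventIdx": "1", "EventCountTotal": "1",
    "GroupMembership": "%{S-1-5-21-1377283216-344919071-3415362939-513} %{S-1-1-0} "
                       "%{S-1-5-32-544} %{S-1-5-32-545} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} "
                       "%{S-1-5-15} %{S-1-5-21-1377283216-344919071-3415362939-512} "
                       "%{S-1-5-21-1377283216-344919071-3415362939-572} %{S-1-5-64-10} %{S-1-16-12288}",
}
# Constructed: first of two events for a session whose second part has not arrived.
PARTIAL_EVENT = {
    "Computer": "WIN-GG82ULGC9GO.contoso.local", "TargetUserName": "jdoe",
    "TargetDomainName": "CONTOSO", "TargetLogonId": "0x5a0001",
    "EventIdx": "1", "EventCountTotal": "2",
    "GroupMembership": "%{S-1-5-21-1377283216-344919071-3415362939-513} %{S-1-5-32-544}",
}

if __name__ == "__main__":
    for user, groups, complete in watched_group_logons(merge_sessions([SAMPLE_EVENT, PARTIAL_EVENT])):
        print(user, groups, "complete" if complete else "awaiting continuation event")
```

Keying sessions on the Computer as well as the Logon ID matters because, as the 4634 description later on this page notes, Logon IDs are only unique between reboots on one computer, so the same ID can legitimately appear on several machines.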
Audit IPsec Extended Mode
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit IPsec Extended Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and
Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
Audit IPsec Extended Mode subcategory is out of scope of this document, because this subcategory is mainly used
for IPsec Extended Mode troubleshooting.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations.
Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations.
Applies to
Windows 10
Windows Server 2016
Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and
Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
Audit IPsec Main Mode subcategory is out of scope of this document, because this subcategory is mainly used for
IPsec Main Mode troubleshooting.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations.
Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations.
Applies to
Windows 10
Windows Server 2016
Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and
Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
Audit IPsec Quick Mode subcategory is out of scope of this document, because this subcategory is mainly used for
IPsec Quick Mode troubleshooting.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations.
Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations.
Applies to
Windows 10
Windows Server 2016
Audit Logoff determines whether the operating system generates audit events when logon sessions are
terminated.
These events occur on the computer that was accessed. In the case of an interactive logon, these events are
generated on the computer that was logged on to.
There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down)
do not generate an audit record.
Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not
100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this
case, a logoff event is not generated.
Event volume: High.
This subcategory allows you to audit events generated by the closing of a logon session. These events occur on
the computer that was accessed. For an interactive logoff the security audit event is generated on the computer
that the user account logged on to.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Events List:
4634(S): An account was logged off.
4647(S): User initiated logoff.
4634(S): An account was logged off.
4/5/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Logoff
Event Description:
This event shows that a logon session was terminated and no longer exists.
The main difference between “4647: User initiated logoff.” and the 4634 event is that 4647 is generated when the logoff procedure was initiated by a specific account using the logoff function, whereas 4634 shows that the session was terminated and no longer exists.
4647 is more typical for Interactive and RemoteInteractive logon types when the user was logged off using standard methods. You will typically see both 4647 and 4634 events when the logoff procedure was initiated by the user.
It may be positively correlated with a “4624: An account was successfully logged on.” event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Note For recommendations, see Security Monitoring Recommendations for this event.
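The correlation just described, as an added example that is not part of the Microsoft documentation: a session reconstruction that pairs 4624 logons with 4634 and 4647 logoffs by (Computer, Logon ID), marks sessions the user ended with a 4647 as user-initiated, and handles the two caveats stated above, namely that a logoff event may never arrive and that Logon IDs repeat after a reboot of the same computer. The Event and Session record shapes are this example's own; the event stream is constructed, apart from the Logon ID 0x1a0992 and the DWM-1 account, which come from the 4634 sample below.

```python
from collections import namedtuple

Event = namedtuple("Event", "time computer event_id logon_id user")
Session = namedtuple("Session", "computer logon_id user logon_time logoff_time user_initiated")

def reconstruct_sessions(events):
    """Return (sessions, orphan_logoffs) from a time-ordered list of Event records.

    - 4624 opens a session keyed by (computer, Logon ID).
    - 4647 marks the open session as a user-initiated logoff; 4634 closes it.
    - A second 4624 for a key that is still open means the ID was reused (reboot,
      or a logoff that was never logged): the earlier session is closed with no
      logoff time.
    - 4634/4647 with no open session is reported as an orphan.
    Sessions never closed are returned with logoff_time None.
    """
    open_sessions, closed, orphans = {}, [], []
    for ev in events:
        key = (ev.computer, ev.logon_id)
        if ev.event_id == 4624:
            if key in open_sessions:
                closed.append(open_sessions.pop(key)._replace(logoff_time=None))
            open_sessions[key] = Session(ev.computer, ev.logon_id, ev.user, ev.time, None, False)
        elif ev.event_id == 4647:
            if key in open_sessions:
                open_sessions[key] = open_sessions[key]._replace(user_initiated=True)
            else:
                orphans.append(ev)
        elif ev.event_id == 4634:
            if key in open_sessions:
                closed.append(open_sessions.pop(key)._replace(logoff_time=ev.time))
            else:
                orphans.append(ev)
    return closed + list(open_sessions.values()), orphans

# Constructed sample stream (timestamps and most IDs are made up for the example).
SAMPLE_EVENTS = [
    Event("2015-09-09T02:00:00Z", "DC01", 4624, "0x1a0992", "DWM-1"),
    Event("2015-09-09T02:10:00Z", "DC01", 4624, "0x1b0000", "dadmin"),
    Event("2015-09-09T02:20:00Z", "DC01", 4647, "0x1b0000", "dadmin"),   # user chose to log off
    Event("2015-09-09T02:20:01Z", "DC01", 4634, "0x1b0000", "dadmin"),   # session torn down
    Event("2015-09-09T02:27:57Z", "DC01", 4634, "0x1a0992", "DWM-1"),    # as in the page's 4634 sample
    Event("2015-09-09T02:30:00Z", "DC01", 4634, "0x1c0000", "svc"),      # no matching 4624 seen
    Event("2015-09-09T02:40:00Z", "DC01", 4624, "0x1d0000", "dadmin"),   # never logged off
    Event("2015-09-09T03:00:00Z", "DC01", 4624, "0x1d0000", "dadmin"),   # same ID reused after reboot
]

def summarize(events=SAMPLE_EVENTS):
    """One line per reconstructed session and per orphan logoff."""
    sessions, orphans = reconstruct_sessions(events)
    lines = ["%s %s %s logon=%s logoff=%s user_initiated=%s" % (s.computer, s.logon_id, s.user,
             s.logon_time, s.logoff_time, s.user_initiated) for s in sessions]
    lines += ["orphan logoff: %s %s %s" % (o.computer, o.logon_id, o.user) for o in orphans]
    return lines

if __name__ == "__main__":
    print("\n".join(summarize()))
```

Sessions with logoff_time None are the ones the page warns about: either still open or ended without a logoff record (a power-off, or an ID reused after a reboot), so a pipeline that computes session durations must treat them as unknown rather than as zero.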
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4634</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-09T02:27:57.877205900Z" />
<EventRecordID>230019</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="832" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-90-1</Data>
<Data Name="TargetUserName">DWM-1</Data>
<Data Name="TargetDomainName">Window Manager</Data>
<Data Name="TargetLogonId">0x1a0992</Data>
<Data Name="LogonType">2</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that was logged off.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon Type [Type = UInt32]: the type of logon which was used. The table below contains the list of possible
values for this field:
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If a particular Logon Type should not be used by a particular account (for example if Logon Type 4-Batch or
5-Service is used by a member of a domain administrative group), monitor this event for such actions.
4647(S): User initiated logoff.
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Logoff
Event Description:
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
The main difference from the “4634(S): An account was logged off.” event is that 4647 is generated when the logoff procedure was initiated by a specific account using the logoff function, while 4634 shows that the session was terminated and no longer exists.
4647 is more typical for Interactive and RemoteInteractive logon types when the user was logged off using standard methods. You will typically see both 4647 and 4634 events when the logoff procedure was initiated by the user.
It may be positively correlated with a “4624: An account was successfully logged on.” event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4647</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12545</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-09T03:08:39.126890800Z" />
    <EventRecordID>230200</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="3864" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x29b379</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “logoff” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Audit Logon
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Logon determines whether the operating system generates audit events when a user attempts to log on
to a computer.
These events are related to the creation of logon sessions and occur on the computer that was accessed. For an
interactive logon, events are generated on the computer that was logged on to. For a network logon, such as
accessing a share, events are generated on the computer that hosts the resource that was accessed.
The following events are recorded:
Logon success and failure.
Logon attempts by using explicit credentials. This event is generated when a process attempts to log on
an account by explicitly specifying that account's credentials. This most commonly occurs in batch
configurations such as scheduled tasks, or when using the RunAs command.
Security identifiers (SIDs) are filtered.
Logon events are essential to tracking user activity and detecting potential attacks.
Event volume:
Low on a client computer.
Medium on domain controllers or network servers.
Events List:
4624(S): An account was successfully logged on.
4625(F): An account failed to log on.
4648(S): A logon was attempted using explicit credentials.
4675(S): SIDs were filtered.
4624(S): An account was successfully logged on.
4/5/2019 • 14 minutes to read
Applies to
Windows 10
Windows Server 2016
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4624</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-12T00:24:35.079785200Z" />
    <EventRecordID>211</EventRecordID>
    <Correlation ActivityID="{00D66690-1CDF-0000-AC66-D600DF1CD101}" />
    <Execution ProcessID="716" ThreadID="760" />
    <Channel>Security</Channel>
    <Computer>WIN-GG82ULGC9GO</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-500</Data>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">WIN-GG82ULGC9GO</Data>
    <Data Name="TargetLogonId">0x8dcdc</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="LogonProcessName">User32</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">WIN-GG82ULGC9GO</Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x44c</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
    <Data Name="IpPort">0</Data>
    <Data Name="ImpersonationLevel">%%1833</Data>
    <Data Name="RestrictedAdminMode">-</Data>
    <Data Name="TargetOutboundUserName">-</Data>
    <Data Name="TargetOutboundDomainName">-</Data>
    <Data Name="VirtualAccount">%%1843</Data>
    <Data Name="TargetLinkedLogonId">0x0</Data>
    <Data Name="ElevatedToken">%%1842</Data>
  </EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account for which logon was performed.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4672(S): Special privileges assigned to new logon.”
Linked Logon ID [Version 2] [Type = HexInt64]: a hexadecimal value of the paired logon session. If there is no other logon session associated with this logon session, then the value is “0x0”.
Network Account Name [Version 2] [Type = UnicodeString]: user name that will be used for outbound (network) connections. Valid only for the NewCredentials logon type.
If not a NewCredentials logon, then this will be a "-" string.
Network Account Domain [Version 2] [Type = UnicodeString]: domain for the user that will be used for outbound (network) connections. Valid only for the NewCredentials logon type.
If not a NewCredentials logon, then this will be a "-" string.
Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can contain the same Logon GUID, the “4769(S, F): A Kerberos service ticket was requested” event on a domain controller.
It also can be used for correlation between a 4624 event and several other events (on the same computer) that can contain the same Logon GUID, “4648(S): A logon was attempted using explicit credentials” and “4964(S): Special groups have been assigned to a new logon.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Network Information:
Workstation Name [Type = UnicodeString]: machine name from which the logon attempt was performed.
Source Network Address [Type = UnicodeString]: IP address of the machine from which the logon attempt was performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source port which was used for the logon attempt from the remote machine.
0 for interactive logons.
Detailed Authentication Information:
Logon Process [Type = UnicodeString]: the name of the trusted logon process that was used for the logon. See the event “4611: A trusted logon process has been registered with the Local Security Authority” description for more information.
Authentication Package [Type = UnicodeString]: the name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in the “HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded, a “4610: An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “4622: A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded, along with the package name. The most common authentication packages are:
NTLM – NTLM-family authentication
Kerberos – Kerberos authentication.
Negotiate – the Negotiate security package selects between the Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.
Transited Services [Type = UnicodeString] [Kerberos-only]: the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx
Package Name (NTLM only) [Type = UnicodeString]: the name of the LAN Manager sub-package (NTLM-family protocol name) that was used during logon. Possible values are:
“NTLM V1”
“NTLM V2”
“LM”
Only populated if “Authentication Package” = “NTLM”.
Key Length [Type = UInt32]: the length of the NTLM Session Security key. Typically it has 128-bit or 56-bit length. This parameter is always 0 if “Authentication Package” = “Kerberos”, because it is not applicable for the Kerberos protocol. This field will also have the “0” value if Kerberos was negotiated using the Negotiate authentication package.
TYPE OF MONITORING REQUIRED: High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
RECOMMENDATION: Monitor this event with the “New Logon\Security ID” that corresponds to the high-value account or accounts.
TYPE OF MONITORING REQUIRED: Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
RECOMMENDATION: When you monitor for anomalies or malicious actions, use the “New Logon\Security ID” (with other information) to monitor how or when a particular account is being used.
TYPE OF MONITORING REQUIRED: Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
RECOMMENDATION: Monitor this event with the “New Logon\Security ID” that corresponds to the accounts that should never be used.
TYPE OF MONITORING REQUIRED: Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
RECOMMENDATION: If this event corresponds to a “whitelist-only” action, review the “New Logon\Security ID” for accounts that are outside the whitelist.
TYPE OF MONITORING REQUIRED: Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
RECOMMENDATION: If this event corresponds to an action you want to monitor for certain account types, review the “New Logon\Security ID” to see whether the account type is as expected.
TYPE OF MONITORING REQUIRED: External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
RECOMMENDATION: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.
TYPE OF MONITORING REQUIRED: Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
RECOMMENDATION: Monitor the target Computer: (or other target device) for actions performed by the “New Logon\Security ID” that you are concerned about.
4625(F): An account failed to log on.
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit Account Lockout and Audit Logon
Event Description:
This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out.
It generates on the computer where the logon attempt was made; for example, if the logon attempt was made on a user’s workstation, then the event will be logged on this workstation.
This event generates on domain controllers, member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12546</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-08T22:54:54.962511700Z" />
    <EventRecordID>229977</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="3240" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">Auditor</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="Status">0xc0000234</Data>
    <Data Name="FailureReason">%%2307</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="LogonProcessName">User32</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">DC01</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x1bc</Data>
    <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that reported information about the logon failure.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon Type [Type = UInt32]: the type of logon which was performed. “Table 11. Windows Logon Types”
contains the list of possible values for this field.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that was specified in the logon attempt.
Account Domain [Type = UnicodeString]: domain or computer name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Failure Information:
Failure Reason [Type = UnicodeString]: textual explanation of Status field value. For this event it typically
has “Account locked out” value.
Status [Type = HexInt32]: the reason why logon failed. For this event it typically has “0xC0000234” value.
The most common status codes are listed in “Table 12. Windows logon status codes.”
0xC00000DC – Indicates the Sam Server was in the wrong state to perform the desired operation.
0xC0000133 – Clocks between DC and other computer too far out of sync.
0xC000015B – The user has not been granted the requested logon type (aka logon right) at this machine.
0xC0000413 – Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Caller Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Network Information:
Workstation Name [Type = UnicodeString]: machine name from which logon attempt was performed.
Source Network Address [Type = UnicodeString]: IP address of machine from which logon attempt was
performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source port which was used for logon attempt from remote machine.
0 for interactive logons.
Detailed Authentication Information:
Logon Process [Type = UnicodeString]: the name of the trusted logon process that was used for the
logon attempt. See event “4611: A trusted logon process has been registered with the Local Security
Authority” description for more information.
Authentication Package [Type = UnicodeString]: the name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in the “HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded, a “4610: An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “4622: A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded, along with the package name. The most common authentication packages are:
NTLM – NTLM-family authentication
Kerberos – Kerberos authentication.
Negotiate – the Negotiate security package selects between the Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.
Transited Services [Type = UnicodeString] [Kerberos-only]: the list of transmitted services. Transmitted
services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a
Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service
ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on
behalf of a user. For more information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx
Package Name (NTLM only) [Type = UnicodeString]: the name of the LAN Manager sub-package (NTLM-family protocol name) that was used during the logon attempt. Possible values are:
“NTLM V1”
“NTLM V2”
“LM”
Only populated if “Authentication Package” = “NTLM”.
Key Length [Type = UInt32]: the length of NTLM Session Security key. Typically it has 128 bit or 56 bit
length. This parameter is always 0 if “Authentication Package” = “Kerberos”, because it is not
applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using
Negotiate authentication package.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If Subject\Account Name is a name of service account or user account, it may be useful to investigate
whether that account is allowed (or expected) to request logon for Account For Which Logon
Failed\Security ID.
To monitor for a mismatch between the logon type and the account that uses it (for example, if Logon
Type 4-Batch or 5-Service is used by a member of a domain administrative group), monitor Logon Type
in this event.
If you have a high-value domain or local account for which you need to monitor every lockout, monitor all
4625 events with the “Subject\Security ID” that corresponds to the account.
We recommend monitoring all 4625 events for local accounts, because these accounts typically should not
be locked out. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
We recommend monitoring all 4625 events for service accounts, because these accounts should not be
locked out or prevented from functioning. This is especially relevant for critical servers, administrative
workstations, and other high value assets.
If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
If the “Account For Which Logon Failed\Security ID” should never be used to log on from the specific Network Information\Workstation Name.
If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for Network Information\Source Network Address and compare the network address with your list of IP addresses.
If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor Package Name (NTLM only), for example, to find events where Package Name (NTLM only) does not equal NTLM V2.
If NTLM is not used in your organization, or should not be used by a specific account (New Logon\Security ID). In this case, monitor for all events where Authentication Package is NTLM.
If the Authentication Package is NTLM. In this case, monitor for Key Length not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
If Logon Process is not from a trusted logon processes list.
Monitor for all events with the fields and values in the following table:
Failure Information\Status or Failure Information\Sub Status: 0xC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”.
Failure Information\Status or Failure Information\Sub Status: 0xC0000192 – “An attempt was made to logon, but the Netlogon service was not started”. This is typically not a security issue but it can be an infrastructure or availability issue.
Failure Information\Status or Failure Information\Sub Status: 0xC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”.
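The Logon ID correlation described for 4634/4647 and the 4625 monitoring checks listed above, as an added example that is not Microsoft's code or part of the original documentation: it parses event XML in the schema shown on this page, pairs each 4624 with its 4647/4634 by Logon ID and computer, and applies the status-code, NTLM package, key-length, logon-type, logon-process and process-path checks to constructed sample records. DOMAIN_ADMINS, TRUSTED_LOGON_PROCESSES and STANDARD_FOLDERS are hypothetical policy inputs.

```python
"""Added example, not from the Microsoft documentation reproduced on this page: parse
Security-log event XML, correlate 4624/4647/4634 by Logon ID, and run the 4625/4624
monitoring checks listed above over constructed sample records."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Status / Sub Status values from the monitoring table above plus the lockout status
# shown in the sample 4625 record (compared case-insensitively).
WATCHED_STATUS = {
    "0xc000015b": "user has not been granted the requested logon type at this machine",
    "0xc0000192": "Netlogon service was not started (availability issue)",
    "0xc0000413": "machine is protected by an authentication firewall",
    "0xc0000234": "account locked out",
}
# Hypothetical site policy; a real deployment fills these from its own inventory.
DOMAIN_ADMINS = {"dadmin", "Administrator"}
TRUSTED_LOGON_PROCESSES = {"User32", "Advapi", "Kerberos", "NtLmSsp"}
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\")


def parse_event(xml_text):
    """Flatten one event into a dict: System fields plus every EventData/Data by Name."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {"EventID": int(system.find("e:EventID", NS).text),
          "Computer": system.find("e:Computer", NS).text,
          "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime")}
    for d in root.find("e:EventData", NS).findall("e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def correlate_sessions(events):
    """Pair each 4624 with the 4647/4634 carrying the same Logon ID. The key includes the
    computer because Logon IDs are only unique between reboots on one computer."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        logon_id = ev.get("TargetLogonId")
        if logon_id is None:          # 4625 carries no Logon ID for the failed logon
            continue
        key = (ev["Computer"], logon_id)
        if ev["EventID"] == 4624:
            sessions[key] = {"user": ev["TargetUserName"], "logon_type": int(ev["LogonType"]),
                             "logon": ev["TimeCreated"], "logoff": None, "user_initiated": False}
        elif key in sessions and ev["EventID"] == 4647:
            sessions[key]["user_initiated"] = True      # logoff requested by the user
        elif key in sessions and ev["EventID"] == 4634:
            sessions[key]["logoff"] = ev["TimeCreated"]  # session actually terminated
    return sessions


def check_event(ev):
    """Return the monitoring findings that one 4624 or 4625 record triggers."""
    findings = []
    if ev["EventID"] == 4625:
        for field in ("Status", "SubStatus"):
            reason = WATCHED_STATUS.get(ev.get(field, "").lower())
            if reason:
                findings.append(f"{field} {ev[field]}: {reason}")
    user = ev.get("TargetUserName")
    if user in DOMAIN_ADMINS and ev.get("LogonType") in ("4", "5"):
        findings.append(f"domain admin {user} used logon type {ev['LogonType']} (Batch/Service)")
    if ev.get("AuthenticationPackageName") == "NTLM":
        if ev.get("LmPackageName") != "NTLM V2":
            findings.append(f"NTLM sub-package {ev.get('LmPackageName')} is not NTLM V2")
        if ev.get("KeyLength") != "128":
            findings.append(f"NTLM key length {ev.get('KeyLength')} is not 128")
    logon_proc = ev.get("LogonProcessName")
    if logon_proc and logon_proc not in TRUSTED_LOGON_PROCESSES:
        findings.append(f"logon process {logon_proc} is not in the trusted list")
    path = ev.get("ProcessName", "")
    if path and path != "-" and not path.lower().startswith(STANDARD_FOLDERS):
        findings.append(f"process outside standard folders: {path}")
    return findings


def _ev(event_id, computer, time, data):
    """Constructed sample record in the page's schema (not a real log entry)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>{computer}</Computer>'
            f'</System><EventData>{fields}</EventData></Event>')


SAMPLE_XML = [
    _ev(4624, "DC01.contoso.local", "2015-09-09T02:00:00Z",
        {"TargetUserName": "dadmin", "TargetLogonId": "0x29b379", "LogonType": "2",
         "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate", "LmPackageName": "-",
         "KeyLength": "0", "ProcessName": "C:\\Windows\\System32\\svchost.exe"}),
    _ev(4647, "DC01.contoso.local", "2015-09-09T03:08:39Z",
        {"TargetUserName": "dadmin", "TargetLogonId": "0x29b379"}),
    _ev(4634, "DC01.contoso.local", "2015-09-09T03:08:40Z",
        {"TargetUserName": "dadmin", "TargetLogonId": "0x29b379", "LogonType": "2"}),
    # Hypothetical: a domain admin doing a Batch (type 4) NTLM V1 logon with a 56-bit key.
    _ev(4624, "FS01.contoso.local", "2015-09-09T04:00:00Z",
        {"TargetUserName": "dadmin", "TargetLogonId": "0x1a0992", "LogonType": "4",
         "LogonProcessName": "Advapi", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
         "KeyLength": "56", "ProcessName": "C:\\Windows\\System32\\svchost.exe"}),
    _ev(4625, "DC01.contoso.local", "2015-09-08T22:54:54Z",
        {"TargetUserName": "Auditor", "Status": "0xc0000234", "SubStatus": "0x0", "LogonType": "2",
         "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate", "LmPackageName": "-",
         "KeyLength": "0", "ProcessName": "C:\\Windows\\System32\\winlogon.exe"}),
]
EVENTS = [parse_event(x) for x in SAMPLE_XML]

if __name__ == "__main__":
    for key, session in correlate_sessions(EVENTS).items():
        print(key, session)
    for ev in EVENTS:
        print(ev["EventID"], ev.get("TargetUserName"), check_event(ev))
```

The 4624 from FS01 produces three findings (admin account with Batch logon, NTLM V1, 56-bit key) and the 4625 one (lockout status), while the interactive DC01 session is paired cleanly with its 4647 and 4634.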
4648(S): A logon was attempted using explicit credentials.
4/5/2019 • 8 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Logon
Event Description:
This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials.
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the “RUNAS” command.
It is also a routine event which periodically occurs during normal operating system activity.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4648</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-10T02:54:50.771459000Z" />
    <EventRecordID>233200</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="1116" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x31844</Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TargetUserName">ladmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonGuid">{0887F1E4-39EA-D53C-804F-31D568A06274}</Data>
    <Data Name="TargetServerName">localhost</Data>
    <Data Name="TargetInfo">localhost</Data>
    <Data Name="ProcessId">0x368</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="IpAddress">::1</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the new logon session
with explicit credentials.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can
contain the same Logon GUID, “4769(S, F): A Kerberos service ticket was requested” event on a domain
controller.
It also can be used for correlation between a 4648 event and several other events (on the same computer)
that can contain the same Logon GUID, “4624(S): An account was successfully logged on” and “4964(S):
Special groups have been assigned to a new logon.”
This parameter might not be captured in the event, and in that case appears as
“{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Target Server:
Target Server Name [Type = UnicodeString]: the name of the server on which the new process was run.
Has “localhost” value if the process was run locally.
Additional Information [Type = UnicodeString]: there is no detailed information about this field in this
document.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process which was run using explicit
credentials. Process ID (PID ) is a number used by the operating system to uniquely identify an active
process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Network Information:
Network Address [Type = UnicodeString]: IP address of machine from which logon attempt was
performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Port [Type = UnicodeString]: source port which was used for logon attempt from remote machine.
0 for interactive logons.
TYPE OF MONITORING REQUIRED / RECOMMENDATION
High-value accounts: You might have high value domain or local accounts for which you need to monitor each action. Examples of high value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” or “Account Whose Credentials Were Used\Security ID” that correspond to the high value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” and “Account Whose Credentials Were Used\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” or “Account Whose Credentials Were Used\Security ID” that correspond to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” and “Account Whose Credentials Were Used\Security ID” for accounts that are outside the whitelist.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform the action corresponding to this event.
Recommendation: Monitor for the “Subject\Account Domain” or “Account Whose Credentials Were Used\Security ID” corresponding to accounts from another domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” or “Account Whose Credentials Were Used\Security ID” that you are concerned about. For example, you might monitor to ensure that “Account Whose Credentials Were Used\Security ID” is not used to log on to a certain computer.
Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” and “Account Whose Credentials Were Used\Security ID” for names that don’t comply with naming conventions.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If Subject\Security ID should not know or use credentials for Account Whose Credentials Were
Used\Account Name, monitor this event.
If credentials for Account Whose Credentials Were Used\Account Name should not be used from
Network Information\Network Address, monitor this event.
Check that Network Information\Network Address is from internal IP address list. For example, if you
know that a specific account (for example, a service account) should be used only from specific IP
addresses, you can monitor for all events where Network Information\Network Address is not one of
the allowed IP addresses.
4675(S): SIDs were filtered.
4/5/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows Server 2016
This event generates when SIDs were filtered for a specific Active Directory trust.
See more information about SID filtering here: https://technet.microsoft.com/library/cc772633(v=ws.10).aspx.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Security ID:%1
Account Name:%2
Account Domain:%3
Trust Information:
Trust Direction:%4
Trust Attributes:%5
Trust Type:%6
TDO Domain SID:%7
Filtered SIDs:%8
Applies to
Windows 10
Windows Server 2016
Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access
Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine,
Lock, and Unlock.
If you configure this subcategory, an audit event is generated for each IAS and NAP user access request.
This subcategory generates events only if the Network Policy Server (NPS, formerly IAS) role is installed on the server.
NAP events can be used to help understand the overall health of the network.
Event volume: Medium to High on servers that are running Network Policy Server (NPS).
Role-specific subcategories are outside the scope of this document.
COMPUTER TYPE      | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller  | IF              | IF              | IF               | IF               | IF – if a server has the Network Policy Server (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory.
Applies to
Windows 10
Windows Server 2016
Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff
events.
These other logon or logoff events include:
A Remote Desktop session connects or disconnects.
A workstation is locked or unlocked.
A screen saver is invoked or dismissed.
A replay attack is detected. This event indicates that a Kerberos request was received twice with identical
information. This condition could also be caused by network misconfiguration.
A user is granted access to a wireless network. It can be either a user account or the computer account.
A user is granted access to a wired 802.1x network. It can be either a user account or the computer
account.
Logon events are essential to understanding user activity and detecting potential attacks.
Event volume: Low.
STRONGER STRONGER
COMPUTER TYPE GENERAL SUCCESS GENERAL FAILURE SUCCESS FAILURE COMMENTS
Events List:
4649(S): A replay attack was detected.
4778(S): A session was reconnected to a Window Station.
4779(S): A session was disconnected from a Window Station.
4800(S): The workstation was locked.
4801(S): The workstation was unlocked.
4802(S): The screen saver was invoked.
4803(S): The screen saver was dismissed.
5378(F): The requested credentials delegation was disallowed by policy.
5632(S): A request was made to authenticate to a wireless network.
5633(S): A request was made to authenticate to a wired network.
4649(S): A replay attack was detected.
Applies to
Windows 10
Windows Server 2016
This event generates on domain controllers when a KRB_AP_ERR_REPEAT Kerberos error response is sent to the
client.
Domain controllers cache information from recently received tickets. If the server name, client name, time, and
microsecond fields from the Authenticator match a recently seen entry in the cache, the domain controller returns
KRB_AP_ERR_REPEAT. You can read more about this in RFC 1510. One potential cause is a misconfigured
network device between the client and server that sends the same packet(s) repeatedly.
There is no example of this event in this document.
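The replay check described above, as an added Python illustration (this is not code from the original page or from Windows): the server side keeps a cache of Authenticators seen inside the permitted clock-skew window and answers KRB_AP_ERR_REPEAT when the client name, server name, time and microsecond fields match an entry. The error numbers are the RFC 1510 values; the 300 second skew window, the principal names and the timestamps are assumptions for the example.

```python
from dataclasses import dataclass

# Error codes as numbered in RFC 1510.
KRB_AP_ERR_REPEAT = 34   # request is a replay
KRB_AP_ERR_SKEW = 37     # clock skew too great
CLOCK_SKEW_SECONDS = 300  # assumed 5 minute window, the common default


@dataclass(frozen=True)
class Authenticator:
    """The Authenticator fields that the replay check compares."""
    cname: str   # client principal name
    sname: str   # server principal name the ticket was issued for
    ctime: int   # client time, seconds since the epoch
    cusec: int   # microsecond part of ctime


class ReplayCache:
    """Server-side replay cache: remembers authenticators seen inside the skew window."""

    def __init__(self, skew=CLOCK_SKEW_SECONDS):
        self.skew = skew
        self._seen = {}   # (cname, sname, ctime, cusec) -> ctime

    def check(self, auth, now):
        """Return 0 if the authenticator is acceptable, else the KRB_AP_ERR_* code to send."""
        if abs(auth.ctime - now) > self.skew:
            return KRB_AP_ERR_SKEW               # too old or too far ahead to accept at all
        # Entries outside the window can no longer be replayed successfully, so forget them.
        self._seen = {k: t for k, t in self._seen.items() if t >= now - self.skew}
        key = (auth.cname, auth.sname, auth.ctime, auth.cusec)
        if key in self._seen:
            return KRB_AP_ERR_REPEAT             # same client, server, time and microsecond
        self._seen[key] = auth.ctime
        return 0


def simulate_duplicate_request():
    """Constructed scenario: a network device forwards the same AP-REQ twice, one second apart."""
    cache = ReplayCache()
    auth = Authenticator("ladmin@CONTOSO.LOCAL", "host/dc01.contoso.local", 1441926329, 743867)
    first = cache.check(auth, now=1441926330)    # accepted and cached
    second = cache.check(auth, now=1441926331)   # identical fields: KRB_AP_ERR_REPEAT
    return first, second


if __name__ == "__main__":
    print(simulate_duplicate_request())   # (0, 34)
```

A second request whose microsecond field differs is a new authenticator and is accepted, which is why a replay cache does not fire on two legitimate logons in the same second; the skew check runs first, so a stale copy arriving after the window is rejected as KRB_AP_ERR_SKEW rather than as a replay.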
Subcategory: Audit Other Logon/Logoff Events
Event Schema:
A replay attack was detected.
Subject:
Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4
Account Name:%5
Account Domain:%6
Process Information:
Process ID:%12
Process Name:%13
Network Information:
Workstation Name:%10
Request Type:%7
Logon Process:%8
Authentication Package:%9
Transited Services:%11
This event indicates that a Kerberos replay attack was detected - a request was received twice with identical
information. This condition could be caused by network misconfiguration.
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff
Events
Event Description:
This event is generated when a user reconnects
to an existing Terminal Services session, or
when a user switches to an existing desktop
using Fast User Switching.
This event also generates when a user
reconnects to a virtual host, for example a
Hyper-V Enhanced Session.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4778</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T23:05:29.743867200Z" />
<EventRecordID>237651</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="2212" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="AccountName">ladmin</Data>
<Data Name="AccountDomain">CONTOSO</Data>
<Data Name="LogonID">0x1e01f6</Data>
<Data Name="SessionName">RDP-Tcp#6</Data>
<Data Name="ClientName">WIN81</Data>
<Data Name="ClientAddress">10.0.0.100</Data>
</EventData>
</Event>
Additional Information:
Client Name [Type = UnicodeString]: computer name from which the user was reconnected. Has
“Unknown” value for console session.
Client Address [Type = UnicodeString]: IP address of the computer from which the user was reconnected.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Has “LOCAL” value for console session.
TYPE OF MONITORING REQUIRED / RECOMMENDATION
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Account Name” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Account Name” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Account Name” that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Account Name” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Account Name” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Account Name” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
If Fast User Switching is disabled on workstations or specific computers, then monitor for any event with
Session Name = Console.
If Remote Desktop Connections are not allowed for specific users (Subject\Account Name) or disabled on
some computers, then monitor for Session Name = RDP-Tcp# (substring).
If a specific computer or device (Client Name or Client Address) should never connect to this computer
(Computer), monitor for any event with that Client Name or Client Address.
Check that Additional Information\Client Address is from internal IP addresses list.
4779(S): A session was disconnected from a Window Station.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff
Events
Event Description:
This event is generated when a user
disconnects from an existing Terminal Services
session, or when a user switches away from an
existing desktop using Fast User Switching.
This event also generates when a user
disconnects from a virtual host, for example a
Hyper-V Enhanced Session.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4779</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T23:04:41.044489800Z" />
<EventRecordID>237646</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="AccountName">ladmin</Data>
<Data Name="AccountDomain">CONTOSO</Data>
<Data Name="LogonID">0x1e01f6</Data>
<Data Name="SessionName">RDP-Tcp#3</Data>
<Data Name="ClientName">WIN81</Data>
<Data Name="ClientAddress">10.0.0.100</Data>
</EventData>
</Event>
Additional Information:
Client Name [Type = UnicodeString]: machine name from which the session was disconnected. Has
“Unknown” value for console session.
Client Address [Type = UnicodeString]: IP address of the computer from which the session was
disconnected.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Has “LOCAL” value for console session.
TYPE OF MONITORING REQUIRED / RECOMMENDATION
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Account Name” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Account Name” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Account Name” that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Account Name” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Account Name” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. For example, you might have computers to which connections should not be made from certain accounts or addresses.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Account Name” that you are concerned about. If you have a target Computer: (or other target device) to which connections should not be made from certain accounts or addresses, monitor this event for the corresponding Client Name or Client Address.
Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
If Fast User Switching is disabled on workstations or specific computers, then monitor for any event with
Session Name = Console.
If Remote Desktop Connections are not allowed for specific users (Subject\Account Name) or disabled on
some computers, then monitor for Session Name = RDP-Tcp# (substring).
To ensure that connections are made only from your internal IP address list, monitor the Additional
Information\Client Address in this event.
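The monitoring recommendations given for 4648 (explicit credentials: subject versus account used, process path, restricted process names, source address) and for 4778/4779 (Console sessions where Fast User Switching is disabled, RDP-Tcp# sessions where Remote Desktop is not allowed, client address outside the internal range), turned into one added Python example. It is not code from the original page or from Windows; it parses records in the Event XML schema shown on this page with the standard library and applies those checks. The policy values (internal networks, standard folders, the allowed subject/target pair, the hosts WS01.contoso.local where RDP and Fast User Switching are disabled) and the sample records are assumptions constructed for the example, modelled on the page's own 4648 and 4778 samples.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed policy values for the example; a real deployment takes these from its own asset data.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8", "::1/128")]
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\")
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")
ALLOWED_CREDENTIAL_USE = {("dadmin", "ladmin")}   # (subject, account whose credentials were used)
RDP_DISALLOWED_HOSTS = {"WS01.contoso.local"}      # hypothetical host where Remote Desktop is disabled
FUS_DISABLED_HOSTS = {"WS01.contoso.local"}        # hypothetical host where Fast User Switching is disabled


def parse_event(xml_text):
    """Flatten one Event XML record into a dict of its EventData fields plus EventID and Computer."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    fields["EventID"] = int(system.find("e:EventID", NS).text)
    fields["Computer"] = system.find("e:Computer", NS).text
    return fields


def is_internal(address):
    """True for loopback, console sessions ('LOCAL') and addresses inside INTERNAL_NETWORKS."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:                 # 'LOCAL', '-' or empty: not a network logon
        return True
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped            # ::ffff:10.0.0.100 -> 10.0.0.100
    return any(ip in net for net in INTERNAL_NETWORKS)


def check_4648(ev):
    """The explicit-credential checks listed under 4648."""
    findings = []
    subject, target = ev["SubjectUserName"].lower(), ev["TargetUserName"].lower()
    if subject != target and (subject, target) not in ALLOWED_CREDENTIAL_USE:
        findings.append(f"{subject} used credentials of {target}")
    process = ev["ProcessName"].lower()
    if not process.startswith(STANDARD_FOLDERS):
        findings.append(f"process outside standard folders: {ev['ProcessName']}")
    if any(word in process for word in RESTRICTED_SUBSTRINGS):
        findings.append(f"restricted process name: {ev['ProcessName']}")
    if not is_internal(ev["IpAddress"]):
        findings.append(f"explicit logon from non-internal address {ev['IpAddress']}")
    return findings


def check_session(ev):
    """The session checks listed under 4778 and 4779."""
    findings = []
    session, host = ev["SessionName"], ev["Computer"]
    if session == "Console" and host in FUS_DISABLED_HOSTS:
        findings.append(f"console session switch on {host}, where Fast User Switching is disabled")
    if "RDP-Tcp#" in session and host in RDP_DISALLOWED_HOSTS:
        findings.append(f"session {session} on {host}, where Remote Desktop is not allowed")
    if not is_internal(ev["ClientAddress"]):
        findings.append(f"client address {ev['ClientAddress']} is not internal")
    return findings


CHECKS = {4648: check_4648, 4778: check_session, 4779: check_session}


def scan(xml_records):
    """Return {record index: findings} for every record that trips at least one check."""
    results = {}
    for index, xml_text in enumerate(xml_records):
        ev = parse_event(xml_text)
        check = CHECKS.get(ev["EventID"])
        findings = check(ev) if check else []
        if findings:
            results[index] = findings
    return results


def make_event(event_id, computer, data):
    """Build a record in the Event XML schema shown on this page (constructed test input)."""
    body = "".join(f'<Data Name="{name}">{value}</Data>' for name, value in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{body}</EventData></Event>')


# Constructed input: the page's routine 4648 and 4778, then a suspicious 4648 and a disallowed RDP session.
SAMPLE_EVENTS = [
    make_event(4648, "DC01.contoso.local", {"SubjectUserName": "dadmin", "TargetUserName": "ladmin",
               "ProcessName": r"C:\Windows\System32\svchost.exe", "IpAddress": "::1"}),
    make_event(4778, "DC01.contoso.local", {"AccountName": "ladmin", "SessionName": "RDP-Tcp#6",
               "ClientName": "WIN81", "ClientAddress": "10.0.0.100"}),
    make_event(4648, "WS01.contoso.local", {"SubjectUserName": "jdoe", "TargetUserName": "dadmin",
               "ProcessName": r"C:\Users\jdoe\AppData\Local\Temp\mimikatz.exe",
               "IpAddress": "::ffff:203.0.113.7"}),
    make_event(4779, "WS01.contoso.local", {"AccountName": "jdoe", "SessionName": "RDP-Tcp#3",
               "ClientName": "LAPTOP7", "ClientAddress": "10.0.0.50"}),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(index, findings)
```

The two routine records from the page produce no findings; the constructed 4648 trips all four explicit-credential checks and the 4779 on the host where Remote Desktop is not allowed trips the session check. Note that the ::ffff: prefix on IPv4-mapped addresses has to be unwrapped before the subnet comparison, otherwise an internal IPv4 client reported in that form would be flagged as external.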
4800(S): The workstation was locked.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff
Events
Event Description:
This event is generated when a workstation
was locked.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4800</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T23:47:02.430644500Z" />
<EventRecordID>237655</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="2568" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x759a9</Data>
<Data Name="SessionId">3</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “lock workstation”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session ID [Type = UInt32]: unique ID of the locked session. You can list the current session IDs (ID column)
with the “query session” command in a command prompt.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this is an informational event, and can give you information about when a machine was locked, and
which account was used to lock it.
4801(S): The workstation was unlocked.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff
Events
Event Description:
This event is generated when a workstation
is unlocked.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4801</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T23:47:05.886096400Z" />
<EventRecordID>237657</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="4540" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x759a9</Data>
<Data Name="SessionId">3</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “unlock workstation”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session ID [Type = UInt32]: unique ID of the unlocked session. You can list the current session IDs (ID column)
with the “query session” command in a command prompt.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this is an informational event, and can give you information about when a machine was unlocked, and
which account was used to unlock it.
4802(S): The screen saver was invoked.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff
Events
Event Description:
This event is generated when the screen saver
is invoked.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4802</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-11T00:16:32.377883700Z" />
<EventRecordID>237662</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="1676" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x759a9</Data>
<Data Name="SessionId">3</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “invoke screensaver”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session ID [Type = UInt32]: unique ID of the session for which the screen saver was invoked. You can list the
current session IDs (ID column) with the “query session” command in a command prompt.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this is an informational event, and can give you information about when a screen saver was invoked on
a machine, and which account invoked it.
4803(S): The screen saver was dismissed.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff
Events
Event Description:
This event is generated when the screen saver
is dismissed.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4803</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-11T00:19:09.576094500Z" />
<EventRecordID>237663</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x759a9</Data>
<Data Name="SessionId">3</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “dismiss screensaver”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session ID [Type = UInt32]: unique ID of a session for which screen saver was dismissed. You can see the
list of current session IDs using “query session” command in command prompt. Example of output (see ID
column):
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this is an informational event, and can give you information about when a screen saver was dismissed
on a machine, and which account dismissed it.
5378(F): The requested credentials delegation was disallowed by policy.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when a requested CredSSP credentials delegation was disallowed by the CredSSP delegation policy.
It typically occurs when CredSSP delegation for a WinRM double-hop session was not configured properly.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5378</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-11-11T03:23:48.502346900Z" />
<EventRecordID>1198733</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="4308" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x2b1e04</Data>
<Data Name="Package">CREDSSP</Data>
<Data Name="UserUPN">dadmin@contoso</Data>
<Data Name="TargetServer">WSMAN/dc01.contoso.local</Data>
<Data Name="CredType">%%8098</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested credentials delegation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Credential Delegation Information:
Security Package [Type = UnicodeString]: the name of Security Package which was used. Always
CREDSSP for this event.
User's UPN [Type = UnicodeString]: UPN of the account for which delegation was requested.
Target Server [Type = UnicodeString]: SPN of the target service for which delegation was requested.
Note Service Principal Name (SPN ) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must have
its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might
use for authentication. For example, an SPN always includes the name of the host computer on which the
service instance is running, so a service instance might register an SPN for each name or alias of its host.
Credential Type [Type = UnicodeString]: the type of credentials which were presented for delegation:
Default credentials: the credentials obtained when the user first logs on to Windows.
Fresh credentials: the credentials that the user is prompted for when executing an application.
Saved credentials: the credentials that are saved using Credential Manager.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have defined a CredSSP delegation policy, this event shows you violations of that policy. We
recommend collecting these events and investigating every policy violation.
This event can also be used for CredSSP delegation troubleshooting.
5632(S, F): A request was made to authenticate to a wireless network.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when an 802.1x authentication attempt was made for a wireless network.
It is typically generated when a network adapter connects to a new wireless network.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5632</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-10T23:10:34.052054800Z" />
<EventRecordID>44113845</EventRecordID>
<Correlation />
<Execution ProcessID="712" ThreadID="4176" />
<Channel>Security</Channel>
<Computer>XXXXXXX.redmond.corp.microsoft.com</Computer>
<Security />
</System>
<EventData>
<Data Name="SSID">Nokia</Data>
<Data Name="Identity">host/XXXXXXXX.redmond.corp.microsoft.com</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="PeerMac">18:64:72:F3:33:91</Data>
<Data Name="LocalMac">02:1A:C5:14:59:C9</Data>
<Data Name="IntfGuid">{2BB33827-6BB6-48DB-8DE6-DB9E0B9F9C9B}</Data>
<Data Name="ReasonCode">0x0</Data>
<Data Name="ReasonText">The operation was successful.</Data>
<Data Name="ErrorCode">0x0</Data>
<Data Name="EAPReasonCode">0x0</Data>
<Data Name="EapRootCauseString" />
<Data Name="EAPErrorCode">0x0</Data>
</EventData>
</Event>
Note User principal name (UPN) format is used to specify an Internet-style name, such as
UserName@Example.Microsoft.com.
Account Name [Type = UnicodeString]: the name of the account for which 802.1x authentication request
was made.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Network Information:
Name (SSID) [Type = UnicodeString]: SSID of the wireless network to which the authentication request was sent.
Note A service set identifier (SSID) is a sequence of characters that uniquely names a wireless local area
network (WLAN). An SSID is sometimes referred to as a "network name." This name allows stations to connect
to the desired network when multiple independent networks operate in the same physical area.
Interface GUID [Type = GUID]: GUID of the network interface which was used for the authentication request.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
5633(S, F): A request was made to authenticate to a wired network.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when an 802.1x authentication attempt was made for a wired network.
It is typically generated when a network adapter connects to a new wired network.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5633</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-11T01:26:59.679232500Z" />
<EventRecordID>1198715</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="2920" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="InterfaceName">Microsoft Hyper-V Network Adapter</Data>
<Data Name="Identity">-</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="ReasonCode">0x70003</Data>
<Data Name="ReasonText">The network does not support authentication</Data>
<Data Name="ErrorCode">0x0</Data>
</EventData>
</Event>
Note User principal name (UPN) format is used to specify an Internet-style name, such as
UserName@Example.Microsoft.com.
Account Name [Type = UnicodeString]: the name of the account for which 802.1x authentication request
was made.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Interface:
Name [Type = UnicodeString]: the name (description) of network interface which was used for authentication
request. You can get the list of all available network adapters using “ipconfig /all” command. See “Description”
row for every network adapter:
Additional Information:
Reason Code [Type = UnicodeString]: contains Reason Text (explanation of Reason Code) and Reason Code
for wired authentication results. See more information about reason codes for wired authentication here:
https://msdn.microsoft.com/library/windows/desktop/dd877212(v=vs.85).aspx,
https://technet.microsoft.com/library/cc727747(v=ws.10).aspx.
Error Code [Type = HexInt32]: unique EAP error code.
Applies to
Windows 10
Windows Server 2016
Audit Special Logon determines whether the operating system generates audit events under special sign on (or
log on) circumstances.
This subcategory allows you to audit events generated by special logons such as the following:
The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to
elevate a process to a higher level.
A logon by a member of a Special Group. Special Groups enable you to audit events generated when a
member of a certain group has logged on to your network. You can configure a list of group security
identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the
subcategory is enabled, an event is logged.
Event volume:
Low on a client computer.
Medium on domain controllers or network servers.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Events List:
4964(S): Special groups have been assigned to a new logon.
4672(S): Special privileges assigned to new logon.
4964(S): Special groups have been assigned to a new logon.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Special Logon
Event Description:
This event occurs when an account that is a member of any defined Special Group logs in.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4964</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12548</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-11T02:25:16.236443300Z" />
<EventRecordID>238923</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="5008" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0xd972e</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-500</Data>
<Data Name="TargetUserName">ladmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x139faf</Data>
<Data Name="TargetLogonGuid">{B03B6192-09AE-E77F-DD10-2DC430766040}</Data>
<Data Name="SidList">%{S-1-5-21-3457937927-2839227994-823803824-512}</Data>
</EventData>
</Event>
Note Special Groups is a new feature in Windows Vista and in Windows Server 2008. The Special Groups
feature lets the administrator find out when a member of a certain group logs on to the computer. The Special
Groups feature lets an administrator set a list of group security identifiers (SIDs) in the registry.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested logon for New Logon
account.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can
contain the same Logon GUID, “4769(S, F): A Kerberos service ticket was requested” event on a domain
controller.
It also can be used for correlation between a 4964 event and several other events (on the same computer)
that can contain the same Logon GUID, “4648(S): A logon was attempted using explicit credentials” and
“4624(S): An account was successfully logged on.”
This parameter might not be captured in the event, and in that case appears as
“{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
New Logon:
Security ID [Type = SID ]: SID of account that performed the logon. Event Viewer automatically tries to
resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.
Account Name [Type = UnicodeString]: the name of the account that performed the logon.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can
contain the same Logon GUID, “4769(S, F): A Kerberos service ticket was requested” event on a domain
controller.
It also can be used for correlation between a 4964 event and several other events (on the same computer)
that can contain the same Logon GUID, “4648(S): A logon was attempted using explicit credentials” and
“4624(S): An account was successfully logged on.”
This parameter might not be captured in the event, and in that case appears as
“{00000000-0000-0000-0000-000000000000}”.
Special Groups Assigned [Type = UnicodeString]: the list of special group SIDs, which New
Logon\Security ID is a member of.
4672(S): Special privileges assigned to new logon.
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4672</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12548</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-11T01:10:57.091809600Z" />
<EventRecordID>237692</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x671101</Data>
<Data Name="PrivilegeList">SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account to which special privileges were
assigned.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Privileges [Type = UnicodeString]: the list of sensitive privileges assigned to the new logon. The following table
contains the list of possible privileges for this event (Privilege Name, User Right Group Policy Name, Description):
SeAuditPrivilege (Generate security audits): With this privilege, the user can add entries to the security log.
SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation): Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege (Impersonate a client after authentication): With this privilege, the user can impersonate other accounts.
SeLoadDriverPrivilege (Load and unload device drivers): Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeTakeOwnershipPrivilege (Take ownership of files or other objects): Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege (Act as part of the operating system): This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Monitor for this event where “Subject\Security ID” is not one of these well-known security principals:
LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “Subject\Security ID” is not an
administrative account that is expected to have the listed Privileges.
If you have a list of specific privileges which should never be granted, or granted only to a few accounts (for
example, SeDebugPrivilege), use this event to monitor for those “Privileges.”
If you are required to monitor any of the sensitive privileges in the Event Description for this event, search for
those specific privileges in the event.
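The 4672 monitoring advice above, together with the Special Groups Assigned field of 4964, applied to Event XML of the shape shown on this page, as an added Python example (not Microsoft's code): the well-known service SIDs S-1-5-18/19/20 are excluded as recommended, while the expected-admin SID set and the never-grant privilege list are placeholders to be filled from your own baseline, and the sample events are constructed from the page's examples with a trimmed System block.

```python
"""Triage for the Audit Special Logon subcategory (events 4964 and 4672).

Added example, not Microsoft's code: parses Security-Auditing Event XML of the
shape shown on this page and applies the page's monitoring advice for 4672
(ignore LOCAL SYSTEM / LOCAL SERVICE / NETWORK SERVICE, flag accounts outside
an admin baseline, flag never-grant privileges), and unwraps the '%{SID}'
list that 4964 carries in SidList. The baseline sets are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known service principals the recommendation excludes:
# LOCAL SYSTEM, LOCAL SERVICE, NETWORK SERVICE.
WELL_KNOWN_SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
# Placeholder baseline: administrative SIDs expected to hold these privileges.
EXPECTED_ADMIN_SIDS = {"S-1-5-21-3457937927-2839227994-823803824-500"}
# Placeholder: privileges that should never be granted in this environment.
NEVER_GRANT = {"SeDebugPrivilege", "SeTcbPrivilege"}


def parse_event(xml_text):
    """Return (event_id, {Data@Name: text}) from one Event XML document."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def parse_sid_list(sid_list):
    """SidList in 4964 is written as '%{SID} %{SID} ...'; return the bare SIDs."""
    return [tok[2:-1] for tok in sid_list.split()
            if tok.startswith("%{") and tok.endswith("}")]


def triage(xml_text):
    """Return a list of (event_id, reason, detail) findings; empty means benign."""
    event_id, d = parse_event(xml_text)
    findings = []
    if event_id == 4672:
        sid = d.get("SubjectUserSid", "")
        if sid in WELL_KNOWN_SERVICE_SIDS:
            return findings  # service principals always carry these rights
        account = f"{d.get('SubjectDomainName', '')}\\{d.get('SubjectUserName', '')}"
        if sid not in EXPECTED_ADMIN_SIDS:
            findings.append((4672, "unexpected-account", account))
        hits = sorted(set(d.get("PrivilegeList", "").split()) & NEVER_GRANT)
        if hits:
            findings.append((4672, "never-grant-privilege", ",".join(hits)))
    elif event_id == 4964:
        target = f"{d.get('TargetDomainName', '')}\\{d.get('TargetUserName', '')}"
        groups = ",".join(parse_sid_list(d.get("SidList", "")))
        findings.append((4964, "special-group-logon", f"{target} in {groups}"))
    return findings


def sample_event(event_id, data):
    """Build Event XML in the page's layout (constructed sample, System block trimmed)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            '<Provider Name="Microsoft-Windows-Security-Auditing" '
            'Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />'
            f'<EventID>{event_id}</EventID><Channel>Security</Channel>'
            '<Computer>DC01.contoso.local</Computer></System>'
            f'<EventData>{rows}</EventData></Event>')


SAMPLE_4672 = sample_event(4672, {  # values from the page's 4672 example
    "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
    "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO",
    "SubjectLogonId": "0x671101",
    "PrivilegeList": "SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege "
                     "SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege "
                     "SeDebugPrivilege SeSystemEnvironmentPrivilege "
                     "SeEnableDelegationPrivilege SeImpersonatePrivilege"})
SAMPLE_4672_SYSTEM = sample_event(4672, {  # constructed: LOCAL SYSTEM, to be ignored
    "SubjectUserSid": "S-1-5-18", "SubjectUserName": "SYSTEM",
    "SubjectDomainName": "NT AUTHORITY", "SubjectLogonId": "0x3e7",
    "PrivilegeList": "SeTcbPrivilege SeDebugPrivilege"})
SAMPLE_4964 = sample_event(4964, {  # values from the page's 4964 example
    "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
    "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO",
    "TargetUserSid": "S-1-5-21-3457937927-2839227994-823803824-500",
    "TargetUserName": "ladmin", "TargetDomainName": "CONTOSO",
    "TargetLogonId": "0x139faf",
    "SidList": "%{S-1-5-21-3457937927-2839227994-823803824-512}"})

if __name__ == "__main__":
    for sample in (SAMPLE_4672, SAMPLE_4672_SYSTEM, SAMPLE_4964):
        for finding in triage(sample):
            print(finding)
```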
Audit Application Generated
Applies to
Windows 10
Windows Server 2016
Audit Application Generated generates events for actions related to Authorization Manager applications.
The Audit Application Generated subcategory is out of scope of this document, because Authorization Manager is
very rarely used and has been deprecated starting from Windows Server 2012.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Events List:
4665: An attempt was made to create an application client context.
4666: An application attempted an operation.
4667: An application client context was deleted.
4668: An application was initialized.
Audit Certification Services
Applies to
Windows 10
Windows Server 2016
Audit Certification Services determines whether the operating system generates events when Active Directory
Certificate Services (AD CS) operations are performed.
Examples of AD CS operations include:
AD CS starts, shuts down, is backed up, or is restored.
Certificate revocation list (CRL)-related tasks are performed.
Certificates are requested, issued, or revoked.
Certificate manager settings for AD CS are changed.
The configuration and properties of the certification authority (CA) are changed.
AD CS templates are modified.
Certificates are imported.
A CA certificate is published to Active Directory Domain Services.
Security permissions for AD CS role services are modified.
Keys are archived, imported, or retrieved.
The OCSP Responder Service is started or stopped.
Monitoring these operational events is important to ensure that AD CS role services are functioning properly.
Event volume: Low to medium on servers that provide AD CS role services.
Role-specific subcategories are outside the scope of this document.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | IF | IF | IF | IF | IF – if a server has the Active Directory Certificate Services (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory.
Applies to
Windows 10
Windows Server 2016
Audit Detailed File Share allows you to audit attempts to access files and folders on a shared folder.
The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting
only records one event for any connection established between a client and file share. Detailed File Share audit
events include detailed information about the permissions or other criteria used to grant or deny access.
There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all
shared files and folders on the system is audited.
Event volume:
High on file servers.
High on domain controllers because of SYSVOL network access required by Group Policy.
Low on member servers and workstations.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Events List:
5145(S, F): A network share object was checked to see whether client can be granted desired access.
5145(S, F): A network share object was checked to see whether client can be granted desired access.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed File Share
Event Description:
This event is generated every time a network share object (file or folder) was accessed.
Important: Failure events are generated only when access is denied at the file share level. No events are
generated if access was denied on the file system (NTFS) level.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5145</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12811</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" />
<EventRecordID>267092</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d34</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data>
<Data Name="IpPort">56926</Data>
<Data Name="ShareName">\\*\Documents</Data>
<Data Name="ShareLocalPath">\??\C:\Documents</Data>
<Data Name="RelativeTargetName">Bginfo.exe</Data>
<Data Name="AccessMask">0x100081</Data>
<Data Name="AccessList">%%1541 %%4416 %%4423</Data>
<Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested access to network share
object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Network Information:
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation. Always
“File” for this event.
The following table contains the list of the most common Object Types:
Source Address [Type = UnicodeString]: source IP address from which access was performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source TCP or UDP port which was used from remote or local
machine to request the access.
0 for local access attempts.
Share Information:
Share Name [Type = UnicodeString]: the name of the accessed network share. The format is: \\*\SHARE_NAME.
Share Path [Type = UnicodeString]: the full system (NTFS) path for the accessed share. The format is: \\??\PATH. Can be empty, for example for Share Name: \\*\IPC$.
Relative Target Name [Type = UnicodeString]: relative name of the accessed target file or folder. This file path is relative to the network share. If access was requested for the share itself, then this field appears as “\”.
Access Request Information:
Access Mask [Type = HexInt32]: the sum of hexadecimal values of requested access rights. See “Table 13.
File access codes.” for different hexadecimal values for access rights.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID.
These access rights depend on Object Type.
ACCESS | HEXADECIMAL VALUE, SCHEMA VALUE | DESCRIPTION
ReadData (or ListDirectory) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) | 0x2, %%4417 | WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
Access Check Results [Type = UnicodeString]: the list of access check results. The format of the result is:
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below.
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
“D” - DACL
“S” - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, Inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, Child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ace.
"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Monitor this event if the Network Information\Source Address is not from your internal IP range.
Monitor this event if the Network Information\Source Address should not be able to connect with the
specific computer (Computer:).
If you have critical files or folders on specific network shares, for which you need to monitor access attempts
(Success and Failure), monitor for specific Share Information\Share Name and Share
Information\Relative Target Name.
If you have domain or local accounts that should only be able to access a specific list of shared files or
folders, you can monitor for access attempts outside the allowed list.
We recommend that you monitor for these Access Request Information\Accesses rights (especially for
Failure):
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
Audit File Share
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit File Share allows you to audit events related to file shares: creation, deletion, modification, and access
attempts. Also, it shows failed SMB SPN checks.
There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all
shares on the system will be audited.
Combined with File System auditing, File Share auditing enables you to track what content was accessed, the
source (IP address and port) of the request, and the user account that was used for the access.
Event volume:
High on file servers.
High on domain controllers because of SYSVOL network access required by Group Policy.
Low on member servers and workstations.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Events List:
5140(S, F): A network share object was accessed.
5142(S): A network share object was added.
5143(S): A network share object was modified.
5144(S): A network share object was deleted.
5168(F): SPN check for SMB/SMB2 failed.
5140(S, F): A network share object was accessed.
4/5/2019 • 4 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File Share
Event Description:
This event generates every time a network share object is accessed.
This event generates once per session, when the first access attempt is made.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5140</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:45:13.581231400Z" />
<EventRecordID>268495</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="772" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x541f35</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">10.0.0.100</Data>
<Data Name="IpPort">49212</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">\\??\\C:\\Documents</Data>
<Data Name="AccessMask">0x1</Data>
<Data Name="AccessList">%%4416</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested access to network share
object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Network Information:
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation. Always
“File” for this event.
The following table contains the list of the most common Object Types:
Source Address [Type = UnicodeString]: source IP address from which access was performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source TCP or UDP port which was used from remote or local
machine to request the access.
0 for local access attempts.
Share Information:
Share Name [Type = UnicodeString]: the name of accessed network share. The format is:
\\*\SHARE_NAME.
Share Path [Type = UnicodeString]: the full system (NTFS) path for the accessed share. The format is: \\??\PATH. Can be empty, for example for Share Name: \\*\IPC$.
Access Request Information:
Access Mask [Type = HexInt32]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for the hexadecimal values of the different access rights. Always has the value “0x1” for this event.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID. These access rights depend on Object Type. Always has the value “ReadData (or ListDirectory)” for this event.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have high-value computers for which you need to monitor all access to all shares or specific shares
(“Share Name”), monitor this event. For example, you could monitor share C$ on domain controllers.
Monitor this event if the Network Information\Source Address is not from your internal IP range.
Monitor this event if the Network Information\Source Address should not be able to connect with the
specific computer (Computer:).
If you need to monitor access attempts to local shares from a specific IP address (“Network
Information\Source Address”), use this event.
If you need to monitor for specific Access Types (for example, ReadData or WriteData), for all or specific
shares (“Share Name”), monitor this event for the “Access Type.”
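The monitoring recommendations for 5140 above and for 5145 earlier on this page (a Source Address outside your internal range, access to specific shares such as C$ on high-value computers, and write-type rights in the Access Mask, especially on Failure) can be applied mechanically to exported event XML. The following Python is an added example written for this page, not code from the Microsoft documentation: it flattens events in the XML layout shown above, decodes the Access Mask into the individual rights it is the sum of (using the standard file access-mask bits from winnt.h, which match the page's "Table 13"), reads the outcome from the Keywords value (0x8010... is Audit Failure, 0x8020... is Audit Success), and returns a list of findings. The internal range 10.0.0.0/8, the watched-share list, and the two sample events are assumptions constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# File access-mask bits from winnt.h (the page's "Table 13. File access codes" lists the
# same values); names follow the wording used in the event's "Accesses" field.
ACCESS_BITS = {
    0x1: "ReadData (or ListDirectory)",
    0x2: "WriteData (or AddFile)",
    0x4: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x8: "ReadEA",
    0x10: "WriteEA",
    0x20: "Execute/Traverse",
    0x40: "DeleteChild",
    0x80: "ReadAttributes",
    0x100: "WriteAttributes",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
# The rights the page recommends watching in 5145 (especially on Failure).
WRITE_LIKE = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000

AUDIT_FAILURE_BIT = 0x0010000000000000  # Keywords 0x8010... = Audit Failure, 0x8020... = Audit Success
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the organisation's internal range
WATCHED_SHARES = {r"\\*\C$"}                             # assumption: shares to watch on high-value hosts


def decode_mask(mask: int) -> list:
    """Expand an AccessMask into the individual rights it is the sum of."""
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]


def parse_event(xml_text: str) -> dict:
    """Flatten one Security-channel event (XML as shown on the page) into a dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    fields["EventID"] = int(system.find("e:EventID", NS).text)
    fields["Computer"] = system.find("e:Computer", NS).text
    keywords = int(system.find("e:Keywords", NS).text, 16)
    fields["Failure"] = bool(keywords & AUDIT_FAILURE_BIT)
    return fields


def is_internal(address: str) -> bool:
    """True for loopback or an address inside INTERNAL_RANGES (IPv4-mapped IPv6 is unwrapped)."""
    ip = ipaddress.ip_address(address)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # the page notes that clients appear as ::ffff:IPv4
    return ip.is_loopback or any(ip in net for net in INTERNAL_RANGES)


def triage(ev: dict) -> list:
    """Apply the page's monitoring recommendations to one 5140 or 5145 event."""
    findings = []
    if ev["EventID"] not in (5140, 5145):
        return findings
    if not is_internal(ev["IpAddress"]):
        findings.append(f"source {ev['IpAddress']} is outside the internal range")
    if ev["ShareName"] in WATCHED_SHARES:
        findings.append(f"access to watched share {ev['ShareName']} on {ev['Computer']}")
    mask = int(ev["AccessMask"], 16)
    if ev["EventID"] == 5145 and mask & WRITE_LIKE:
        outcome = "failed" if ev["Failure"] else "successful"
        rights = ", ".join(decode_mask(mask & WRITE_LIKE))
        findings.append(f"{outcome} write-type access ({rights}) to {ev['RelativeTargetName']}")
    return findings


# Constructed sample events modelled on the page's XML (not real log data).
SAMPLE_5145_FAILURE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5145</EventID><Keywords>0x8010000000000000</Keywords>
<Channel>Security</Channel><Computer>FS01.contoso.local</Computer></System>
<EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="ObjectType">File</Data><Data Name="IpAddress">203.0.113.7</Data><Data Name="IpPort">51022</Data>
<Data Name="ShareName">\\*\Documents</Data><Data Name="ShareLocalPath">\??\C:\Documents</Data>
<Data Name="RelativeTargetName">payroll.xlsx</Data><Data Name="AccessMask">0x2</Data>
<Data Name="AccessList">%%4417</Data></EventData></Event>"""

SAMPLE_5140_SUCCESS = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5140</EventID><Keywords>0x8020000000000000</Keywords>
<Channel>Security</Channel><Computer>DC01.contoso.local</Computer></System>
<EventData><Data Name="SubjectUserName">dadmin</Data><Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="ObjectType">File</Data><Data Name="IpAddress">::ffff:10.0.0.100</Data><Data Name="IpPort">49212</Data>
<Data Name="ShareName">\\*\C$</Data><Data Name="ShareLocalPath">\??\C:\</Data>
<Data Name="AccessMask">0x1</Data><Data Name="AccessList">%%4416</Data></EventData></Event>"""

if __name__ == "__main__":
    for sample in (SAMPLE_5145_FAILURE, SAMPLE_5140_SUCCESS):
        ev = parse_event(sample)
        print(ev["EventID"], ev["SubjectUserName"], triage(ev))
```

Feed it the XML exported from Event Viewer or from a log-forwarding pipeline; decode_mask on the page's 5145 value 0x100081 yields ReadData, ReadAttributes and SYNCHRONIZE, which is why a read-only open of Bginfo.exe produces that mask.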
5142(S): A network share object was added.
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File Share
Event Description:
This event generates every time a network share object is added.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5142</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:27:01.206646900Z" />
<EventRecordID>268462</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4304" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d12</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">C:\\Documents</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “add network share
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Share Information:
Share Name [Type = UnicodeString]: the name of the added share object. The format is:
\\*\SHARE_NAME.
Share Path [Type = UnicodeString]: the full system (NTFS) path for the added share object. The format is: \\??\PATH.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have high-value computers for which you need to monitor creation of new file shares, monitor this
event. For example, you could monitor domain controllers.
We recommend checking “Share Path”, because it should not point to system directories, such as
C:\Windows or C:\, or to critical local folders which contain private or high value information.
5143(S): A network share object was modified.
4/5/2019 • 6 minutes to read
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5143</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:42:56.743298600Z" />
<EventRecordID>268483</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d12</Data>
<Data Name="ObjectType">Directory</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">C:\\Documents</Data>
<Data Name="OldRemark">N/A</Data>
<Data Name="NewRemark">N/A</Data>
<Data Name="OldMaxUsers">0xffffffff</Data>
<Data Name="NewMaxUsers">0xffffffff</Data>
<Data Name="OldShareFlags">0x800</Data>
<Data Name="NewShareFlags">0x800</Data>
<Data Name="OldSD">O:S-1-5-21-3457937927-2839227994-823803824-1104G:DAD:(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)
</Data>
<Data Name="NewSD">O:BAG:DAD:(D;;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICI;FA;;;WD)
(A;OICI;FA;;;BA)</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “modify network share
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Share Information:
Object Type [Type = UnicodeString]: The type of an object that was modified. Always “Directory” for this
event.
The following table contains the list of the most common Object Types:
Share Name [Type = UnicodeString]: the name of the modified share object. The format is:
\\*\SHARE_NAME
Share Path [Type = UnicodeString]: the full system (NTFS) path for the added share object. The format is: \\??\PATH. Can be empty, for example for Share Name: \\*\IPC$.
Old Remark [Type = UnicodeString]: the old value of network share “Comments:” field. Has “N/A” value if
it is not set.
New Remark [Type = UnicodeString]: the new value of network share “Comments:” field. Has “N/A” value
if it is not set.
Old MaxUsers [Type = HexInt32]: old hexadecimal value of “Limit the number of simultaneous user
to:” field. Has “0xFFFFFFFF” value if the number of connections is unlimited.
New Maxusers [Type = HexInt32]: new hexadecimal value of “Limit the number of simultaneous user
to:” field. Has “0xFFFFFFFF” value if the number of connections is unlimited.
Old ShareFlags [Type = HexInt32]: old hexadecimal value of “Offline Settings” caching settings window
flags.
New ShareFlags [Type = HexInt32]: new hexadecimal value of “Offline Settings” caching settings window
flags.
Old SD [Type = UnicodeString]: the old Security Descriptor Definition Language (SDDL) value for the network share security descriptor.
New SD [Type = UnicodeString]: the new Security Descriptor Definition Language (SDDL) value for the network share security descriptor.
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
“D” - DACL
“S” - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, Inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, Child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ace.
"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have high-value computers for which you need to monitor all modifications to all shares or specific
shares (“Share Name”), monitor this event. For example, you could monitor all changes to the SYSVOL share
on domain controllers.
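The SDDL grammar described above (in the Access Check Results note for 5145 and again here for the Old SD and New SD fields of 5143) is regular enough to parse with a few lines of code, and doing so turns a 5143 event into a concrete list of which ACEs were added or removed rather than two long strings to eyeball. The following Python is an added example written for this page, not code from the Microsoft documentation: it splits a security descriptor into its O:, G:, D: and S: sections, parses each ACE into the six fields named above, diffs the Old SD and New SD values taken from the 5143 example event on this page, and lists Allow entries granted to Everyone (WD) or Anonymous (AN). The alias names for BG, DA and AU come from sddl.h rather than from this page.

```python
import re
from dataclasses import dataclass

# Aliases the page lists, plus BG/DA/AU taken from sddl.h.
SID_ALIASES = {
    "BA": "BUILTIN_ADMINISTRATORS", "WD": "Everyone", "SY": "LOCAL_SYSTEM", "AN": "Anonymous",
    "BG": "BUILTIN_GUESTS", "DA": "Domain Admins", "AU": "Authenticated Users",
}


@dataclass(frozen=True)
class Ace:
    """One (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid) entry."""
    ace_type: str
    ace_flags: str
    rights: str
    object_guid: str
    inherit_object_guid: str
    account_sid: str


@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: str
    dacl: tuple
    sacl_flags: str
    sacl: tuple


# O:, G:, D: and S: sections; a section body runs until the next "X:" marker.
_SECTION = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
_ACE = re.compile(r"\(([^)]*)\)")


def _parse_acl(body: str):
    """Split 'flags(ace)(ace)...' into the inheritance flags and a tuple of Ace records."""
    flags = body.split("(", 1)[0]  # e.g. "ARAI" in S:ARAI(...)
    aces = []
    for entry in _ACE.findall(body):
        fields = entry.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({entry})")
        aces.append(Ace(*fields))
    return flags, tuple(aces)


def parse_sddl(sddl: str) -> SecurityDescriptor:
    parts = dict(_SECTION.findall(sddl))
    dacl_flags, dacl = _parse_acl(parts.get("D", ""))
    sacl_flags, sacl = _parse_acl(parts.get("S", ""))
    return SecurityDescriptor(parts.get("O", ""), parts.get("G", ""),
                              dacl_flags, dacl, sacl_flags, sacl)


def describe_sid(sid: str) -> str:
    return SID_ALIASES.get(sid, sid)


def diff_sd(old_sddl: str, new_sddl: str) -> dict:
    """What changed between Old SD and New SD of a 5143 event (ACE order is ignored)."""
    old, new = parse_sddl(old_sddl), parse_sddl(new_sddl)
    return {
        "owner": (old.owner, new.owner) if old.owner != new.owner else None,
        "group": (old.group, new.group) if old.group != new.group else None,
        "dacl_added": sorted(set(new.dacl) - set(old.dacl), key=str),
        "dacl_removed": sorted(set(old.dacl) - set(new.dacl), key=str),
        "sacl_added": sorted(set(new.sacl) - set(old.sacl), key=str),
        "sacl_removed": sorted(set(old.sacl) - set(new.sacl), key=str),
    }


def broad_grants(sd: SecurityDescriptor) -> list:
    """Allow ACEs for Everyone or Anonymous: worth a look on any share change."""
    return [a for a in sd.dacl if a.ace_type == "A" and a.account_sid in ("WD", "AN")]


# Old SD / New SD values from the page's 5143 example event.
OLD_SD = "O:S-1-5-21-3457937927-2839227994-823803824-1104G:DAD:(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)"
NEW_SD = ("O:BAG:DAD:(D;;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"
          "(A;OICI;FA;;;WD)(A;OICI;FA;;;BA)")

if __name__ == "__main__":
    change = diff_sd(OLD_SD, NEW_SD)
    print("owner:", change["owner"])
    for ace in change["dacl_added"]:
        print("added:", ace.ace_type, ace.rights, describe_sid(ace.account_sid))
    for ace in broad_grants(parse_sddl(NEW_SD)):
        print("broad grant:", ace.rights, "to", describe_sid(ace.account_sid))
```

Run against the page's example the diff shows the owner moving from the user's SID to BA and a new Deny ACE for that SID; the two original Allow ACEs survive in a different order, which a plain string comparison of Old SD and New SD would have reported as a change.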
5144(S): A network share object was deleted.
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File Share
Event Description:
This event generates every time a network share object is deleted.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5144</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:17:14.820551800Z" />
<EventRecordID>268368</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4656" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d12</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">C:\\Documents</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete network share
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Share Information:
Share Name [Type = UnicodeString]: the name of the deleted share object. The format is:
\\*\SHARE_NAME
Share Path [Type = UnicodeString]: the full system (NTFS) path for the deleted share object. The format is: \\??\PATH.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have critical network shares for which you need to monitor all changes (especially, the deletion of that
share), monitor for specific “Share Information\Share Name”.
If you have high-value computers for which you need to monitor all changes (especially, deletion of file
shares), monitor for all 5144 events on these computers. For example, you could monitor file shares on
domain controllers.
5168(F): SPN check for SMB/SMB2 failed.
4/5/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File Share
Event Description:
This event generates when the SMB SPN check fails. It often happens because of NTLMv1 or LM protocol usage from the client side when the “Microsoft Network Server: Server SPN target name validation level” group policy is set to “Require from client” on the server side. The SPN is only sent to the server when the NTLMv2 or Kerberos protocols are used, and only after that can the SPN be validated.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5168</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T17:53:40.294859800Z" />
<EventRecordID>268946</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="80" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0xd0cd4</Data>
<Data Name="SpnName">N/A</Data>
<Data Name="ErrorCode">0xc0000022</Data>
<Data Name="ServerNames">CONTOSO;contoso.local;DC01.contoso.local;DC01;LocalHost;</Data>
<Data Name="ConfiguredNames">N/A</Data>
<Data Name="IpAddresses">127.0.0.1;::1;10.0.0.10;;fe80::31ea:6c3c:f40d:1973;;fe80::5efe:10.0.0.10;</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account for which the SPN check operation failed.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
SPN:
SPN Name [Type = UnicodeString]: SPN which was used to access the server. If SPN was not provided, then
the value will be “N/A”.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must have
its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might
use for authentication. For example, an SPN always includes the name of the host computer on which the
service instance is running, so a service instance might register an SPN for each name or alias of its host.
Error Code [Type = HexInt32]: hexadecimal error code, for example “0xC0000022” = STATUS_ACCESS_DENIED. You can find descriptions of all SMB error codes here: https://msdn.microsoft.com/library/ee441884.aspx.
Server Information:
Server Names [Type = UnicodeString]: information about possible server names to use to access the target
server (NETBIOS, DNS, localhost, etc.).
Configured Names [Type = UnicodeString]: information about the names which were provided for
validation. If no information was provided the value will be “N/A”.
IP Addresses [Type = UnicodeString]: information about possible IP addresses to use to access the target
server (IPv4, IPv6).
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
We recommend monitoring for any 5168 event, because it can be a sign of a configuration issue or a malicious
authentication attempt.
Audit File System
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit File System determines whether the operating system generates audit events when users attempt to
access file system objects.
Audit events are generated only for objects that have configured system access control lists (SACLs), and only
if the type of access requested (such as Write, Read, or Modify) and the account making the request match the
settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file
system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time
any user unsuccessfully attempts to access a file system object that has a matching SACL.
These events are essential for tracking activity for file objects that are sensitive or valuable and require extra
monitoring.
Event volume: Varies, depending on how file system SACLs are configured.
No audit events are generated for the default file system SACLs.
This subcategory allows you to audit user attempts to access file system objects, file system object deletion
and permissions change operations and hard link creation actions.
Only one event, “4658: The handle to an object was closed,” depends on the Audit Handle Manipulation
subcategory (Success auditing must be enabled). All other events generate without any additional
configuration.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a File System Security Monitoring policy and define appropriate SACLs for file system objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess SACLs. Otherwise the auditing log will be overloaded with useless information. Failure events can show you unsuccessful attempts to access specific file system objects. Consider enabling this subcategory for critical computers first, after you develop a File System Security Monitoring policy for them.
Member Server | IF | IF | IF | IF |
Workstation | IF | IF | IF | IF |
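The rule stated above (an event is written only when a SACL entry matches both the requesting account and the requested access type, and only for the outcome the subcategory audits) can be modelled in a few lines. The following is an added illustration, not Windows code or anything from the original page: the real check is performed by the kernel, and the model keeps only the rules the text states. The ACE flag values and access-mask bits are the standard Win32 constants; the user SIDs are constructed, except S-1-1-0, which is the well-known SID for Everyone.

```python
"""Simplified model of when a file system SACL produces an audit event.

Added example, not Windows code: it encodes the three conditions the text
describes (trustee match, access-type match, outcome audited by the
subcategory) and a heuristic for the 'excess SACL' entries the table warns
about. SIDs other than S-1-1-0 (Everyone) are constructed.
"""
from dataclasses import dataclass

# Standard Win32 access-mask bits used in the sample requests.
FILE_READ_DATA = 0x1
FILE_WRITE_DATA = 0x2
DELETE = 0x10000

# Flags on a SYSTEM_AUDIT_ACE selecting which outcomes the entry audits.
SUCCESSFUL_ACCESS_ACE_FLAG = 0x40
FAILED_ACCESS_ACE_FLAG = 0x80


@dataclass(frozen=True)
class AuditAce:
    """One audit entry (ACE) in an object's SACL."""
    sid: str     # trustee: a user or group SID
    mask: int    # access rights this entry audits
    flags: int   # SUCCESSFUL_ACCESS_ACE_FLAG and/or FAILED_ACCESS_ACE_FLAG


@dataclass(frozen=True)
class SubcategoryPolicy:
    """Audit File System setting on the machine."""
    success: bool
    failure: bool


def audit_event_generated(sacl, policy, token_sids, requested_mask, granted):
    """Return True when a 4656-style event would be written.

    sacl:           list of AuditAce on the object (empty for the default SACL)
    policy:         Success/Failure setting of the Audit File System subcategory
    token_sids:     SIDs in the caller's token (user SID plus group SIDs)
    requested_mask: access rights requested on the object
    granted:        outcome of the DACL check (True = access allowed)
    """
    # The subcategory must audit this outcome at all.
    if granted and not policy.success:
        return False
    if not granted and not policy.failure:
        return False
    outcome_flag = SUCCESSFUL_ACCESS_ACE_FLAG if granted else FAILED_ACCESS_ACE_FLAG
    for ace in sacl:
        if ace.sid not in token_sids:
            continue                    # entry is for a different trustee
        if not ace.flags & outcome_flag:
            continue                    # entry does not audit this outcome
        if ace.mask & requested_mask:
            return True                 # an audited right was requested
    return False


def noisy_entries(sacl):
    """Entries likely to flood the log: success auditing of reads for Everyone.

    Heuristic of this example only; it flags the kind of non-effective,
    excess SACL entry the recommendations say to delete.
    """
    return [ace for ace in sacl
            if ace.sid == "S-1-1-0"
            and ace.flags & SUCCESSFUL_ACCESS_ACE_FLAG
            and ace.mask & FILE_READ_DATA]


if __name__ == "__main__":
    policy = SubcategoryPolicy(success=True, failure=True)
    token = ["S-1-5-21-1-2-3-1104", "S-1-1-0"]          # constructed user SID plus Everyone
    targeted = [AuditAce("S-1-1-0", FILE_WRITE_DATA | DELETE, FAILED_ACCESS_ACE_FLAG)]
    print("default SACL, denied write:", audit_event_generated([], policy, token, FILE_WRITE_DATA, False))
    print("targeted SACL, denied write:", audit_event_generated(targeted, policy, token, FILE_WRITE_DATA, False))
```

With an empty SACL (the default for file system objects) nothing is ever written, which is why the text says no events are generated for default SACLs; a failure-only entry on write and delete rights produces exactly the Failure events the table calls useful, while a success entry on read for Everyone is what fills the log with noise.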
Events List:
4656(S, F): A handle to an object was requested.
4658(S): The handle to an object was closed.
4660(S): An object was deleted.
4663(S): An attempt was made to access an object.
4664(S): An attempt was made to create a hard link.
4985(S): The state of a transaction has changed.
5051(-): A file was virtualized.
4670(S): Permissions on an object were changed.
4656(S, F): A handle to an object was requested.
4/5/2019 • 16 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that specific access was requested for an object. The object could be a file system, kernel, or
registry object, or a file system object on removable storage or a device.
If access was declined, a Failure event is generated.
This event generates only if the object’s SACL has the required ACE to handle the use of specific access rights.
This event shows that access was requested, and the results of the request, but it doesn’t show that the operation
was performed. To see that the operation was performed, check “4663(S): An attempt was made to access an
object.”
Note: For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4656</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" />
<EventRecordID>274057</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
<Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:
(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:
(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data>
<Data Name="AccessMask">0x12019f</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="RestrictedSidCount">0</Data>
<Data Name="ProcessId">0x1074</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which
access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some
objects, the field does not apply and “-” is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was
requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event
with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-
0000-000000000000}”.
Note: GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID. These
access rights depend on Object Type. The following table contains information about the most common access
rights for file system objects. Access rights for registry objects are often similar to file system objects, but the
table contains a few notes about how they vary.
ACCESS | HEXADECIMAL VALUE, SCHEMA VALUE | DESCRIPTION
ReadData (or ListDirectory) (For registry objects, this is “Query key value.”) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) (For registry objects, this is “Set key value.”) | 0x2, %%4417 | WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
Access Reasons [Type = UnicodeString] [Version 1]: the list of access check results. The format of this
varies, depending on the object. For kernel objects, this field does not apply.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more
information, see the preceding table.
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used during
the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that
case appears as “-”. See full list of user privileges in the table below:
PRIVILEGE NAME | USER RIGHT GROUP POLICY NAME | DESCRIPTION
SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.
SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request.
SeShutdownPrivilege | Shut down the system | Required to shut down a local system.
SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.
Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only specific
Object Types.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
If Object Name is a sensitive or critical object for which you need to monitor any access attempt, monitor
all 4656 events.
If Object Name is a sensitive or critical object for which you need to monitor specific access attempts (for
example, only write actions), monitor for all 4656 events with the corresponding Access Request
Information\Accesses values.
If you need to monitor files and folders with specific Resource Attribute values, monitor for all 4656 events
with specific Resource Attributes field values.
For file system objects, we recommend that you monitor these Access Request Information\Accesses
rights (especially for Failure events):
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
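The recommendations above can be turned into a check that runs over the event itself. The following is an added example, not code from the original page or from Microsoft: it parses the 4656 sample shown above (reproduced as plain XML, tree-view dashes removed and some fields left out for length), decodes the Access Mask into the named rights, and applies the checks listed. The page's table shows only the ReadData and WriteData rows; the other bit-to-name mappings in `FILE_ACCESS_BITS` are the standard Win32 file and standard-rights constants. The sensitive-object list and standard-folder list are constructed for the example; the restricted substrings are the ones the recommendations name.

```python
"""Decode a 4656 event and apply the page's monitoring recommendations.

Added example; the XML is the page's sample, the policy lists are
constructed, and the Keywords bit for Audit Failure is the Security log's
standard keyword value.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Win32 access-mask bits for file system objects (names as in the access table).
FILE_ACCESS_BITS = {
    0x1: "ReadData (or ListDirectory)",
    0x2: "WriteData (or AddFile)",
    0x4: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x8: "ReadEA",
    0x10: "WriteEA",
    0x20: "Execute/Traverse",
    0x40: "DeleteChild",
    0x80: "ReadAttributes",
    0x100: "WriteAttributes",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}

# Rights the recommendations say to watch on file system objects.
WATCHED_RIGHTS = {
    "WriteData (or AddFile)",
    "AppendData (or AddSubdirectory or CreatePipeInstance)",
    "WriteEA", "DeleteChild", "WriteAttributes",
    "DELETE", "WRITE_DAC", "WRITE_OWNER",
}

AUDIT_FAILURE_BIT = 0x0010000000000000   # set in Keywords of an Audit Failure record

# Constructed policy inputs (lower-case for case-insensitive comparison).
SENSITIVE_OBJECTS = {"c:\\documents\\hbi data.txt"}
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")

SAMPLE_4656 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<EventID>4656</EventID>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" />
<Computer>DC01.contoso.local</Computer>
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
<Data Name="AccessMask">0x12019f</Data>
<Data Name="ProcessId">0x1074</Data>
<Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
</EventData>
</Event>"""


def decode_access_mask(mask):
    """Names of the rights whose bits are set in an access mask."""
    return [name for bit, name in FILE_ACCESS_BITS.items() if mask & bit]


def parse_event(xml_text):
    """Pull the fields the checks need out of one Security event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    keywords = int(root.find("e:System/e:Keywords", NS).text, 16)
    return {
        "event_id": int(root.find("e:System/e:EventID", NS).text),
        "outcome": "Failure" if keywords & AUDIT_FAILURE_BIT else "Success",
        "subject": f"{data['SubjectDomainName']}\\{data['SubjectUserName']}",
        "object_name": data.get("ObjectName", ""),
        "process_name": data.get("ProcessName", ""),
        "access_mask": int(data["AccessMask"], 16),
        "access_list": data.get("AccessList", "").split(),
    }


def access_list_consistent(event):
    """The %%-coded Accesses list and the Access Mask name the same number of rights."""
    return len(event["access_list"]) == len(decode_access_mask(event["access_mask"]))


def assess(event, sensitive=SENSITIVE_OBJECTS, standard=STANDARD_FOLDERS,
           restricted=RESTRICTED_SUBSTRINGS):
    """Apply the 4656 recommendations; returns (rule, detail) pairs."""
    findings = []
    obj = event["object_name"].lower()
    proc = event["process_name"].lower()
    rights = decode_access_mask(event["access_mask"])
    if obj in sensitive:
        findings.append(("sensitive-object", f"{event['outcome']} request on {event['object_name']}"))
    watched = sorted(WATCHED_RIGHTS.intersection(rights))
    if watched and (obj in sensitive or event["outcome"] == "Failure"):
        findings.append(("write-right-requested", ", ".join(watched)))
    if not proc.startswith(standard):
        findings.append(("process-outside-standard-folders", event["process_name"]))
    hits = [s for s in restricted if s in proc]
    if hits:
        findings.append(("restricted-process-name", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    ev = parse_event(SAMPLE_4656)
    print(ev["outcome"], ev["subject"], decode_access_mask(ev["access_mask"]))
    for rule, detail in assess(ev):
        print(rule, "->", detail)
```

For the sample, the nine %% codes in Accesses line up with the nine bits set in 0x12019f, the record is an Audit Failure (Keywords 0x8010000000000000), and the request asked for WriteData, AppendData, WriteEA and WriteAttributes on the sensitive file, so two findings are raised; notepad.exe under System32 passes the process checks.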
4658(S): The handle to an object was closed.
4/5/2019 • 4 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Handle Manipulation, Audit Kernel Object, Audit Registry, and Audit
Removable Storage
Event Description:
This event generates when the handle to an object is closed. The object could be a file system, kernel, or
registry object, or a file system object on removable storage or a device.
This event generates only if Success auditing is enabled for the Audit Handle Manipulation subcategory.
Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it
might not have any security relevance.
Note: For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4658</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T00:15:42.910428100Z" />
<EventRecordID>276724</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5056" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x18a8</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
</EventData>
</Event>
Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “close object’s handle”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested that the handle be
closed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To
see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this event has little to no security relevance and is hard to parse or analyze. There is no
recommendation for this event, unless you know exactly what you need to monitor with it.
This event can be used to track all actions or operations related to a specific object handle.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
4660(S): An object was deleted.
4/5/2019 • 4 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, and Audit Registry
Event Description:
This event generates when an object was deleted. The object could be a file system, kernel, or registry object.
This event generates only if “Delete” auditing is set in the object’s SACL.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An
attempt was made to access an object” with DELETE access to track object deletion.
The advantage of this event is that it’s generated only during real delete operations. In contrast, “4663(S): An
attempt was made to access an object” also generates during other actions, such as object renaming.
Note: For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4660</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T21:05:28.677152100Z" />
<EventRecordID>270188</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3060" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x1678</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
</EventData>
</Event>
Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that deleted the object. Process ID (PID)
is a number used by the operating system to uniquely identify an active process. To see the PID for a specific
process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event
with other events that might contain the same Transaction ID, such as “4656(S, F): A handle to an object
was requested.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-
0000-000000000000}”.
Note: GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Security Monitoring Recommendations
For 4660(S): An object was deleted.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An
attempt was made to access an object.” events with DELETE access to track object deletion actions.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to
parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to
monitor at the Kernel objects level.
4663(S): An attempt was made to access an object.
4/5/2019 • 8 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that a specific operation was performed on an object. The object could be a file system,
kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if the object’s SACL has the required ACE to handle the use of the specific access
right.
The main difference from “4656: A handle to an object was requested.” is that 4663 shows that the access
right was used instead of just requested, and 4663 doesn’t have Failure events.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:13:54.770429700Z" />
<EventRecordID>273866</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x1bc</Data>
<Data Name="AccessList">%%4417 %%4418</Data>
<Data Name="AccessMask">0x6</Data>
<Data Name="ProcessId">0x458</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to access an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which
access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can be used for
correlation with other events, for example with Handle ID field in “4656(S, F): A handle to an object was
requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some
objects, the field does not apply and “-” is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that accessed the object. Process ID
(PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a
specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Accesses [Type = UnicodeString]: the list of access rights which were used by Subject\Security ID. These
access rights depend on Object Type. The following table contains information about the most common access
rights for file system objects. Access rights for registry objects are often similar to file system objects, but the
table contains a few notes about how they vary.
ACCESS | HEX VALUE, SCHEMA VALUE | DESCRIPTION
ReadData (or ListDirectory) (For registry objects, this is “Query key value.”) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) (For registry objects, this is “Set key value.”) | 0x2, %%4417 | WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more
information, see the preceding table.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have critical file system objects for which you need to monitor all access attempts, monitor this event
for Object Name.
If you have critical file system objects for which you need to monitor certain access attempts (for example,
write actions), monitor this event for Object Name in relation to Access Request Information\Accesses.
If you have file system objects with specific attributes, for which you need to monitor access attempts,
monitor this event for Resource Attributes.
If Object Name is a sensitive or critical registry key for which you need to monitor specific access attempts
(for example, only write actions), monitor for all 4663 events with the corresponding Access Request
Information\Accesses.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
For file system objects, we recommend that you monitor for these Access Request Information\Accesses
rights:
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
4664(S): An attempt was made to create a hard link.
4/5/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File System
Event Description:
This event generates when an NTFS hard link was successfully created.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4664</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-21T23:50:26.871375900Z" />
<EventRecordID>276680</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="2624" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x43659</Data>
<Data Name="FileName">C:\notepad.exe</Data>
<Data Name="LinkName">C:\Docs\My.exe</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
</EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made an attempt to create the hard link. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to create the hard
link.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Link Information:
File Name [Type = UnicodeString]: the name of the file or folder that the new hard link refers to.
Link Name [Type = UnicodeString]: full path name with new hard link file name.
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event
with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Non Sensitive Privilege Use, Audit Other Privilege Use Events, and Audit Sensitive Privilege Use
Event Description:
This is an informational event from the file system Transaction Manager.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4985</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-19T00:00:40.099093300Z" />
<EventRecordID>274277</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5048" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TransactionId">{17EF5E21-5E2C-11E5-810F-00155D987005}</Data>
<Data Name="NewState">52</Data>
<Data Name="ResourceManager">{5F5ED427-FCCA-11E3-BD73-B54AB417B853}</Data>
<Data Name="ProcessId">0x370</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that changed the state of the transaction.
Account Domain [Type = UnicodeString]: domain or computer name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Transaction Information:
RM Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event
with other events that might contain the same Transaction ID, such as “4656(S, F): A handle to an object was
requested.”
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
New State [Type = UInt32]: identifier of the new state of the transaction.
Resource Manager [Type = GUID]: unique GUID of the Resource Manager associated with this transaction.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the state of the
transaction was changed. Process ID (PID) is a number used by the operating system to uniquely identify an
active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Applies to
Windows 10
Windows Server 2016
This event should be generated when a file was virtualized using LUAFV.
This event occurs very rarely during standard LUAFV file virtualization.
There is no example of this event in this document.
Subcategory: Audit File System
Event Schema:
A file was virtualized.
Subject:
Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4
Object:
File Name:%5
Virtual File Name:%6
Process Information:
Process ID:%7
Process Name:%8
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Registry, Audit Authentication Policy Change, and Audit Authorization Policy Change
Event Description:
This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.
This event does not generate if the SACL (Auditing ACL) was changed.
Before this event can generate, certain ACEs might need to be set in the object’s SACL. For example, for a file system object, it generates only if “Change Permissions” and/or “Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC” and/or “Write Owner” are set in the object’s SACL.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4670</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13570</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T19:36:50.187044600Z" />
<EventRecordID>269529</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x43659</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Documents\netcat-1.11</Data>
<Data Name="HandleId">0x3f0</Data>
<Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="ProcessId">0xdb0</Data>
<Data Name="ProcessName">C:\Windows\System32\dllhost.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change object’s
permissions” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which
permissions were changed. For example, for a file, the path would be included. For Token objects, this field
typically equals “-”.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the permissions were
changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Permissions Change:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language
(SDDL) value for the object.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language
(SDDL) value for the object.
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating
information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA
(BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values
in the table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
“D” - DACL
“S” - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, Inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, Inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, Child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone),
SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
If you have critical registry objects for which you need to monitor all modifications (especially permissions
changes and owner changes), monitor for the specific Object\Object Name.
If you have high-value computers for which you need to monitor all changes for all or specific objects (for
example, file system or registry objects), monitor for all 4670 events on these computers. For example, you
could monitor the ntds.dit file on domain controllers.
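The SDDL syntax described above and the 4670 recommendations, as an added example that is not part of the Microsoft documentation: a Python parser for descriptors of the form O:...G:...D:...S:..., with a depth-aware split so that the resource-attribute ACE shown earlier on this page (with a nested parenthesised seventh field) also parses, and a diff of the OldSd/NewSd values from the 4670 record above that names the ACE that was added. The ACE type table follows the list above; SID_ALIASES is a small subset of the full SDDL alias table, enough for the strings on this page.

```python
# Added example (not from the Microsoft documentation): a parser for SDDL strings of
# the shape described above, plus a diff of the OldSd/NewSd values from the 4670 record
# above. SID_ALIASES is a small subset of the full SDDL alias table (assumed sufficient
# for the strings on this page).
from collections import namedtuple

# ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid, plus an optional
# seventh field carried by conditional and resource-attribute ACEs.
Ace = namedtuple("Ace", "ace_type ace_flags rights object_guid inherit_object_guid account_sid extra",
                 defaults=("",))

ACE_TYPES = {"A": "ACCESS ALLOWED", "D": "ACCESS DENIED", "OA": "OBJECT ACCESS ALLOWED",
             "OD": "OBJECT ACCESS DENIED", "AU": "SYSTEM AUDIT", "AL": "SYSTEM ALARM",
             "OU": "OBJECT SYSTEM AUDIT", "OL": "OBJECT SYSTEM ALARM", "RA": "RESOURCE ATTRIBUTE"}
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "BG": "BUILTIN\\Guests", "SY": "LOCAL SYSTEM",
               "WD": "Everyone", "AN": "ANONYMOUS LOGON"}


def _split_top(text, sep):
    """Split text on sep, ignoring separators nested inside parentheses."""
    parts, cur, depth = [], [], 0
    for ch in text:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def split_sections(sddl):
    """Split 'O:..G:..D:..S:..' into a dict; markers count only outside ACE parentheses."""
    sections, key, buf, depth, i = {}, None, [], 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key is not None:
                sections[key] = "".join(buf)
            key, buf, i = ch, [], i + 2
            continue
        depth += {"(": 1, ")": -1}.get(ch, 0)
        buf.append(ch)
        i += 1
    if key is not None:
        sections[key] = "".join(buf)
    return sections


def _ace_bodies(text):
    """Return the contents of each top-level (...) group."""
    bodies, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                bodies.append(text[start:i])
    return bodies


def parse_acl(text):
    """Return (inheritance_flags, [Ace, ...]) for a D: or S: section body (None -> no ACL)."""
    if text is None:
        return None, []
    return text.split("(", 1)[0], [Ace(*_split_top(body, ";")) for body in _ace_bodies(text)]


def parse_sddl(sddl):
    sec = split_sections(sddl)
    return {"owner": sec.get("O"), "group": sec.get("G"),
            "dacl": parse_acl(sec.get("D")), "sacl": parse_acl(sec.get("S"))}


def describe_ace(ace):
    who = SID_ALIASES.get(ace.account_sid, ace.account_sid)
    return f"{ACE_TYPES.get(ace.ace_type, ace.ace_type)} {ace.rights} to {who} (flags {ace.ace_flags or '-'})"


def ace_changes(old_sddl, new_sddl, section="D"):
    """ACEs added and removed between two descriptors (order-insensitive) for one section."""
    old = set(parse_acl(split_sections(old_sddl).get(section))[1])
    new = set(parse_acl(split_sections(new_sddl).get(section))[1])
    return sorted(new - old), sorted(old - new)


# OldSd and NewSd from the 4670 record above, and the SDDL example from the text above.
OLD_SD_4670 = ("D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)"
               "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)")
NEW_SD_4670 = ("D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)"
               "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)")
EXAMPLE_SDDL = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)"
                "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)")

if __name__ == "__main__":
    parsed = parse_sddl(EXAMPLE_SDDL)
    print("owner", parsed["owner"], "group", parsed["group"], "SACL flags", parsed["sacl"][0])
    added, removed = ace_changes(OLD_SD_4670, NEW_SD_4670)
    for ace in added:
        print("added:  ", describe_ace(ace))
    for ace in removed:
        print("removed:", describe_ace(ace))
```

Diffing the two descriptors as sets of ACEs is what makes a 4670 event actionable in a SIEM: for the record above it reports a single addition, an ACCESS ALLOWED ACE granting FA (File All Access) to WD (Everyone), which is the kind of change the "monitor all 4670 events on high-value computers" recommendation is meant to surface. The DACL inheritance flags also changed (AI to ARAI) and are available from parse_sddl.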
Audit Filtering Platform Connection
Applies to
Windows 10
Windows Server 2016
Audit Filtering Platform Connection determines whether the operating system generates audit events when
connections are allowed or blocked by the Windows Filtering Platform.
Windows Filtering Platform (WFP ) enables independent software vendors (ISVs) to filter and modify TCP/IP
packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter
remote procedure calls (RPCs).
This subcategory contains Windows Filtering Platform events about blocked and allowed connections, blocked
and allowed port bindings, blocked and allowed port listening actions, and applications blocked from accepting
incoming connections.
Event volume: High.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Events List:
5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on
the network.
5150(-): The Windows Filtering Platform blocked a packet.
5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet.
5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for
incoming connections.
5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for
incoming connections.
5156(S): The Windows Filtering Platform has permitted a connection.
5157(F): The Windows Filtering Platform has blocked a connection.
5158(S): The Windows Filtering Platform has permitted a bind to a local port.
5159(F): The Windows Filtering Platform has blocked a bind to a local port.
5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.
Applies to
Windows 10
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates when an application was blocked from accepting incoming connections on the network by Windows Filtering Platform.
If you don’t have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you will get this event from the Windows Filtering Platform layer, because by default this layer denies any incoming connections.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5031</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T03:46:36.634473000Z" />
<EventRecordID>304373</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="2976" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="Profiles">Domain</Data>
<Data Name="Application">C:\documents\listener.exe</Data>
</EventData>
</Event>
Applies to
Windows 10
Windows Server 2016
This event is logged if the Windows Filtering Platform MAC filter blocked a packet.
There is no example of this event in this document.
Subcategory: Audit Filtering Platform Connection
Event Schema:
The Windows Filtering Platform has blocked a packet.
Network Information:
Direction:%1
Source Address:%2
Destination Address:%3
EtherType:%4
MediaType:%5
InterfaceType:%6
VlanTag:%7
Filter Information:
Applies to
Windows 10
Windows Server 2016
This event is logged if a more restrictive Windows Filtering Platform MAC filter has blocked a packet.
There is no example of this event in this document.
Subcategory: Audit Filtering Platform Connection
Event Schema:
A more restrictive Windows Filtering Platform filter has blocked a packet.
Network Information:
Direction:%1
Source Address:%2
Destination Address:%3
EtherType:%4
MediaType:%5
InterfaceType:%6
VlanTag:%7
Filter Information:
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates every time Windows Filtering Platform permits an application or service to listen on a port.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5154</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T02:04:25.757462900Z" />
<EventRecordID>287929</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3968" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">4152</Data>
<Data Name="Application">\device\harddiskvolume2\documents\listener.exe</Data>
<Data Name="SourceAddress">0.0.0.0</Data>
<Data Name="SourcePort">4444</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14609</Data>
<Data Name="LayerRTID">40</Data>
</EventData>
</Event>
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Application Name [Type = UnicodeString]: full path and the name of the executable for the process.
The logical disk is displayed in the format \device\harddiskvolume#. You can get all local volume numbers by
using the diskpart utility; the diskpart command that lists volume numbers is “list volume”:
Network Information:
Source Address [Type = UnicodeString]: local IP address on which application requested to listen on the
port.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1, ::1 - localhost
Source Port [Type = UnicodeString]: source TCP/UDP port number on which the application requested to
listen.
Protocol [Type = UInt32]: protocol number. For example:
6 – TCP.
17 – UDP.
More information about possible values for this field:
https://technet.microsoft.com/library/cc959827.aspx.
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique ID of the filter that allows the application to listen on the specific port.
By default, Windows Firewall does not prevent an application from listening on a port; if the application does
not match any filter, this field has the value 0.
To find the Windows Filtering Platform filter with a specific ID, run the command netsh wfp show filters.
The command writes a filters.xml file; open it and search for the required filter ID (<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a Windows
Filtering Platform layer by ID, run the command netsh wfp show state. The command writes a wfpstate.xml
file; open it and search for the required layer ID (<layerId>), for example:
Security Monitoring Recommendations
For 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for
incoming connections.
If you have a “whitelist” of applications that are associated with certain operating systems or server roles,
and that are expected to listen on specific ports, monitor this event for “Application Name” and other
relevant information.
If a certain application is allowed to listen only on specific port numbers, monitor this event for
“Application Name” and “Network Information\Source Port.”
If a certain application is allowed to listen only on a specific IP address, monitor this event for “Application
Name” and “Network Information\Source Address.”
If a certain application is allowed to use only TCP or UDP protocols, monitor this event for “Application
Name” and the protocol number in “Network Information\Protocol.”
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application” not equal to your defined application.
You can monitor to see if “Application” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Application.”
Typically this event has an informational purpose.
5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Applies to
Windows 10
Windows Server 2016
By default, Windows Firewall does not prevent an application from listening on a port. In other words, a
Windows system will not generate event 5155 by itself.
You can add your own filters using the WFP APIs to block listening and so reproduce this event:
https://msdn.microsoft.com/library/aa364046(v=vs.85).aspx.
There is no event example in this document.
Subcategory: Audit Filtering Platform Connection
Event Schema:
The Windows Filtering Platform has blocked an application or service from listening on a port for incoming
connections.
Application Information:
Process ID:%1
Application Name:%2
Network Information:
Source Address:%3
Source Port:%4
Protocol:%5
Filter Information:
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates when Windows Filtering Platform has allowed a connection.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5156</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T05:24:22.622090200Z" />
<EventRecordID>308129</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3712" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessID">4556</Data>
<Data Name="Application">\device\harddiskvolume2\documents\listener.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">10.0.0.10</Data>
<Data Name="SourcePort">3333</Data>
<Data Name="DestAddress">10.0.0.100</Data>
<Data Name="DestPort">49278</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">70201</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
<Data Name="RemoteUserID">S-1-0-0</Data>
<Data Name="RemoteMachineID">S-1-0-0</Data>
</EventData>
</Event>
Network Information:
Direction [Type = UnicodeString]: direction of the allowed connection.
Inbound – for inbound connections.
Outbound – for outbound connections.
Source Address [Type = UnicodeString]: local IP address on which application received the connection.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1, ::1 - localhost
Source Port [Type = UnicodeString]: port number on which application received the connection.
Destination Address [Type = UnicodeString]: IP address from which connection was received or initiated.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1, ::1 - localhost
Destination Port [Type = UnicodeString]: port number used by the remote machine to initiate the
connection.
Protocol [Type = UInt32]: number of the protocol that was used.
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique ID of the filter that allowed the connection.
To find the Windows Filtering Platform filter with a specific ID, run the command netsh wfp show filters.
The command writes a filters.xml file; open it and search for the required filter ID (<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a Windows
Filtering Platform layer by ID, run the command netsh wfp show state. The command writes a wfpstate.xml
file; open it and search for the required layer ID (<layerId>), for example:
Security Monitoring Recommendations
For 5156(S): The Windows Filtering Platform has permitted a connection.
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application” not equal to your defined application.
You can monitor to see if “Application” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Application.”
Check that “Source Address” is one of the addresses assigned to the computer.
If the computer or device should not have access to the Internet, or contains only applications that don’t
connect to the Internet, monitor for 5156 events where “Destination Address” is an IP address from the
Internet (not from private IP ranges).
If you know that the computer should never contact or be contacted by certain network IP addresses,
monitor for these addresses in “Destination Address.”
If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted
by, monitor for IP addresses in “Destination Address” that are not in the whitelist.
If you need to monitor all inbound connections to a specific local port, monitor for 5156 events with that
“Source Port.”
Monitor for all connections with a “Protocol Number” that is not typical for this device or computer, for
example, anything other than 1, 6, or 17.
If the computer’s communication with “Destination Address” should always use a specific “Destination
Port,” monitor for any other “Destination Port.”
5157(F): The Windows Filtering Platform has blocked a connection.
4/5/2019 • 4 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates when Windows Filtering Platform has blocked a connection.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5157</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T03:46:51.662750400Z" />
<EventRecordID>304390</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4520" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="ProcessID">4556</Data>
<Data Name="Application">\\device\\harddiskvolume2\\documents\\listener.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">10.0.0.10</Data>
<Data Name="SourcePort">3333</Data>
<Data Name="DestAddress">10.0.0.100</Data>
<Data Name="DestPort">49218</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">110398</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
<Data Name="RemoteUserID">S-1-0-0</Data>
<Data Name="RemoteMachineID">S-1-0-0</Data>
</EventData>
</Event>
Network Information:
Direction [Type = UnicodeString]: direction of the blocked connection.
Inbound – for inbound connections.
Outbound – for outbound connections.
Source Address [Type = UnicodeString]: local IP address on which application received the connection.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: port number on which application received the connection.
Destination Address [Type = UnicodeString]: IP address from which connection was received or initiated.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Destination Port [Type = UnicodeString]: port number which was used from remote machine to initiate
connection.
Protocol [Type = UInt32]: number of protocol which was used.
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique filter ID which blocked the connection.
To find a specific Windows Filtering Platform filter by ID, run the following command: netsh wfp show filters.
This command generates a filters.xml file. Open that file and search for the substring that contains the
required filter ID (<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer by ID, run the following command: netsh wfp show state. This command generates a
wfpstate.xml file. Open that file and search for the substring that contains the required layer ID
(<layerId>), for example:
Security Monitoring Recommendations
For 5157(F): The Windows Filtering Platform has blocked a connection.
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application” not equal to your defined application.
You can monitor to see if “Application” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Application.”
Check that “Source Address” is one of the addresses assigned to the computer.
If the computer or device should not have access to the Internet, or contains only applications that don’t
connect to the Internet, monitor for 5157 events where “Destination Address” is an IP address from the
Internet (not from private IP ranges).
If you know that the computer should never contact or be contacted by certain network IP addresses,
monitor for these addresses in “Destination Address.”
If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted
by, monitor for IP addresses in “Destination Address” that are not in the whitelist.
If you need to monitor all inbound connections to a specific local port, monitor for 5157 events with that
“Source Port.”
Monitor for all connections with a “Protocol Number” that is not typical for this device or computer, for
example, anything other than 1, 6, or 17.
If the computer’s communication with “Destination Address” should always use a specific “Destination
Port,” monitor for any other “Destination Port.”
5158(S): The Windows Filtering Platform has permitted a bind to a local port.
4/5/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates every time Windows Filtering Platform permits an application or service to bind to a local port.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5158</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T05:24:03.376171200Z" />
<EventRecordID>308122</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3712" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="ProcessId">4556</Data>
<Data Name="Application">\\device\\harddiskvolume2\\documents\\listener.exe</Data>
<Data Name="SourceAddress">0.0.0.0</Data>
<Data Name="SourcePort">3333</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14608</Data>
<Data Name="LayerRTID">36</Data>
</EventData>
</Event>
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Application Name [Type = UnicodeString]: full path and the name of the executable for the process.
Logical disk is displayed in the format \device\harddiskvolume#. You can get all local volume numbers by using
the diskpart utility. The command to get volume numbers using diskpart is “list volume”:
Network Information:
Source Address [Type = UnicodeString]: local IP address to which the application bound the port.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: port number which the application bound.
Protocol [Type = UInt32]: number of protocol which was used.
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique filter ID which allowed the application to bind the port. By default,
Windows firewall won't prevent an application from binding a port, and if this application doesn’t
match any filters, you will get the value 0 in this field.
To find a specific Windows Filtering Platform filter by ID, run the following command: netsh wfp show filters.
This command generates a filters.xml file. Open that file and search for the substring that contains the
required filter ID (<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer by ID, run the following command: netsh wfp show state. This command generates a
wfpstate.xml file. Open that file and search for the substring that contains the required layer ID
(<layerId>), for example:
5159(F): The Windows Filtering Platform has blocked a bind to a local port.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event is logged if the Windows Filtering Platform has blocked a bind to a local port.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5159</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-04-19T07:36:55.955388300Z" />
<EventRecordID>44097</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="6480" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="ProcessId">7924</Data>
<Data Name="Application">\device\harddiskvolume2\users\test\desktop\netcat\nc.exe</Data>
<Data Name="SourceAddress">0.0.0.0</Data>
<Data Name="SourcePort">5555</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">84614</Data>
<Data Name="LayerName">%%14608</Data>
<Data Name="LayerRTID">36</Data>
</EventData>
</Event>
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Application Name [Type = UnicodeString]: full path and the name of the executable for the process.
Logical disk is displayed in the format \device\harddiskvolume#. You can get all local volume numbers by using
the diskpart utility. The command to get volume numbers using diskpart is “list volume”:
Network Information:
Source Address [Type = UnicodeString]: the local IP address of the computer running the application.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: the port number used by the application.
Protocol [Type = UInt32]: the protocol number being used.
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique filter ID which blocked the application from binding to the port.
By default, Windows firewall won't prevent an application from binding a port, and if this application
doesn’t match any filters, you will get the value 0 in this field.
To find a specific Windows Filtering Platform filter by ID, run the following command: netsh wfp show filters.
This command generates a filters.xml file. Open that file and search for the substring that contains the
required filter ID (<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer by ID, run the following command: netsh wfp show state. This command generates a
wfpstate.xml file. Open that file and search for the substring that contains the required layer ID
(<layerId>), for example:
Audit Filtering Platform Packet Drop
Applies to
Windows 10
Windows Server 2016
Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when
packets are dropped by the Windows Filtering Platform.
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP
packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter
remote procedure calls (RPCs).
A high rate of dropped packets may indicate that there have been attempts to gain unauthorized access to
computers on your network.
Event volume: High.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Events List:
5152(F): The Windows Filtering Platform blocked a packet.
5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
5152(F): The Windows Filtering Platform blocked a packet.
4/5/2019 • 4 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Packet Drop
Event Description:
This event generates when Windows Filtering Platform has blocked a network packet.
This event is generated for every received network packet.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5152</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12809</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T16:52:37.274367300Z" />
<EventRecordID>321323</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4456" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="ProcessId">4556</Data>
<Data Name="Application">\\device\\harddiskvolume2\\documents\\listener.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">10.0.0.100</Data>
<Data Name="SourcePort">49278</Data>
<Data Name="DestAddress">10.0.0.10</Data>
<Data Name="DestPort">3333</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
</EventData>
</Event>
Network Information:
Direction [Type = UnicodeString]: direction of the blocked connection.
Inbound – for inbound connections.
Outbound – for outbound connections.
Source Address [Type = UnicodeString]: local IP address on which application received the packet.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: port number on which application received the packet.
Destination Address [Type = UnicodeString]: IP address from which packet was received or initiated.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Destination Port [Type = UnicodeString]: port number which was used from remote machine to send the
packet.
Protocol [Type = UInt32]: number of protocol which was used.
Service | Protocol Number
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique filter ID which blocked the packet.
To find a specific Windows Filtering Platform filter by ID, run the following command: netsh wfp show filters.
This command generates a filters.xml file. Open that file and search for the substring that contains the
required filter ID (<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer by ID, run the following command: netsh wfp show state. This command generates a
wfpstate.xml file. Open that file and search for the substring that contains the required layer ID
(<layerId>), for example:
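The filter and layer lookup described for each of these events (search filters.xml for the <filterId>, wfpstate.xml for the <layerId>) can be scripted instead of done by hand. This is an added example, not Microsoft's code; it assumes each entry in those files is wrapped in an <item> element, and the two XML fixtures, including the filter and layer names, are constructed (the IDs reuse the page's FilterRTID 70201/110398 and LayerRTID 44). It also shows the FilterRTID 0 case, where no filter matched and nothing is found.

```python
"""Added example (not Microsoft's code): look up a WFP filter or layer by the
run-time ID reported in FilterRTID / LayerRTID, in the filters.xml and
wfpstate.xml files written by 'netsh wfp show filters' / 'netsh wfp show state'."""
import xml.etree.ElementTree as ET
from typing import Optional

# Assumption about the file layout: each filter or layer is wrapped in an <item>
# element; <filterId> and <layerId> are the tags the page tells you to search for.
# Only these three tag names are relied upon below.
ITEM_TAG = "item"


def summarize_item(item: ET.Element) -> dict:
    """Flatten the leaf children of an <item> into a dict, and pull the display
    name and action type out of their nested elements when present."""
    out = {}
    for child in item:
        if len(child) == 0:
            out[child.tag] = (child.text or "").strip()
        elif child.tag == "displayData":
            out["name"] = (child.findtext("name") or "").strip()
        elif child.tag == "action":
            out["action"] = (child.findtext("type") or "").strip()
    return out


def find_item(xml_text: str, id_tag: str, wanted: str) -> Optional[dict]:
    """Return the <item> whose <id_tag> equals `wanted` (decimal text), or None."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent links, so build a child -> parent map once.
    parent = {child: p for p in root.iter() for child in p}
    for el in root.iter(id_tag):
        if (el.text or "").strip() != wanted:
            continue
        node = el
        while node is not None and node.tag != ITEM_TAG:
            node = parent.get(node)
        return summarize_item(node) if node is not None else None
    return None


# Constructed stand-ins for filters.xml / wfpstate.xml. The IDs reuse the page's
# sample values (FilterRTID 70201 and 110398, LayerRTID 44); names are invented.
FILTERS_XML = """<filters>
  <item>
    <displayData><name>Allow listener inbound</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
    <action><type>FWP_ACTION_PERMIT</type></action>
    <filterId>70201</filterId>
  </item>
  <item>
    <displayData><name>Block listener inbound</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
    <action><type>FWP_ACTION_BLOCK</type></action>
    <filterId>110398</filterId>
  </item>
</filters>"""

WFPSTATE_XML = """<wfpstate><layers>
  <item>
    <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
    <displayData><name>ALE Receive/Accept v4 Layer</name></displayData>
    <layerId>44</layerId>
  </item>
</layers></wfpstate>"""


def explain_event(filter_rtid: str, layer_rtid: str,
                  filters_xml: str = FILTERS_XML, state_xml: str = WFPSTATE_XML) -> str:
    """One-line description of which filter, on which layer, produced an event.
    FilterRTID 0 (no filter matched, as in the page's 5158 sample) yields 'not found'."""
    flt = find_item(filters_xml, "filterId", filter_rtid)
    layer = find_item(state_xml, "layerId", layer_rtid)
    if flt is None or layer is None:
        return f"filter {filter_rtid} or layer {layer_rtid} not found"
    return (f"filter {filter_rtid} '{flt.get('name')}' ({flt.get('action')}) "
            f"on layer {layer_rtid} '{layer.get('name')}'")


if __name__ == "__main__":
    # FilterRTID/LayerRTID values from the page's 5156, 5157 and 5158 samples.
    for f_id, l_id in (("70201", "44"), ("110398", "44"), ("0", "36")):
        print(explain_event(f_id, l_id))
```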
Security Monitoring Recommendations
For 5152(F): The Windows Filtering Platform blocked a packet.
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application” not equal to your defined application.
You can monitor to see if “Application” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Application.”
Check that Source Address is one of the addresses assigned to the computer.
If the computer or device should not have access to the Internet, or contains only applications that don’t
connect to the Internet, monitor for 5152 events where Destination Address is an IP address from the
Internet (not from private IP ranges).
If you know that the computer should never contact or be contacted by certain network IP addresses,
monitor for these addresses in “Destination Address.”
If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted
by, monitor for IP addresses in “Destination Address” that are not in the whitelist.
If you need to monitor all inbound connections to a specific local port, monitor for 5152 events with that
“Source Port.”
Monitor for all connections with a “Protocol Number” that is not typical for this device or computer, for
example, anything other than 1, 6, or 17.
If the computer’s communication with “Destination Address” should always use a specific “Destination
Port,” monitor for any other “Destination Port.”
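The recommendations above are the same for 5156, 5157 and 5152. As an added example (not Microsoft's code), they are encoded here as rules over parsed event XML, with a Policy object holding the per-host expectations the text asks you to define. The Direction string ID mapping, the definition of "private IP ranges", the folder lists and every Policy and fixture value are assumptions; the sample event reuses the page's 5156 values.

```python
"""Added example (not Microsoft's code): apply the Security Monitoring
Recommendations for events 5156, 5157 and 5152 to parsed event XML.

Field orientation follows the page's field descriptions: SourceAddress/SourcePort
are the local side and DestAddress/DestPort the remote side, for either Direction.
Note that the page's own 5152 sample carries the packet's source/destination the
other way round (10.0.0.100:49278 -> 10.0.0.10:3333); confirm on your own hosts."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: %%14592, the Direction value in the page's samples, is "Inbound";
# any other value is treated as "Outbound".
INBOUND = "%%14592"

# "Private IP ranges" as the page uses the term: RFC 1918, loopback and link-local,
# plus their IPv6 counterparts. Anything else counts as an Internet address.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

STANDARD_FOLDERS = ("\\windows\\system32\\", "\\program files\\", "\\program files (x86)\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\",)


@dataclass
class Policy:
    """What this particular host is expected to do; every value is constructed."""
    local_addresses: Set[str] = field(default_factory=set)    # addresses assigned to the computer
    expected_application: Optional[str] = None                # the one binary allowed for this operation
    application_watchwords: tuple = ("mimikatz", "cain.exe")  # the page's example substrings
    internet_allowed: bool = True
    denied_remote: Set[str] = field(default_factory=set)      # addresses never to be contacted
    allowed_remote: Optional[Set[str]] = None                 # None = no allow-list in force
    watched_local_ports: Set[int] = field(default_factory=set)
    typical_protocols: Set[int] = field(default_factory=lambda: {1, 6, 17})
    expected_remote_port: Dict[str, int] = field(default_factory=dict)  # remote address -> port


def parse_event(xml_text: str) -> Dict[str, str]:
    """Return the EventData name/value pairs plus the EventID of one Security event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    data["EventID"] = root.find("e:System/e:EventID", NS).text
    return data


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def evaluate(xml_text: str, policy: Policy) -> List[str]:
    """Names of the page's recommendations that fire for this event, in page order."""
    ev = parse_event(xml_text)
    if ev["EventID"] not in ("5152", "5156", "5157"):
        return []
    app = ev["Application"].lower()
    local_addr, remote_addr = ev["SourceAddress"], ev["DestAddress"]
    findings = []
    if policy.expected_application and app != policy.expected_application.lower():
        findings.append("application-not-expected")
    if not any(f in app for f in STANDARD_FOLDERS) or any(f in app for f in RESTRICTED_FOLDERS):
        findings.append("application-outside-standard-folder")
    if any(w in app for w in policy.application_watchwords):
        findings.append("application-watchword")
    if policy.local_addresses and local_addr not in policy.local_addresses:
        findings.append("source-address-not-local")
    if not policy.internet_allowed and not is_private(remote_addr):
        findings.append("internet-destination")
    if remote_addr in policy.denied_remote:
        findings.append("denied-destination")
    if policy.allowed_remote is not None and remote_addr not in policy.allowed_remote:
        findings.append("destination-not-in-allowlist")
    if ev.get("Direction") == INBOUND and int(ev["SourcePort"]) in policy.watched_local_ports:
        findings.append("watched-local-port")
    if int(ev["Protocol"]) not in policy.typical_protocols:
        findings.append("unusual-protocol")
    expected = policy.expected_remote_port.get(remote_addr)
    if expected is not None and int(ev["DestPort"]) != expected:
        findings.append("unexpected-destination-port")
    return findings


def build_event(event_id: int, **data: str) -> str:
    """Construct a minimal Security event in the page's XML schema (test fixture only)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


# The page's 5156 sample, reduced to the fields the rules read.
PAGE_SAMPLE_5156 = build_event(
    5156, Application=r"\device\harddiskvolume2\documents\listener.exe",
    Direction="%%14592", SourceAddress="10.0.0.10", SourcePort="3333",
    DestAddress="10.0.0.100", DestPort="49278", Protocol="6")

if __name__ == "__main__":
    policy = Policy(local_addresses={"10.0.0.10"}, watched_local_ports={3333})
    print(evaluate(PAGE_SAMPLE_5156, policy))
```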
5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
This event is logged if a more restrictive Windows Filtering Platform filter has blocked a packet.
There is no example of this event in this document.
Subcategory: Audit Filtering Platform Packet Drop
Event Schema:
A more restrictive Windows Filtering Platform filter has blocked a packet.
Application Information:
Process ID:%1
Application Name:%2
Network Information:
Source Address:%3
Source Port:%4
Protocol:%5
Filter Information:
Audit Handle Manipulation
Applies to
Windows 10
Windows Server 2016
Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in Audit File
System, Audit Kernel Object, Audit Registry, Audit Removable Storage and Audit SAM subcategories, and shows
object’s handle duplication and close actions.
Event volume: High.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze. There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level.
Workstation | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze. There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level.
Events List:
4658(S): The handle to an object was closed.
4690(S): An attempt was made to duplicate a handle to an object.
4690(S): An attempt was made to duplicate a handle to an object.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Handle Manipulation
Event Description:
This event generates if an attempt was made to duplicate a handle to an object.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4690</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12807</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T00:17:41.755998800Z" />
<EventRecordID>338632</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="1100" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="SourceHandleId">0x438</Data>
<Data Name="SourceProcessId">0x674</Data>
<Data Name="TargetHandleId">0xd9c</Data>
<Data Name="TargetProcessId">0x4</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to duplicate a
handle to an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Source Handle Information:
Source Handle ID [Type = Pointer]: hexadecimal value of a handle which was duplicated. This field can
help you correlate this event with other events, for example “4663: An attempt was made to access an
object” in Audit File System, Audit Kernel Object, Audit Registry, Audit Removable Storage or Audit SAM
subcategories.
Source Process ID [Type = Pointer]: hexadecimal Process ID of the process which opened the Source
Handle ID before it was duplicated. Process ID (PID) is a number used by the operating system to uniquely
identify an active process. To see the PID for a specific process you can, for example, use Task Manager
(Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
New Handle Information:
Target Handle ID [Type = Pointer]: hexadecimal value of the new handle (the copy of Source Handle ID ).
This field can help you correlate this event with other events, for example “4663: An attempt was made to
access an object” in Audit File System, Audit Kernel Object, Audit Registry, Audit Removable Storage or
Audit SAM subcategories.
Target Process ID [Type = Pointer]: hexadecimal Process ID of the process which opened the Target
Handle ID. Process ID (PID) is a number used by the operating system to uniquely identify an active
process. You can also correlate this process ID with a process ID in other events, for example, “4688: A new
process has been created” Process Information\New Process ID field.
Security Monitoring Recommendations
For 4690(S): An attempt was made to duplicate a handle to an object.
Typically this event has little to no security relevance and is hard to parse or analyze. There is no
recommendation for this event, unless you know exactly what you need to monitor with it.
This event can be used to track all actions or operations related to a specific object handle.
Audit Kernel Object
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Kernel Object determines whether the operating system generates audit events when users attempt to
access the system kernel, which includes mutexes and semaphores.
Only kernel objects with a matching system access control list (SACL) generate security audit events. The audits
generated are usually useful only to developers.
Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options
are enabled.
The “Audit: Audit the access of global system objects” policy setting controls the default SACL of kernel objects.
Event volume: High.
Events List:
4656(S, F): A handle to an object was requested.
4658(S): The handle to an object was closed.
4660(S): An object was deleted.
4663(S): An attempt was made to access an object.
4656(S, F): A handle to an object was requested.
4/5/2019 • 16 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that specific access was requested for an object. The object could be a file system, kernel, or
registry object, or a file system object on removable storage or a device.
If access was declined, a Failure event is generated.
This event generates only if the object’s SACL has the required ACE to handle the use of specific access rights.
This event shows that access was requested, and the results of the request, but it doesn’t show that the operation
was performed. To see that the operation was performed, check “4663(S): An attempt was made to access an
object.”
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4656</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" />
<EventRecordID>274057</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
<Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:
(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:
(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data>
<Data Name="AccessMask">0x12019f</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="RestrictedSidCount">0</Data>
<Data Name="ProcessId">0x1074</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which
access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some
objects, the field does not apply and “-“ is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was
requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event
with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-
0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID. These
access rights depend on Object Type. The following table contains information about the most common access
rights for file system objects. Access rights for registry objects are often similar to file system objects, but the
table contains a few notes about how they vary.
ACCESS | HEXADECIMAL VALUE, SCHEMA VALUE | DESCRIPTION
ReadData (or ListDirectory) (For registry objects, this is “Query key value.”) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) (For registry objects, this is “Set key value.”) | 0x2, %%4417 | WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
Access Reasons [Type = UnicodeString] [Version 1]: the list of access check results. The format of this
varies, depending on the object. For kernel objects, this field does not apply.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more
information, see the preceding table.
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used during
the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that
case appears as “-”. See full list of user privileges in the table below:
PRIVILEGE NAME | USER RIGHT GROUP POLICY NAME | DESCRIPTION
SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.
SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request.
SeShutdownPrivilege | Shut down the system | Required to shut down a local system.
SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.
Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only specific
Object Types.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
If Object Name is a sensitive or critical object for which you need to monitor any access attempt, monitor
all 4656 events.
If Object Name is a sensitive or critical object for which you need to monitor specific access attempts (for
example, only write actions), monitor for all 4656 events with the corresponding Access Request
Information\Accesses values.
If you need to monitor files and folders with specific Resource Attribute values, monitor for all 4656 events
with specific Resource Attributes field values.
For file system objects, we recommend that you monitor these Access Request Information\Accesses
rights (especially for Failure events):
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
4658(S): The handle to an object was closed.
4/5/2019 • 4 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit
Handle Manipulation, Audit Kernel Object,
Audit Registry, and Audit Removable Storage
Event Description:
This event generates when the handle to an object is closed. The object could be a file system, kernel, or
registry object, or a file system object on removable storage or a device.
This event generates only if Success auditing is enabled for the Audit Handle Manipulation subcategory.
Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it
might not have any security relevance.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4658</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T00:15:42.910428100Z" />
<EventRecordID>276724</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5056" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x18a8</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “close object’s handle”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested that the handle be
closed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To
see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this event has little to no security relevance and is hard to parse or analyze. There is no
recommendation for this event, unless you know exactly what you need to monitor with it.
This event can be used to track all actions or operations related to a specific object handle.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
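The one thing 4658 adds, as the description above says, is the close time of a handle, so its value comes from correlating it with the 4656 that opened the same Handle ID and the 4663 events that used it. The following is an added example (not Microsoft's code and not part of this documentation) of that correlation. It assumes events already flattened into dicts of the EventData fields shown on this page plus the System Computer and TimeCreated values; the sample records are constructed. Because a Handle ID is reused after the handle is closed and is only meaningful within one process, the key is (Computer, Process ID, Handle ID), and 4658 records are only produced when Success auditing is enabled for the Audit Handle Manipulation subcategory.

```python
"""Reconstruct a handle's lifetime from 4656 (open), 4663 (use) and 4658 (close).

Added example, not Microsoft's code. Records are constructed, simplified views
of the fields shown on this page. Handle IDs are keyed per computer and
process because the OS reuses them once a handle is closed.
"""
from datetime import datetime


def parse_time(system_time):
    """TimeCreated carries 100 ns digits (2015-09-22T00:15:42.910428100Z);
    keep only microseconds so strptime accepts it."""
    return datetime.strptime(system_time[:26], "%Y-%m-%dT%H:%M:%S.%f")


def track_handles(events):
    """Replay events in time order; return (closed_records, still_open)."""
    open_handles = {}
    closed = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        key = (ev["Computer"], ev["ProcessId"], ev["HandleId"])
        if ev["EventID"] == 4656:
            open_handles[key] = {
                "object": ev.get("ObjectName", ""),
                "subject": ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"],
                "process": ev.get("ProcessName", ""),
                "opened": parse_time(ev["TimeCreated"]),
                "accesses_used": [],
            }
        elif ev["EventID"] == 4663 and key in open_handles:
            # %%4416, %%4417, ... are the schema values of the rights used
            open_handles[key]["accesses_used"].extend(ev["AccessList"].split())
        elif ev["EventID"] == 4658 and key in open_handles:
            rec = open_handles.pop(key)
            rec["closed"] = parse_time(ev["TimeCreated"])
            rec["open_seconds"] = (rec["closed"] - rec["opened"]).total_seconds()
            closed.append(rec)
        # 4663/4658 with no matching 4656 (handle opened before auditing was
        # enabled, or outside the collected window) are ignored
    return closed, open_handles


def _rec(event_id, time, handle, **extra):
    """Build a constructed record with the fields the page's samples share."""
    base = {"EventID": event_id, "TimeCreated": time, "Computer": "DC01.contoso.local",
            "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO",
            "ProcessId": "0x458", "HandleId": handle}
    base.update(extra)
    return base


# Constructed sample: notepad.exe opens HBI Data.txt, writes to it and closes
# it 20 s later; a second handle stays open; one 4658 has no matching 4656.
SAMPLE_EVENTS = [
    _rec(4656, "2015-09-18T22:13:50.000000000Z", "0x1bc",
         ObjectName=r"C:\Documents\HBI Data.txt",
         ProcessName=r"C:\Windows\System32\notepad.exe"),
    _rec(4663, "2015-09-18T22:13:54.770429700Z", "0x1bc", AccessList="%%4417 %%4418"),
    _rec(4658, "2015-09-18T22:14:10.000000000Z", "0x1bc"),
    _rec(4656, "2015-09-18T22:14:11.000000000Z", "0x1d0",
         ObjectName=r"C:\Documents\Other.txt",
         ProcessName=r"C:\Windows\System32\notepad.exe"),
    _rec(4658, "2015-09-18T22:14:12.000000000Z", "0x9999"),  # no matching 4656
]


def run_sample():
    """Correlate the constructed sample; returns (closed, still_open)."""
    return track_handles(SAMPLE_EVENTS)
```

Handles that never receive a 4658 remain in the second return value; on a long-running collector that set should be aged out, since a missing close is more often a gap in the audit stream than a handle held open for days.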
4660(S): An object was deleted.
4/5/2019 • 4 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel
Object, and Audit Registry
Event Description:
This event generates when an object was deleted. The object could be a file system, kernel, or registry object.
This event generates only if “Delete” auditing is set in the object’s SACL.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An
attempt was made to access an object” with DELETE access to track object deletion.
The advantage of this event is that it’s generated only during real delete operations. In contrast, “4663(S): An
attempt was made to access an object” also generates during other actions, such as object renaming.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4660</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T21:05:28.677152100Z" />
<EventRecordID>270188</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3060" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x1678</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that deleted the object. Process ID (PID)
is a number used by the operating system to uniquely identify an active process. To see the PID for a specific
process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event
with other events that might contain the same Transaction ID, such as “4656(S, F): A handle to an object
was requested.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-
0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Security Monitoring Recommendations
For 4660(S): An object was deleted.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An
attempt was made to access an object.” events with DELETE access to track object deletion actions.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to
parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to
monitor at the Kernel objects level.
4663(S): An attempt was made to access an object.
4/5/2019 • 8 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System,
Audit Kernel Object, Audit Registry,
and Audit Removable Storage
Event Description:
This event indicates that a specific operation was performed on an object. The object could be a file system,
kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if the object’s SACL has the required ACE for the specific access right that was used.
The main difference from “4656: A handle to an object was requested.” is that 4663 shows that an access
right was actually used rather than just requested, and 4663 doesn’t have Failure events.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:13:54.770429700Z" />
<EventRecordID>273866</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x1bc</Data>
<Data Name="AccessList">%%4417 %%4418</Data>
<Data Name="AccessMask">0x6</Data>
<Data Name="ProcessId">0x458</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to access an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which
access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can be used for
correlation with other events, for example with the Handle ID field in “4656(S, F): A handle to an object was
requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some
objects, the field does not apply and “-” is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that accessed the object. Process ID
(PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a
specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Accesses [Type = UnicodeString]: the list of access rights which were used by Subject\Security ID. These
access rights depend on Object Type. The following table contains information about the most common access
rights for file system objects. Access rights for registry objects are often similar to file system objects, but the
table contains a few notes about how they vary.
ACCESS | HEX VALUE, SCHEMA VALUE | DESCRIPTION
ReadData (or ListDirectory) (For registry objects, this is “Query key value.”) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) (For registry objects, this is “Set key value.”) | 0x2, %%4417 | WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more
information, see the preceding table.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have critical file system objects for which you need to monitor all access attempts, monitor this event
for Object Name.
If you have critical file system objects for which you need to monitor certain access attempts (for example,
write actions), monitor this event for Object Name in relation to Access Request Information\Accesses.
If you have file system objects with specific attributes, for which you need to monitor access attempts,
monitor this event for Resource Attributes.
If Object Name is a sensitive or critical registry key for which you need to monitor specific access attempts
(for example, only write actions), monitor for all 4663 events with the corresponding Access Request
Information\Accesses.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
For file system objects, we recommend that you monitor for these Access Request Information\Accesses
rights:
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
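The recommendations for 4656 and 4663 above (monitor Object Name, the write-class Accesses, Resource Attributes, and Process Name location and substrings) are all checks on fields of one event, and the Access Mask in the sample event (0x6) is the bitwise form of the %%4417 %%4418 schema values. The following is an added example (not Microsoft's code and not part of this documentation) that parses event XML in the shape shown on this page, expands a file Access Mask into the rights it covers, extracts the Resource Property from the Resource Attributes string, and applies those recommendations. The page's table lists only 0x1 ReadData and 0x2 WriteData; the remaining bit values are the well-known FILE_* and standard access-right constants from the Windows SDK. The POLICY values (standard and restricted folders, monitored object and attribute) are constructed placeholders; the two substrings are the page's own examples.

```python
"""Decode and triage file-system 4656 / 4663 events against the page's rules.

Added example, not Microsoft's code. Parses event XML as shown on this page,
expands Access Mask into rights, reads the Resource Property and applies the
monitoring recommendations. POLICY values are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# File access right bits: 0x1 and 0x2 are from the page's table, the rest are
# the well-known FILE_* and standard-rights constants from the Windows SDK.
FILE_ACCESS_BITS = {
    0x1: "ReadData (or ListDirectory)", 0x2: "WriteData (or AddFile)",
    0x4: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x8: "ReadEA", 0x10: "WriteEA", 0x20: "Execute/Traverse",
    0x40: "DeleteChild", 0x80: "ReadAttributes", 0x100: "WriteAttributes",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Rights the page recommends watching on file system objects.
WATCHED_RIGHTS = {"WriteData (or AddFile)", "WriteEA", "DeleteChild",
                  "AppendData (or AddSubdirectory or CreatePipeInstance)",
                  "WriteAttributes", "DELETE", "WRITE_DAC", "WRITE_OWNER"}
# Constructed policy (placeholders; the substrings are the page's own examples).
POLICY = {
    "standard_folders": ("c:\\windows\\system32\\", "c:\\program files\\"),
    "restricted_folders": ("\\temporary internet files\\",),
    "restricted_substrings": ("mimikatz", "cain.exe"),
    "monitored_objects": {r"C:\Documents\HBI Data.txt"},
    "monitored_attributes": {"Impact_MS": {"3000"}},
}
# Resource-attribute ACE as shown on the page: ("Impact_MS",TI,0x10020,3000)
RA_RE = re.compile(r'\("([^"]+)",T[A-Z],0x[0-9A-Fa-f]+,([^)]*)\)')


def parse_event(xml_text):
    """Flatten EventID and every EventData/Data element into a dict."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def decode_access_mask(mask):
    """Expand a file Access Mask into right names, lowest bit first."""
    rights = [name for bit, name in FILE_ACCESS_BITS.items() if mask & bit]
    leftover = mask & ~sum(FILE_ACCESS_BITS)
    if leftover:
        rights.append("unknown(0x%x)" % leftover)
    return rights


def resource_properties(sddl):
    """Map Resource Property ID -> list of values; '-' or empty yields {}."""
    return {m.group(1): [v.strip() for v in m.group(2).split(",")]
            for m in RA_RE.finditer(sddl or "")}


def triage(ev, policy=POLICY):
    """Return the findings the page's recommendations raise for one event."""
    findings, proc = [], ev.get("ProcessName", "")
    low = proc.lower()
    if proc and not low.startswith(policy["standard_folders"]):
        findings.append("process outside standard folders: " + proc)
    if any(f in low for f in policy["restricted_folders"]):
        findings.append("process in restricted folder: " + proc)
    if any(s in low for s in policy["restricted_substrings"]):
        findings.append("restricted substring in process name: " + proc)
    obj = ev.get("ObjectName", "")
    if obj in policy["monitored_objects"]:
        used = decode_access_mask(int(ev.get("AccessMask", "0x0"), 16))
        hit = sorted(WATCHED_RIGHTS & set(used))
        if hit:
            findings.append("write-class access to %s: %s" % (obj, ", ".join(hit)))
    for prop, values in resource_properties(ev.get("ResourceAttributes")).items():
        if any(v in policy["monitored_attributes"].get(prop, ()) for v in values):
            findings.append("access to object tagged %s=%s: %s" % (prop, ",".join(values), obj))
    return findings


# 4663 sample from this page, trimmed to the fields used (single backslashes
# as the live event carries them). 0x6 == WriteData | AppendData == %%4417 %%4418.
SAMPLE_4663 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4663</EventID></System><EventData>
<Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
<Data Name="AccessList">%%4417 %%4418</Data><Data Name="AccessMask">0x6</Data>
<Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
</EventData></Event>"""
# Constructed 4656 sample: a read-only request from a process in a restricted folder.
SAMPLE_4656 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4656</EventID></System><EventData>
<Data Name="ObjectName">C:\Documents\HBI Data.txt</Data><Data Name="AccessMask">0x20089</Data>
<Data Name="ProcessName">C:\Users\dadmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\cain.exe</Data>
<Data Name="ResourceAttributes">-</Data>
</EventData></Event>"""


def run_samples():
    """Triage both samples; returns {EventID: [findings]}."""
    out = {}
    for xml_text in (SAMPLE_4663, SAMPLE_4656):
        ev = parse_event(xml_text)
        out[ev["EventID"]] = triage(ev)
    return out
```

For the page's 4663 sample this yields two findings (write-class access to a monitored object, and access to an object tagged Impact_MS=3000); for the constructed 4656 sample it yields the three process-name findings and no access finding, because 0x20089 is a read-only mask. Note that the same bit values name different rights for registry and kernel objects, so the decoder is only applied when Object Name is in the file-system monitoring list.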
Audit Other Object Access Events
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and
indirect object access requests.
Event volume: Low.
Events List:
4671(-): An application attempted to access a blocked ordinal through the TBS.
4691(S): Indirect access to an object was requested.
5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode;
packets associated with this attack will be discarded.
5149(F): The DoS attack has subsided and normal processing is being resumed.
4698(S): A scheduled task was created.
4699(S): A scheduled task was deleted.
4700(S): A scheduled task was enabled.
4701(S): A scheduled task was disabled.
4702(S): A scheduled task was updated.
5888(S): An object in the COM+ Catalog was modified.
5889(S): An object was deleted from the COM+ Catalog.
5890(S): An object was added to the COM+ Catalog.
4671(-): An application attempted to access a blocked
ordinal through the TBS.
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system.
Subcategory: Audit Other Object Access Events
4691(S): Indirect access to an object was requested.
4/5/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access
Events
Event Description:
This event indicates that indirect access to an object was requested.
These events are generated for ALPC Ports access request actions.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4691</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T01:03:49.834912100Z" />
<EventRecordID>344382</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="2928" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x36509</Data>
<Data Name="ObjectType">ALPC Port</Data>
<Data Name="ObjectName">\\Sessions\\2\\Windows\\DwmApiPort</Data>
<Data Name="AccessList">%%4464</Data>
<Data Name="AccessMask">0x1</Data>
<Data Name="ProcessId">0xe60</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested an access to the object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Type [Type = UnicodeString]: The type of an object for which access was requested.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: full path and name of the object for which access was requested.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was
requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Access Request Information:
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID.
These access rights depend on Object Type. “Table 13. File access codes.” contains information about the
most common access rights for file system objects. For information about ALPC ports access rights, use
https://technet.microsoft.com/ or other informational resources.
Access Mask [Type = HexInt32]: hexadecimal mask for the operation that was requested or performed. See
“Table 13. File access codes.” for more information about file access rights. For information about ALPC
ports access rights, use https://technet.microsoft.com/ or other informational resources.
Applies to
Windows 10
Windows Server 2016
In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack
starts or is detected.
There is no example of this event in this document.
Subcategory: Audit Other Object Access Events
Event Schema:
The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with
this attack will be discarded.
Network Information:
Type:%1
Applies to
Windows 10
Windows Server 2016
In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack
has ended.
There is no example of this event in this document.
Subcategory: Audit Other Object Access Events
Event Schema:
The DoS attack has subsided and normal processing is being resumed.
Network Information:
Type:%1
Packets Discarded:%2
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a new scheduled task is created.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4698</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:03:06.944522200Z" />
<EventRecordID>344740</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="5048" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\\Microsoft\\StartListener</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2"
xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-
22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals>
<Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId>
<LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec>
<Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create scheduled task”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: new scheduled task name. The format of this value is
“\task_path\task_name”, where task_path is a path in the Microsoft Task Scheduler tree starting from the “Task
Scheduler Library” node.
Task Content [Type = UnicodeString]: the XML content of the new task. For more information about the XML
format for scheduled tasks, see “XML Task Definition Format.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
We recommend monitoring all scheduled task creation events, especially on critical computers or devices.
Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions.
Monitor for new tasks located in the Task Scheduler Library root node, that is, where Task Name looks
like ‘\TASK_NAME’. Scheduled tasks that are created manually or by malware are often located in the Task
Scheduler Library root node.
In the new task, if the Task Content: XML contains <LogonType>Password</LogonType> value, trigger
an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in
Credential Manager in cleartext format, and can be extracted using Administrative privileges.
4699(S): A scheduled task was deleted.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a scheduled task is deleted.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4699</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:13:30.044244500Z" />
<EventRecordID>344827</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="5048" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\\Microsoft\\My</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2"
xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-08-
25T13:56:10.5315552</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals>
<Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId>
<LogonType>Password</LogonType> </Principal> </Principals> <Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec>
<Command>C:\\Windows\\notepad.exe</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete scheduled task”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: deleted scheduled task name. The format of this value is
“\task_path\task_name”, where task_path is a path in the Microsoft Task Scheduler tree starting from the “Task
Scheduler Library” node.
Task Content [Type = UnicodeString]: the XML of the deleted task. For more information about the XML
format for scheduled tasks, see “XML Task Definition Format.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
We recommend monitoring all scheduled task deletion events, especially on critical computers or devices.
Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions.
However, this event does not often happen.
Monitor for deleted tasks located in the Task Scheduler Library root node, that is, where Task Name looks
like ‘\TASK_NAME’. Scheduled tasks that are created manually or by malware are often located in the Task
Scheduler Library root node. Deletion of such tasks can be a sign of malicious activity.
If a highly critical scheduled task exists on some computers, and it should never be deleted, monitor for
4699 events with the corresponding Task Name.
4700(S): A scheduled task was enabled.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a scheduled task is enabled.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4700</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:32:47.606423000Z" />
<EventRecordID>344861</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="756" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\\Microsoft\\StartListener</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2"
xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-
22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals>
<Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId>
<LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec>
<Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “enable scheduled
task” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: enabled scheduled task name. The format of this value is
“\task_path\task_name”, where task_path is a path in the Microsoft Task Scheduler tree starting from the “Task
Scheduler Library” node.
Task Content [Type = UnicodeString]: the XML of the enabled task. For more information about the XML
format for scheduled tasks, see “XML Task Definition Format.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If a highly critical scheduled task exists on some computers, and for some reason it should never be enabled,
monitor for 4700 events with the corresponding Task Name.
4701(S): A scheduled task was disabled.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a scheduled task is disabled.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4701</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:32:45.844066600Z" />
<EventRecordID>344860</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4364" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\\Microsoft\\StartListener</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2"
xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-
22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals>
<Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId>
<LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>false</Enabled> <Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec>
<Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “disable scheduled
task” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: disabled scheduled task name. The format of this value is
“\task_path\task_name”, where task_path is a path in the Microsoft Task Scheduler tree starting from the “Task
Scheduler Library” node.
Task Content [Type = UnicodeString]: the XML of the disabled task. For more information about the XML
format for scheduled tasks, see “XML Task Definition Format.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If a highly critical scheduled task exists on some computers, and it should never be disabled, monitor for 4701
events with the corresponding Task Name.
4702(S): A scheduled task was updated.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a scheduled task is updated or changed.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4702</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T03:00:59.343820000Z" />
<EventRecordID>344863</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="596" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\\Microsoft\\StartListener</Data>
<Data Name="TaskContentNew"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2"
xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-
22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals>
<Principal id="Author"> <RunLevel>HighestAvailable</RunLevel> <UserId>CONTOSO\\dadmin</UserId>
<LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec>
<Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change/update
scheduled task” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: updated/changed scheduled task name. The format of this value is
“\task_path\task_name”, where task_path is a path in the Microsoft Task Scheduler tree starting from the “Task
Scheduler Library” node.
Task New Content [Type = UnicodeString]: the new XML for the updated task. For more information about the
XML format for scheduled tasks, see “XML Task Definition Format.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Monitor for updated scheduled tasks located in the Task Scheduler Library root node, that is, where Task
Name looks like ‘\TASK_NAME’. Scheduled tasks that are created manually or by malware are often located
in the Task Scheduler Library root node.
In the updated scheduled task, if the Task Content: XML contains
<LogonType>Password</LogonType> value, trigger an alert. In this case, the password for the account
that will be used to run the scheduled task will be saved in Credential Manager in cleartext format, and can
be extracted using Administrative privileges.
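The recommendations for 4698 and 4702 above (alert on tasks created or updated directly in the Task Scheduler Library root node, and on task definitions whose <LogonType> is Password), together with the advice under 4699, 4700 and 4701 to watch a named critical task for deletion, enabling or disabling, can be applied mechanically to Security-log XML. The Python below is an added example written for this page, not Microsoft's code: it parses the outer event, unescapes the task definition carried in Task Content (or Task New Content for 4702), and returns the findings the page says to alert on. The sample events are constructed, modelled on the page's own 4698 and 4702 examples but with the task XML escaped inside <Data> as the Security log actually stores it; the CRITICAL_TASKS watchlist is a hypothetical placeholder.

```python
"""Triage of scheduled-task audit events 4698-4702 from Security-log XML.

Added example (not Microsoft code). Sample events are constructed; the
CRITICAL_TASKS watchlist is a hypothetical placeholder.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Hypothetical watchlist: tasks that must never be deleted (4699),
# enabled (4700) or disabled (4701).
CRITICAL_TASKS = {r"\Microsoft\Windows\Backup\NightlyBackup"}

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def parse_security_event(event_xml):
    """Return (EventID, {Data Name: text}) for one Security-log event."""
    root = ET.fromstring(event_xml)
    event_id = int(root.findtext(f"{EVT_NS}System/{EVT_NS}EventID"))
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT_NS}Data")}
    return event_id, data


def parse_task_definition(task_xml):
    """Pull the principal's LogonType/RunLevel and the Exec commands out of a task definition."""
    # The embedded definition declares UTF-16 but arrives as text once the
    # outer XML is parsed; drop the declaration so the encoding claim is ignored.
    task = ET.fromstring(_XML_DECL.sub("", task_xml, count=1))
    principal = task.find(f"{TASK_NS}Principals/{TASK_NS}Principal")
    return {
        "logon_type": principal.findtext(f"{TASK_NS}LogonType") if principal is not None else None,
        "run_level": principal.findtext(f"{TASK_NS}RunLevel") if principal is not None else None,
        "commands": [c.text for c in task.iter(f"{TASK_NS}Command")],
    }


def is_root_node_task(task_name):
    """True for names of the form '\\TASK_NAME', i.e. directly under Task Scheduler Library."""
    return task_name.startswith("\\") and "\\" not in task_name[1:]


def triage(event_xml):
    """Apply the page's monitoring recommendations; return a list of finding strings."""
    event_id, data = parse_security_event(event_xml)
    task_name = data.get("TaskName", "")
    findings = []
    if event_id in (4698, 4702):
        # 4702 carries the new definition in TaskContentNew, 4698 in TaskContent.
        content = data.get("TaskContentNew") or data.get("TaskContent") or ""
        if is_root_node_task(task_name):
            findings.append(f"{event_id}: task {task_name} is in the Task Scheduler Library root node")
        if content and parse_task_definition(content)["logon_type"] == "Password":
            findings.append(f"{event_id}: task {task_name} uses LogonType Password "
                            "(credential stored in Credential Manager)")
    elif event_id in (4699, 4700, 4701) and task_name in CRITICAL_TASKS:
        verb = {4699: "deleted", 4700: "enabled", 4701: "disabled"}[event_id]
        findings.append(f"{event_id}: critical task {task_name} was {verb}")
    return findings


def make_event(event_id, task_name, task_xml=None, content_field="TaskContent"):
    """Build a constructed Security-log event in the page's schema (task XML escaped as text)."""
    content = f'<Data Name="{content_field}">{escape(task_xml)}</Data>' if task_xml else ""
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>{event_id}</EventID><Channel>Security</Channel></System>'
            f'<EventData><Data Name="SubjectUserName">dadmin</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>{content}</EventData></Event>')


def task_definition(logon_type, run_level, command):
    """Minimal constructed task definition with only the fields the triage inspects."""
    return (f'<?xml version="1.0" encoding="UTF-16"?>'
            f'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f'<Principals><Principal id="Author"><RunLevel>{run_level}</RunLevel>'
            f'<UserId>CONTOSO\\dadmin</UserId><LogonType>{logon_type}</LogonType></Principal></Principals>'
            f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command></Exec></Actions></Task>')


# Constructed samples: a library task using the interactive token (benign per the
# page's rules), a root-node task storing a password, and deletion of a watched task.
SAMPLES = [
    make_event(4698, r"\Microsoft\StartListener",
               task_definition("InteractiveToken", "LeastPrivilege", r"C:\Documents\listener.exe")),
    make_event(4702, r"\Updater",
               task_definition("Password", "HighestAvailable", r"C:\Users\Public\u.exe"), "TaskContentNew"),
    make_event(4699, r"\Microsoft\Windows\Backup\NightlyBackup"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for finding in triage(sample):
            print(finding)
```

On a live system the same XML is what Event Viewer's XML view shows and what `Get-WinEvent` records return from `.ToXml()`, so `triage` can be fed exported events directly; the only adaptation is to keep `TaskContentNew` in mind for 4702, which this code already does.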
5888(S): An object in the COM+ Catalog was modified.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates when an object in the COM+ Catalog is modified.
Although this event is assigned to the Audit System Integrity subcategory, enabling this subcategory
(Audit Other Object Access Events) is what turns on its generation.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5888</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T20:37:22.400120200Z" />
<EventRecordID>344994</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1352" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectUserDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">222443</Data>
<Data Name="ObjectCollectionName">Applications</Data>
<Data Name="ObjectIdentifyingProperties">ID = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} AppPartitionID =
{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}</Data>
<Data Name="ModifiedObjectProperties">Name = 'COMApp' -> 'COMApp-New' cCOL_SecurityDescriptor = '<Opaque>' ->
'<Opaque>'</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “modify/change
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
COM+ Catalog Collection [Type = UnicodeString]: the name of COM+ collection in which the object was
modified. Here is the list of possible collection values with descriptions:
COLLECTION                      DESCRIPTION
PublisherProperties             Contains an object for each publisher property for the parent SubscriptionsForComponent collection.
SubscriberProperties            Contains an object for each subscriber property for the parent SubscriptionsForComponent collection.
TransientPublisherProperties    Contains an object for each publisher property for the parent TransientSubscriptions collection.
TransientSubscriberProperties   Contains an object for each subscriber property for the parent TransientSubscriptions collection.
UsersInPartitionRole            Contains an object for each user in the partition role to which the collection is related.
UsersInRole                     Contains an object for each user in the role to which the collection is related.
Object Name [Type = UnicodeString]: object-specific fields carrying the names and identifiers of the modified
object. Which fields appear depends on the COM+ Catalog Collection value; for example, if COM+ Catalog
Collection = Applications, the field contains:
ID - A GUID representing the application. This property is returned when the Key property method is
called on an object of this collection.
AppPartitionID - A GUID representing the application partition ID.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Object Properties Modified [Type = UnicodeString]: the list of object’s (Object Name) properties which
were modified.
The items have the following format: Property_Name = ‘OLD_VALUE’ -> ‘NEW_VALUE’
See the description of the specific COM+ Catalog Collection for the list of the object’s properties and
their descriptions.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a specific COM+ object for which you need to monitor all modifications, monitor all 5888 events
with the corresponding Object Name.
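The two string formats documented above, Object Name items such as ID = {GUID} AppPartitionID = {GUID} for the Applications collection and Object Properties Modified items of the form Property_Name = ‘OLD_VALUE’ -> ‘NEW_VALUE’, are what a monitoring rule for a specific COM+ object has to parse. The Python below is an added example for this page, not Microsoft code: it splits both strings into structured values, reports which properties actually changed (treating ‘<Opaque>’ values, such as the security descriptor, as changed without detail because the event cannot show their contents), and raises alert lines only for objects on a watchlist. It assumes the event's Data fields have already been extracted into a dictionary; the sample values are the page's own 5888 example, and the WATCHED_COM_OBJECTS watchlist is a hypothetical placeholder.

```python
"""Parsing the Object Name and Object Properties Modified strings of event 5888.

Added example (not Microsoft code). Sample values come from the page's 5888
example; the watchlist is a constructed placeholder.
"""
import re

# Object Properties Modified items: Property_Name = 'OLD_VALUE' -> 'NEW_VALUE'
_MODIFIED_ITEM = re.compile(r"(\w+) = '([^']*)' -> '([^']*)'")
# Object Name items for the Applications collection: Property = {GUID}
_GUID_ITEM = re.compile(r"(\w+) = (\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})")


def parse_object_name(text):
    """'ID = {..} AppPartitionID = {..}' -> {'ID': '{..}', 'AppPartitionID': '{..}'}."""
    return dict(_GUID_ITEM.findall(text))


def parse_modified_properties(text):
    """Return [(property, old_value, new_value), ...] in the order the event lists them."""
    return _MODIFIED_ITEM.findall(text)


def summarize_changes(text):
    """One line per modified property; opaque values (e.g. the security descriptor)
    cannot be compared, so they are reported as changed without detail."""
    summary = []
    for name, old, new in parse_modified_properties(text):
        if old == "<Opaque>" and new == "<Opaque>":
            summary.append(f"{name}: opaque value changed")
        elif old != new:
            summary.append(f"{name}: {old!r} -> {new!r}")
    return summary


# Hypothetical watchlist keyed by the application's ID GUID; the entry reuses
# the page's sample object so the sample event matches.
WATCHED_COM_OBJECTS = {"{1D34B2DC-0E43-4040-BA7B-2F1C181FD86A}": "COMApp"}


def triage_5888(event_data):
    """event_data maps the event's Data names to their text (as read from the event XML).
    Returns alert lines for watched Applications objects, an empty list otherwise."""
    if event_data.get("ObjectCollectionName") != "Applications":
        return []
    ident = parse_object_name(event_data.get("ObjectIdentifyingProperties", ""))
    label = WATCHED_COM_OBJECTS.get(ident.get("ID"))
    if label is None:
        return []
    changes = summarize_changes(event_data.get("ModifiedObjectProperties", ""))
    who = f"{event_data.get('SubjectUserDomainName', '')}\\{event_data.get('SubjectUserName', '')}"
    return [f"5888: watched COM+ application {label} ({ident['ID']}) modified by {who}: {change}"
            for change in changes]


# The page's 5888 sample, as the Data values read after XML parsing.
SAMPLE_5888 = {
    "SubjectUserName": "dadmin",
    "SubjectUserDomainName": "CONTOSO",
    "ObjectCollectionName": "Applications",
    "ObjectIdentifyingProperties": "ID = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} "
                                   "AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}",
    "ModifiedObjectProperties": "Name = 'COMApp' -> 'COMApp-New' "
                                "cCOL_SecurityDescriptor = '<Opaque>' -> '<Opaque>'",
}

if __name__ == "__main__":
    for line in triage_5888(SAMPLE_5888):
        print(line)
```

Keying the watchlist on the ID GUID rather than on the display Name matters here: the sample event is precisely a rename, so a rule matching on Name would lose track of the object after the very change it is meant to catch.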
5889(S): An object was deleted from the COM+ Catalog.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates when an object in the COM+ Catalog is deleted.
Although this event is assigned to the Audit System Integrity subcategory, enabling this subcategory
(Audit Other Object Access Events) is what turns on its generation.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5889</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T20:44:42.948569400Z" />
<EventRecordID>344998</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4756" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectUserDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">222443</Data>
<Data Name="ObjectCollectionName">Applications</Data>
<Data Name="ObjectIdentifyingProperties">ID = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} AppPartitionID =
{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}</Data>
<Data Name="ObjectProperties">Name = COMApp-New ApplicationProxyServerName = ProcessType = 2 CommandLine = ServiceName = <null> RunAsUserType = 1 Identity = Interactive User Description = IsSystem = N Authentication = 4 ShutdownAfter = 3 RunForever = N Password = ******** Activation = Local Changeable = Y Deleteable = Y CreatedBy = AccessChecksLevel = 1 ApplicationAccessChecksEnabled = 1 cCOL_SecurityDescriptor = <Opaque> ImpersonationLevel = 3 AuthenticationCapability = 64 CRMEnabled = 0 3GigSupportEnabled = 0 QueuingEnabled = 0 QueueListenerEnabled = N EventsEnabled = 1 ProcessFlags = 0 ThreadMax = 0 ApplicationProxy = 0 CRMLogFile = DumpEnabled = 0 DumpOnException = 0 DumpOnFailfast = 0 MaxDumpCount = 5 DumpPath = %systemroot%\system32\com\dmp IsEnabled = 1 AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70} ConcurrentApps = 1 RecycleLifetimeLimit = 0 RecycleCallLimit = 0 RecycleActivationLimit = 0 RecycleMemoryLimit = 0 RecycleExpirationTimeout = 15 QCListenerMaxThreads = 0 QCAuthenticateMsgs = 0 ApplicationDirectory = SRPTrustLevel = 262144 SRPEnabled = 0 SoapActivated = 0 SoapVRoot = SoapMailTo = SoapBaseUrl = Replicable = 1</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
COM+ Catalog Collection [Type = UnicodeString]: the name of COM+ collection in which COM+ object was
deleted. Here is the list of possible collection values with descriptions:
COLLECTION | DESCRIPTION
PublisherProperties | Contains an object for each publisher property for the parent SubscriptionsForComponent collection.
SubscriberProperties | Contains an object for each subscriber property for the parent SubscriptionsForComponent collection.
TransientPublisherProperties | Contains an object for each publisher property for the parent TransientSubscriptions collection.
TransientSubscriberProperties | Contains an object for each subscriber property for the parent TransientSubscriptions collection.
UsersInPartitionRole | Contains an object for each user in the partition role to which the collection is related.
UsersInRole | Contains an object for each user in the role to which the collection is related.
Object Name [Type = UnicodeString]: object-specific fields with the names and identifiers for the deleted
object. It depends on COM+ Catalog Collection value, for example, if COM+ Catalog Collection =
Applications, then you can find that:
ID - A GUID representing the application. This property is returned when the Key property method is
called on an object of this collection.
AppPartitionID - A GUID representing the application partition ID.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Object Details [Type = UnicodeString]: the list of deleted object’s (Object Name) properties.
The items have the following format: Property_Name = VALUE
Check description for specific COM+ Catalog Collection to see the list of object’s properties and
descriptions.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a specific COM+ object for which you need to monitor all modifications (especially delete
operations), monitor all 5889 events with the corresponding Object Name.
5890(S): An object was added to the COM+ Catalog.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access
Events
Event Description:
This event generates when a new object was added to the COM+ Catalog.
Although this event is listed under the Audit System Integrity subcategory, its generation is enabled by this subcategory (Audit Other Object Access).
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5890</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T19:45:04.239886800Z" />
<EventRecordID>344980</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="2856" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectUserDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">222443</Data>
<Data Name="ObjectCollectionName">Roles</Data>
<Data Name="ObjectIdentifyingProperties">ApplId = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} Name =
CreatorOwner</Data>
<Data Name="ObjectProperties">Description =</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “add object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
COM+ Catalog Collection [Type = UnicodeString]: the name of COM+ collection to which the new object
was added. Here is the list of possible collection values with descriptions:
COLLECTION | DESCRIPTION
PublisherProperties | Contains an object for each publisher property for the parent SubscriptionsForComponent collection.
SubscriberProperties | Contains an object for each subscriber property for the parent SubscriptionsForComponent collection.
TransientPublisherProperties | Contains an object for each publisher property for the parent TransientSubscriptions collection.
TransientSubscriberProperties | Contains an object for each subscriber property for the parent TransientSubscriptions collection.
UsersInPartitionRole | Contains an object for each user in the partition role to which the collection is related.
UsersInRole | Contains an object for each user in the role to which the collection is related.
Object Name [Type = UnicodeString]: object-specific fields with the names and identifiers for the new
object. It depends on COM+ Catalog Collection value, for example, if COM+ Catalog Collection =
Applications, then you can find that:
ID - A GUID representing the application. This property is returned when the Key property method
is called on an object of this collection.
AppPartitionID - A GUID representing the application partition ID.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Object Details [Type = UnicodeString]: the list of new object’s (Object Name) properties.
The items have the following format: Property_Name = VALUE
Check description for specific COM+ Catalog Collection to see the list of object’s properties and
descriptions.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor for creation of new COM+ objects within specific COM+ collection, monitor all 5890
events with the corresponding COM+ Catalog Collection field value.
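A worked example of the two recommendations for these events (5888/5889: monitor a specific Object Name; 5890: monitor a specific COM+ Catalog Collection), added here and not part of Microsoft's documentation or tooling: it parses the `Property_Name = VALUE` runs of Object Name and Object Details from the page's sample events and checks them against a watchlist. The event XML below is a constructed, shortened copy of the page's 5889 and 5890 samples; the watchlist values and all function names are assumptions.

```python
"""Parse COM+ Catalog audit events (5888/5889/5890) and apply this page's
monitoring recommendations. Added example; not Microsoft's code."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Object Name / Object Details are runs of "Key = VALUE". Keys never contain
# spaces; values may be empty or contain spaces ("Identity = Interactive User"),
# so a new property starts only at a whitespace-delimited "Key = " token.
_KEY_RE = re.compile(r"(?<!\S)([A-Za-z0-9_]+) =(?: |$)")


def parse_property_run(text):
    """'Name = COMApp-New ProcessType = 2 Description = IsSystem = N' ->
    {'Name': 'COMApp-New', 'ProcessType': '2', 'Description': '', 'IsSystem': 'N'}"""
    keys = list(_KEY_RE.finditer(text))
    props = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        props[m.group(1)] = text[m.end():end].strip()
    return props


def parse_complus_event(xml_text):
    """Pull the fields the recommendations key on out of the event XML."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "event_id": int(root.find("e:System/e:EventID", NS).text),
        "subject": data.get("SubjectUserName", ""),
        "collection": data.get("ObjectCollectionName", ""),
        "object_name": parse_property_run(data.get("ObjectIdentifyingProperties", "")),
        "details": parse_property_run(data.get("ObjectProperties", "")),
    }


def check_complus_event(ev, watched_app_ids=(), watched_collections=()):
    """5888/5889: alert when Object Name carries a watched application GUID
    (the ID property for Applications, ApplId for per-application collections
    such as Roles). 5890: alert on any addition to a watched collection."""
    alerts = []
    name = ev["object_name"]
    app_id = (name.get("ID") or name.get("ApplId") or "").upper()
    if ev["event_id"] in (5888, 5889) and app_id in {w.upper() for w in watched_app_ids}:
        verb = "modified" if ev["event_id"] == 5888 else "deleted"
        alerts.append(f"watched COM+ object {app_id} {verb} in collection "
                      f"{ev['collection']} by {ev['subject']}")
    if ev["event_id"] == 5890 and ev["collection"] in set(watched_collections):
        alerts.append(f"object {name.get('Name', app_id)} added to watched collection "
                      f"{ev['collection']} by {ev['subject']}")
    return alerts


def _event_xml(event_id, data):
    """Minimal event in the page's XML shape (constructed test input)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{rows}</EventData></Event>')


# Constructed from the page's 5889 and 5890 samples (property list shortened;
# <null> is XML-escaped here because Event Viewer renders it unescaped).
SAMPLE_5889 = _event_xml(5889, {
    "SubjectUserName": "dadmin",
    "ObjectCollectionName": "Applications",
    "ObjectIdentifyingProperties": "ID = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} "
                                   "AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}",
    "ObjectProperties": "Name = COMApp-New ApplicationProxyServerName = ProcessType = 2 "
                        "CommandLine = ServiceName = &lt;null&gt; RunAsUserType = 1 "
                        "Identity = Interactive User Description = IsSystem = N "
                        "Password = ******** IsEnabled = 1",
})
SAMPLE_5890 = _event_xml(5890, {
    "SubjectUserName": "dadmin",
    "ObjectCollectionName": "Roles",
    "ObjectIdentifyingProperties": "ApplId = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} "
                                   "Name = CreatorOwner",
    "ObjectProperties": "Description =",
})

if __name__ == "__main__":
    watch = ["{1D34B2DC-0E43-4040-BA7B-2F1C181FD86A}"]  # assumed watchlist
    for sample in (SAMPLE_5889, SAMPLE_5890):
        ev = parse_complus_event(sample)
        print(ev["event_id"], check_complus_event(ev, watch, ["Roles"]))
```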
Audit Registry
4/5/2019
Applies to
Windows 10
Windows Server 2016
Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only
for objects that have system access control lists (SACLs) specified, and only if the type of access requested,
such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a
registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time
any user unsuccessfully attempts to access a registry object that has a matching SACL.
Event volume: Low to Medium, depending on how registry SACLs are configured.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a Registry Objects Security Monitoring policy and define appropriate SACLs for registry objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess SACLs. Otherwise the auditing log will be overloaded with useless information. Failure events can show you unsuccessful attempts to access specific registry objects. Consider enabling this subcategory for critical computers first, after you develop a Registry Objects Security Monitoring policy for them.
Member Server | IF | IF | IF | IF |
Workstation | IF | IF | IF | IF |
Events List:
4663(S): An attempt was made to access an object.
4656(S, F): A handle to an object was requested.
4658(S): The handle to an object was closed.
4660(S): An object was deleted.
4657(S): A registry value was modified.
5039(-): A registry key was virtualized.
4670(S): Permissions on an object were changed.
4663(S): An attempt was made to access an object.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if the object’s SACL has the required ACE to handle the use of the specific access right.
The main difference from the “4656: A handle to an object was requested.” event is that 4663 shows that the access right was used instead of just requested, and 4663 doesn’t have Failure events.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:13:54.770429700Z" />
<EventRecordID>273866</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
<Data Name="HandleId">0x1bc</Data>
<Data Name="AccessList">%%4417 %%4418</Data>
<Data Name="AccessMask">0x6</Data>
<Data Name="ProcessId">0x458</Data>
<Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory
domain controller, and stored in a security database. Each time a user logs on, the system retrieves the
SID for that user from the database and places it in the access token for that user. The system uses the
SID in the access token to identify the user in all subsequent interactions with Windows security. When a
SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify
another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to access an
object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS
LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this
account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent
events that might contain the same Logon ID, for example, “4624: An account was successfully logged
on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for
which access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can be used
for correlation with other events, for example with Handle ID field in “4656(S, F): A handle to an
object was requested.” This parameter might not be captured in the event, and in that case appears as
“0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For
some objects, the field does not apply and “-” is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that accessed the object. Process
ID (PID) is a number used by the operating system to uniquely identify an active process. To see the
PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new
process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Accesses [Type = UnicodeString]: the list of access rights which were used by Subject\Security ID.
These access rights depend on Object Type. The following table contains information about the most
common access rights for file system objects. Access rights for registry objects are often similar to file
system objects, but the table contains a few notes about how they vary.
ACCESS | HEX VALUE, SCHEMA VALUE | DESCRIPTION
ReadData (or ListDirectory) (For registry objects, this is “Query key value.”) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more
information, see the preceding table.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit
events.
If you have critical file system objects for which you need to monitor all access attempts, monitor this
event for Object Name.
If you have critical file system objects for which you need to monitor certain access attempts (for
example, write actions), monitor this event for Object Name in relation to Access Request
Information\Accesses.
If you have file system objects with specific attributes, for which you need to monitor access attempts,
monitor this event for Resource Attributes.
If Object Name is a sensitive or critical registry key for which you need to monitor specific access
attempts (for example, only write actions), monitor for all 4663 events with the corresponding Access
Request Information\Accesses.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events
with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32
or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
For file system objects, we recommend that you monitor for these Access Request
Information\Accesses rights:
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
4656(S, F): A handle to an object was requested.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that specific access was requested for an object. The object could be a file system, kernel,
or registry object, or a file system object on removable storage or a device.
If access was declined, a Failure event is generated.
This event generates only if the object’s SACL has the required ACE to handle the use of specific access
rights.
This event shows that access was requested, and the results of the request, but it doesn’t show that the
operation was performed. To see that the operation was performed, check “4663(S): An attempt was made to
access an object.”
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4656</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" />
<EventRecordID>274057</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
<Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:
(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:
(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data>
<Data Name="AccessMask">0x12019f</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="RestrictedSidCount">0</Data>
<Data Name="ProcessId">0x1074</Data>
<Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory
domain controller, and stored in a security database. Each time a user logs on, the system retrieves the
SID for that user from the database and places it in the access token for that user. The system uses the
SID in the access token to identify the user in all subsequent interactions with Windows security. When a
SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify
another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested a handle to an
object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS
LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this
account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent
events that might contain the same Logon ID, for example, “4624: An account was successfully logged
on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for
which access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S):
An attempt was made to access an object.” This parameter might not be captured in the event, and in
that case appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For
some objects, the field does not apply and “-” is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was
requested. Process ID (PID) is a number used by the operating system to uniquely identify an active
process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new
process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this
event with other events that might contain the same Transaction ID, such as “4660(S): An object was
deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to
identify resources, activities or instances.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID.
These access rights depend on Object Type. The following table contains information about the most
common access rights for file system objects. Access rights for registry objects are often similar to file
system objects, but the table contains a few notes about how they vary.
ACCESS | HEXADECIMAL VALUE, SCHEMA VALUE | DESCRIPTION
ReadData (or ListDirectory) (For registry objects, this is “Query key value.”) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
Access Reasons [Type = UnicodeString] [Version 1]: the list of access check results. The format of this
varies, depending on the object. For kernel objects, this field does not apply.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For
more information, see the preceding table.
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used
during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event,
and in that case appears as “-”. See full list of user privileges in the table below:
PRIVILEGE NAME | USER RIGHT GROUP POLICY NAME | DESCRIPTION
SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.
SeShutdownPrivilege | Shut down the system | Required to shut down a local system.
SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.
Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only
specific Object Types.
Security Monitoring Recommendations
For 4656(S, F): A handle to an object was requested.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to
parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to
monitor at the Kernel objects level.
For other types of objects, the following recommendations apply.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit
events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events
with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32
or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
If Object Name is a sensitive or critical object for which you need to monitor any access attempt,
monitor all 4656 events.
If Object Name is a sensitive or critical object for which you need to monitor specific access attempts
(for example, only write actions), monitor for all 4656 events with the corresponding Access Request
Information\Accesses values.
If you need to monitor files and folders with specific Resource Attribute values, monitor for all 4656
events with specific Resource Attributes field values.
For file system objects, we recommend that you monitor these Access Request
Information\Accesses rights (especially for Failure events):
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
4658(S): The handle to an object was closed.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Handle Manipulation, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if Success auditing is enabled for the Audit Handle Manipulation subcategory.
Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it might not have any security relevance.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4658</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T00:15:42.910428100Z" />
<EventRecordID>276724</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5056" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x18a8</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “close object’s handle” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested that the handle be closed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with it.
This event can be used to track all actions or operations related to a specific object handle.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
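The two uses of 4656 and 4658 described above, as an added example that is not part of the original documentation: it parses events in the Event XML layout shown on this page, flags 4656 file system handle requests whose AccessMask contains one of the rights listed for monitoring, and pairs each 4656 with its 4658 by Process ID and Handle ID to compute how long the handle was open (4658 carries no Object Name, so the pairing is what recovers it). The sample events and the helper that builds them are constructed; the access-mask bit values are the standard Win32 file access rights.

```python
"""Work 4656 (handle requested) and 4658 (handle closed) records the way this
page describes: parse the Event XML layout, flag 4656 file system handle
requests whose AccessMask carries a right the page says to watch, and pair each
4656 with its 4658 (same Process ID and Handle ID) to time how long it was open.
Added example, not from the original page; sample events are constructed and the
access-mask bits are the standard Win32 file access rights."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Rights this page recommends monitoring for file system objects (especially
# for Failure events), with their access-mask bits from winnt.h.
WATCHED_FILE_RIGHTS = {
    "WriteData (or AddFile)": 0x2,
    "AppendData (or AddSubdirectory or CreatePipeInstance)": 0x4,
    "WriteEA": 0x10,
    "DeleteChild": 0x40,
    "WriteAttributes": 0x100,
    "DELETE": 0x10000,
    "WRITE_DAC": 0x40000,
    "WRITE_OWNER": 0x80000,
}

def parse_event(xml_text):
    """Flatten one Security event into a dict: EventID, TimeCreated and every
    <Data Name="..."> element of EventData, keyed by its Name attribute."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {"EventID": int(system.find("e:EventID", NS).text),
           "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime")}
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        rec[data.get("Name")] = data.text or ""
    return rec

def watched_accesses(access_mask_hex):
    """Names of watched rights set in a 4656 AccessMask string such as '0x10002'."""
    mask = int(access_mask_hex, 16)
    return [name for name, bit in WATCHED_FILE_RIGHTS.items() if mask & bit]

def parse_time(system_time):
    # TimeCreated has more fractional digits than strptime's %f (six) accepts.
    base, frac = system_time.rstrip("Z").split(".")
    return datetime.strptime(f"{base}.{frac[:6]}", "%Y-%m-%dT%H:%M:%S.%f")

def handle_lifetimes(records):
    """Pair each 4656 with the next 4658 that has the same (ProcessId, HandleId).
    4658 carries no Object Name, so this pairing is the only way to recover it.
    Returns (object name, process name, decimal PID, seconds open) tuples."""
    open_handles, lifetimes = {}, []
    for rec in sorted(records, key=lambda r: r["TimeCreated"]):
        key = (rec["ProcessId"], rec["HandleId"])
        if rec["EventID"] == 4656:
            open_handles[key] = rec  # a reused handle value replaces the stale entry
        elif rec["EventID"] == 4658 and key in open_handles:
            opened = open_handles.pop(key)
            seconds = (parse_time(rec["TimeCreated"])
                       - parse_time(opened["TimeCreated"])).total_seconds()
            lifetimes.append((opened["ObjectName"], opened["ProcessName"],
                              int(opened["ProcessId"], 16), seconds))
    return lifetimes

def _event(event_id, system_time, data):
    """Build a minimal Security event in this page's XML layout (constructed data)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/></System>'
            f'<EventData>{body}</EventData></Event>')

# Constructed sample: explorer.exe (PID 0xef0) opens a document for write and
# delete, closes that handle 2.91 s later, and leaves a read-only handle open.
SAMPLE_XML = [
    _event(4656, "2015-09-22T00:15:40.000000000Z", {
        "ObjectType": "File", "ObjectName": "C:\\Users\\dadmin\\Desktop\\report.docx",
        "HandleId": "0x18a8", "AccessMask": "0x10002",
        "ProcessId": "0xef0", "ProcessName": "C:\\Windows\\explorer.exe"}),
    _event(4656, "2015-09-22T00:15:41.000000000Z", {
        "ObjectType": "File", "ObjectName": "C:\\Users\\dadmin\\Desktop\\notes.txt",
        "HandleId": "0x1c20", "AccessMask": "0x80",
        "ProcessId": "0xef0", "ProcessName": "C:\\Windows\\explorer.exe"}),
    _event(4658, "2015-09-22T00:15:42.910428100Z", {
        "HandleId": "0x18a8", "ProcessId": "0xef0",
        "ProcessName": "C:\\Windows\\explorer.exe"}),
]

def analyse(xml_events):
    """Return (flagged 4656 file requests with their watched rights, handle lifetimes)."""
    records = [parse_event(x) for x in xml_events]
    flagged = []
    for rec in records:
        if rec["EventID"] == 4656 and rec.get("ObjectType") == "File":
            rights = watched_accesses(rec["AccessMask"])
            if rights:
                flagged.append((rec["ObjectName"], rights))
    return flagged, handle_lifetimes(records)

if __name__ == "__main__":
    flagged, lifetimes = analyse(SAMPLE_XML)
    print("flagged:", flagged)
    print("lifetimes:", lifetimes)
```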
4660(S): An object was deleted.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, and Audit Registry
Event Description:
This event generates when an object was deleted. The object could be a file system, kernel, or registry object.
This event generates only if “Delete” auditing is set in the object’s SACL.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An attempt was made to access an object” with DELETE access to track object deletion.
The advantage of this event is that it’s generated only during real delete operations. In contrast, “4663(S): An attempt was made to access an object” also generates during other actions, such as object renaming.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4660</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T21:05:28.677152100Z" />
<EventRecordID>270188</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3060" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x1678</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete object” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that deleted the object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4656(S, F): A handle to an object was requested.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
Security Monitoring Recommendations
For 4660(S): An object was deleted.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An attempt was made to access an object” events with DELETE access to track object deletion actions.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.
4657(S): A registry value was modified.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Registry
Event Description:
This event generates when a registry key value was modified. It doesn’t generate when a registry key was modified.
This event generates only if “Set Value” auditing is set in the registry key’s SACL.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4657</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-24T01:28:43.639634100Z" />
<EventRecordID>744725</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4824" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="ObjectName">\\REGISTRY\\MACHINE</Data>
<Data Name="ObjectValueName">Name_New</Data>
<Data Name="HandleId">0x54</Data>
<Data Name="OperationType">%%1905</Data>
<Data Name="OldValueType">%%1873</Data>
<Data Name="OldValue" />
<Data Name="NewValueType">%%1873</Data>
<Data Name="NewValue">Andrei</Data>
<Data Name="ProcessId">0xce4</Data>
<Data Name="ProcessName">C:\\Windows\\regedit.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “modify registry value” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Name [Type = UnicodeString]: full path and name of the registry key whose value was modified. The format is: \REGISTRY\HIVE\PATH where:
HIVE:
HKEY_LOCAL_MACHINE = \REGISTRY\MACHINE
HKEY_CURRENT_USER = \REGISTRY\USER\[USER_SID], where [USER_SID] is the SID of the current user.
HKEY_CLASSES_ROOT = \REGISTRY\MACHINE\SOFTWARE\Classes
HKEY_USERS = \REGISTRY\USER
HKEY_CURRENT_CONFIG = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current
PATH – path to the registry key.
Object Value Name [Type = UnicodeString]: the name of the modified registry key value.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4656: A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Operation Type [Type = UnicodeString]: the type of operation performed on the registry key value. The most common operations are:
New registry value created
Registry value deleted
Existing registry value modified
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the registry key value was modified. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Change Information:
Old Value Type [Type = UnicodeString]: old type of the changed registry key value. Registry key value types:
REG_SZ String
REG_BINARY Binary
Old Value [Type = UnicodeString]: old value for the changed registry key value.
New Value Type [Type = UnicodeString]: new type of the changed registry key value. See the table above for possible values.
New Value [Type = UnicodeString]: new value for the changed registry key value.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
If Object Name is a sensitive or critical registry key for which you need to monitor any modification of its values, monitor all 4657 events.
If Object Name has specific values (Object Value Name) and you need to monitor modifications of these values, monitor for all 4657 events.
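An added example (not from the original page) applying the two 4657 recommendations above that concern Object Name and Object Value Name: it converts the native \REGISTRY\... Object Name to the hive notation from the Object Name table, treating a key under \REGISTRY\USER\<Subject Security ID> as HKEY_CURRENT_USER, and alerts when the key is on a watchlist or a specific (key, value name) pair is. The watchlist entries and the sample records are assumptions made for the demonstration; the first record mirrors the page's own 4657 sample.

```python
"""Triage 4657 (registry value modified) records against this page's
recommendations: translate the native \\REGISTRY\\... Object Name into the hive
notation from the Object Name table, then alert when the key is on a watchlist
or when a specific (key, value name) pair is.
Added example, not from the original page; watchlist and sample records are
constructed (the first record mirrors the page's 4657 sample)."""

# Native-path prefixes from this page's Object Name table, longest first so
# HKEY_CLASSES_ROOT and HKEY_CURRENT_CONFIG win over HKEY_LOCAL_MACHINE.
HIVES = [
    ("\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\Current",
     "HKEY_CURRENT_CONFIG"),
    ("\\REGISTRY\\MACHINE\\SOFTWARE\\Classes", "HKEY_CLASSES_ROOT"),
    ("\\REGISTRY\\MACHINE", "HKEY_LOCAL_MACHINE"),
    ("\\REGISTRY\\USER", "HKEY_USERS"),
]

def _under(path, prefix):
    """True if path equals prefix or lies below it (registry paths are case-insensitive)."""
    p, q = path.upper(), prefix.upper()
    return p == q or p.startswith(q + "\\")

def to_hive_path(object_name, subject_sid=None):
    """\\REGISTRY\\MACHINE\\Foo -> HKEY_LOCAL_MACHINE\\Foo. A key under
    \\REGISTRY\\USER\\<subject SID> is reported as HKEY_CURRENT_USER, matching
    the page's definition of that hive; other SIDs stay under HKEY_USERS."""
    for prefix, hive in HIVES:
        if not _under(object_name, prefix):
            continue
        rest = object_name[len(prefix):]
        if hive == "HKEY_USERS" and subject_sid and _under(rest, "\\" + subject_sid):
            return "HKEY_CURRENT_USER" + rest[len(subject_sid) + 1:]
        return hive + rest
    return object_name  # not a native registry path; leave it untouched

# Constructed watchlist (illustrative; tune to your environment).
WATCHED_KEYS = {"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"}
WATCHED_VALUES = {("HKEY_LOCAL_MACHINE\\SOFTWARE\\Contoso\\Agent", "ServerUrl")}

def triage_4657(rec):
    """Reasons to alert on one 4657 EventData dict (empty list means none)."""
    key = to_hive_path(rec["ObjectName"], rec.get("SubjectUserSid"))
    value, reasons = rec["ObjectValueName"], []
    if any(key.upper() == k.upper() for k in WATCHED_KEYS):
        reasons.append(f"watched key {key}: value {value!r} set to {rec['NewValue']!r}")
    for k, v in WATCHED_VALUES:
        if key.upper() == k.upper() and value.lower() == v.lower():
            reasons.append(f"watched value {key}\\{value} changed from "
                           f"{rec['OldValue']!r} to {rec['NewValue']!r}")
    return reasons

SID = "S-1-5-21-3457937927-2839227994-823803824-1104"  # subject SID from the page
SAMPLE_4657 = [  # constructed records in the page's EventData layout
    {"SubjectUserSid": SID, "ObjectName": "\\REGISTRY\\MACHINE",
     "ObjectValueName": "Name_New", "OldValue": "", "NewValue": "Andrei",
     "ProcessName": "C:\\Windows\\regedit.exe"},
    {"SubjectUserSid": SID,
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "ObjectValueName": "Updater", "OldValue": "", "NewValue": "C:\\Users\\Public\\upd.exe",
     "ProcessName": "C:\\Windows\\regedit.exe"},
    {"SubjectUserSid": SID, "ObjectName": "\\REGISTRY\\USER\\" + SID + "\\Software\\Contoso",
     "ObjectValueName": "Theme", "OldValue": "light", "NewValue": "dark",
     "ProcessName": "C:\\Windows\\regedit.exe"},
]

if __name__ == "__main__":
    for rec in SAMPLE_4657:
        key = to_hive_path(rec["ObjectName"], rec["SubjectUserSid"])
        print(key, "->", triage_4657(rec) or "no alert")
```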
5039(-): A registry key was virtualized.
4/5/2019
Applies to
Windows 10
Windows Server 2016
This event should be generated when a registry key was virtualized using LUAFV.
This event occurs very rarely during standard LUAFV registry key virtualization.
There is no example of this event in this document.
Subcategory: Audit Registry
Event Schema:
A registry key was virtualized.
Subject:
Security ID:%1%
Account Name:%2
Account Domain:%3
Logon ID:%4
Object:
Key Name:%5
Virtual Key Name:%6
Process Information:
Process ID:%7
Process Name:%8
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Registry, Audit Authentication Policy Change, and Audit Authorization Policy Change
Event Description:
This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.
This event does not generate if the SACL (Auditing ACL) was changed.
Before this event can generate, certain ACEs might need to be set in the object’s SACL. For example, for a file system object, it generates only if “Change Permissions” and/or “Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC” and/or “Write Owner” are set in the object’s SACL.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4670</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13570</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T19:36:50.187044600Z" />
<EventRecordID>269529</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x43659</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\netcat-1.11</Data>
<Data Name="HandleId">0x3f0</Data>
<Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="ProcessId">0xdb0</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\dllhost.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change object’s permissions” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which permissions were changed. For example, for a file, the path would be included. For Token objects, this field typically equals “-”.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the permissions were changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Permissions Change:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language (SDDL) value for the object.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language (SDDL) value for the object.
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
“D” - DACL
“S” - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, Inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, Inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, Child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx, https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific Object\Object Name.
If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all 4670 events on these computers. For example, you could monitor the ntds.dit file on domain controllers.
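An added example (not from the original page) covering the DACL/SACL entry format described above together with the 4670 recommendations, including the Process Name checks this page repeats for 4656, 4658, 4657 and 4670: it parses the Original and New Security Descriptor strings into ACE tuples, reports which DACL ent
ries were added or removed, and flags new allow entries for Everyone, Anonymous or Guests. The folder allowlist is an assumption; the sample record is the 4670 event shown above, in which the folder gains an explicit full-access entry for Everyone.

```python
"""Triage a 4670 (permissions changed) record: run the Process Name checks this
page repeats for 4656, 4658, 4657 and 4670, then parse the Original and New
Security Descriptor (SDDL) strings to show which DACL entries were added or
removed, flagging new allow entries for broad principals such as Everyone.
Added example, not from the original page; the SDDL grammar is the entry format
described above, the folder allowlist is constructed and the sample record is the
page's own 4670 event."""
import re

SECTION_RE = re.compile(r"(O|G|D|S):")   # O:owner G:group D:DACL S:SACL
ACE_RE = re.compile(r"\(([^)]*)\)")       # one (...) group per ACE

def parse_sddl(sddl):
    """Return {'O': owner, 'G': group, 'D': {flags, aces}, 'S': {flags, aces}}.
    Each ACE is the 6-tuple (ace_type, ace_flags, rights, object_guid,
    inherit_object_guid, account_sid) from the page's entry format."""
    parsed = {"O": None, "G": None,
              "D": {"flags": "", "aces": []}, "S": {"flags": "", "aces": []}}
    parts = SECTION_RE.split(sddl)  # e.g. ['', 'O', 'BA', 'G', 'SY', 'D', 'AI(A;...)']
    for tag, body in zip(parts[1::2], parts[2::2]):
        if tag in ("O", "G"):
            parsed[tag] = body
            continue
        aces = [tuple(m.group(1).split(";")) for m in ACE_RE.finditer(body)]
        if any(len(a) != 6 for a in aces):
            raise ValueError(f"malformed ACE in {tag}: section {body!r}")
        parsed[tag] = {"flags": body.split("(", 1)[0], "aces": aces}
    return parsed

def dacl_changes(old_sddl, new_sddl):
    """(added, removed) DACL entries between the old and the new descriptor."""
    old = set(parse_sddl(old_sddl)["D"]["aces"])
    new = set(parse_sddl(new_sddl)["D"]["aces"])
    return sorted(new - old), sorted(old - new)

# Reserved SID strings used on this page; WD/AN/BG count as broad principals.
WELL_KNOWN = {"WD": "Everyone", "AN": "Anonymous", "BG": "Builtin Guests",
              "BA": "Builtin Administrators", "SY": "Local System"}
BROAD_PRINCIPALS = {"WD", "AN", "BG"}

def describe_ace(ace):
    """Human-readable form of one ACE tuple, noting whether it was inherited."""
    ace_type, flags, rights, _, _, sid = ace
    kind = {"A": "allow", "D": "deny", "AU": "audit"}.get(ace_type, ace_type)
    tokens = {flags[i:i + 2] for i in range(0, len(flags), 2)}  # ace_flags are 2-char tokens
    origin = "inherited" if "ID" in tokens else "explicit"
    return f"{kind} {rights} to {WELL_KNOWN.get(sid, sid)} ({origin})"

def risky_additions(old_sddl, new_sddl):
    """New allow entries that grant rights to Everyone, Anonymous or Guests."""
    added, _ = dacl_changes(old_sddl, new_sddl)
    return [describe_ace(a) for a in added if a[0] == "A" and a[5] in BROAD_PRINCIPALS]

# Constructed allowlist/denylist for this page's Process Name recommendations.
STANDARD_DIRS = ("C:\\WINDOWS\\SYSTEM32\\", "C:\\PROGRAM FILES")
RESTRICTED_DIRS = ("\\TEMPORARY INTERNET FILES\\",)
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")

def process_name_findings(process_name):
    """Apply the three Process Name checks to a full executable path."""
    p, findings = process_name.upper(), []
    if not p.startswith(STANDARD_DIRS):
        findings.append("process not in a standard folder")
    if any(d in p for d in RESTRICTED_DIRS):
        findings.append("process in a restricted folder")
    if any(s.upper() in p for s in RESTRICTED_SUBSTRINGS):
        findings.append("restricted substring in process name")
    return findings

def triage_4670(rec):
    """Findings for one 4670 EventData dict: process checks, then risky DACL additions."""
    return process_name_findings(rec["ProcessName"]) + risky_additions(rec["OldSd"], rec["NewSd"])

# The page's 4670 sample: dllhost.exe gives Everyone full access to a folder.
SAMPLE_4670 = {
    "ObjectName": "C:\\Documents\\netcat-1.11",
    "OldSd": "D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)"
             "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"
             "(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)",
    "NewSd": "D:ARAI(A;OICI;FA;;;WD)"
             "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)"
             "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"
             "(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)",
    "ProcessName": "C:\\Windows\\System32\\dllhost.exe",
}

if __name__ == "__main__":
    added, removed = dacl_changes(SAMPLE_4670["OldSd"], SAMPLE_4670["NewSd"])
    print("added:", [describe_ace(a) for a in added])
    print("removed:", [describe_ace(a) for a in removed])
    print("findings:", triage_4670(SAMPLE_4670))
```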
Audit Removable Storage
4/5/2019
Applies to
Windows 10
Windows Server 2016
Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on the object’s SACL.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Events List:
4656(S, F): A handle to an object was requested.
4658(S): The handle to an object was closed.
4663(S): An attempt was made to access an object.
Audit SAM
4/5/2019
Applies to
Windows 10
Windows Server 2016
Audit SAM enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects.
The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer.
SAM objects include the following:
SAM_ALIAS: A local group
SAM_GROUP: A group that is not a local group
SAM_USER: A user account
SAM_DOMAIN: A domain
SAM_SERVER: A computer account
If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts.
Only a SACL for SAM_SERVER can be modified.
Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events.
Event volume: High on domain controllers.
For information about reducing the number of events generated in this subcategory, see KB841001.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at Security Account Manager level.
Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at Security Account Manager level.
Events List:
4661(S, F): A handle to an object was requested.
4661(S, F): A handle to an object was requested.
4/5/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit Directory Service Access and Audit SAM
Event Description:
This event indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object.
If access was declined, then a Failure event is generated.
This event generates only if Success auditing is enabled for the Audit Handle Manipulation subcategory.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4661</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T00:11:56.547696700Z" />
<EventRecordID>1048009</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="528" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4280e</Data>
<Data Name="ObjectServer">Security Account Manager</Data>
<Data Name="ObjectType">SAM_DOMAIN</Data>
<Data Name="ObjectName">DC=contoso,DC=local</Data>
<Data Name="HandleId">0xdd64d36870</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%5400</Data>
<Data Name="AccessMask">0x2d</Data>
<Data Name="PrivilegeList">Ā</Data>
<Data Name="Properties">-</Data>
<Data Name="RestrictedSidCount">2949165</Data>
<Data Name="ProcessId">0x9000a000d002d</Data>
<Data Name="ProcessName">{bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501}
</Data>
</EventData>
</Event>
Required Server Roles: For an Active Directory object, the domain controller role is required. For a SAM object,
there is no required role.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested a handle to an object. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in
the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security Account Manager” value for this event.
Object Type [Type = UnicodeString]: the type or class of the object that was accessed. The following list contains possible values for this field:
SAM_ALIAS - a local group.
SAM_GROUP - a group that is not a local group.
SAM_USER - a user account (computer accounts are also stored as SAM_USER objects).
SAM_DOMAIN - a domain. For Active Directory events, this is the typical value.
SAM_SERVER - the SAM server object itself, the root of the SAM object hierarchy under which domains are opened.
Object Name [Type = UnicodeString]: the name of an object for which access was requested. Depends on
Object Type. This event can have the following format:
SAM_ALIAS – SID of the group.
SAM_GROUP - SID of the group.
SAM_USER - SID of the account.
SAM_DOMAIN – distinguished name of the accessed object.
SAM_SERVER - distinguished name of the accessed object.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate
this event with other events that might contain the same Handle ID, for example, “4662: An operation was
performed on an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested the handle. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID. These access rights depend on Object Type. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access rights use https://technet.microsoft.com/ or other informational resources.
Access Mask [Type = HexInt32]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access rights use https://technet.microsoft.com/ or other informational resources.
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. The user privileges are listed below (privilege name, user right Group Policy name, description):
SeAuditPrivilege
  User right: Generate security audits
  Description: With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege
  User right: Create a pagefile
  Description: With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege
  User right: Enable computer and user accounts to be trusted for delegation
  Description: Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege
  User right: Impersonate a client after authentication
  Description: With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege
  User right: Adjust memory quotas for a process
  Description: Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege
  User right: Increase a process working set
  Description: Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege
  User right: Load and unload device drivers
  Description: Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege
  User right: Add workstations to domain
  Description: With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.
SeRemoteShutdownPrivilege
  User right: Force shutdown from a remote system
  Description: Required to shut down a system using a network request.
SeShutdownPrivilege
  User right: Shut down the system
  Description: Required to shut down a local system.
SeSyncAgentPrivilege
  User right: Synchronize directory service data
  Description: This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemtimePrivilege
  User right: Change the system time
  Description: Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege
  User right: Take ownership of files or other objects
  Description: Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege
  User right: Act as part of the operating system
  Description: This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege
  User right: Change the time zone
  Description: Required to adjust the time zone associated with the computer's internal clock.
Properties [Type = UnicodeString]: depends on Object Type. This field can be empty or contain the list of
the object properties that were accessed. See more detailed information in “4661: A handle to an object
was requested” from Audit SAM subcategory.
Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only specific
Object Types.
Security Monitoring Recommendations
For 4661(S, F): A handle to an object was requested.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
You can get almost the same information from “4662: An operation was performed on an object.” There are no
additional recommendations for this event in this document.
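As an added example (it is not code from the Microsoft documentation), the Python script below reads the Object Type and Access Mask fields out of the 4661 event XML shown above and names the SAM rights that were requested, which is the decoding the page itself leaves to external references. The right names for SAM_DOMAIN and SAM_USER objects are taken from the MS-SAMR specification (Domain_ACCESS_MASK and User_ACCESS_MASK) and the standard rights from the Windows SDK headers; the trimmed copy of the sample event and the "modifying" heuristic are the example's own assumptions.

```python
"""Name the SAM access rights requested in a 4661 event.

Added example, not part of the Microsoft documentation. SAM bit names are from
MS-SAMR (Domain_ACCESS_MASK, User_ACCESS_MASK); standard rights from the SDK.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the 4661 event from the page above, trimmed to the
# fields this script reads (the real event carries more Data elements).
SAMPLE_4661 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4661</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="ObjectServer">Security Account Manager</Data>
    <Data Name="ObjectType">SAM_DOMAIN</Data>
    <Data Name="ObjectName">DC=contoso,DC=local</Data>
    <Data Name="AccessMask">0x2d</Data>
  </EventData>
</Event>"""

# Standard and generic rights live in the high word of every access mask.
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

# Object-specific rights (low word) per SAM object type, from MS-SAMR 2.2.1.
SPECIFIC_RIGHTS = {
    "SAM_DOMAIN": {
        0x001: "DOMAIN_READ_PASSWORD_PARAMETERS",
        0x002: "DOMAIN_WRITE_PASSWORD_PARAMS",
        0x004: "DOMAIN_READ_OTHER_PARAMETERS",
        0x008: "DOMAIN_WRITE_OTHER_PARAMETERS",
        0x010: "DOMAIN_CREATE_USER",
        0x020: "DOMAIN_CREATE_GROUP",
        0x040: "DOMAIN_CREATE_ALIAS",
        0x080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
        0x100: "DOMAIN_LIST_ACCOUNTS",
        0x200: "DOMAIN_LOOKUP",
        0x400: "DOMAIN_ADMINISTER_SERVER",
    },
    "SAM_USER": {
        0x001: "USER_READ_GENERAL",
        0x002: "USER_READ_PREFERENCES",
        0x004: "USER_WRITE_PREFERENCES",
        0x008: "USER_READ_LOGON",
        0x010: "USER_READ_ACCOUNT",
        0x020: "USER_WRITE_ACCOUNT",
        0x040: "USER_CHANGE_PASSWORD",
        0x080: "USER_FORCE_PASSWORD_CHANGE",
        0x100: "USER_LIST_GROUPS",
        0x200: "USER_READ_GROUP_INFORMATION",
        0x400: "USER_WRITE_GROUP_INFORMATION",
    },
}

# Substrings that mark a right as modifying rather than read-only (heuristic
# chosen for this example).
MODIFYING_MARKERS = ("WRITE", "CREATE", "CHANGE", "FORCE", "ADMINISTER",
                     "DELETE", "GENERIC_ALL")


def decode_access_mask(mask, object_type):
    """Return the names of all bits set in mask, lowest bit first.

    Bits without a known name are kept as UNKNOWN_0x... so that an unexpected
    right is never silently dropped from a detection.
    """
    table = dict(STANDARD_RIGHTS)
    table.update(SPECIFIC_RIGHTS.get(object_type, {}))
    return [table.get(1 << bit, "UNKNOWN_0x%x" % (1 << bit))
            for bit in range(32) if mask & (1 << bit)]


def event_data(xml_text):
    """Map the Data Name= attributes of an event's EventData to their values."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind(".//e:EventData/e:Data", NS)}


def summarize_4661(xml_text):
    """Decode one 4661 event into subject, object and named rights."""
    data = event_data(xml_text)
    rights = decode_access_mask(int(data["AccessMask"], 16), data["ObjectType"])
    return {
        "subject": "%s\\%s" % (data["SubjectDomainName"], data["SubjectUserName"]),
        "object_type": data["ObjectType"],
        "object_name": data["ObjectName"],
        "rights": rights,
        "modifying": any(m in r for r in rights for m in MODIFYING_MARKERS),
    }


if __name__ == "__main__":
    for key, value in summarize_4661(SAMPLE_4661).items():
        print("%-12s %s" % (key, value))
```

For the sample event the mask 0x2d resolves to DOMAIN_READ_PASSWORD_PARAMETERS, DOMAIN_READ_OTHER_PARAMETERS, DOMAIN_WRITE_OTHER_PARAMETERS and DOMAIN_CREATE_GROUP on the domain object, which is why the raw "0x2d" is worth decoding before deciding whether a 4661 is interesting: the same number on a SAM_USER object would mean something different.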
Audit Central Access Policy Staging
Applies to
Windows 10
Windows Server 2016
Audit Central Access Policy Staging allows you to audit access requests where a permission granted or denied by a
proposed policy differs from the current central access policy on an object.
If you configure this policy setting, an audit event is generated each time a user accesses an object and the
permission granted by the current central access policy on the object differs from that granted by the proposed
policy. The resulting audit event is generated as follows:
Success audits, when configured, record access attempts when the current central access policy grants
access, but the proposed policy denies access.
Failure audits, when configured, record access attempts when:
The current central access policy does not grant access, but the proposed policy grants access.
A principal requests the maximum access rights they are allowed and the access rights granted by
the current central access policy are different than the access rights granted by the proposed policy.
Events List:
4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
4818(S): Proposed Central Access Policy does not
grant the same access permissions as the current
Central Access Policy.
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4818</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12813</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T16:37:29.473472100Z" />
<EventRecordID>1049324</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="SubjectUserName">Auditor</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x1e5f21</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Finance Documents\desktop.ini</Data>
<Data Name="HandleId">0xc64</Data>
<Data Name="ProcessId">0x4</Data>
<Data Name="ProcessName" />
<Data Name="AccessReason">%%1538: %%1801 D:(A;ID;0x1200a9;;;BU) %%1541: %%1801 D:(A;ID;0x1200a9;;;BU) %%4416: %%1801 D:(A;ID;0x1200a9;;;BU) %%4419: %%1801 D:(A;ID;0x1200a9;;;BU) %%4423: %%1801 D:(A;ID;0x1200a9;;;BU)</Data>
<Data Name="StagingReason">%%1538: %%1814Finance Documents Rule %%1541: %%1814Finance Documents Rule %%4416: %%1814Finance Documents Rule %%4419: %%1814Finance Documents Rule %%4423: %%1814Finance Documents Rule</Data>
</EventData>
</Event>
Subject:
Security ID [Type = SID]: SID of the account that made the access request. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an access request.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation. Always
“File” for this event.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: full path and name of the file or folder for which access was
requested.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Current Central Access Policy results:
Access Reasons [Type = UnicodeString]: the list of access check results for the current central access policy. Each result has the format:
ACCESS: RESULT ACE_WHICH_PROVIDED_OR_DENIED_ACCESS
In the event XML above the parts are still unresolved placeholders, for example %%1538: %%1801 D:(A;ID;0x1200a9;;;BU); Event Viewer replaces each %%NNNN with the corresponding string when the event is displayed.
ACCESS: the access right that was checked. Examples of file access rights that can appear here:
ACCESS                         HEXADECIMAL VALUE   DESCRIPTION
ReadData (or ListDirectory)    0x1                 ReadData: for a file object, the right to read the corresponding file data; for a directory object, the right to read the corresponding directory data. ListDirectory: for a directory, the right to list the contents of the directory.
WriteData (or AddFile)         0x2                 WriteData: for a file object, the right to write data to the file; for a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile: for a directory, the right to create a file in the directory.
RESULT:
Granted by
Denied by
Granted by ACE on parent folder
Not granted due to missing: after this phrase you will typically see the missing user right, for example SeSecurityPrivilege.
Unknown or unchecked
ACE_WHICH_PROVIDED_OR_DENIED_ACCESS:
Ownership: if access was granted because of ownership of the object.
A user right name, for example SeSecurityPrivilege.
The Security Descriptor Definition Language (SDDL) value for the Access Control Entry (ACE) that granted or denied access.
Proposed Central Access Policy results that differ from the current Central Access Policy results:
Access Reasons [Type = UnicodeString]: the list of access check results for the proposed central access policy. Only denied requests are listed here. Each result names the access right that was checked, then the result string and the Central Access Rule, as in %%1538: %%1814Finance Documents Rule in the event XML above.
ACCESS: the access right that was checked; the same values as in the table for the current policy results above.
RULE_NAME: the name of the Central Access Rule which denied the access.
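As an added example (not code from the Microsoft documentation), the Python script below splits the raw AccessReason and StagingReason values of the 4818 event shown above and lists, right by right, what the current policy decided next to the rule under which the proposed policy would deny. The %%NNNN placeholders are resource-string IDs that Event Viewer resolves at display time; the five access-right IDs and %%1801 are mapped to the names they resolve to in the Security log's string table, any other ID is left as-is, and the two sample strings are the page's own values re-joined onto one line.

```python
"""Parse the Access Reasons fields of a 4818 event.

Added example, not part of the Microsoft documentation. It splits the raw
AccessReason (current policy) and StagingReason (proposed policy) strings and
lists the access rights on which the two central access policies disagree.
"""
import re

# %%NNNN placeholders are resource-string IDs resolved by Event Viewer. Only
# the IDs that occur in the sample are named here; anything else stays raw.
ACCESS_NAMES = {
    "1538": "READ_CONTROL",
    "1541": "SYNCHRONIZE",
    "4416": "ReadData (or ListDirectory)",
    "4419": "ReadEA",
    "4423": "ReadAttributes",
}
RESULT_NAMES = {"1801": "Granted by"}

# Constructed sample: the AccessReason and StagingReason values of the 4818
# event on this page, re-joined onto single lines.
ACCESS_REASON = ("%%1538: %%1801 D:(A;ID;0x1200a9;;;BU) %%1541: %%1801 D:(A;ID;0x1200a9;;;BU) "
                 "%%4416: %%1801 D:(A;ID;0x1200a9;;;BU) %%4419: %%1801 D:(A;ID;0x1200a9;;;BU) "
                 "%%4423: %%1801 D:(A;ID;0x1200a9;;;BU)")
STAGING_REASON = ("%%1538: %%1814Finance Documents Rule %%1541: %%1814Finance Documents Rule "
                  "%%4416: %%1814Finance Documents Rule %%4419: %%1814Finance Documents Rule "
                  "%%4423: %%1814Finance Documents Rule")

# One entry per checked access right: "%%<access>: <body>", where <body> runs
# up to the next "%%<digits>:" token or the end of the field.
ENTRY = re.compile(r"%%(\d+):\s*(.*?)(?=\s*%%\d+:|\Z)", re.S)
# Inside the body the first token is the result string ID, e.g. "%%1801 D:(...)"
# or "%%1814Finance Documents Rule" (no separator before the rule name).
BODY = re.compile(r"%%(\d+)\s*(.*)", re.S)


def parse_reasons(field):
    """Return {access_id: (result_id, detail)} in field order."""
    entries = {}
    for access_id, body in ENTRY.findall(field):
        m = BODY.match(body.strip())
        if m:
            entries[access_id] = (m.group(1), m.group(2).strip())
        else:
            entries[access_id] = (None, body.strip())
    return entries


def staging_differences(access_reason, staging_reason):
    """For every right the proposed policy decides differently, pair the
    current decision (result + ACE) with the proposed rule that denies it."""
    current = parse_reasons(access_reason)
    proposed = parse_reasons(staging_reason)
    rows = []
    for access_id, (_result_id, rule_name) in proposed.items():
        cur_result, cur_ace = current.get(access_id, (None, ""))
        cur_text = RESULT_NAMES.get(cur_result, "%%" + str(cur_result))
        rows.append({
            "access": ACCESS_NAMES.get(access_id, "%%" + access_id),
            "current": (cur_text + " " + cur_ace).strip(),
            "proposed_rule": rule_name,
        })
    return rows


if __name__ == "__main__":
    for row in staging_differences(ACCESS_REASON, STAGING_REASON):
        print("%-28s current: %-36s proposed: denied by rule %r"
              % (row["access"], row["current"], row["proposed_rule"]))
```

Run over the sample, the output shows that all five read-type rights (READ_CONTROL, SYNCHRONIZE, ReadData, ReadEA, ReadAttributes) are currently granted by the inherited BUILTIN\Users ACE (A;ID;0x1200a9;;;BU) and would all be denied by "Finance Documents Rule"; aggregating these rows per rule and per principal before enforcing a staged policy is the practical use of this event.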
Applies to
Windows 10
Windows Server 2016
Audit Audit Policy Change determines whether the operating system generates audit events when changes are
made to audit policy.
Event volume: Low.
Note SACL change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change.
4670(S): Permissions on an object were changed.
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Registry, Audit Authentication Policy Change, and Audit Authorization Policy Change
Event Description:
This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.
This event does not generate if the SACL (auditing ACL) was changed.
Before this event can generate, certain ACEs might need to be set in the object’s SACL. For example, for a file system object, it generates only if “Change Permissions" and/or "Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC" and/or "Write Owner” are set in the object’s SACL.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4670</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13570</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T19:36:50.187044600Z" />
<EventRecordID>269529</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x43659</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Documents\netcat-1.11</Data>
<Data Name="HandleId">0x3f0</Data>
<Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="ProcessId">0xdb0</Data>
<Data Name="ProcessName">C:\Windows\System32\dllhost.exe</Data>
</EventData>
</Event>
Subject:
Security ID [Type = SID]: SID of the account that requested the “change object’s permissions” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change object’s
permissions” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which
permissions were changed. For example, for a file, the path would be included. For Token objects, this field
typically equals “-“.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the permissions were changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Permissions Change:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language (SDDL) value for the object.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language (SDDL) value for the object.
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of a specific security principal, or a reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
"D" - DACL
"S" - SACL
inheritance_flags:
"P" - SDDL_PROTECTED: inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED: inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ: child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE does not apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: a hexadecimal string which denotes the access mask, or a reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of a specific security principal, or a reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx, https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
If you have critical registry objects for which you need to monitor all modifications (especially permissions
changes and owner changes), monitor for the specific Object\Object Name.
If you have high-value computers for which you need to monitor all changes for all or specific objects (for
example, file system or registry objects), monitor for all 4670 events on these computers. For example, you
could monitor the ntds.dit file on domain controllers.
4715(S): The audit policy (SACL) on an object was
changed.
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4715</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T19:59:39.964601800Z" />
<EventRecordID>1049425</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4668" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x11ae30</Data>
<Data Name="OldSd">D:(A;;DCSWRPDTRC;;;BA)(D;;DCSWRPDTRC;;;SY)S:NO_ACCESS_CONTROL</Data>
<Data Name="NewSd">D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY)S:NO_ACCESS_CONTROL</Data>
</EventData>
</Event>
Subject:
Security ID [Type = SID]: SID of the account that requested the “change local audit policy security descriptor (SACL)” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change local audit policy security descriptor (SACL)” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Audit Policy Change:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language
(SDDL ) value for the audit policy.
New Security Descriptor [Type = UnicodeString]: new Security Descriptor Definition Language (SDDL )
value for the audit policy.
Note The ** Security Descriptor Definition Language (SDDL )** defines string elements for enumerating
information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN )(D;;0xf0007;;;BG )(A;;0xf0007;;;SY )
(A;;0×7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD )
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA
(BUILTIN_ADMINISTRATORS ), WD (Everyone), SY (LOCAL_SYSTEM ), etc. See the list of possible values
in the table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
"D" - DACL
"S" - SACL
inheritance_flags:
"P" - SDDL_PROTECTED: inheritance from containers higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED: inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ: child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of a specific security principal, or a reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates when the computer's audit policy changes.
This event is always logged regardless of the "Audit Policy Change" sub-category setting.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4719</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T19:57:09.668217100Z" />
<EventRecordID>1049418</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4668" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="CategoryId">%%8274</Data>
<Data Name="SubcategoryId">%%12807</Data>
<Data Name="SubcategoryGuid">{0CCE9223-69AE-11D9-BED3-505054503030}</Data>
<Data Name="AuditPolicyChanges">%%8448, %%8450</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made a change to local audit policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Audit Policy Change:
Category: the name of the auditing category whose subcategory was changed. Possible values:
Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System
Subcategory: the name of the auditing subcategory that was changed. Possible values:
Kerberos Service Ticket Operations
Detailed Directory Service Replication
Special Logon
User Account Management
IPsec Quick Mode
Filtering Platform Packet Drop
Other Object Access Events
Filtering Platform Policy Change
IPsec Driver
Credential Validation
Process Termination
Network Policy Server
Authorization Policy Change
Other Privilege Use Events
Plug and Play Events
Group Membership
Subcategory GUID: the unique subcategory GUID. To see subcategory GUIDs you can use this command: auditpol /list /subcategory:* /v
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates when the Global Object Access Auditing policy is changed on a computer.
Separate events will be generated for “Registry” and “File system” policy changes.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4817</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-10T01:26:33.191368500Z" />
<EventRecordID>1192270</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3048" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="ObjectServer">LSA</Data>
<Data Name="ObjectType">Global SACL</Data>
<Data Name="ObjectName">Key</Data>
<Data Name="OldSd" />
<Data Name="NewSd">S:(AU;SA;RC;;;S-1-5-21-3457937927-2839227994-823803824-1104)</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made a change to Global Object
Access Auditing policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “LSA” value for this event.
Object Type [Type = UnicodeString]: the type of the object to which this event applies. Always “Global SACL” for this event.
The following table contains the list of the most common Object Types:
Object Name:
Key – if “Registry” Global Object Access Auditing policy was changed.
File – if “File system” Global Object Access Auditing policy was changed.
Auditing Settings:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy. Empty if the Global Object Access Auditing policy SACL was not set.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy.
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of a specific security principal, or a reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
"D" - DACL
"S" - SACL
inheritance_flags:
"P" - SDDL_PROTECTED: inheritance from containers higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED: inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ: child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of a specific security principal, or a reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates during system startup if a per-user audit policy is defined on the computer.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4902</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T00:05:25.814466500Z" />
<EventRecordID>1049490</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="556" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="PuaCount">1</Data>
<Data Name="PuaPolicyId">0x703e</Data>
</EventData>
</Event>
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates every time the CrashOnAuditFail audit flag value is modified.
This event is always logged regardless of the "Audit Policy Change" sub-category setting.
More information about the CrashOnAuditFail flag can be found here.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4906</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T00:45:07.048458800Z" />
<EventRecordID>1049529</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="532" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="CrashOnAuditFailValue">1</Data>
</EventData>
</Event>
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4907</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T18:18:19.458828800Z" />
<EventRecordID>1049732</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x138eb0</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">Key</Data>
<Data Name="ObjectName">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Internet Explorer</Data>
<Data Name="HandleId">0x2f8</Data>
<Data Name="OldSd">S:AI</Data>
<Data Name="NewSd">S:ARAI(AU;CISA;KA;;;S-1-5-21-3457937927-2839227994-823803824-1104)</Data>
<Data Name="ProcessId">0x120c</Data>
<Data Name="ProcessName">C:\Windows\regedit.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made a change to object’s auditing
settings.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: the type of the object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: full path and name of the object for which the SACL was modified.
Depends on Object Type. Here are some examples:
The format for Object Type = “Key” is: \REGISTRY\HIVE\PATH where:
HIVE:
HKEY_LOCAL_MACHINE = \REGISTRY\MACHINE
HKEY_CURRENT_USER = \REGISTRY\USER\[USER_SID], where [USER_SID] is the SID of the current user.
HKEY_CLASSES_ROOT = \REGISTRY\MACHINE\SOFTWARE\Classes
HKEY_USERS = \REGISTRY\USER
HKEY_CURRENT_CONFIG =
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current
PATH – path to the registry key.
The format for Object Type = “File” is: full path and name of the file or folder for which SACL was
modified.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, the “4656: A handle to an object was requested.” event for registry keys, or the Handle ID field in the “4656(S, F): A handle to an object was requested.” event for file system objects. This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the object’s SACL was
changed. Process ID (PID ) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Auditing Settings:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language
(SDDL ) value for the object.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language
(SDDL ) value for the object.
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of a specific security principal, or a reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
"D" - DACL
"S" - SACL
inheritance_flags:
"P" - SDDL_PROTECTED: inheritance from containers higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED: inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ: child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of a specific security principal, or a reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor events related to specific Windows object types (“Object Type”), for example File or
Key, monitor this event for the corresponding “Object Type.”
If you need to monitor all SACL changes for specific files, folders, registry keys, or other object types,
monitor for “Object Name” field value which has specific object name.
If you have critical file or registry objects and you need to monitor all modifications (especially changes in
SACL ), monitor for specific “Object\Object Name”.
If you have high-value computers for which you need to monitor all changes for all or specific file or registry
objects, monitor for all 4907 events on these computers.
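As an added example that is not Microsoft's code, the Python below parses the SDDL entry format described above for 4719, 4817 and 4907, then applies the 4907 recommendations just listed to a 4907 event: it keeps only watched Object Types and Object Names and reports which audit ACEs the object's SACL gained or lost. The event template, `make_4907` and the SAMPLE_* values are constructed for this example from the event XML shown on this page; real records would come from the Security channel.

```python
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
CONTROL_FLAGS = ("P", "AI", "AR")      # inheritance_flags tokens listed above
ACE_RE = re.compile(r"\(([^)]*)\)")    # one (...) group per ACE

# ace_type / ace_flags / rights / object_guid / inherit_object_guid / account_sid, as above
Ace = namedtuple("Ace", "ace_type flags rights object_guid inherit_object_guid sid")
SecurityDescriptor = namedtuple("SecurityDescriptor", "owner group dacl_flags dacl sacl_flags sacl")

def _split_pairs(s):
    """'CISA' -> ['CI', 'SA']: every ace_flags token listed above is two letters."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def _parse_control(s):
    """inheritance_flags between 'D:'/'S:' and the first ACE: 'ARAI' -> ['AR', 'AI']."""
    out = []
    while s:
        tok = "P" if s[0] == "P" else s[:2]
        if tok not in CONTROL_FLAGS:
            raise ValueError("unknown inheritance flag in %r" % s)
        out.append(tok)
        s = s[len(tok):]
    return out

def _parse_ace(body):
    """Body of one (...) entry; the six fields are ';'-separated even when empty."""
    parts = body.split(";")
    if len(parts) != 6:
        raise ValueError("ACE needs 6 fields: %r" % body)
    return Ace(parts[0], _split_pairs(parts[1]), parts[2], parts[3], parts[4], parts[5])

def parse_sddl(sddl):
    """Split an SDDL string into O:, G:, D: and S: parts and parse both ACLs.
    An empty string (the OldSd of a fresh Global SACL in 4817) yields empty ACLs."""
    parts = {"O": "", "G": "", "D": "", "S": ""}
    for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        parts[m.group(1)] = m.group(2)
    acl = {}
    for key in "DS":                   # text before the first "(" is the flag block
        value = parts[key]
        acl[key] = (_parse_control(value.split("(", 1)[0]),
                    [_parse_ace(b) for b in ACE_RE.findall(value)])
    return SecurityDescriptor(parts["O"], parts["G"], *acl["D"], *acl["S"])

def _ace_key(a):
    return (a.ace_type, tuple(a.flags), a.rights, a.sid)

def triage_4907(event_xml, watched_types=("Key", "File"), watched_names=()):
    """Apply the 4907 recommendations above: keep the event only when its Object Type is
    watched and its Object Name contains a watched substring, then diff old vs new SACL.
    Returns None for events that are filtered out."""
    root = ET.fromstring(event_xml)
    if root.findtext(f"{EVENT_NS}System/{EVENT_NS}EventID") != "4907":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVENT_NS}Data")}
    name = data["ObjectName"].lower()
    if data["ObjectType"] not in watched_types or (
            watched_names and not any(w.lower() in name for w in watched_names)):
        return None
    old = {_ace_key(a) for a in parse_sddl(data["OldSd"]).sacl}
    new = {_ace_key(a) for a in parse_sddl(data["NewSd"]).sacl}
    return {"subject": data["SubjectDomainName"] + "\\" + data["SubjectUserName"],
            "object": data["ObjectType"] + " " + data["ObjectName"],
            "process": data["ProcessName"],
            "removed": sorted(old - new),   # audit ACEs that disappeared: coverage lost
            "added": sorted(new - old)}

# Constructed 4907 event in the shape of the event XML above (not a real log record).
EVENT_4907_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4907</EventID><Channel>Security</Channel><Computer>DC01.contoso.local</Computer></System>
 <EventData>
  <Data Name="SubjectUserName">dadmin</Data>
  <Data Name="SubjectDomainName">CONTOSO</Data>
  <Data Name="ObjectType">{otype}</Data>
  <Data Name="ObjectName">{oname}</Data>
  <Data Name="OldSd">{old}</Data>
  <Data Name="NewSd">{new}</Data>
  <Data Name="ProcessName">C:\\Windows\\regedit.exe</Data>
 </EventData>
</Event>"""
SAMPLE_KEY = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\EventLog\\Internet Explorer"
SAMPLE_AUDIT_SACL = "S:ARAI(AU;CISA;KA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"

def make_4907(otype, oname, old_sd, new_sd):
    return EVENT_4907_TEMPLATE.format(otype=otype, oname=oname, old=old_sd, new=new_sd)

if __name__ == "__main__":
    # First pair mirrors the page (audit ACE added to the key); second reverses it.
    for old, new in (("S:AI", SAMPLE_AUDIT_SACL), (SAMPLE_AUDIT_SACL, "S:AI")):
        print(triage_4907(make_4907("Key", SAMPLE_KEY, old, new), watched_names=("\\EventLog\\",)))
```

A non-empty "removed" list is the case worth alerting on: an audit ACE that used to cover the object is gone, so later access to it will no longer produce Object Access events.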
4908(S): Special Groups Logon table modified.
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates every time the Special Groups logon table is modified.
This event also generates during system startup.
This event is always logged regardless of the "Audit Policy Change" sub-category setting.
More information about Special Groups auditing can be found here:
http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx
https://support.microsoft.com/kb/947223
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4908</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T00:20:40.210246600Z" />
<EventRecordID>1049511</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="532" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SidList">%{S-1-5-21-3457937927-2839227994-823803824-512}</Data>
</EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Special Groups [Type = UnicodeString]: contains current list of SIDs (groups or accounts) which are members of
Special Groups. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be
resolved, you will see the source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates every time the Per User Audit Policy is changed.
This event is always logged regardless of the "Audit Policy Change" sub-category setting.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4912</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T23:43:07.363195100Z" />
<EventRecordID>1049452</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1660" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x11ae30</Data>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="CategoryId">%%8276</Data>
<Data Name="SubcategoryId">%%13312</Data>
<Data Name="SubcategoryGuid">{0CCE922B-69AE-11D9-BED3-505054503030}</Data>
<Data Name="AuditPolicyChanges">%%8452</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made a change to per-user audit
policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Policy For Account:
Security ID [Type = SID]: SID of the account for which the Per User Audit Policy was changed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Policy Change Details:
Category [Type = UnicodeString]: the name of the auditing category whose subcategory state was changed. Possible values are:
Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System
Subcategory [Type = UnicodeString]: the name of the auditing subcategory whose state was changed. Possible values:
Audit Credential Validation
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Logon/Logoff Events
Audit Application Group Management
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management
Audit Other Object Access Events
Audit Registry
Audit SAM
Audit Policy Change
Audit Authentication Policy Change
Audit Process Termination
Audit RPC Events
Audit Detailed Directory Service Replication
Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication
Audit Account Lockout
Audit IPsec Extended Mode
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events
Audit Non-Sensitive Privilege Use
Audit Sensitive Privilege Use
Audit Special Logon
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity
Audit PNP Activity
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
To see subcategory GUIDs you can use the following command: “auditpol /list /subcategory:* /v”:
Changes [Type = UnicodeString]: changes which were made for the subcategory. Possible values are:
Success include removed
Success include added
Failure include removed
Failure include added
Success exclude removed
Success exclude added
Failure exclude removed
Failure exclude added
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates every time a new security event source is registered.
You can typically see this event during system startup, if specific roles (Internet Information Services, for example) are installed in the system.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4904</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T00:53:01.030688000Z" />
<EventRecordID>1049538</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="548" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="AuditSourceName">FSRM Audit</Data>
<Data Name="EventSourceId">0x1cc4e</Data>
<Data Name="ProcessId">0x688</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to register a
security event source.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Process:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that attempted to register the security
event source. Process ID (PID) is a number used by the operating system to uniquely identify an active
process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Event Source:
Source Name [Type = UnicodeString]: the name of registered security event source. You can see all
registered security event source names in this registry path:
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security”. Here is an example:
Event Source ID [Type = HexInt64]: the unique hexadecimal identifier of registered security event source.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Because this event is typically triggered by the SYSTEM account, we recommend that you report it
whenever “Subject\Security ID” is not SYSTEM.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If you have a pre-defined list of allowed security event sources for specific computers or computer types,
then you can use this event and check whether “Event Source\Source Name” is in your defined list.
Typically this event has an informational purpose.
4905(S): An attempt was made to unregister a security event source.
4/5/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates every time a security event source is unregistered.
You typically see this event if specific roles were removed, for example, Internet Information Services.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4905</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T17:39:12.039825000Z" />
<EventRecordID>1049718</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="1888" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="AuditSourceName">IIS-METABASE</Data>
<Data Name="EventSourceId">0x20c15f</Data>
<Data Name="ProcessId">0xd90</Data>
<Data Name="ProcessName">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to unregister a
security event source.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that attempted to unregister the
security event source. Process ID (PID) is a number used by the operating system to uniquely identify an
active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Event Source:
Source Name [Type = UnicodeString]: the name of unregistered security event source. You can see all
registered security event source names in this registry path:
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security”. Here is an example:
Event Source ID [Type = HexInt64]: the unique hexadecimal identifier of unregistered security event
source.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Because this event is typically triggered by the SYSTEM account, we recommend that you report it
whenever “Subject\Security ID” is not SYSTEM.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If you have a list of critical security event sources which should never have been unregistered, then you can
use this event and check the “Event Source\Source Name.”
Typically this event has an informational purpose.
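The monitoring recommendations for 4904 and 4905 above, applied to the event XML as an added example that is not part of the Microsoft documentation. The standard/restricted folder lists, the allowed and critical source lists, and the third (anomalous) record are constructed assumptions; note that the leading “-” markers in the listings above are Event Viewer's tree controls, not part of the XML.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"

# Assumed per-organization lists (constructed for this example).
STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
RESTRICTED_DIRS = ("\\temporary internet files\\", "\\temp\\")
SUSPICIOUS_SUBSTRINGS = ("mimikatz", "cain.exe")
ALLOWED_SOURCES = {"fsrm audit", "iis-metabase"}  # sources expected to register (4904)
CRITICAL_SOURCES = {"fsrm audit"}                 # sources that must never unregister (4905)

# 4904 and 4905 records from the documentation above (System element abridged).
EVENT_4904 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4904</EventID><Computer>DC01.contoso.local</Computer></System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="AuditSourceName">FSRM Audit</Data>
<Data Name="EventSourceId">0x1cc4e</Data>
<Data Name="ProcessId">0x688</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
</EventData></Event>"""

EVENT_4905 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4905</EventID><Computer>DC01.contoso.local</Computer></System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="AuditSourceName">IIS-METABASE</Data>
<Data Name="EventSourceId">0x20c15f</Data>
<Data Name="ProcessId">0xd90</Data>
<Data Name="ProcessName">-</Data>
</EventData></Event>"""

# Constructed anomalous record: a domain user registers an unknown source from a temp folder.
CONSTRUCTED_4904 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4904</EventID><Computer>DC01.contoso.local</Computer></System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e99d6</Data>
<Data Name="AuditSourceName">Custom Audit</Data>
<Data Name="EventSourceId">0x1cc4f</Data>
<Data Name="ProcessId">0x1a2c</Data>
<Data Name="ProcessName">C:\Users\dadmin\AppData\Local\Temp\tool.exe</Data>
</EventData></Event>"""


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from one Security event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def check_event_source_event(xml_text):
    """Apply the 4904/4905 monitoring recommendations; return a list of findings."""
    event_id, d = parse_event(xml_text)
    if event_id not in (4904, 4905):
        return []
    findings = []
    if d.get("SubjectUserSid") != SYSTEM_SID:
        findings.append("subject is not SYSTEM")
    # The documentation renders the path with doubled backslashes; normalize before matching.
    proc = d.get("ProcessName", "-").replace("\\\\", "\\").lower()
    if proc != "-":  # 4905 may carry "-" when no process is recorded
        if not proc.startswith(STANDARD_DIRS):
            findings.append("process outside standard folders")
        if any(r in proc for r in RESTRICTED_DIRS):
            findings.append("process in restricted folder")
        if any(s in proc for s in SUSPICIOUS_SUBSTRINGS):
            findings.append("suspicious substring in process name")
    source = d.get("AuditSourceName", "").lower()
    if event_id == 4904 and source not in ALLOWED_SOURCES:
        findings.append(f"unexpected event source registered: {source}")
    if event_id == 4905 and source in CRITICAL_SOURCES:
        findings.append(f"critical event source unregistered: {source}")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("4904", EVENT_4904), ("4905", EVENT_4905), ("constructed 4904", CONSTRUCTED_4904)):
        print(label, check_event_source_event(xml_text) or ["no findings"])
```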
Audit Authentication Policy Change
4/5/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Authentication Policy Change determines whether the operating system generates audit events when
changes are made to authentication policy.
Changes made to authentication policy include:
Creation, modification, and removal of forest and domain trusts.
Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account
Policies\Kerberos Policy.
When any of the following user logon rights is granted to a user or group:
Access this computer from the network
Allow logon locally
Allow logon through Remote Desktop
Logon as a batch job
Logon as a service
Namespace collision, such as when an added trust collides with an existing namespace name.
This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted
to user accounts or groups.
Event volume: Low.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Events List:
4670(S): Permissions on an object were changed.
4706(S): A new trust was created to a domain.
4707(S): A trust to a domain was removed.
4716(S): Trusted domain information was modified.
4713(S): Kerberos policy was changed.
4717(S): System security access was granted to an account.
4718(S): System security access was removed from an account.
4739(S): Domain Policy was changed.
4864(S): A namespace collision was detected.
4865(S): A trusted forest information entry was added.
4866(S): A trusted forest information entry was removed.
4867(S): A trusted forest information entry was modified.
4706(S): A new trust was created to a domain.
4/5/2019 • 7 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates when a new trust was created to a domain.
This event is generated only on domain controllers.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4706</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T20:41:13.189445500Z" />
<EventRecordID>1049759</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="4900" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="DomainName">corp.contoso.local</Data>
<Data Name="DomainSid">S-1-5-21-2226861337-2836268956-2433141405</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e99d6</Data>
<Data Name="TdoType">2</Data>
<Data Name="TdoDirection">3</Data>
<Data Name="TdoAttributes">32</Data>
<Data Name="SidFilteringEnabled">%%1796</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create domain trust”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Trusted Domain:
Domain Name [Type = UnicodeString]: the name of new trusted domain.
Domain ID [Type = SID]: SID of new trusted domain. Event Viewer automatically tries to resolve SIDs and
show the account name. If the SID cannot be resolved, you will see the source data in the event.
Trust Information:
Trust Type [Type = UInt32]: the type of new trust. The following table contains possible values for this field:
Trust Direction [Type = UInt32]: the direction of new trust. The following table contains possible values for this
field:
Trust Attributes [Type = UInt32]: the decimal value of the attributes of the new trust. You need to convert the decimal value
to hexadecimal and find it in the table below. The following table contains possible values for this field:
0x400 | TRUST_ATTRIBUTE_PIM_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as a Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [MS-PAC] section 4.1.2.2. Evaluated only on Windows Server 2016. Evaluated only if SID Filtering is used. Evaluated only on cross-forest trusts having TRUST_ATTRIBUTE_FOREST_TRANSITIVE. Can be set only if the forest and the trusted forest are running in a forest functional level of DS_BEHAVIOR_WINTHRESHOLD or greater.
SID Filtering [Type = UnicodeString]: SID Filtering state for the new trust:
Enabled
Disabled
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates when a domain trust was removed.
This event is generated only on domain controllers.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4707</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T20:41:13.080444700Z" />
<EventRecordID>1049754</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="580" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="DomainName">FABRIKAM</Data>
<Data Name="DomainSid">S-1-5-21-2226861337-2836268956-2433141405</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e99d6</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “remove domain trust”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Domain Information:
Domain Name [Type = UnicodeString]: the name of removed trusted domain.
Domain ID [Type = SID]: SID of removed trusted domain. Event Viewer automatically tries to resolve SIDs
and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates when the trust was modified.
This event is generated only on domain controllers.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4716</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T22:55:54.560735500Z" />
<EventRecordID>1049763</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="4920" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x138eb0</Data>
<Data Name="DomainName">-</Data>
<Data Name="DomainSid">S-1-5-21-2226861337-2836268956-2433141405</Data>
<Data Name="TdoType">2</Data>
<Data Name="TdoDirection">3</Data>
<Data Name="TdoAttributes">32</Data>
<Data Name="SidFilteringEnabled">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “modify domain trust
settings” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Trusted Domain:
Domain Name [Type = UnicodeString]: the name of changed trusted domain. If this attribute was not
changed, then it will have “-” value.
Domain ID [Type = SID]: SID of changed trusted domain. Event Viewer automatically tries to resolve SIDs
and show the account name. If the SID cannot be resolved, you will see the source data in the event.
New Trust Information:
Trust Type [Type = UInt32]: the type of new trust. If this attribute was not changed, then it will have “-” value or
its old value. The following table contains possible values for this field:
Trust Direction [Type = UInt32]: the direction of new trust. If this attribute was not changed, then it will have
“-” value or its old value. The following table contains possible values for this field:
Trust Attributes [Type = UInt32]: the decimal value of the attributes of the new trust. You need to convert the decimal value
to hexadecimal and find it in the table below. If this attribute was not changed, then it will have “-” value or its
old value. The following table contains possible values for this field:
0x400 | TRUST_ATTRIBUTE_PIM_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as a Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [MS-PAC] section 4.1.2.2. Evaluated only on Windows Server 2016. Evaluated only if SID Filtering is used. Evaluated only on cross-forest trusts having TRUST_ATTRIBUTE_FOREST_TRANSITIVE. Can be set only if the forest and the trusted forest are running in a forest functional level of DS_BEHAVIOR_WINTHRESHOLD or greater.
SID Filtering [Type = UnicodeString]: SID Filtering state for the new trust:
Enabled
Disabled
If this attribute was not changed, then it will have “-” value or its old value.
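Decoding the Trust Information fields of 4706 and 4716 above, as an added example that is not part of the Microsoft documentation. The trustType, trustDirection and trustAttributes value tables are assumed from MS-ADTS (only the 0x400 row survives on this page), the %%1797 = Disabled mapping is an assumption, and the third record is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Value tables assumed from MS-ADTS (trustType, trustDirection, trustAttributes);
# only the 0x400 row of the attributes table survives on this page.
TRUST_TYPE = {1: "DOWNLEVEL", 2: "UPLEVEL", 3: "MIT", 4: "DCE"}
TRUST_DIRECTION = {0: "DISABLED", 1: "INBOUND", 2: "OUTBOUND", 3: "BIDIRECTIONAL"}
TRUST_ATTRIBUTES = {
    0x001: "TRUST_ATTRIBUTE_NON_TRANSITIVE",
    0x002: "TRUST_ATTRIBUTE_UPLEVEL_ONLY",
    0x004: "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN",
    0x008: "TRUST_ATTRIBUTE_FOREST_TRANSITIVE",
    0x010: "TRUST_ATTRIBUTE_CROSS_ORGANIZATION",
    0x020: "TRUST_ATTRIBUTE_WITHIN_FOREST",
    0x040: "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL",
    0x080: "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION",
    0x400: "TRUST_ATTRIBUTE_PIM_TRUST",
}
KNOWN_MASK = sum(TRUST_ATTRIBUTES)  # keys are distinct bits, so the sum equals their OR
# Event Viewer renders these message-table references as the SID Filtering state;
# %%1796 appears in the 4706 sample above, %%1797 = Disabled is an assumption.
SID_FILTERING = {"%%1796": "Enabled", "%%1797": "Disabled"}

# 4706 and 4716 records from the documentation above (abridged to the fields decoded here).
EVENT_4706 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4706</EventID></System><EventData>
<Data Name="DomainName">corp.contoso.local</Data>
<Data Name="TdoType">2</Data>
<Data Name="TdoDirection">3</Data>
<Data Name="TdoAttributes">32</Data>
<Data Name="SidFilteringEnabled">%%1796</Data>
</EventData></Event>"""

EVENT_4716 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4716</EventID></System><EventData>
<Data Name="DomainName">-</Data>
<Data Name="TdoType">2</Data>
<Data Name="TdoDirection">3</Data>
<Data Name="TdoAttributes">32</Data>
<Data Name="SidFilteringEnabled">-</Data>
</EventData></Event>"""

# Constructed 4716: a forest trust re-marked "treat as external" with SID filtering turned off.
CONSTRUCTED_4716 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4716</EventID></System><EventData>
<Data Name="DomainName">fabrikam.local</Data>
<Data Name="TdoType">2</Data>
<Data Name="TdoDirection">3</Data>
<Data Name="TdoAttributes">72</Data>
<Data Name="SidFilteringEnabled">%%1797</Data>
</EventData></Event>"""


def _int_or_none(value):
    """4716 reports '-' for fields that did not change; treat that as absent."""
    return None if value in ("", "-") else int(value, 0)


def decode_trust(xml_text):
    """Return the decoded Trust Information fields of a 4706 or 4716 event."""
    root = ET.fromstring(xml_text)
    d = {x.get("Name"): (x.text or "").strip() for x in root.findall("e:EventData/e:Data", NS)}
    ttype, tdir = _int_or_none(d.get("TdoType", "-")), _int_or_none(d.get("TdoDirection", "-"))
    attrs = _int_or_none(d.get("TdoAttributes", "-"))  # decimal in the event, bit flags in the table
    sid_filter = d.get("SidFilteringEnabled", "-")
    return {
        "event_id": int(root.find("e:System/e:EventID", NS).text),
        "domain": d.get("DomainName", "-"),
        "type": "-" if ttype is None else TRUST_TYPE.get(ttype, str(ttype)),
        "direction": "-" if tdir is None else TRUST_DIRECTION.get(tdir, str(tdir)),
        "attributes": [] if attrs is None else [n for b, n in TRUST_ATTRIBUTES.items() if attrs & b],
        "unknown_bits": 0 if attrs is None else attrs & ~KNOWN_MASK,
        "sid_filtering": SID_FILTERING.get(sid_filter, sid_filter),
    }


def review_trust(info):
    """Findings a defender would want raised for a new or modified trust."""
    findings = []
    if info["sid_filtering"] == "Disabled":
        findings.append("SID filtering disabled on trust")
    if "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL" in info["attributes"]:
        findings.append("forest trust treated as external (relaxed SID filtering)")
    if "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION" in info["attributes"]:
        findings.append("trust marked to use RC4 Kerberos encryption")
    if info["unknown_bits"]:
        findings.append(f"attribute bits not in the table: {info['unknown_bits']:#x}")
    return findings


if __name__ == "__main__":
    for xml_text in (EVENT_4706, EVENT_4716, CONSTRUCTED_4716):
        info = decode_trust(xml_text)
        print(info["event_id"], info["domain"], info["type"], info["direction"], info["attributes"],
              info["sid_filtering"], review_trust(info) or ["no findings"])
```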
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates when Kerberos policy was changed.
This event is generated only on domain controllers.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4713</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T23:15:50.811774300Z" />
<EventRecordID>1049772</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="4116" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="KerberosPolicyChange">KerMaxT: 0x10c388d000 (0x861c46800); KerMaxR: 0x19254d38000 (0xc92a69c000);</Data>
</EventData>
</Event>
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made a change to Kerberos policy. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in
the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made a change to Kerberos policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Changes Made [Type = UnicodeString]: '--' means no changes; otherwise each change is shown as
Parameter_Name: new_value (old_value). Here is a list of possible parameter names:
This event shows changes in “Kerberos policy”. Here is the location of Kerberos policies in the Group Policy Management
Console:
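A parser for the “Changes Made” format of 4713 described above, as an added example that is not part of the Microsoft documentation. It is run on the KerberosPolicyChange string from the sample event; the meanings attached to KerMaxT and KerMaxR are an assumption, since the page's list of parameter names did not survive.

```python
import re

# One change is rendered as "Name: new_value (old_value)"; entries are ';'-separated.
CHANGE_RE = re.compile(r"(?P<name>\w+):\s*(?P<new>0x[0-9A-Fa-f]+)\s*\((?P<old>0x[0-9A-Fa-f]+)\)")

# Parameter names taken from the sample above; the meanings are an assumption here.
PARAMETER_MEANING = {
    "KerMaxT": "maximum lifetime for user ticket",
    "KerMaxR": "maximum lifetime for user ticket renewal",
}

# "Changes Made" value from the 4713 sample event above.
SAMPLE_CHANGES = "KerMaxT: 0x10c388d000 (0x861c46800); KerMaxR: 0x19254d38000 (0xc92a69c000);"


def parse_kerberos_policy_change(changes_made):
    """Return [(name, new_value, old_value)] for a 4713 'Changes Made' string ('--' means none)."""
    if changes_made.strip() == "--":
        return []
    return [(m["name"], int(m["new"], 16), int(m["old"], 16)) for m in CHANGE_RE.finditer(changes_made)]


def weakened_parameters(changes):
    """Parameters whose value grew; a longer ticket or renewal lifetime loosens the policy."""
    return [name for name, new, old in changes if new > old]


def describe(changes):
    """Human-readable lines: meaning, new value, old value and the growth factor."""
    return [f"{PARAMETER_MEANING.get(name, name)}: {new:#x} (was {old:#x}, x{new / old:g})"
            for name, new, old in changes]


if __name__ == "__main__":
    changes = parse_kerberos_policy_change(SAMPLE_CHANGES)
    print("\n".join(describe(changes)))
    print("increased:", weakened_parameters(changes))
```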
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates every time the local logon user right policy is changed and a logon right was granted to an account.
You will see a unique event for every user if logon user rights were granted to multiple accounts.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4717</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-02T00:02:33.213572000Z" />
<EventRecordID>1049777</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="2064" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="AccessGranted">SeInteractiveLogonRight</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made a change to local logon right
user policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Account Modified:
Account Name [Type = SID]: the SID of the security principal for which logon right was granted. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
Access Granted:
Access Right [Type = UnicodeString]: the name of granted logon right. This event generates only for logon
rights, which are as follows:
Type of monitoring required | Recommendation
Actions typically performed by the SYSTEM account: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM. | Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever “Subject\Security ID” is not SYSTEM.
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the “Subject\Security ID” and “Account Modified\Account Name” that correspond to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “Subject\Security ID” that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist. If you have specific user logon rights policies, for example, a whitelist of accounts that can log on to certain computers, monitor this event to confirm that any “Access Right” was granted only to the appropriate “Account Modified\Account Name.”
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” and “Account Modified\Account Name” to see whether the account type is as expected. For example, if non-service accounts should never be granted certain logon rights (for example, SeServiceLogonRight), monitor this event for those accounts and rights.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about. Also be sure to check “Account Modified\Account Name” to see whether logon rights should be granted to that account. For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “Access Right” should be granted to “Account Modified\Account Name” in each case.
Logon rights that should be restricted: You might have a list of user logon rights that you want to monitor (for example, SeServiceLogonRight). | Monitor this event and compare the “Access Right” to your list of restricted rights.
Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
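The 4717/4718 recommendations above (non-SYSTEM subject, restricted rights such as SeServiceLogonRight, high-value target accounts) applied to the event XML, as an added example that is not part of the Microsoft documentation. The restricted-rights, service-account and high-value-account lists and the third record are constructed assumptions; the Se* names are the Windows privilege constants carried in the event.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"

# The logon rights these events cover, keyed by the constant name the event carries
# and mapped to the policy names listed under Audit Authentication Policy Change above.
LOGON_RIGHTS = {
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeInteractiveLogonRight": "Allow logon locally",
    "SeRemoteInteractiveLogonRight": "Allow logon through Remote Desktop",
    "SeBatchLogonRight": "Logon as a batch job",
    "SeServiceLogonRight": "Logon as a service",
}
# Assumed organization lists for this example (SIDs taken from the samples above).
RESTRICTED_RIGHTS = {"SeServiceLogonRight", "SeRemoteInteractiveLogonRight"}
SERVICE_ACCOUNTS = set()  # SIDs that may legitimately hold SeServiceLogonRight
HIGH_VALUE_ACCOUNTS = {"S-1-5-21-3457937927-2839227994-823803824-1104"}  # dadmin

# 4717 and 4718 records from the documentation above (System element abridged).
EVENT_4717 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4717</EventID></System><EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="AccessGranted">SeInteractiveLogonRight</Data>
</EventData></Event>"""

EVENT_4718 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4718</EventID></System><EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="AccessRemoved">SeInteractiveLogonRight</Data>
</EventData></Event>"""

# Constructed record: a domain admin grants "Logon as a service" to their own account.
CONSTRUCTED_4717 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4717</EventID></System><EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="AccessGranted">SeServiceLogonRight</Data>
</EventData></Event>"""


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from one Security event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def check_logon_right_event(xml_text):
    """Apply the 4717/4718 monitoring recommendations; return a list of findings."""
    event_id, d = parse_event(xml_text)
    if event_id not in (4717, 4718):
        return []
    # 4717 carries the right in AccessGranted, 4718 in AccessRemoved.
    right = d.get("AccessGranted") if event_id == 4717 else d.get("AccessRemoved")
    target = d.get("TargetSid", "-")
    verb = "granted to" if event_id == 4717 else "removed from"
    findings = []
    if d.get("SubjectUserSid") != SYSTEM_SID:
        findings.append("subject is not SYSTEM")
    if right not in LOGON_RIGHTS:
        findings.append(f"unexpected access right value: {right}")
    if target in HIGH_VALUE_ACCOUNTS:
        findings.append(f"{right} {verb} high-value account {target}")
    if event_id == 4717:
        if right in RESTRICTED_RIGHTS:
            findings.append(f"restricted right {right} granted")
        if right == "SeServiceLogonRight" and target not in SERVICE_ACCOUNTS:
            findings.append("SeServiceLogonRight granted to a non-service account")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("4717", EVENT_4717), ("4718", EVENT_4718), ("constructed 4717", CONSTRUCTED_4717)):
        print(label, check_logon_right_event(xml_text) or ["no findings"])
```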
4718(S): System security access was removed from an account.
4/5/2019 • 6 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates every time the local logon user right policy is changed and a logon right was removed from an account.
You will see a unique event for every user if logon user rights were removed for multiple accounts.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4718</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T23:35:46.375134200Z" />
<EventRecordID>1049773</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="5028" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="AccessRemoved">SeInteractiveLogonRight</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made a change to the local logon user right policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Account Modified:
Account Name [Type = SID]: the SID of the security principal for which the logon right was removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Access Removed:
Access Right [Type = UnicodeString]: the name of removed logon right. This event generates only for logon
rights, which are as follows:
TYPE OF MONITORING REQUIRED / RECOMMENDATION
Actions typically performed by the SYSTEM account: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM.
Recommendation: Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever “Subject\Security ID” is not SYSTEM.
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” and “Account Modified\Account Name” that correspond to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist. If you have specific user logon rights policies, for example, a whitelist of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “Access Right” was removed from “Account Modified\Account Name.”
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” and “Account Modified\Account Name” to see whether the account type is as expected. For example, if critical remote network service accounts have user logon rights which should never be removed (for example, SeNetworkLogonRight), monitor this event for the “Account Modified\Account Name” and the appropriate rights. As another example, if non-service accounts should never be granted certain logon rights (for example, SeServiceLogonRight), you might monitor this event, because a right can be removed only after it was previously granted.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about. Also be sure to check “Account Modified\Account Name” to see whether logon rights should be removed from that account. For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “Access Right” should be removed from “Account Modified\Account Name” in each case.
Logon rights that should be restricted: You might have a list of user logon rights that you want to monitor (for example, SeServiceLogonRight).
Recommendation: Monitor this event and compare the “Access Right” to your list of restricted rights. Monitor this event to discover the removal of a right that should never have been granted, so that you can investigate further.
“Deny” rights that should not be removed: Your organization might use “Deny” rights that should not be removed, for example, SeDenyRemoteInteractiveLogonRight.
Recommendation: You can also monitor this event to discover the removal of “Deny” rights. When these rights are removed, it could be an approved action, done by mistake, or part of malicious activity. These rights include: SeDenyNetworkLogonRight, SeDenyBatchLogonRight, SeDenyServiceLogonRight, SeDenyInteractiveLogonRight, SeDenyRemoteInteractiveLogonRight.
Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
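The checks in the table above, applied to 4718 event XML in the layout the page shows. This is an added example, not Microsoft's code: the first sample reproduces the page's own event, the other two are constructed, and the restricted-rights list, trusted domains and the high-value target SID (the built-in Administrator, RID 500, of the page's example domain) are assumptions you would replace with your own policy.

```python
"""Triage of Windows Security event 4718 (logon right removed) against the monitoring
recommendations above.  Added example, not Microsoft's code.  PAGE_EXAMPLE reuses the
page's own 4718 data; DENY_REMOVED and EXTERNAL_SUBJECT are constructed variants."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"
DOMAIN_SID = "S-1-5-21-3457937927-2839227994-823803824"  # CONTOSO domain SID from the page's XML

# "Deny" rights whose removal the table says to investigate (list taken from the page).
DENY_RIGHTS = {
    "SeDenyNetworkLogonRight", "SeDenyBatchLogonRight", "SeDenyServiceLogonRight",
    "SeDenyInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight",
}
# Organisation-specific policy: these three values are assumptions for the example.
RESTRICTED_RIGHTS = {"SeServiceLogonRight"}       # your "logon rights that should be restricted" list
TRUSTED_DOMAINS = {"CONTOSO", "NT AUTHORITY"}     # any other Subject\Account Domain counts as external
HIGH_VALUE_TARGETS = {DOMAIN_SID + "-500"}        # assumed: built-in Administrator (RID 500)

EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{{54849625-5478-4994-A5BA-3E3B0328C30D}}" />
    <EventID>4718</EventID>
    <Task>13569</Task>
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">{subject_sid}</Data>
    <Data Name="SubjectUserName">{subject_name}</Data>
    <Data Name="SubjectDomainName">{subject_domain}</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetSid">{target_sid}</Data>
    <Data Name="AccessRemoved">{right}</Data>
  </EventData>
</Event>"""


def make_4718(subject_sid, subject_name, subject_domain, target_sid, right):
    """Build a 4718 event in the page's XML layout (constructed test data)."""
    return EVENT_TEMPLATE.format(subject_sid=subject_sid, subject_name=subject_name,
                                 subject_domain=subject_domain, target_sid=target_sid, right=right)


def event_fields(xml_text):
    """Return (EventID, {Data Name: text}) from a Security event XML string."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data


def triage_4718(xml_text):
    """Apply the table's recommendations; return the matching findings (empty list = routine)."""
    event_id, d = event_fields(xml_text)
    if event_id != 4718:
        return []
    findings = []
    if d["SubjectUserSid"] != SYSTEM_SID:                      # "Actions typically performed by the SYSTEM account"
        findings.append("subject-not-system")
    if d["SubjectDomainName"].upper() not in TRUSTED_DOMAINS:  # "External accounts"
        findings.append("external-domain")
    if d["AccessRemoved"] in DENY_RIGHTS:                      # "Deny rights that should not be removed"
        findings.append("deny-right-removed")
    if d["AccessRemoved"] in RESTRICTED_RIGHTS:                # "Logon rights that should be restricted"
        findings.append("restricted-right-removed")
    if d["TargetSid"] in HIGH_VALUE_TARGETS:                   # "High-value accounts" (Account Modified\Account Name)
        findings.append("high-value-target")
    return findings


# The page's example (SYSTEM on the DC removing SeInteractiveLogonRight) plus two constructed cases.
PAGE_EXAMPLE = make_4718(SYSTEM_SID, "DC01$", "CONTOSO", DOMAIN_SID + "-2104", "SeInteractiveLogonRight")
DENY_REMOVED = make_4718(DOMAIN_SID + "-1104", "dadmin", "CONTOSO", DOMAIN_SID + "-500",
                         "SeDenyRemoteInteractiveLogonRight")
EXTERNAL_SUBJECT = make_4718("S-1-5-21-2703072690-1374247579-2643703677-1105", "svc-backup", "FABRIKAM",
                             DOMAIN_SID + "-2104", "SeServiceLogonRight")

if __name__ == "__main__":
    for name, xml_text in [("page example", PAGE_EXAMPLE), ("deny right removed", DENY_REMOVED),
                           ("external subject", EXTERNAL_SUBJECT)]:
        print(name, "->", triage_4718(xml_text) or "no finding")
```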
4739(S): Domain Policy was changed.
4/5/2019 • 12 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates when one of the following changes was made to local computer security policy:
Computer’s “\Security Settings\Account Policies\Account Lockout Policy” settings were modified.
Computer's “\Security Settings\Account Policies\Password Policy” settings were modified.
"Network security: Force logoff when logon hours expire" group policy setting was changed.
Domain functional level was changed or some other attributes changed (see details in event description).
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4739</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-02T00:45:37.587380900Z" />
<EventRecordID>1049781</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="1648" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="DomainPolicyChanged">Password Policy</Data>
<Data Name="DomainName">CONTOSO</Data>
<Data Name="DomainSid">S-1-5-21-3457937927-2839227994-823803824</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="MinPasswordAge">-</Data>
<Data Name="MaxPasswordAge">-</Data>
<Data Name="ForceLogoff">-</Data>
<Data Name="LockoutThreshold">-</Data>
<Data Name="LockoutObservationWindow">-</Data>
<Data Name="LockoutDuration">-</Data>
<Data Name="PasswordProperties">-</Data>
<Data Name="MinPasswordLength">-</Data>
<Data Name="PasswordHistoryLength">13</Data>
<Data Name="MachineAccountQuota">-</Data>
<Data Name="MixedDomainMode">-</Data>
<Data Name="DomainBehaviorVersion">-</Data>
<Data Name="OemInformation">-</Data>
</EventData>
</Event>
VALUE / GROUP POLICY NAME \ DESCRIPTION
Logoff Policy: "Network security: Force logoff when logon hours expire" group policy setting was changed.
Subject:
Security ID [Type = SID]: SID of account that made a change to specific local policy. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made a change to specific local
policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Domain:
Domain Name [Type = UnicodeString]: the name of domain for which policy changes were made.
Domain ID [Type = SID]: the SID of domain for which policy changes were made. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in
the event.
Changed Attributes: For attributes which were not changed the value will be “-”.
Min. Password Age [Type = UnicodeString]: “\Security Settings\Account Policies\Password Policy\Minimum
password age” group policy. Numeric value.
Max. Password Age [Type = UnicodeString]: “\Security Settings\Account Policies\Password
Policy\Maximum password age” group policy. Numeric value.
Force Logoff [Type = UnicodeString]: “\Security Settings\Local Policies\Security Options\Network security:
Force logoff when logon hours expire” group policy.
Lockout Threshold [Type = UnicodeString]: “\Security Settings\Account Policies\Account Lockout
Policy\Account lockout threshold” group policy. Numeric value.
Lockout Observation Window [Type = UnicodeString]: “\Security Settings\Account Policies\Account
Lockout Policy\Reset account lockout counter after” group policy. Numeric value.
Lockout Duration [Type = UnicodeString]: “\Security Settings\Account Policies\Account Lockout
Policy\Account lockout duration” group policy. Numeric value.
Password Properties [Type = UnicodeString]:
OEM Information [Type = UnicodeString]: there is no information about this field in this document.
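Extracting the changed attributes from a 4739 event, using the page's rule that an attribute which did not change is reported as “-”. Added example, not Microsoft's code: PAGE_EXAMPLE reproduces the page's own event data, LOCKOUT_OFF is a constructed variant, and the password-length and history baselines are assumptions.

```python
"""Pull the changed attributes out of a 4739 (Domain Policy was changed) event.
Added example, not Microsoft's code.  '-' marks an attribute that did not change."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"
DOMAIN_SID = "S-1-5-21-3457937927-2839227994-823803824"  # CONTOSO domain SID from the page's XML

# Policy attribute names exactly as they appear in the 4739 EventData block on the page.
POLICY_ATTRIBUTES = (
    "MinPasswordAge", "MaxPasswordAge", "ForceLogoff", "LockoutThreshold",
    "LockoutObservationWindow", "LockoutDuration", "PasswordProperties",
    "MinPasswordLength", "PasswordHistoryLength", "MachineAccountQuota",
    "MixedDomainMode", "DomainBehaviorVersion", "OemInformation",
)

EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4739</EventID>
    <Task>13569</Task>
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
%s
  </EventData>
</Event>"""


def make_4739(policy, subject_sid, subject_name, **changed):
    """Build a 4739 event in the page's layout; attributes not passed are written as '-'."""
    rows = [("DomainPolicyChanged", policy), ("DomainName", "CONTOSO"), ("DomainSid", DOMAIN_SID),
            ("SubjectUserSid", subject_sid), ("SubjectUserName", subject_name),
            ("SubjectDomainName", "CONTOSO"), ("SubjectLogonId", "0x3e7"), ("PrivilegeList", "-")]
    rows += [(name, changed.get(name, "-")) for name in POLICY_ATTRIBUTES]
    body = "\n".join('    <Data Name="%s">%s</Data>' % row for row in rows)
    return EVENT_TEMPLATE % (body,)


def event_data(xml_text):
    """Map every EventData <Data Name=...> element to its text."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}


def changed_attributes(xml_text):
    """Only the policy attributes that actually changed, keyed by their EventData name."""
    d = event_data(xml_text)
    return {k: d[k] for k in POLICY_ATTRIBUTES if d.get(k, "-") != "-"}


def review_4739(xml_text, min_password_length=14, min_history=24):
    """Return (changed attributes, findings).  The two thresholds are an assumed baseline."""
    d = event_data(xml_text)
    changed = changed_attributes(xml_text)
    findings = []
    if d["SubjectUserSid"] != SYSTEM_SID:
        findings.append("changed-by-non-system")      # the page's example shows SYSTEM (DC01$) as subject
    if changed.get("LockoutThreshold") == "0":
        findings.append("lockout-disabled")           # a threshold of 0 means accounts are never locked out
    if "MinPasswordLength" in changed and int(changed["MinPasswordLength"]) < min_password_length:
        findings.append("min-password-length-below-baseline")
    if "PasswordHistoryLength" in changed and int(changed["PasswordHistoryLength"]) < min_history:
        findings.append("password-history-below-baseline")
    return changed, findings


# The page's event (only PasswordHistoryLength changed, to 13) and a constructed lockout change.
PAGE_EXAMPLE = make_4739("Password Policy", SYSTEM_SID, "DC01$", PasswordHistoryLength="13")
LOCKOUT_OFF = make_4739("Account Lockout Policy", DOMAIN_SID + "-1104", "dadmin", LockoutThreshold="0")

if __name__ == "__main__":
    for name, xml_text in [("page example", PAGE_EXAMPLE), ("lockout disabled", LOCKOUT_OFF)]:
        print(name, "->", review_4739(xml_text))
```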
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in the table below:
PRIVILEGE NAME (USER RIGHT GROUP POLICY NAME): DESCRIPTION
SeAuditPrivilege (Generate security audits): With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege (Create a pagefile): With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation): Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege (Impersonate a client after authentication): With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege (Adjust memory quotas for a process): Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege (Increase a process working set): Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege (Load and unload device drivers): Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege (Add workstations to domain): With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.
SeRemoteShutdownPrivilege (Force shutdown from a remote system): Required to shut down a system using a network request.
SeShutdownPrivilege (Shut down the system): Required to shut down a local system.
SeSyncAgentPrivilege (Synchronize directory service data): This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemEnvironmentPrivilege (Modify firmware environment values): Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeSystemtimePrivilege (Change the system time): Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege (Take ownership of files or other objects): Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege (Act as part of the operating system): This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege (Change the time zone): Required to adjust the time zone associated with the computer's internal clock.
Applies to
Windows 10
Windows Server 2016
This event is generated when a namespace collision was detected.
There is no example of this event in this document.
Subcategory: Audit Authentication Policy Change
Event Schema:
A namespace collision was detected.
Target Type:%1
Target Name:%2
Forest Root:%3
Top Level Name:%4
DNS Name:%5
NetBIOS Name:%6
Security ID:%7
New Flags:%8
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates when a new trusted forest information entry was added.
This event is generated only on domain controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4865</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-02T03:11:33.397715700Z" />
<EventRecordID>1049810</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="4808" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ForestRoot">Fabrikam.local</Data>
<Data Name="ForestRootSid">S-1-5-21-2703072690-1374247579-2643703677</Data>
<Data Name="OperationId">0x648620</Data>
<Data Name="EntryType">2</Data>
<Data Name="Flags">0</Data>
<Data Name="TopLevelName">-</Data>
<Data Name="DnsName">Fabrikam.local</Data>
<Data Name="NetbiosName">FABRIKAM</Data>
<Data Name="DomainSid">S-1-5-21-2703072690-1374247579-2643703677</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x138eb0</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “add a trusted forest
information entry” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Trust Information:
Forest Root [Type = UnicodeString]: the name of the Active Directory forest for which trusted forest
information entry was added.
Forest Root SID [Type = SID]: the SID of the Active Directory forest for which trusted forest information entry
was added. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be
resolved, you will see the source data in the event.
Operation ID [Type = HexInt64]: unique hexadecimal identifier of the operation. You can correlate this event
with other events (4866(S): A trusted forest information entry was removed, 4867(S): A trusted forest information entry was modified) using this field.
Entry Type [Type = UInt32]: the type of added entry:
Flags [Type = UInt32]: The following table specifies the possible flags.
Some flag values are reused for different forest record types. See the “Meaning” column for more
information.
Top Level Name [Type = UnicodeString]: the name of the new trusted forest information entry.
DNS Name [Type = UnicodeString]: DNS name of the trust partner. This parameter might not be captured
in the event, and in that case appears as “-”.
NetBIOS Name [Type = UnicodeString]: NetBIOS name of the trust partner. This parameter might not be
captured in the event, and in that case appears as “-”.
Domain SID [Type = SID]: SID of the trust partner. This parameter might not be captured in the event, and
in that case appears as “NULL SID”.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates when the trusted forest information entry was removed.
This event is generated only on domain controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4865</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-02T03:11:33.397715700Z" />
<EventRecordID>1049810</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="4808" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ForestRoot">Fabrikam.local</Data>
<Data Name="ForestRootSid">S-1-5-21-2703072690-1374247579-2643703677</Data>
<Data Name="OperationId">0x648620</Data>
<Data Name="EntryType">2</Data>
<Data Name="Flags">0</Data>
<Data Name="TopLevelName">-</Data>
<Data Name="DnsName">Fabrikam.local</Data>
<Data Name="NetbiosName">FABRIKAM</Data>
<Data Name="DomainSid">S-1-5-21-2703072690-1374247579-2643703677</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x138eb0</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “remove a trusted
forest information entry” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Trust Information:
Forest Root [Type = UnicodeString]: the name of the Active Directory forest for which trusted forest
information entry was removed.
Forest Root SID [Type = SID]: the SID of the Active Directory forest for which trusted forest information entry
was removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot
be resolved, you will see the source data in the event.
Operation ID [Type = HexInt64]: unique hexadecimal identifier of the operation. You can correlate this event
with other events (4865(S): A trusted forest information entry was added, 4867(S): A trusted forest information entry was modified) using this field.
Entry Type [Type = UInt32]: the type of removed entry:
Flags [Type = UInt32]: The following table specifies the possible flags.
Some flag values are reused for different forest record types. See the “Meaning” column for more
information.
Top Level Name [Type = UnicodeString]: the name of the removed trusted forest information entry.
DNS Name [Type = UnicodeString]: DNS name of the trust partner. This parameter might not be captured
in the event, and in that case appears as “-”.
NetBIOS Name [Type = UnicodeString]: NetBIOS name of the trust partner. This parameter might not be
captured in the event, and in that case appears as “-”.
Domain SID [Type = SID]: SID of the trust partner. This parameter might not be captured in the event, and
in that case appears as “NULL SID”.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates when a trusted forest information entry was modified.
This event is generated only on domain controllers.
This event contains new values only; it doesn’t contain old values and it doesn’t show you which trust attributes were modified.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4865</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-02T03:11:33.397715700Z" />
<EventRecordID>1049810</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="4808" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ForestRoot">Fabrikam.local</Data>
<Data Name="ForestRootSid">S-1-5-21-2703072690-1374247579-2643703677</Data>
<Data Name="OperationId">0x648620</Data>
<Data Name="EntryType">2</Data>
<Data Name="Flags">0</Data>
<Data Name="TopLevelName">-</Data>
<Data Name="DnsName">Fabrikam.local</Data>
<Data Name="NetbiosName">FABRIKAM</Data>
<Data Name="DomainSid">S-1-5-21-2703072690-1374247579-2643703677</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x138eb0</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “modify/change a
trusted forest information entry” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Trust Information:
Forest Root [Type = UnicodeString]: the name of the Active Directory forest for which trusted forest
information entry was modified.
Forest Root SID [Type = SID]: the SID of the Active Directory forest for which trusted forest information entry
was modified. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot
be resolved, you will see the source data in the event.
Operation ID [Type = HexInt64]: unique hexadecimal identifier of the operation. You can correlate this event
with other events (4865(S): A trusted forest information entry was added, 4866(S): A trusted forest information entry was removed) using this field.
Entry Type [Type = UInt32]: the type of modified entry:
Flags [Type = UInt32]: The following table specifies the possible flags.
Some flag values are reused for different forest record types. See the “Meaning” column for more
information.
Top Level Name [Type = UnicodeString]: the name of the modified trusted forest information entry.
DNS Name [Type = UnicodeString]: DNS name of the trust partner. This parameter might not be captured
in the event, and in that case appears as “-”.
NetBIOS Name [Type = UnicodeString]: NetBIOS name of the trust partner. This parameter might not be
captured in the event, and in that case appears as “-”.
Domain SID [Type = SID]: SID of the trust partner. This parameter might not be captured in the event, and
in that case appears as “NULL SID”.
Applies to
Windows 10
Windows Server 2016
Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right
policies, changes in security token object permission, resource attributes changes and Central Access Policy
changes for file system objects.
Recommendation table columns: Computer Type, General Success, General Failure, Stronger Success, Stronger Failure, Comments.
Events List:
4703(S): A user right was adjusted.
4704(S): A user right was assigned.
4705(S): A user right was removed.
4670(S): Permissions on an object were changed.
4911(S): Resource attributes of the object were changed.
4913(S): Central Access Policy on the object was changed.
Event volume: Medium to High.
4703(S): A user right was adjusted.
4/5/2019 • 15 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authorization Policy Change
Event Description:
This event generates when token privileges were enabled or disabled for a specific account’s token.
As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that changes token privileges through the AdjustTokenPrivileges API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4703</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13570</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-12T20:49:46.365958700Z" />
    <EventRecordID>5245</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="3632" />
    <Channel>Security</Channel>
    <Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-5-18</Data>
    <Data Name="TargetUserName">WIN-GG82ULGC9GO$</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x3e7</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="ProcessId">0x270</Data>
    <Data Name="EnabledPrivilegeList">SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege</Data>
    <Data Name="DisabledPrivilegeList">-</Data>
  </EventData>
</Event>
Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “enable” or “disable”
operation for Target Account privileges.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of the account for which privileges were enabled or disabled. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account for which privileges were enabled or
disabled.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that enabled or disabled token
privileges. Process ID (PID ) is a number used by the operating system to uniquely identify an active
process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Enabled Privileges [Type = UnicodeString]: the list of enabled user rights. This event generates only for user
rights, not logon rights. User rights that can appear in this field include the following (privilege name, the user right’s Group Policy name, and a description):
SeAuditPrivilege (Generate security audits): With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege (Create a pagefile): With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation): Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the “Account cannot be delegated” account control flag set.
SeImpersonatePrivilege (Impersonate a client after authentication): With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege (Adjust memory quotas for a process): Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege (Increase a process working set): Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege (Load and unload device drivers): Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege (Add workstations to domain): With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.
SeRemoteShutdownPrivilege (Force shutdown from a remote system): Required to shut down a system using a network request.
SeShutdownPrivilege (Shut down the system): Required to shut down a local system.
SeSyncAgentPrivilege (Synchronize directory service data): This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemtimePrivilege (Change the system time): Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege (Take ownership of files or other objects): Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege (Act as part of the operating system): This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege (Change the time zone): Required to adjust the time zone associated with the computer's internal clock.
Disabled Privileges [Type = UnicodeString]: the list of disabled user rights. See possible values in the table
above.
Type of monitoring required, with the recommendation for each:
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
  Recommendation: Monitor this event with the “Subject\Security ID” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
  Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
  Recommendation: Monitor this event with the “Subject\Security ID” or “Target Account\Security ID” that correspond to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
  Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist. Also check the “Target Account\Security ID” and “Enabled Privileges” to see what was enabled.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
  Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
  Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all.
  Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about. Also check “Target Account\Security ID” to see whether the change in privileges should be made on that computer for that account.
User rights that should be restricted or monitored: You might have a list of user rights that you want to restrict or monitor.
  Recommendation: Monitor this event and compare the “Enabled Privileges” to your list of user rights. Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers. For example, you might have SeDebugPrivilege on a list of user rights to be restricted.
Account naming conventions: Your organization might have specific naming conventions for account names.
  Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
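The recommendations above, as an added Python example that is not code from the Microsoft page: it parses the 4703 EventData fields described in the field list (Subject, Target Account, Process Information, Enabled and Disabled Privileges), converts the hexadecimal Process ID and Logon ID to the decimal values Task Manager shows, and raises an alert when an enabled privilege is on a restricted list such as SeDebugPrivilege, or when the subject adjusted another account’s token. The restricted list is a placeholder policy, and the sample events are constructed: the first reproduces the svchost.exe event shown above, the second (account name dadmin, the process path and its logon ID) is hypothetical.

```python
"""Triage of event 4703 (token privileges adjusted) from Security log XML.

Added example, not code from the Microsoft page. Parses the EventData fields
described in the 4703 field list and applies two monitoring recommendations:
alert on enabled privileges from a restricted list, and flag a subject that
adjusted another account's token. RESTRICTED is a placeholder policy; the
sample events are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Placeholder policy (assumption): rights the page suggests restricting.
RESTRICTED = {"SeDebugPrivilege", "SeTcbPrivilege"}


def _privs(value):
    """EnabledPrivilegeList / DisabledPrivilegeList: '-' means empty."""
    return set() if value.strip() == "-" else set(value.split())


def parse_4703(xml_text):
    """Return the 4703 fields a detection rule needs, with IDs as integers."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    if event_id != 4703:
        raise ValueError(f"expected event 4703, got {event_id}")
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "subject_sid": data["SubjectUserSid"],
        "subject": data["SubjectDomainName"] + "\\" + data["SubjectUserName"],
        "target_sid": data["TargetUserSid"],
        "target": data["TargetDomainName"] + "\\" + data["TargetUserName"],
        # Logon ID and Process ID are logged in hex; Task Manager shows decimal.
        "logon_id": int(data["SubjectLogonId"], 16),
        "pid": int(data["ProcessId"], 16),
        "process": data["ProcessName"],
        "enabled": _privs(data["EnabledPrivilegeList"]),
        "disabled": _privs(data["DisabledPrivilegeList"]),
    }


def findings_4703(event, restricted=RESTRICTED):
    """Alerts per the 'user rights that should be restricted' recommendation."""
    alerts = []
    hits = sorted(event["enabled"] & restricted)
    if hits:
        alerts.append(f"{', '.join(hits)} enabled by {event['subject']} "
                      f"in {event['process']} (PID {event['pid']})")
    if event["subject_sid"] != event["target_sid"]:
        alerts.append(f"{event['subject']} adjusted the token of {event['target']}")
    return alerts


def _event(subject_sid, subject, logon_id, target_sid, target, pid_hex, process, enabled):
    """Constructed 4703 event in the EventData layout shown on the page."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4703</EventID><Channel>Security</Channel></System>"
        "<EventData>"
        f'<Data Name="SubjectUserSid">{subject_sid}</Data>'
        f'<Data Name="SubjectUserName">{subject}</Data>'
        '<Data Name="SubjectDomainName">CONTOSO</Data>'
        f'<Data Name="SubjectLogonId">{logon_id}</Data>'
        f'<Data Name="TargetUserSid">{target_sid}</Data>'
        f'<Data Name="TargetUserName">{target}</Data>'
        '<Data Name="TargetDomainName">CONTOSO</Data>'
        f'<Data Name="TargetLogonId">{logon_id}</Data>'
        f'<Data Name="ProcessName">{process}</Data>'
        f'<Data Name="ProcessId">{pid_hex}</Data>'
        f'<Data Name="EnabledPrivilegeList">{enabled}</Data>'
        '<Data Name="DisabledPrivilegeList">-</Data>'
        "</EventData></Event>"
    )


# Constructed samples: the page's svchost.exe event (SYSTEM adjusting its own
# token), and a hypothetical account "dadmin" enabling SeDebugPrivilege.
SAMPLES = [
    _event("S-1-5-18", "WIN-GG82ULGC9GO$", "0x3e7", "S-1-5-18", "WIN-GG82ULGC9GO$",
           "0x270", r"C:\Windows\System32\svchost.exe",
           "SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeBackupPrivilege"),
    _event("S-1-5-21-3457937927-2839227994-823803824-1104", "dadmin", "0x5a1b3",
           "S-1-5-21-3457937927-2839227994-823803824-1104", "dadmin",
           "0x1a2c", r"C:\Users\dadmin\AppData\Local\Temp\tool.exe",
           "SeDebugPrivilege"),
]

if __name__ == "__main__":
    for xml_text in SAMPLES:
        ev = parse_4703(xml_text)
        print(ev["process"], ev["pid"], findings_4703(ev) or "no findings")
```

The page warns that Configuration Manager’s WMI activity floods 4703 with events from svchost.exe running as SYSTEM; such events have Subject equal to Target and enable no restricted privilege, so they produce no findings here. That is the shape of suppression a SIEM rule needs if Success auditing for this subcategory is to stay on.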
4704(S): A user right was assigned.
4/5/2019 • 12 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authorization Policy Change
Event Description:
This event generates every time the local user right policy is changed and a user right is assigned to an account.
You will see a unique event for every user.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4704</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13570</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-10-02T22:08:07.136050600Z" />
    <EventRecordID>1049866</EventRecordID>
    <Correlation />
    <Execution ProcessID="500" ThreadID="1216" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="PrivilegeList">SeAuditPrivilege SeIncreaseWorkingSetPrivilege</Data>
  </EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that made a change to local user right policy. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made a change to local user right
policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Account Name [Type = SID]: the SID of the security principal for which user rights were assigned. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
New Right:
User Right [Type = UnicodeString]: the list of assigned user rights. This event generates only for user rights,
not logon rights. User rights that can appear in this field include the following (privilege name, the user right’s Group Policy name, and a description):
SeAuditPrivilege (Generate security audits): With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege (Create a pagefile): With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation): Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the “Account cannot be delegated” account control flag set.
SeImpersonatePrivilege (Impersonate a client after authentication): With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege (Adjust memory quotas for a process): Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege (Increase a process working set): Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege (Load and unload device drivers): Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege (Add workstations to domain): With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.
SeRemoteShutdownPrivilege (Force shutdown from a remote system): Required to shut down a system using a network request.
SeShutdownPrivilege (Shut down the system): Required to shut down a local system.
SeSyncAgentPrivilege (Synchronize directory service data): This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemEnvironmentPrivilege (Modify firmware environment values): Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeSystemtimePrivilege (Change the system time): Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege (Take ownership of files or other objects): Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege (Act as part of the operating system): This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege (Change the time zone): Required to adjust the time zone associated with the computer's internal clock.
Type of monitoring required, with the recommendation for each:
Actions typically performed by the SYSTEM account: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM.
  Recommendation: Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever “Subject\Security ID” is not SYSTEM.
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
  Recommendation: Monitor this event with the “Subject\Security ID” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
  Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
  Recommendation: Monitor this event with the “Subject\Security ID” or “Target Account\Account Name” that correspond to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
  Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist. Also check the “Target Account\Account Name” and “New Right” to see what was enabled.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
  Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
  Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all.
  Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about. Also check “Target Account\Account Name” to see whether the change in rights should be made on that computer for that account.
User rights that should be restricted or monitored: You might have a list of user rights that you want to restrict or monitor.
  Recommendation: Monitor this event and compare the “New Right\User Right” to your list of user rights, to see whether the right should be assigned to “Target Account\Account Name.” Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers. For example, your list of restricted rights might say that only administrative accounts should have SeAuditPrivilege. As another example, your list might say that no accounts should have SeTcbPrivilege or SeDebugPrivilege.
Account naming conventions: Your organization might have specific naming conventions for account names.
  Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
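The 4704 recommendations above, and the 4705 event described next (its fields are the mirror image: a right removed instead of assigned), as an added Python example that is not code from the Microsoft page: it parses TargetSid and PrivilegeList, replays a stream of 4704/4705 events into a per-SID ledger of currently assigned rights, reports any change whose Subject\Security ID is not SYSTEM, and alerts when a right on a “never assign” list is granted. The list (SeTcbPrivilege and SeDebugPrivilege, following the table’s example) is a placeholder policy. The first two sample events mirror the page’s 4704 and 4705 examples; the third, with an assumed subject SID and the account name dadmin, is hypothetical.

```python
"""Tracking user-right assignments from events 4704 and 4705.

Added example, not code from the Microsoft page. Parses the TargetSid and
PrivilegeList fields described in the 4704/4705 field lists, keeps a per-SID
ledger of rights granted by local user right policy, and implements two of
the monitoring recommendations: report any change whose Subject is not SYSTEM,
and alert when a right on NEVER_ASSIGN (a placeholder policy) is assigned.
The sample events are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"
# Placeholder policy (assumption), following the table's SeTcbPrivilege example.
NEVER_ASSIGN = {"SeTcbPrivilege", "SeDebugPrivilege"}


def parse_right_change(xml_text):
    """Return the fields of a 4704 (right assigned) or 4705 (right removed) event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    if event_id not in (4704, 4705):
        raise ValueError(f"expected event 4704 or 4705, got {event_id}")
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "event_id": event_id,
        "subject_sid": data["SubjectUserSid"],
        "subject": data["SubjectDomainName"] + "\\" + data["SubjectUserName"],
        "target_sid": data["TargetSid"],                 # Target Account\Account Name
        "rights": set(data["PrivilegeList"].split()),    # New Right / Removed Right
    }


class RightsLedger:
    """Per-SID set of user rights, rebuilt from the 4704/4705 stream."""

    def __init__(self):
        self.rights = {}

    def apply(self, ev):
        """Update the ledger and return the alerts raised by this event."""
        alerts = []
        held = self.rights.setdefault(ev["target_sid"], set())
        if ev["event_id"] == 4704:
            held |= ev["rights"]
            bad = sorted(ev["rights"] & NEVER_ASSIGN)
            if bad:
                alerts.append(f"{', '.join(bad)} assigned to {ev['target_sid']}")
        else:
            held -= ev["rights"]
        if ev["subject_sid"] != SYSTEM_SID:
            alerts.append(f"policy changed by non-SYSTEM subject {ev['subject']}")
        return alerts


def _event(event_id, subject_sid, subject, target_sid, rights):
    """Constructed 4704/4705 event in the EventData layout shown on the page."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID><Channel>Security</Channel></System>"
        "<EventData>"
        f'<Data Name="SubjectUserSid">{subject_sid}</Data>'
        f'<Data Name="SubjectUserName">{subject}</Data>'
        '<Data Name="SubjectDomainName">CONTOSO</Data>'
        '<Data Name="SubjectLogonId">0x3e7</Data>'
        f'<Data Name="TargetSid">{target_sid}</Data>'
        f'<Data Name="PrivilegeList">{rights}</Data>'
        "</EventData></Event>"
    )


USER = "S-1-5-21-3457937927-2839227994-823803824-1104"   # target SID from the page
SAMPLES = [
    _event(4704, SYSTEM_SID, "DC01$", USER, "SeAuditPrivilege SeIncreaseWorkingSetPrivilege"),
    _event(4705, SYSTEM_SID, "DC01$", USER, "SeTimeZonePrivilege"),
    # Hypothetical: an admin account (SID and name assumed) grants SeTcbPrivilege.
    _event(4704, "S-1-5-21-3457937927-2839227994-823803824-1105", "dadmin", USER, "SeTcbPrivilege"),
]


def replay(samples=SAMPLES):
    """Replay the stream; return the final ledger and the alerts per event."""
    ledger = RightsLedger()
    alerts = [ledger.apply(parse_right_change(x)) for x in samples]
    return ledger.rights, alerts


if __name__ == "__main__":
    rights, alerts = replay()
    print(rights)
    for i, a in enumerate(alerts):
        print(i, a or "no alerts")
```

The ledger only sees changes, so seed it from the current policy before replaying a log. In the page’s examples the Subject is the domain controller’s machine account (S-1-5-18), which is why the non-SYSTEM check is a cheap first filter.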
4705(S): A user right was removed.
4/5/2019 • 12 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authorization Policy Change
Event Description:
This event generates every time the local user right policy is changed and a user right is removed from an account.
You will see a unique event for every user.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4705</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13570</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-10-02T22:08:07.152488600Z" />
    <EventRecordID>1049867</EventRecordID>
    <Correlation />
    <Execution ProcessID="500" ThreadID="1216" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="PrivilegeList">SeTimeZonePrivilege</Data>
  </EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that made a change to local user right policy. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made a change to local user right
policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Account Name [Type = SID]: the SID of the security principal for which user rights were removed. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
Removed Right:
User Right [Type = UnicodeString]: the list of removed user rights. This event generates only for user rights,
not logon rights. User rights that can appear in this field include the following (privilege name, the user right’s Group Policy name, and a description):
SeAuditPrivilege (Generate security audits): With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege (Create a pagefile): With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation): Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the “Account cannot be delegated” account control flag set.
SeImpersonatePrivilege (Impersonate a client after authentication): With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege (Adjust memory quotas for a process): Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege (Increase a process working set): Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege (Load and unload device drivers): Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege (Add workstations to domain): With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.
SeRemoteShutdownPrivilege (Force shutdown from a remote system): Required to shut down a system using a network request.
SeShutdownPrivilege (Shut down the system): Required to shut down a local system.
SeSyncAgentPrivilege (Synchronize directory service data): This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemEnvironmentPrivilege (Modify firmware environment values): Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeSystemtimePrivilege (Change the system time): Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege (Take ownership of files or other objects): Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege (Act as part of the operating system): This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege (Change the time zone): Required to adjust the time zone associated with the computer's internal clock.
TYPE OF MONITORING REQUIRED | RECOMMENDATION
Actions typically performed by the SYSTEM account: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM. | Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever "Subject\Security ID" is not SYSTEM.
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the "Subject\Security ID" that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the "Subject\Security ID" (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the "Subject\Security ID" or "Target Account\Account Name" that correspond to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "whitelist-only" action, review the "Subject\Security ID" for accounts that are outside the whitelist. If you have specific user rights policies, for example, a whitelist of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the "Removed Right" was removed from "Target Account\Account Name."
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the "Subject\Security ID" and "Target Account\Account Name" to see whether the account type is as expected. For example, if some accounts have critical user rights which should never be removed, monitor this event for the "Target Account\Account Name" and the appropriate rights. As another example, if non-administrative accounts should never be granted certain user rights (for example, SeAuditPrivilege), you might monitor this event, because a right can be removed only after it was previously granted.
External accounts: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the "Subject\Account Domain" corresponding to accounts from another domain or "external" accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target Computer: (or other target device) for actions performed by the "Subject\Security ID" that you are concerned about. Also be sure to check "Target Account\Account Name" to see whether user rights should be removed from that account (or whether that account should have any rights on that computer). For high-value servers or other computers, we recommend that you track this event and investigate whether the specific "Removed Right" should be removed from "Target Account\Account Name" in each case.
User rights that should be restricted: You might have a list of user rights that you want to monitor. | Monitor this event and compare the "Removed Right" to your list of restricted rights. Monitor this event to discover the removal of a right that should never have been granted (for example, SeTcbPrivilege), so that you can investigate further.
Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor "Subject\Account Name" for names that don't comply with naming conventions.
4670(S): Permissions on an object were changed.
4/5/2019 • 8 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Registry, Audit Authentication Policy Change, and Audit Authorization Policy Change
Event Description:
This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.
This event does not generate if the SACL (Auditing ACL) was changed.
Before this event can generate, certain ACEs might need to be set in the object's SACL. For example, for a file system object, it generates only if "Change Permissions" and/or "Take Ownership" are set in the object's SACL. For a registry key, it generates only if "Write DAC" and/or "Write Owner" are set in the object's SACL.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4670</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13570</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-18T19:36:50.187044600Z" />
    <EventRecordID>269529</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x43659</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Documents\netcat-1.11</Data>
    <Data Name="HandleId">0x3f0</Data>
    <Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
    <Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
    <Data Name="ProcessId">0xdb0</Data>
    <Data Name="ProcessName">C:\Windows\System32\dllhost.exe</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change object’s
permissions” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which
permissions were changed. For example, for a file, the path would be included. For Token objects, this field
typically equals “-“.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "4663(S): An attempt was made to access an object." This parameter might not be captured in the event, and in that case appears as "0x0".
Process:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the permissions were changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Permissions Change:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language (SDDL) value for the object.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language (SDDL) value for the object.
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
"D" - DACL
"S" - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE doesn't apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
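To make the SDDL notation above concrete, here is an added Python example (not code from the Microsoft page or from Windows) that splits an SDDL string into its O:, G:, D: and S: components and the six ACE fields, then diffs the OldSd and NewSd values of the 4670 event shown above to report exactly which ACE was added. All function and field names are the example's own; the well-known SID abbreviations are the ones listed on this page.

```python
"""Parse SDDL security descriptors and diff the OldSd/NewSd pair of a 4670 event.

Added example, not code from the Microsoft page: the two input strings are the
OldSd and NewSd values shown in the 4670 event XML above, and every function
and field name here is the example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Abbreviations used on this page; a full SID such as S-1-5-21-... passes through unchanged.
WELL_KNOWN_SIDS = {
    "WD": "Everyone", "AN": "Anonymous", "SY": "LOCAL_SYSTEM",
    "BA": "BUILTIN_ADMINISTRATORS", "BG": "BUILTIN_GUESTS",
}


@dataclass(frozen=True)
class Ace:
    """One (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid) entry."""
    ace_type: str
    ace_flags: str
    rights: str
    object_guid: str
    inherit_object_guid: str
    account_sid: str

    @property
    def inherited(self) -> bool:
        # "ID": the ACE came from a parent container rather than being set on this object.
        return "ID" in self.ace_flags


def _split_aces(body: str) -> tuple[str, list[str]]:
    """Split 'ARAI(A;;FA;;;WD)(A;;FA;;;SY)' into ('ARAI', ['A;;FA;;;WD', 'A;;FA;;;SY']).

    Parentheses are matched by depth, so a nested resource-attribute (RA) ACE does not
    break the scan.
    """
    first = body.find("(")
    if first < 0:
        return body, []                      # flags only, e.g. "AI" with no ACEs
    flags, rest = body[:first], body[first:]
    aces, depth, start = [], 0, 0
    for i, ch in enumerate(rest):
        if ch == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                aces.append(rest[start:i])
    return flags, aces


def parse_ace(text: str) -> Ace:
    """Parse the six semicolon-separated ACE fields (the extra field of RA ACEs is ignored)."""
    fields = text.split(";")
    if len(fields) < 6:
        raise ValueError(f"malformed ACE: {text!r}")
    return Ace(*fields[:6])


def parse_sddl(sddl: str) -> dict:
    """Return owner, group, DACL/SACL inheritance flags and ACE lists for an SDDL string."""
    parsed = {"owner": None, "group": None,
              "dacl_flags": "", "dacl": [], "sacl_flags": "", "sacl": []}
    # Each component starts with O:, G:, D: or S: and runs until the next such marker.
    for m in re.finditer(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl):
        key, body = m.group(1), m.group(2)
        if key == "O":
            parsed["owner"] = body
        elif key == "G":
            parsed["group"] = body
        else:
            flags, aces = _split_aces(body)
            name = "dacl" if key == "D" else "sacl"
            parsed[name + "_flags"] = flags
            parsed[name] = [parse_ace(a) for a in aces]
    return parsed


def diff_dacl(old_sddl: str, new_sddl: str) -> dict:
    """Report which DACL entries were added or removed between two descriptors."""
    old, new = parse_sddl(old_sddl), parse_sddl(new_sddl)
    old_set, new_set = set(old["dacl"]), set(new["dacl"])
    return {"added": sorted(new_set - old_set, key=str),
            "removed": sorted(old_set - new_set, key=str),
            "old_flags": old["dacl_flags"], "new_flags": new["dacl_flags"]}


def risky_grants(aces: list[Ace]) -> list[str]:
    """Flag allow ACEs that hand rights to Everyone or Anonymous, as a reviewer would."""
    findings = []
    for ace in aces:
        if ace.ace_type == "A" and ace.account_sid in ("WD", "AN"):
            scope = "inherited" if ace.inherited else "explicit"
            findings.append(f"{scope} allow ACE grants {ace.rights} to {WELL_KNOWN_SIDS[ace.account_sid]}")
    return findings


# Constructed inputs: the OldSd and NewSd values from the 4670 event XML on this page.
OLD_SD = ("D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)"
          "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"
          "(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)")
NEW_SD = ("D:ARAI(A;OICI;FA;;;WD)"
          "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)"
          "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"
          "(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)")

if __name__ == "__main__":
    change = diff_dacl(OLD_SD, NEW_SD)
    for ace in change["added"]:
        print("added:", ace)
    for finding in risky_grants(change["added"]):
        print("finding:", finding)
```

Run stand-alone, the script reports the one ACE that differs between the two descriptors on this page: an explicit (not inherited) allow entry granting FA to Everyone, which is exactly the kind of change the monitoring recommendations for this event ask you to review. The inherited flag matters for triage: an "ID" ACE arrived via inheritance from a parent folder, whereas an explicit one was set on the object itself.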
Important For this event, also see Appendix A: Security monitoring recommendations for many audit
events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If you have critical registry objects for which you need to monitor all modifications (especially permissions
changes and owner changes), monitor for the specific Object\Object Name.
If you have high-value computers for which you need to monitor all changes for all or specific objects (for
example, file system or registry objects), monitor for all 4670 events on these computers. For example, you
could monitor the ntds.dit file on domain controllers.
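The recommendations above, applied to one event record as an added Python example that is not part of the Microsoft page: the XML is the 4670 event shown above (trimmed to the fields the check uses), while the standard-folder list, restricted folders and words, and the critical-object list are constructed placeholders an operator would replace with their own. A second, constructed variant of the same event shows every rule firing.

```python
"""Check a 4670 event against the monitoring recommendations for this event.

Added example, not Microsoft's code. PAGE_EVENT_XML is the 4670 record shown on
this page; the policy tuples below are constructed placeholders to be tuned.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed policy (lower-case, compared case-insensitively).
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\",)
RESTRICTED_PROCESS_WORDS = ("mimikatz", "cain.exe")
CRITICAL_OBJECTS = ("\\ntds.dit",)

# An allow ACE whose trustee is Everyone (WD) or Anonymous (AN), in the SDDL form described above.
ALLOW_EVERYONE = re.compile(r"\(A;[^;]*;[^;]*;[^;]*;[^;]*;(?:WD|AN)\)")

# The 4670 event from this page; the System element is trimmed to what the check reads.
PAGE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4670</EventID>
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x43659</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Documents\netcat-1.11</Data>
    <Data Name="HandleId">0x3f0</Data>
    <Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
    <Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
    <Data Name="ProcessId">0xdb0</Data>
    <Data Name="ProcessName">C:\Windows\System32\dllhost.exe</Data>
  </EventData>
</Event>"""

# Constructed variant: same event, but with a process and object that trip every rule.
VARIANT_XML = (PAGE_EVENT_XML
               .replace(r"C:\Windows\System32\dllhost.exe",
                        r"C:\Users\Public\Temporary Internet Files\mimikatz.exe")
               .replace(r"C:\Documents\netcat-1.11", r"C:\Windows\NTDS\ntds.dit"))


def event_fields(xml_text: str) -> dict:
    """Pull EventID and the EventData name/value pairs out of a Security event record."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def review_4670(fields: dict) -> list:
    """Return one finding string per recommendation that applies to this event."""
    if fields.get("EventID") != "4670":
        return []
    findings = []
    proc_raw = fields.get("ProcessName", "")
    proc = proc_raw.lower()
    obj = fields.get("ObjectName", "").lower()
    if proc and not proc.startswith(STANDARD_FOLDERS):
        findings.append(f"process outside standard folders: {proc_raw}")
    if any(folder in proc for folder in RESTRICTED_FOLDERS):
        findings.append(f"process in restricted folder: {proc_raw}")
    if any(word in proc for word in RESTRICTED_PROCESS_WORDS):
        findings.append(f"restricted word in process name: {proc_raw}")
    if any(obj.endswith(name) for name in CRITICAL_OBJECTS):
        findings.append(f"permissions changed on critical object: {fields['ObjectName']}")
    # Allow ACEs for Everyone/Anonymous present in NewSd but absent from OldSd.
    new_grants = (set(ALLOW_EVERYONE.findall(fields.get("NewSd", "")))
                  - set(ALLOW_EVERYONE.findall(fields.get("OldSd", ""))))
    for ace in sorted(new_grants):
        findings.append(f"new allow ACE for Everyone/Anonymous: {ace}")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("page event", PAGE_EVENT_XML), ("variant", VARIANT_XML)):
        print(label, "->", review_4670(event_fields(xml_text)) or "no findings")
```

On the page's own record the process is in System32 and the object is not on the critical list, so only the last rule fires: NewSd contains an allow ACE for Everyone that OldSd did not. Which rule is worth an alert depends on the host; for a domain controller the ntds.dit rule alone justifies collecting every 4670 as the text suggests.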
4911(S): Resource attributes of the object were
changed.
4/5/2019 • 7 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authorization Policy Change
Event Description:
This event generates when resource attributes of the file system object were changed.
Resource attributes for file or folder can be changed, for example, using Windows File Explorer (object's Properties->Classification tab).
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4911</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13570</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-09T23:43:04.009319300Z" />
    <EventRecordID>1183714</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x37925</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Audit Files\HBI Data.txt</Data>
    <Data Name="HandleId">0x49c</Data>
    <Data Name="OldSd">S:AI</Data>
    <Data Name="NewSd">S:ARAI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
    <Data Name="ProcessId">0x67c</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that changed the resource attributes of
the file system object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation. Always
“File” for this event.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: full path and/or name of the object for which resource attributes were
changed.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "4663(S): An attempt was made to access an object." This parameter might not be captured in the event, and in that case appears as "0x0".
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the resource attributes of the file system object were changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Resource Attributes:
Original Security Descriptor [Type = UnicodeString]: the Security Descriptor Definition Language (SDDL) value for the old resource attributes.
For example: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
If no resource attributes were set to the object, then SDDL will not contain any attributes, for example "S:AI".
New Security Descriptor [Type = UnicodeString]: the Security Descriptor Definition Language (SDDL) value for the new resource attributes. See more information in Resource Attributes\Original Security Descriptor field section for this event.
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
"D" - DACL
"S" - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE doesn't apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
If you need to monitor events related to specific Windows object types (“Object Type”), for example File or
Key, monitor this event for the corresponding “Object Type.”
If you need to monitor all changes to specific files or folders (in this case, changes to resource attributes),
monitor for the “Object Name” that corresponds to the file or folder.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
You can track changes when, for example, a file was marked as High Impact, or was changed from High
Impact to Medium Impact, or a resource was marked as a data type for a specific department and so on.
This event can help track changes and resource attribute assignments, which you can see in “Original
Security Descriptor” and “New Security Descriptor” fields.
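The resource-attribute ACE format from the Resource Attributes field section, and the High Impact to Medium Impact tracking just described, as an added Python example that is not code from the Microsoft page: it extracts every ("PropertyID",Type,Flags,Value...) assignment from the OldSd and NewSd values and names the change. The "Impact_MS" property and the 3000 value are from the page's own event; the mapping of 1000/2000/3000 to Low/Medium/High is an assumed classification scale, as is the constructed "Department_MS" sample, so replace both with your organisation's own property definitions.

```python
"""Extract resource attribute assignments from 4911 OldSd/NewSd values.

Added example, not Microsoft's code. The 3000 Impact_MS value comes from the
4911 event on this page; IMPACT_SCALE is an assumed mapping, not something the
page states, and the Department_MS sample is constructed.
"""
import re

# One resource attribute ACE: (RA;flags;;;;sid;("PropertyID",Type,AttrFlags,Value[,Value...]))
RA_ACE = re.compile(
    r'\(RA;([^;]*);;;;([^;]*);\("([^"]+)",([A-Z]+),(0x[0-9A-Fa-f]+),([^)]*)\)\)')

# Assumed meaning of Impact_MS values; adjust to the organisation's own scale.
IMPACT_SCALE = {"1000": "Low", "2000": "Medium", "3000": "High"}


def resource_attributes(sddl: str) -> dict:
    """Return {property_id: [values]} for every RA ACE in the SACL part of an SDDL string."""
    attrs = {}
    for _flags, _sid, prop, _type, _attr_flags, values in RA_ACE.findall(sddl):
        # Values are comma separated; string-typed (TS) values carry surrounding quotes.
        attrs[prop] = [v.strip().strip('"') for v in values.split(",")]
    return attrs


def describe_impact_change(old_sddl: str, new_sddl: str) -> str:
    """Name the Impact_MS transition between the original and new descriptor."""
    old = resource_attributes(old_sddl).get("Impact_MS", [])
    new = resource_attributes(new_sddl).get("Impact_MS", [])

    def label(values: list) -> str:
        return IMPACT_SCALE.get(values[0], values[0]) if values else "none"

    before, after = label(old), label(new)
    if before == after:
        return f"Impact unchanged ({before})"
    if not old:
        return f"Impact set to {after}"
    if not new:
        return f"Impact cleared (was {before})"
    return f"Impact changed from {before} to {after}"


# Constructed inputs: the OldSd/NewSd pair from the 4911 event on this page, plus a
# constructed downgrade of the same file.
PAGE_OLD_SD = "S:AI"
PAGE_NEW_SD = 'S:ARAI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))'
DOWNGRADED_SD = 'S:ARAI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,2000))'

if __name__ == "__main__":
    print(describe_impact_change(PAGE_OLD_SD, PAGE_NEW_SD))      # the page's event
    print(describe_impact_change(PAGE_NEW_SD, DOWNGRADED_SD))    # High to Medium
    print(describe_impact_change(DOWNGRADED_SD, PAGE_OLD_SD))    # attribute removed
```

A downgrade or removal of a classification is the transition worth alerting on, since it is the change that loosens whatever Central Access Policy keys off that attribute; an upgrade is usually routine.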
4913(S): Central Access Policy on the object was
changed.
4/5/2019 • 8 minutes to read
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4913</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13570</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-09T23:40:43.118758100Z" />
    <EventRecordID>1183666</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x37901</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Audit Files\HBI Data.txt</Data>
    <Data Name="HandleId">0x3d4</Data>
    <Data Name="OldSd">S:AI</Data>
    <Data Name="NewSd">S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534)</Data>
    <Data Name="ProcessId">0x884</Data>
    <Data Name="ProcessName">C:\Windows\System32\dllhost.exe</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID