WinEvtx

Browse the WinEvtx mappings on this page, download the mappings (in CSV/STIX format), or visualize the sensor coverage in ATT&CK Navigator.

Download CSV Download STIX Open in ATT&CK Navigator

Enterprise

EVENT ID

EVENT DESCRIPTION

ATT&CK DATA SOURCE

ATT&CK DATA COMPONENT

1100

The event logging service has shut down.

Sensor Health

Host Status

1101

Audit events have been dropped by the transport.

Sensor Health

Host Status

1102

The audit log was cleared.

Sensor Health

Host Status

1104

The security Log is now full.

Sensor Health

Host Status

2002

A Windows Defender Firewall setting has changed.

Firewall

Firewall Metadata

2003

A Windows Defender Firewall setting in the Private profile has changed.

Firewall

Firewall Metadata

2004

A rule has been added to the Windows Defender Firewall exception list

Firewall

Firewall Rule Modification

2005

A rule has been modified in the Windows Defender Firewall exception list.

Firewall

Firewall Rule Modification

2006

A rule has been deleted in the Windows Defender Firewall exception list

Firewall

Firewall Rule Modification

2009

The Windows Firewall service failed to load Group Policy.

Firewall

Firewall Metadata

2033

All rules have been deleted from the Windows Firewall configuration on this computer.

Firewall

Firewall Rule Modification

4103

Module logging.

Command

Command Execution

4103

Module logging.

Script

Script Execution

4104

Script Block Logging.

Script

Script Execution

4610

An authentication package has been loaded by the Local Security Authority.

Logon Session

Logon Session Metadata

4611

A trusted logon process has been registered with the Local Security Authority.

Logon Session

Logon Session Metadata

4614

A notification package has been loaded by the Security Account Manager.

Logon Session

Logon Session Metadata

4616

The system time was changed.

Sensor Health

Host Status

4622

A security package has been loaded by the Local Security Authority.

Logon Session

Logon Session Metadata

4624

An account was successfully logged on

Logon Session

Logon Session Creation

4625

An account failed to log on

User Account

User Account Authentication

4634

An account was logged off

Logon Session

Logon Session Metadata

4647

User initiated logoff.

Logon Session

Logon Session Metadata

4648

A logon was attempted using explicit credentials.

User Account

User Account Authentication

4656

A handle to an object was requested.

File

File Access

4656

A handle to an object was requested.

Named Pipe

Named Pipe Metadata

4656

A handle to an object was requested

Process

Process Access

4656

A handle to an object was requested.

Service

Service Access

4657

A registry value was modified.

Windows Registry

Windows Registry Key Creation

4657

A registry value was modified.

Windows Registry

Windows Registry Key Deletion

4657

A registry value was modified.

Windows Registry

Windows Registry Key Modification

4660

An object was deleted.

File

File Deletion

4660

An object was deleted.

Windows Registry

Windows Registry Key Deletion

4661

A handle to an object was requested.

Active Directory

Active Directory Object Access

4661

A handle to an object was requested.

File

File Access

4662

An operation was performed on an object.

Active Directory

Active Directory Object Access

4663

An attempt was made to access an object

File

File Access

4663

An attempt was made to access an object.

File

File Creation

4663

An attempt was made to access an object.

File

File Deletion

4663

An attempt was made to access an object

Process

Process Access

4663

An attempt was made to access an object

Windows Registry

Windows Registry Key Access

4664

An attempt was made to create a hard link.

File

File Metadata

4670

Permissions on an object were changed.

File

File Modification

4670

Permissions on an object were changed.

Windows Registry

Windows Registry Key Modification

4672

Special privileges assigned to new logon.

Logon Session

Logon Session Modification

4673

A privileged service was called.

Logon Session

Logon Session Metadata

4674

An operation was attempted on a privileged object.

Logon Session

Logon Session Metadata

4674

An operation was attempted on a privileged object

User Account

User Account Metadata

4688

Program execution. When you start a program you are creating a process that stays open until the program ends

Process

Process Creation

4689

A process has exited.

Process

Process Termination

4690

An attempt was made to duplicate a handle to an object.

File

File Access

4696

A primary token was assigned to process. The assigning process fields identifies the process that started the child (new) process

Process

Process Creation

4697

A service was installed in the system.

Service

Service Creation

4698

A scheduled task was created.

Scheduled Job

Scheduled Job Creation

4699

A scheduled task was deleted.

Scheduled Job

Scheduled Job Deletion

4700

A scheduled task was enabled.

Scheduled Job

Scheduled Job Modification

4701

A scheduled task was disabled.

Scheduled Job

Scheduled Job Modification

4702

A scheduled task was updated.

Scheduled Job

Scheduled Job Modification

4703

A user right was adjusted.

User Account

User Account Modification

4717

System security access was granted to an account.

User Account

User Account Modification

4718

System security access was removed from an account.

User Account

User Account Modification

4719

System audit policy was changed.

Active Directory

Active Directory Object Modification

4720

A user account was created

User Account

User Account Creation

4722

A user account was enabled.

User Account

User Account Modification

4723

An attempt was made to change an account’s password.

User Account

User Account Modification

4724

An attempt was made to reset an account’s password

User Account

User Account Modification

4725

A user account was disabled.

User Account

User Account Modification

4726

A user account was deleted

User Account

User Account Deletion

4727

A security-enabled global group was created.

Group

Group Creation

4729

A member was removed from a security-enabled global group.

Group

Group Modification

4730

A security-enabled global group was deleted.

Group

Group Deletion

4731

A security-enabled local group was created.

Group

Group Creation

4732

A member was added to a security-enabled local group.

Group

Group Modification

4733

A member was removed from a security-enabled local group.

Group

Group Modification

4734

A security-enabled local group was deleted.

Group

Group Deletion

4735

A security-enabled local group was changed.

Group

Group Modification

4737

A security-enabled global group was changed.

Active Directory

Active Directory Object Modification

4738

A user account was changed.

User Account

User Account Modification

4740

A user account was locked out.

User Account

User Account Modification

4741

A computer account was created.

User Account

User Account Creation

4742

A computer account was changed.

User Account

User Account Modification

4743

A computer account was deleted.

User Account

User Account Deletion

4754

A security-enabled universal group was created.

Group

Group Creation

4755

A security-enabled universal group was changed.

Group

Group Modification

4756

A member was added to a security-enabled universal group.

Group

Group Modification

4757

A member was removed from a security-enabled universal group.

Group

Group Modification

4758

A security-enabled universal group was deleted.

Group

Group Deletion

4764

A groups type was changed.

Group

Group Modification

4767

A user account was unlocked.

User Account

User Account Modification

4768

A Kerberos authentication ticket (TGT) was requested.

Active Directory

Active Directory Credential Request

4769

A Kerberos service ticket was requested.

Active Directory

Active Directory Credential Request

4770

A Kerberos service ticket was renewed

Active Directory

Active Directory Object Modification

4771

Kerberos pre-authentication failed

Active Directory

Active Directory Credential Request

4773

A Kerberos service ticket request failed

Active Directory

Active Directory Object Access

4776

The computer attempted to validate the credentials for an account

User Account

User Account Authentication

4778

A session was reconnected to a Window Station.

Logon Session

Logon Session Creation

4779

A session was disconnected from a Window Station

Logon Session

Logon Session Terminated

4781

The name of an account was changed.

User Account

User Account Modification

4798

A user’s local group membership was enumerated.

Group

Group Enumeration

4799

A security-enabled local group membership was enumerated.

Group

Group Enumeration

4932

Synchronization of a replica of an Active Directory naming context has begun.

Active Directory

Active Directory Object Access

4946

A change has been made to Windows Firewall exception list. A rule was added.

Firewall

Firewall Rule Modification

4947

A change has been made to Windows Firewall exception list. A rule was modified.

Firewall

Firewall Rule Modification

4948

A change has been made to Windows Firewall exception list. A rule was deleted.

Firewall

Firewall Rule Modification

4950

A windows firewall setting has changed

Firewall

Firewall Metadata

4954

Windows firewall group policy settings has changed

Firewall

Firewall Metadata

4964

Special groups have been assigned to a new logon.

Logon Session

Logon Session Creation

5024

The Windows Firewall Service has started successfully.

Firewall

Firewall Enabled

5025

The Windows Firewall Service has been stopped.

Firewall

Firewall Disable

5031

The Windows Firewall Service blocked an application from accepting incoming connections on the network.

Network Traffic

Network Connection Creation

5034

The Windows Firewall Driver was stopped.

Firewall

Firewall Disable

5136

A directory service object was modified.

Active Directory

Active Directory Object Modification

5137

A directory service object was created.

Active Directory

Active Directory Object Creation

5138

A directory service object was undeleted

Active Directory

Active Directory Object Creation

5139

A directory service object was moved.

Active Directory

Active Directory Object Modification

5140

A network share object was accessed.

Network Share

Network Share Access

5141

A directory service object was deleted.

Active Directory

Active Directory Object Deletion

5142

A network share object was added.

Network Share

Network Share Creation

5143

A network share object was modified.

Network Share

Network Share Modification

5144

A network share object was deleted.

Network Share

Network Share Deletion

5145

A network share object was checked to see whether client can be granted desired access.

Named Pipe

Named Pipe Metadata

5145

A network share object was checked to see whether client can be granted desired access.

Network Share

Network Share Access

5154

The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

Network Traffic

Network Connection Creation

5155

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

Network Traffic

Network Connection Creation

5156

The Windows Filtering Platform has permitted a connection.

Network Traffic

Network Connection Creation

5157

The Windows Filtering Platform has blocked a connection.

Network Traffic

Network Connection Creation

5158

The Windows Filtering Platform has permitted a bind to a local port.

Network Traffic

Network Connection Creation

5159

The Windows Filtering Platform has blocked a bind to a local port.

Network Traffic

Network Connection Creation

5857

WMIProv provider started.

WMI

WMI Creation

5858

WMI Query Error.

WMI

WMI Creation

5859

WMI Event.

WMI

WMI Creation

5860

WMI temporary event created.

WMI

WMI Creation

5861

WMI permanent event created.

WMI

WMI Creation

6005

The Event log service was started.

Sensor Health

Host Status

6005

The Event log service was started.

Service

Service Metadata

6006

The Event log service was stopped.

Sensor Health

Host Status

6006

The Event log service was stopped.

Service

Service Metadata

6416

A new external device was recognized by the system.

Drive

Drive Creation

6419

A request was made to disable a device.

Drive

Drive Modification

6420

A device was disabled.

Drive

Drive Modification

6421

A request was made to enable a device.

Drive

Drive Modification

6422

A device was enabled.

Drive

Drive Modification

6423

The installation of this device is forbidden by system policy.

Drive

Drive Creation

6424

The installation of this device was allowed, after having previously been forbidden by policy.

Drive

Drive Creation