# Sagan windows-security.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# These rules monitor the events listed in the Microsoft "Events to monitor" guide at
# github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md
#
# Steve Rawls (srawls@quadrantsec.com) - 2018/05/22
# Rule shape used throughout this file:
#  - every rule selects on a single Windows Security event ID as it appears in the
#    syslog text, i.e. the ID followed by a colon (" <id>|3a| " in content: rules is
#    the same token as " <id>: " in pcre: rules);
#  - "content:" rules carry one modern (Vista+) event ID only, "pcre:" rules accept
#    the modern ID or its legacy (pre-Vista) ID as an alternation;
#  - only logs whose program matches *Security* are inspected;
#  - no rule looks at the event body (subject, target, status), so a rule fires on
#    every occurrence of its ID. The match is an unanchored substring search, so a
#    3-digit legacy ID such as " 612: " can in principle also hit the same digits in
#    another numeric field — NOTE(review): confirm false-positive rate in your logs.
# The first nine rules are classed suspicious-traffic; the rest system-event. The
# priority each classtype carries comes from classification.config, not this file.
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A monitored security event pattern has occurred"; content: " 4618|3a| "; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003766; sid: 5003766; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A replay attack was detected"; content: " 4649|3a| "; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003767; sid: 5003767; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] System audit policy was changed"; pcre: "/ 4719: | 612: /"; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003768; sid: 5003768; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] SID History was added to an account"; content: " 4765|3a| "; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003769; sid: 5003769; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt to add SID History to an account failed"; content: " 4766|3a| "; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003770; sid: 5003770; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to set the Directory Services Restore Mode Administrator Password"; content: " 4794|3a| "; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003764; sid: 5003764; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Role separation enabled:"; pcre: "/ 4897: | 801: /"; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003761; sid: 5003761; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Special groups have been assigned to a new logon"; content: " 4964|3a| "; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003765; sid: 5003765; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security setting was updated on the OCSP Responder Service"; content: " 5124|3a| "; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003762; sid: 5003762; rev: 1;)
# From here on every rule is classtype system-event.
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Possible denial-of-service (DoS) attack"; content: " 550|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003763; sid: 5003763; rev: 1;)
# Audit-log clearing (1102 / legacy 517) is a common anti-forensics signal; consider
# whether system-event is the priority you want for it in classification.config.
alert any any any -> any any (msg: "[WINDOWS-SECURITY] The audit log was cleared"; pcre: "/ 1102: | 517: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003392; sid: 5003392; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Administrator recovered system from CrashOnAuditFail"; content: " 4621|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003393; sid: 5003393; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] SIDs were filtered"; content: " 4675|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003394; sid: 5003394; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Backup of data protection master key was attempted"; content: " 4692|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003395; sid: 5003395; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Recovery of data protection master key was attempted"; content: " 4693|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003396; sid: 5003396; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A new trust was created to a domain"; pcre: "/ 4706: | 610: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003397; sid: 5003397; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Kerberos policy was changed"; pcre: "/ 4713: | 617: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003398; sid: 5003398; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Encrypted data recovery policy was changed"; pcre: "/ 4714: | 618: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003399; sid: 5003399; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] The audit policy (SACL) on an object was changed"; content: " 4715|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003400; sid: 5003400; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Trusted domain information was modified"; pcre: "/ 4716: | 620: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003401; sid: 5003401; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to reset an account's password"; pcre: "/ 4724: | 628: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003402; sid: 5003402; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled global group was created"; pcre: "/ 4727: | 631: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003403; sid: 5003403; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled local group was changed"; pcre: "/ 4735: | 639: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003404; sid: 5003404; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled global group was changed"; pcre: "/ 4737: | 641: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003405; sid: 5003405; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Domain Policy was changed"; pcre: "/ 4739: | 643: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003406; sid: 5003406; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled universal group was created"; pcre: "/ 4754: | 658: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003407; sid: 5003407; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled universal group was changed"; pcre: "/ 4755: | 659: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003408; sid: 5003408; rev: 1;)
# NOTE(review): the next two rules both match modern event 4764 (they differ only in
# the legacy alternative, 667 vs 668), so one 4764 event raises both sid 5003409 and
# sid 5003410 with different messages. This mirrors how Appendix L lists the pair;
# confirm the intended modern ID for "security-disabled group was deleted" before
# relying on either alert's wording.
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled group was deleted"; pcre: "/ 4764: | 667: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003409; sid: 5003409; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A group's type was changed"; pcre: "/ 4764: | 668: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003410; sid: 5003410; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] The ACL was set on accounts which are members of administrators groups"; pcre: "/ 4780: | 684: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003411; sid: 5003411; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] RPC detected an integrity violation while decrypting an incoming message"; content: " 4816|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003412; sid: 5003412; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A trusted forest information entry was added"; content: " 4865|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003413; sid: 5003413; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A trusted forest information entry was removed"; content: " 4866|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003414; sid: 5003414; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A trusted forest information entry was modified"; content: " 4867|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003415; sid: 5003415; rev: 1;)
# Certificate Services (AD CS) administration events.
alert any any any -> any any (msg: "[WINDOWS-SECURITY] The certificate manager denied a pending certificate request"; pcre: "/ 4868: | 772: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003416; sid: 5003416; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services revoked a certificate"; pcre: "/ 4870: | 774: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003417; sid: 5003417; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] The security permissions for Certificate Services changed"; pcre: "/ 4882: | 786: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003418; sid: 5003418; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] The audit filter for Certificate Services changed"; pcre: "/ 4885: | 789: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003419; sid: 5003419; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] The certificate manager settings for Certificate Services changed"; pcre: "/ 4890: | 794: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003420; sid: 5003420; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A property of Certificate Services changed"; pcre: "/ 4892: | 796: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003421; sid: 5003421; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] One or more rows have been deleted from the certificate database"; pcre: "/ 4896: | 800: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003422; sid: 5003422; rev: 1;)
# Audit-configuration changes (these affect what the other rules can ever see).
alert any any any -> any any (msg: "[WINDOWS-SECURITY] The CrashOnAuditFail value has changed"; content: " 4906|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003423; sid: 5003423; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Auditing settings on object were changed"; content: " 4907|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003424; sid: 5003424; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Special Groups Logon table modified"; content: " 4908|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003425; sid: 5003425; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Per User Audit Policy was changed"; pcre: "/ 4912: | 807: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003426; sid: 5003426; rev: 1;)
# IPsec events. 4961 and 4962 deliberately carry the same msg text; they are distinct
# IDs (presumably two variants of the replay-check drop — verify against the
# Microsoft reference above). The 4976-4978 messages are cut short of Microsoft's
# full wording; the event ID in content: is the real selector.
alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec dropped an inbound packet that failed an integrity check"; content: " 4960|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003427; sid: 5003427; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec dropped an inbound packet that failed a replay check"; content: " 4961|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003428; sid: 5003428; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec dropped an inbound packet that failed a replay check"; content: " 4962|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003429; sid: 5003429; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec dropped an inbound clear text packet that should have been secured"; content: " 4963|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003430; sid: 5003430; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)"; content: " 4965|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003431; sid: 5003431; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] During Main Mode negotiation"; content: " 4976|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003432; sid: 5003432; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] During Quick Mode negotiation"; content: " 4977|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003433; sid: 5003433; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] During Extended Mode negotiation"; content: " 4978|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003434; sid: 5003434; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Extended Mode negotiation failed"; content: " 4983|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003435; sid: 5003435; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Extended Mode negotiation failed"; content: " 4984|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003436; sid: 5003436; rev: 1;)
# Windows Firewall service/driver failures.
alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service was unable to retrieve the security policy from the local storage"; content: " 5027|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003437; sid: 5003437; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service was unable to parse the new security policy"; content: " 5028|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003438; sid: 5003438; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service failed to initialize the driver"; content: " 5029|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003439; sid: 5003439; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service failed to start"; content: " 5030|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003440; sid: 5003440; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Driver failed to start"; content: " 5035|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003441; sid: 5003441; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Driver detected critical runtime error"; content: " 5037|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003442; sid: 5003442; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Code integrity determined that the image hash of a file is not valid"; content: " 5038|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003443; sid: 5003443; rev: 1;)
# OCSP Responder Service lifecycle/configuration (5124, the security-setting change,
# is in the suspicious-traffic group above).
alert any any any -> any any (msg: "[WINDOWS-SECURITY] OCSP Responder Service Started"; content: " 5120|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003444; sid: 5003444; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] OCSP Responder Service Stopped"; content: " 5121|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003445; sid: 5003445; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A configuration entry changed in OCSP Responder Service"; content: " 5122|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003446; sid: 5003446; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A configuration entry changed in OCSP Responder Service"; content: " 5123|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003447; sid: 5003447; rev: 1;)
# Credential Manager backup/restore — both are legitimate admin actions but also the
# path by which stored credentials leave a host, so worth correlating with the user.
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Credential Manager credentials were backed up"; content: " 5376|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003448; sid: 5003448; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Credential Manager credentials were restored from a backup"; content: " 5377|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003449; sid: 5003449; rev: 1;)
# IPsec Services (IKEEXT) failures.
alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started"; content: " 5453|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003450; sid: 5003450; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services failed to get the complete list of network interfaces on the computer"; content: " 5480|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003451; sid: 5003451; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services failed to initialize RPC server"; content: " 5483|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003452; sid: 5003452; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services has experienced a critical failure and has been shut down"; content: " 5484|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003453; sid: 5003453; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces"; content: " 5485|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003454; sid: 5003454; rev: 1;)
# Group Policy and Network Policy Server (RADIUS) outcomes.
alert any any any -> any any (msg: "[WINDOWS-SECURITY] One or more errors occurred while processing security policy in the Group Policy objects"; content: " 6145|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003455; sid: 5003455; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server denied access to a user"; content: " 6273|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003456; sid: 5003456; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server discarded the request for a user"; content: " 6274|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003457; sid: 5003457; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server discarded the accounting request for a user"; content: " 6275|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003458; sid: 5003458; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server quarantined a user"; content: " 6276|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003459; sid: 5003459; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy"; content: " 6277|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003460; sid: 5003460; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server granted full access to a user because the host met the defined health policy"; content: " 6278|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003461; sid: 5003461; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server locked the user account due to repeated failed authentication attempts"; content: " 6279|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003462; sid: 5003462; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server unlocked the user account"; content: " 6280|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003463; sid: 5003463; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] General account database changed"; content: " 640|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003464; sid: 5003464; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Quality of Service Policy changed"; content: " 619|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003465; sid: 5003465; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] An error was encountered converting volume"; content: " 24586|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003466; sid: 5003466; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt to automatically restart conversion on volume failed"; content: " 24592|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003467; sid: 5003467; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Metadata write: Volume returning errors while trying to modify metadata"; content: " 24593|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003468; sid: 5003468; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Metadata rebuild: An attempt to write a copy of metadata on volume failed and may appear as disk corruption"; content: " 24594|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003469; sid: 5003469; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Windows is starting up"; pcre: "/ 4608: | 512: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003470; sid: 5003470; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Windows is shutting down"; pcre: "/ 4609: | 513: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003471; sid: 5003471; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An authentication package has been loaded by the Local Security Authority"; pcre: "/ 4610: | 514: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003472; sid: 5003472; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A trusted logon process has been registered with the Local Security Authority"; pcre: "/ 4611: | 515: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003473; sid: 5003473; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Internal resources allocated for the queuing of audit messages have been exhausted"; pcre: "/ 4612: | 516: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003474; sid: 5003474; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A notification package has been loaded by the Security Account Manager"; pcre: "/ 4614: | 518: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003475; sid: 5003475; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Invalid use of LPC port"; pcre: "/ 4615: | 519: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003476; sid: 5003476; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The system time was changed"; pcre: "/ 4616: | 520: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003477; sid: 5003477; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security package has been loaded by the Local Security Authority"; content: " 4622|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003478; sid: 5003478; rev: 1;)
# NOTE(review): the msg of the two rules below originally read "Low" (the Potential Criticality column of the Appendix L table, not the event summary); the legacy IDs 529-537 for 4625 are spelled out as separate alternatives so the pattern can match a real event line rather than the literal string " 529-537: ".
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An account was successfully logged on"; pcre: "/ 4624: | 528: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003479; sid: 5003479; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An account failed to log on"; pcre: "/ 4625: | 529: | 53[0-7]: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003480; sid: 5003480; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An account was logged off"; pcre: "/ 4634: | 538: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003481; sid: 5003481; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] IKE DoS-prevention mode started"; content: " 4646|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003482; sid: 5003482; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] User initiated logoff"; pcre: "/ 4647: | 551: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003483; sid: 5003483; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A logon was attempted using explicit credentials"; pcre: "/ 4648: | 552: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003484; sid: 5003484; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Main Mode security association was established"; content: " 4650|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003485; sid: 5003485; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Main Mode security association was established"; content: " 4651|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003486; sid: 5003486; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Main Mode negotiation failed"; content: " 4652|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003487; sid: 5003487; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Main Mode negotiation failed"; content: " 4653|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003488; sid: 5003488; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Quick Mode negotiation failed"; content: " 4654|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003489; sid: 5003489; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Main Mode security association ended"; content: " 4655|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003490; sid: 5003490; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A handle to an object was requested"; pcre: "/ 4656: | 560: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003491; sid: 5003491; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A registry value was modified"; pcre: "/ 4657: | 567: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003492; sid: 5003492; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The handle to an object was closed"; pcre: "/ 4658: | 562: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003493; sid: 5003493; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A handle to an object was requested with intent to delete"; content: " 4659|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003494; sid: 5003494; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An object was deleted"; pcre: "/ 4660: | 564: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003495; sid: 5003495; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A handle to an object was requested"; pcre: "/ 4661: | 565: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003496; sid: 5003496; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An operation was performed on an object"; pcre: "/ 4662: | 566: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003497; sid: 5003497; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to access an object"; pcre: "/ 4663: | 567: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003498; sid: 5003498; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to create a hard link"; content: " 4664|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003499; sid: 5003499; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to create an application client context"; content: " 4665|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003500; sid: 5003500; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An application attempted an operation"; content: " 4666|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003501; sid: 5003501; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An application client context was deleted"; content: " 4667|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003502; sid: 5003502; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An application was initialized"; content: " 4668|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003503; sid: 5003503; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Permissions on an object were changed"; content: " 4670|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003504; sid: 5003504; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An application attempted to access a blocked ordinal through the TBS"; content: " 4671|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003505; sid: 5003505; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Special privileges assigned to new logon"; pcre: "/ 4672: | 576: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003506; sid: 5003506; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A privileged service was called"; pcre: "/ 4673: | 577: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003507; sid: 5003507; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An operation was attempted on a privileged object"; pcre: "/ 4674: | 578: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003508; sid: 5003508; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A new process has been created"; pcre: "/ 4688: | 592: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003509; sid: 5003509; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A process has exited"; pcre: "/ 4689: | 593: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003510; sid: 5003510; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to duplicate a handle to an object"; pcre: "/ 4690: | 594: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003511; sid: 5003511; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Indirect access to an object was requested"; pcre: "/ 4691: | 595: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003512; sid: 5003512; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Protection of auditable protected data was attempted"; content: " 4694|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003513; sid: 5003513; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Unprotection of auditable protected data was attempted"; content: " 4695|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003514; sid: 5003514; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A primary token was assigned to process"; pcre: "/ 4696: | 600: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003515; sid: 5003515; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Attempt to install a service"; pcre: "/ 4697: | 601: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003516; sid: 5003516; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A scheduled task was created"; pcre: "/ 4698: | 602: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003517; sid: 5003517; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A scheduled task was deleted"; pcre: "/ 4699: | 602: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003518; sid: 5003518; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A scheduled task was enabled"; pcre: "/ 4700: | 602: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003519; sid: 5003519; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A scheduled task was disabled"; pcre: "/ 4701: | 602: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003520; sid: 5003520; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A scheduled task was updated"; pcre: "/ 4702: | 602: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003521; sid: 5003521; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user right was assigned"; pcre: "/ 4704: | 608: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003522; sid: 5003522; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user right was removed"; pcre: "/ 4705: | 609: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003523; sid: 5003523; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A trust to a domain was removed"; pcre: "/ 4707: | 611: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003524; sid: 5003524; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services was started"; content: " 4709|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003525; sid: 5003525; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services was disabled"; content: " 4710|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003526; sid: 5003526; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine Activity Detected"; content: " 4711|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003527; sid: 5003527; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services encountered a potentially serious failure"; content: " 4712|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003528; sid: 5003528; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] System security access was granted to an account"; pcre: "/ 4717: | 621: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003529; sid: 5003529; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] System security access was removed from an account"; pcre: "/ 4718: | 622: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003530; sid: 5003530; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user account was created"; pcre: "/ 4720: | 624: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003531; sid: 5003531; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user account was enabled"; pcre: "/ 4722: | 626: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003532; sid: 5003532; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to change an account's password"; pcre: "/ 4723: | 627: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003533; sid: 5003533; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user account was disabled"; pcre: "/ 4725: | 629: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003534; sid: 5003534; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user account was deleted"; pcre: "/ 4726: | 630: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003535; sid: 5003535; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was added to a security-enabled global group"; pcre: "/ 4728: | 632: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003536; sid: 5003536; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was removed from a security-enabled global group"; pcre: "/ 4729: | 633: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003537; sid: 5003537; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled global group was deleted"; pcre: "/ 4730: | 634: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003538; sid: 5003538; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled local group was created"; pcre: "/ 4731: | 635: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003539; sid: 5003539; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was added to a security-enabled local group"; pcre: "/ 4732: | 636: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003540; sid: 5003540; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was removed from a security-enabled local group"; pcre: "/ 4733: | 637: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003541; sid: 5003541; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled local group was deleted"; pcre: "/ 4734: | 638: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003542; sid: 5003542; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user account was changed"; pcre: "/ 4738: | 642: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003543; sid: 5003543; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user account was locked out"; pcre: "/ 4740: | 644: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003544; sid: 5003544; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A computer account was created"; pcre: "/ 4741: | 645: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003545; sid: 5003545; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A computer account was changed"; pcre: "/ 4742: | 646: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003546; sid: 5003546; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A computer account was deleted"; pcre: "/ 4743: | 647: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003547; sid: 5003547; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled local group was created"; pcre: "/ 4744: | 648: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003548; sid: 5003548; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled local group was changed"; pcre: "/ 4745: | 649: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003549; sid: 5003549; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was added to a security-disabled local group"; pcre: "/ 4746: | 650: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003550; sid: 5003550; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was removed from a security-disabled local group"; pcre: "/ 4747: | 651: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003551; sid: 5003551; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled local group was deleted"; pcre: "/ 4748: | 652: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003552; sid: 5003552; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled global group was created"; pcre: "/ 4749: | 653: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003553; sid: 5003553; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled global group was changed"; pcre: "/ 4750: | 654: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003554; sid: 5003554; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was added to a security-disabled global group"; pcre: "/ 4751: | 655: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003555; sid: 5003555; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was removed from a security-disabled global group"; pcre: "/ 4752: | 656: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003556; sid: 5003556; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled global group was deleted"; pcre: "/ 4753: | 657: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003557; sid: 5003557; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was added to a security-enabled universal group"; pcre: "/ 4756: | 660: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003558; sid: 5003558; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was removed from a security-enabled universal group"; pcre: "/ 4757: | 661: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003559; sid: 5003559; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled universal group was deleted"; pcre: "/ 4758: | 662: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003560; sid: 5003560; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled universal group was created"; pcre: "/ 4759: | 663: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003561; sid: 5003561; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled universal group was changed"; pcre: "/ 4760: | 664: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003562; sid: 5003562; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was added to a security-disabled universal group"; pcre: "/ 4761: | 665: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003563; sid: 5003563; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was removed from a security-disabled universal group"; pcre: "/ 4762: | 666: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003564; sid: 5003564; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user account was unlocked"; pcre: "/ 4767: | 671: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003565; sid: 5003565; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Kerberos service ticket was requested"; pcre: "/ 4769: | 673: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003567; sid: 5003567; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Kerberos service ticket was renewed"; pcre: "/ 4770: | 674: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003568; sid: 5003568; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Kerberos pre-authentication failed"; pcre: "/ 4771: | 675: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003569; sid: 5003569; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Kerberos authentication ticket request failed"; pcre: "/ 4772: | 676: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003570; sid: 5003570; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An account was mapped for logon"; pcre: "/ 4774: | 678: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003571; sid: 5003571; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An account could not be mapped for logon"; pcre: "/ 4775: | 679: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003572; sid: 5003572; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The domain controller failed to validate the credentials for an account"; content: " 4777|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003574; sid: 5003574; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A session was reconnected to a Window Station"; pcre: "/ 4778: | 682: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003575; sid: 5003575; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A session was disconnected from a Window Station"; pcre: "/ 4779: | 683: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003576; sid: 5003576; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The name of an account was changed:"; pcre: "/ 4781: | 685: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003577; sid: 5003577; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The password hash an account was accessed"; content: " 4782|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003578; sid: 5003578; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A basic application group was created"; pcre: "/ 4783: | 667: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003579; sid: 5003579; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A basic application group was changed"; content: " 4784|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003580; sid: 5003580; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was added to a basic application group"; pcre: "/ 4785: | 689: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003581; sid: 5003581; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was removed from a basic application group"; pcre: "/ 4786: | 690: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003582; sid: 5003582; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A nonmember was added to a basic application group"; pcre: "/ 4787: | 691: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003583; sid: 5003583; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A nonmember was removed from a basic application group"; pcre: "/ 4788: | 692: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003584; sid: 5003584; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A basic application group was deleted"; pcre: "/ 4789: | 693: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003585; sid: 5003585; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An LDAP query group was created"; pcre: "/ 4790: | 694: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003586; sid: 5003586; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Password Policy Checking API was called"; content: " 4793|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003587; sid: 5003587; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The workstation was locked"; content: " 4800|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003588; sid: 5003588; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The workstation was unlocked"; content: " 4801|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003589; sid: 5003589; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The screen saver was invoked"; content: " 4802|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003590; sid: 5003590; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The screen saver was dismissed"; content: " 4803|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003591; sid: 5003591; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A namespace collision was detected"; content: " 4864|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003592; sid: 5003592; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services received a resubmitted certificate request"; pcre: "/ 4869: | 773: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003593; sid: 5003593; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services received a request to publish the certificate revocation list (CRL)"; pcre: "/ 4871: | 775: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003594; sid: 5003594; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services published the certificate revocation list (CRL)"; pcre: "/ 4872: | 776: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003595; sid: 5003595; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A certificate request extension changed"; pcre: "/ 4873: | 777: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003596; sid: 5003596; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] One or more certificate request attributes changed"; pcre: "/ 4874: | 778: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003597; sid: 5003597; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services received a request to shut down"; pcre: "/ 4875: | 779: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003598; sid: 5003598; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services backup started"; pcre: "/ 4876: | 780: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003599; sid: 5003599; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services backup completed"; pcre: "/ 4877: | 781: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003600; sid: 5003600; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services restore started"; pcre: "/ 4878: | 782: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003601; sid: 5003601; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services restore completed"; pcre: "/ 4879: | 783: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003602; sid: 5003602; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services started"; pcre: "/ 4880: | 784: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003603; sid: 5003603; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services stopped"; pcre: "/ 4881: | 785: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003604; sid: 5003604; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services retrieved an archived key"; pcre: "/ 4883: | 787: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003605; sid: 5003605; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services imported a certificate into its database"; pcre: "/ 4884: | 788: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003606; sid: 5003606; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services received a certificate request"; pcre: "/ 4886: | 790: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003607; sid: 5003607; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services approved a certificate request and issued a certificate"; pcre: "/ 4887: | 791: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003608; sid: 5003608; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services denied a certificate request"; pcre: "/ 4888: | 792: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003609; sid: 5003609; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services set the status of a certificate request to pending"; pcre: "/ 4889: | 793: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003610; sid: 5003610; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A configuration entry changed in Certificate Services"; pcre: "/ 4891: | 795: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003611; sid: 5003611; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services archived a key"; pcre: "/ 4893: | 797: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003612; sid: 5003612; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services imported and archived a key"; pcre: "/ 4894: | 798: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003613; sid: 5003613; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services published the CA certificate to Active Directory Domain Services"; pcre: "/ 4895: | 799: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003614; sid: 5003614; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services loaded a template"; pcre: "/ 4898: | 802: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003615; sid: 5003615; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Per-user audit policy table was created"; content: " 4902|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003616; sid: 5003616; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to register a security event source"; content: " 4904|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003617; sid: 5003617; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to unregister a security event source"; content: " 4905|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003618; sid: 5003618; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The local policy settings for the TBS were changed"; content: " 4909|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003619; sid: 5003619; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Group Policy settings for the TBS were changed"; content: " 4910|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003620; sid: 5003620; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An Active Directory replica source naming context was established"; content: " 4928|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003621; sid: 5003621; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An Active Directory replica source naming context was removed"; content: " 4929|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003622; sid: 5003622; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An Active Directory replica source naming context was modified"; content: " 4930|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003623; sid: 5003623; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An Active Directory replica destination naming context was modified"; content: " 4931|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003624; sid: 5003624; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Synchronization of a replica of an Active Directory naming context has begun"; content: " 4932|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003625; sid: 5003625; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Synchronization of a replica of an Active Directory naming context has ended"; content: " 4933|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003626; sid: 5003626; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Attributes of an Active Directory object were replicated"; content: " 4934|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003627; sid: 5003627; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Replication failure begins"; content: " 4935|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003628; sid: 5003628; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Replication failure ends"; content: " 4936|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003629; sid: 5003629; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A lingering object was removed from a replica"; content: " 4937|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003630; sid: 5003630; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The following policy was active when the Windows Firewall started"; content: " 4944|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003631; sid: 5003631; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A rule was listed when the Windows Firewall started"; content: " 4945|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003632; sid: 5003632; rev: 1;)
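# 4946, 4947 and 4948 share the same first sentence in Appendix L; the second
# sentence of the Windows event text is what distinguishes them (rule added /
# modified / deleted).  The msg carries that distinction so an analyst can tell
# a rule deletion (the one most worth alerting on) from a rule addition without
# opening the raw event.  rev bumped because the msg text changed.
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to Windows Firewall exception list - a rule was added"; content: " 4946|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003633; sid: 5003633; rev: 2;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to Windows Firewall exception list - a rule was modified"; content: " 4947|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003634; sid: 5003634; rev: 2;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to Windows Firewall exception list - a rule was deleted"; content: " 4948|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003635; sid: 5003635; rev: 2;)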
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Windows Firewall settings were restored to the default values"; content: " 4949|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003636; sid: 5003636; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Windows Firewall setting has changed"; content: " 4950|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003637; sid: 5003637; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A rule has been ignored because its major version number was not recognized by Windows Firewall"; content: " 4951|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003638; sid: 5003638; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall"; content: " 4952|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003639; sid: 5003639; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A rule has been ignored by Windows Firewall because it could not parse the rule"; content: " 4953|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003640; sid: 5003640; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Windows Firewall Group Policy settings have changed"; content: " 4954|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003641; sid: 5003641; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Windows Firewall has changed the active profile"; content: " 4956|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003642; sid: 5003642; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Windows Firewall did not apply the following rule:"; content: " 4957|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003643; sid: 5003643; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:"; content: " 4958|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003644; sid: 5003644; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Main Mode and Extended Mode security associations were established"; content: " 4979|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003645; sid: 5003645; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Main Mode and Extended Mode security associations were established"; content: " 4980|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003646; sid: 5003646; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Main Mode and Extended Mode security associations were established"; content: " 4981|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003647; sid: 5003647; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Main Mode and Extended Mode security associations were established"; content: " 4982|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003648; sid: 5003648; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The state of a transaction has changed"; content: " 4985|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003649; sid: 5003649; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service has started successfully"; content: " 5024|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003650; sid: 5003650; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service has been stopped"; content: " 5025|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003651; sid: 5003651; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service blocked an application from accepting incoming connections on the network"; content: " 5031|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003652; sid: 5003652; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network"; content: " 5032|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003653; sid: 5003653; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Driver has started successfully"; content: " 5033|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003654; sid: 5003654; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Driver has been stopped"; content: " 5034|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003655; sid: 5003655; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A registry key was virtualized"; content: " 5039|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003656; sid: 5003656; rev: 1;)
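# 5040-5048 all begin "A change has been made to IPsec settings"; the Windows
# event text goes on to name the object type (Authentication Set / Connection
# Security Rule / Crypto Set) and the operation (added / modified / deleted).
# Nine rules with an identical msg are indistinguishable in an alert view, so
# each msg now carries its object and operation.  A deleted Connection Security
# Rule or Crypto Set is the case to look at first if these are enabled.
# rev bumped because the msg text changed.
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings - an Authentication Set was added"; content: " 5040|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003657; sid: 5003657; rev: 2;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings - an Authentication Set was modified"; content: " 5041|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003658; sid: 5003658; rev: 2;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings - an Authentication Set was deleted"; content: " 5042|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003659; sid: 5003659; rev: 2;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings - a Connection Security Rule was added"; content: " 5043|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003660; sid: 5003660; rev: 2;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings - a Connection Security Rule was modified"; content: " 5044|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003661; sid: 5003661; rev: 2;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings - a Connection Security Rule was deleted"; content: " 5045|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003662; sid: 5003662; rev: 2;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings - a Crypto Set was added"; content: " 5046|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003663; sid: 5003663; rev: 2;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings - a Crypto Set was modified"; content: " 5047|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003664; sid: 5003664; rev: 2;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings - a Crypto Set was deleted"; content: " 5048|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003665; sid: 5003665; rev: 2;)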
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt to programmatically disable the Windows Firewall using a call to InetFwProfile"; content: " 5050|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003666; sid: 5003666; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A file was virtualized"; content: " 5051|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003667; sid: 5003667; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic self test was performed"; content: " 5056|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003668; sid: 5003668; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic primitive operation failed"; content: " 5057|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003669; sid: 5003669; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Key file operation"; content: " 5058|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003670; sid: 5003670; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Key migration operation"; content: " 5059|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003671; sid: 5003671; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Verification operation failed"; content: " 5060|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003672; sid: 5003672; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Cryptographic operation"; content: " 5061|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003673; sid: 5003673; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A kernel-mode cryptographic self test was performed"; content: " 5062|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003674; sid: 5003674; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic provider operation was attempted"; content: " 5063|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003675; sid: 5003675; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic context operation was attempted"; content: " 5064|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003676; sid: 5003676; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic context modification was attempted"; content: " 5065|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003677; sid: 5003677; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic function operation was attempted"; content: " 5066|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003678; sid: 5003678; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic function modification was attempted"; content: " 5067|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003679; sid: 5003679; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic function provider operation was attempted"; content: " 5068|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003680; sid: 5003680; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic function property operation was attempted"; content: " 5069|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003681; sid: 5003681; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic function property modification was attempted"; content: " 5070|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003682; sid: 5003682; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A request was submitted to the OCSP Responder Service"; content: " 5125|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003683; sid: 5003683; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Signing Certificate was automatically updated by the OCSP Responder Service"; content: " 5126|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003684; sid: 5003684; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The OCSP Revocation Provider successfully updated the revocation information"; content: " 5127|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003685; sid: 5003685; rev: 1;)
# NOTE(review): both of the rules below also match the legacy event ID 566
# (the pre-2008 directory-service object event), so a single 566 record fires
# sid 5003686 ("modified") AND sid 5003687 ("created"), and the msg of at least
# one of them will be wrong for that record.  If these are enabled, keep 566 on
# only one rule, or add a second match on the operation text in the event so
# the alert name reflects what actually happened.  5138/5139/5141 below do not
# carry the legacy ID at all, so legacy undelete/move/delete events are not
# covered by this group.
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A directory service object was modified"; pcre: "/ 5136: | 566: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003686; sid: 5003686; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A directory service object was created"; pcre: "/ 5137: | 566: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003687; sid: 5003687; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A directory service object was undeleted"; content: " 5138|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003688; sid: 5003688; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A directory service object was moved"; content: " 5139|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003689; sid: 5003689; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A network share object was accessed"; content: " 5140|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003690; sid: 5003690; rev: 1;)
# ---------------------------------------------------------------------------
# Directory-service, Windows Filtering Platform (WFP), IPsec/PAStore, network
# authentication, COM+, policy, legacy (pre-Vista) and volume-encryption event
# IDs. Every rule in this span ships disabled (leading '#'); uncomment a rule
# only after confirming it fires on a known-good sample from your forwarder.
#
# How each rule matches: `content: " <EventID>|3a| "` looks for the event ID
# bracketed by a space and a literal colon (hex 3a), so it only fires when the
# forwarder writes the ID as "<id>:" in the message; `program: *Security*`
# additionally restricts the match to syslog program names containing
# "Security". No field other than the event ID is inspected, so a rule fires
# on every instance of that ID regardless of subject, object or outcome.
# NOTE(review): confirm the exact "<id>: " formatting of your Windows-to-syslog
# agent before enabling any of these; a different layout makes them silent.
# ---------------------------------------------------------------------------
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A directory service object was deleted"; content: " 5141|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003691; sid: 5003691; rev: 1;)
# WFP packet/connection audit events (5152-5159). NOTE(review): these are
# typically emitted per packet or per connection, so an enabled rule without a
# threshold is likely to be very noisy - treat as correlation input, not a
# standalone alert.
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform blocked a packet"; content: " 5152|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003692; sid: 5003692; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A more restrictive Windows Filtering Platform filter has blocked a packet"; content: " 5153|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003693; sid: 5003693; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections"; content: " 5154|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003694; sid: 5003694; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections"; content: " 5155|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003695; sid: 5003695; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has allowed a connection"; content: " 5156|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003696; sid: 5003696; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has blocked a connection"; content: " 5157|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003697; sid: 5003697; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has permitted a bind to a local port"; content: " 5158|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003698; sid: 5003698; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has blocked a bind to a local port"; content: " 5159|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003699; sid: 5003699; rev: 1;)
# Credential delegation denied by policy (5378) and WFP/Base Filtering Engine
# startup inventory and change events (5440-5450).
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The requested credentials delegation was disallowed by policy"; content: " 5378|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003700; sid: 5003700; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The following callout was present when the Windows Filtering Platform Base Filtering Engine started"; content: " 5440|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003701; sid: 5003701; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The following filter was present when the Windows Filtering Platform Base Filtering Engine started"; content: " 5441|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003702; sid: 5003702; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The following provider was present when the Windows Filtering Platform Base Filtering Engine started"; content: " 5442|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003703; sid: 5003703; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The following provider context was present when the Windows Filtering Platform Base Filtering Engine started"; content: " 5443|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003704; sid: 5003704; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The following sublayer was present when the Windows Filtering Platform Base Filtering Engine started"; content: " 5444|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003705; sid: 5003705; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Windows Filtering Platform callout has been changed"; content: " 5446|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003706; sid: 5003706; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Windows Filtering Platform filter has been changed"; content: " 5447|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003707; sid: 5003707; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Windows Filtering Platform provider has been changed"; content: " 5448|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003708; sid: 5003708; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Windows Filtering Platform provider context has been changed"; content: " 5449|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003709; sid: 5003709; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Windows Filtering Platform sublayer has been changed"; content: " 5450|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003710; sid: 5003710; rev: 1;)
# IPsec quick-mode security-association and PAStore policy-engine events
# (5451-5479).
# NOTE(review): 5466, 5467 and 5468 carry the same msg text below; the
# referenced Microsoft list gives each a distinct outcome (directory
# unreachable, reachable with no change, reachable with changes applied), so
# the msg strings should be made distinct if these rules are ever enabled.
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Quick Mode security association was established"; content: " 5451|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003711; sid: 5003711; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Quick Mode security association ended"; content: " 5452|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003712; sid: 5003712; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine applied Active Directory storage IPsec policy on the computer"; content: " 5456|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003713; sid: 5003713; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to apply Active Directory storage IPsec policy on the computer"; content: " 5457|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003714; sid: 5003714; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer"; content: " 5458|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003715; sid: 5003715; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer"; content: " 5459|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003716; sid: 5003716; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine applied local registry storage IPsec policy on the computer"; content: " 5460|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003717; sid: 5003717; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to apply local registry storage IPsec policy on the computer"; content: " 5461|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003718; sid: 5003718; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to apply some rules of the active IPsec policy on the computer"; content: " 5462|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003719; sid: 5003719; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine polled for changes to the active IPsec policy and detected no changes"; content: " 5463|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003720; sid: 5003720; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine polled for changes to the active IPsec policy"; content: " 5464|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003721; sid: 5003721; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully"; content: " 5465|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003722; sid: 5003722; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine polled for changes to the Active Directory IPsec policy"; content: " 5466|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003723; sid: 5003723; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine polled for changes to the Active Directory IPsec policy"; content: " 5467|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003724; sid: 5003724; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine polled for changes to the Active Directory IPsec policy"; content: " 5468|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003725; sid: 5003725; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine loaded local storage IPsec policy on the computer"; content: " 5471|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003726; sid: 5003726; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to load local storage IPsec policy on the computer"; content: " 5472|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003727; sid: 5003727; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine loaded directory storage IPsec policy on the computer"; content: " 5473|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003728; sid: 5003728; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to load directory storage IPsec policy on the computer"; content: " 5474|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003729; sid: 5003729; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to add quick mode filter"; content: " 5477|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003730; sid: 5003730; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services has been shut down successfully"; content: " 5479|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003731; sid: 5003731; rev: 1;)
# Wireless/wired network authentication requests, RPC attempts, COM+ catalog
# changes, unexpected shutdown, Group Policy security settings applied, and
# NPS access granted.
# NOTE(review): 6008 ("previous system shutdown was unexpected") is normally
# written to the System log by the EventLog source rather than to Security;
# with `program: *Security*` it may never match - confirm against the
# forwarder's channel-to-program mapping before relying on it.
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A request was made to authenticate to a wireless network"; content: " 5632|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003732; sid: 5003732; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A request was made to authenticate to a wired network"; content: " 5633|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003733; sid: 5003733; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Remote Procedure Call (RPC) was attempted"; content: " 5712|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003734; sid: 5003734; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An object in the COM+ Catalog was modified"; content: " 5888|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003735; sid: 5003735; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An object was deleted from the COM+ Catalog"; content: " 5889|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003736; sid: 5003736; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An object was added to the COM+ Catalog"; content: " 5890|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003737; sid: 5003737; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The previous system shutdown was unexpected"; content: " 6008|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003738; sid: 5003738; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Security policy in the Group Policy objects has been applied successfully"; content: " 6144|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003739; sid: 5003739; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server granted access to a user"; content: " 6272|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003740; sid: 5003740; rev: 1;)
# Legacy (Windows 2000/2003-era) Security event IDs. NOTE(review): modern
# hosts log the 4xxx-series equivalents of these (e.g. 561 -> 4656), so these
# rules only cover legacy hosts; keep them disabled on an estate without any.
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] A handle to an object was requested"; content: " 561|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003741; sid: 5003741; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Object open for delete"; content: " 563|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003742; sid: 5003742; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] User Account Type Changed"; content: " 625|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003743; sid: 5003743; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec policy agent started"; content: " 613|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003744; sid: 5003744; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec policy agent disabled"; content: " 614|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003745; sid: 5003745; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec policy agent"; content: " 615|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003746; sid: 5003746; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec policy agent encountered a potential serious failure"; content: " 616|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003747; sid: 5003747; rev: 1;)
# Volume encryption / conversion events (24577-24621). NOTE(review): these IDs
# look like BitLocker-Driver events, which are typically logged to the System
# log under a non-Security source; `program: *Security*` may filter them out -
# confirm the actual source/program of these records before enabling.
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Encryption of volume started"; content: " 24577|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003748; sid: 5003748; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Encryption of volume stopped"; content: " 24578|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003749; sid: 5003749; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Encryption of volume completed"; content: " 24579|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003750; sid: 5003750; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Decryption of volume started"; content: " 24580|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003751; sid: 5003751; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Decryption of volume stopped"; content: " 24581|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003752; sid: 5003752; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Decryption of volume completed"; content: " 24582|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003753; sid: 5003753; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Conversion worker thread for volume started"; content: " 24583|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003754; sid: 5003754; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Conversion worker thread for volume temporarily stopped"; content: " 24584|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003755; sid: 5003755; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] The conversion operation on volume encountered a bad sector error"; content: " 24588|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003756; sid: 5003756; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Volume contains bad clusters"; content: " 24595|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003757; sid: 5003757; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Initial state check: Rolling volume conversion transaction on"; content: " 24621|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003758; sid: 5003758; rev: 1;)
# Later additions, out of numeric order: IPsec SA deleted (5049) and IPsec
# Services started (5478, the counterpart of the 5479 shutdown rule above).
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Security Association was deleted"; content: " 5049|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003759; sid: 5003759; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services has started successfully"; content: " 5478|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003760; sid: 5003760; rev: 1;)