From 367ab57766cb41e30ede3e3cfcf32928f98f393c Mon Sep 17 00:00:00 2001
From: Matthew Iverson
Date: Mon, 13 Jan 2025 21:27:28 -0500
Subject: [PATCH] Delete win_input.conf

---
win_input.conf | 1068 ------------------------------------------------
1 file changed, 1068 deletions(-)
delete mode 100644 win_input.conf

diff --git a/win_input.conf b/win_input.conf
deleted file mode 100644
index 65cfcc2..0000000
--- a/win_input.conf
+++ /dev/null
@@ -1,1068 +0,0 @@
-[WinEventLog]
-renderXml = true
-
-# ---------------------
-# Security channel
-# ---------------------
-
-[WinEventLog://Security]
-disabled = 0
-whitelist1 = EventCode=%^(1100|1101|1102|1104|1105|1107|1108|4608|4609|4610|4611|4614|4616|4621|4622|4624|4625|4648|4649|4656|4664|4672|4673|4674|4675|4688|4697|4698|4699|4700|4701|4702|4703|4704|4705|4706|4707|4713|4715|4716|4717|4718|4719|4720|4722|4723|4724|4725|4726|4727|4728|4729|4730|4731|4732|4733|4734|4735|4737|4738|4739|4740|4741|4742|4743|4744|4745|4746|4747|4748|4749|4750|4751|4752|4753|4754|4755|4756|4757|4758|4759|4760|4761|4762|4763||4764|4765|4766|4767|4768|4769|4771|4772|4773|4777|4780|4781|4782|4794|4797|4798|4799|4817|4820|4821|4822|4823|4824|4825|4830|4864|4865|4866|4867|4868|4869|4870|4871|4872|4873|4874|4875|4876|4877|4878|4879|4880|4881|4882|4883|4884|4885|4886|4887|4888|4889|4890|4891|4892|4893|4894|4895|4896|4897|4898|4899|4900|4902|4904|4905|4906|4907|4908|4912|4928|4929|4930|4931|4934|4935|4936|4937|4964|5038|5120|5121|5122|5123|5124|5125|5126|5127|5136|5137|5138|5139|5141|5142|5143|5144|5148|5149|5168|5169|5170|5376|5377|5378|5379|5381|5382|6272|6273|6274|6275|6276|6277|6278|6279|6280|6281|6410|6416|6419|6420|6421|6422|6423|6424)$%
-whitelist2 = EventCode=%^4776$% Keywords=%^Audit Failure$%
-whitelist3 = EventCode=%^(4661|4662|4663)$% TaskCategory=%^(Directory Service Access|Kernel Object|SAM)$%
-
-# 1100: Event logging service has shut down / MITRE TTP T1562.002 - Disable Windows Event Logging
-# 1101: Audit events have been dropped by the transport.
-# 1102: Event log cleared / MITRE TTP T1070.001 - Indicator Removal on Host
-# 1104: Security log is now full / MITRE TTP T1562.002 - Disable Windows Event Logging
-# 1105: Event log automatic backup
-# 1107: The event logging service encountered an error while processing an incoming event from [publisher] and trying to process the metadata for it
-# 1108: The event logging service encountered an error while processing an incoming event published from […]
-# 4608: Windows is starting up.
-# 4609: Windows is shutting down.
-# 4610: An authentication package has been loaded by the Local Security Authority. / MITRE TTP T1547.008 - Boot or Logon Autostart Execution: LSASS Driver
-# 4611: A trusted logon process has been registered with the Local Security Authority. / MITRE TTP T1547.008 - Boot or Logon Autostart Execution: LSASS Driver
-# 4614: A notification package has been loaded by the Security Account Manager.
-# 4616: The system time was changed. / MITRE TTP T1070.006 - Timestomp
-# 4621: Administrator recovered system from CrashOnAuditFail / MITRE TTP T1562.002 - Impair Defenses: Disable Windows Event Logging
-# 4622: A security package has been loaded by the Local Security Authority. / MITRE TTP T1547.008 - Boot or Logon Autostart Execution: LSASS Driver
-# 4624: An account was successfully logged on / MITRE TTP T1078 - Valid accounts
-# 4625: An account failed to log on / MITRE TTP T1110 - Brutforce
-# 4648: A logon was attempted using explicit credentials / MITRE TTP T1134.002 - Access Token Manipulation: Create Process with Token
-# 4649: A replay attack was detected / MITRE TTP T1558 - Steal or Forge Kerberos Tickets
-# 4656: A handle to an object was requested
-# 4661: A handle to an object was requested (Directory services) / MITRE TTP T1201 - Password Policy Discovery
-# 4661: A handle to an object was requested (SAM) / MITRE TTP T1003 - OS credential dumping
-# 4662: An operation was performed on an object (Directory services) / MITRE TTP T1069.002 - Discovery domain groups
-# 4663: An attempt was made to access an object (Kernel object) / MITRE TTP T1003.001 - Credentials dumping: LSASS
-# 4664: An attempt was made to create a hard link / MITRE TTP T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification
-# 4670: ---NOT COLLECTED PER DEFAULT--- Permissions on an object were changed (File System, Registry, Authentication Policy Change and Authorization Policy Change) / MITRE TTP T1222.001 - Windows File and Directory Permissions Modification
-# 4672: Special privileges assigned to new logon / MITRE TTP T1078 - Valid accounts
-# 4673: A privileged service was called
-# 4674: An operation was attempted on a privileged object
-# 4675: SIDs were filtered / MITRE TTP T1134.005 - Access Token Manipulation: SIDHistory Injection
-# 4688: A new process has been created / MITRE TTP Too many, cannot be listed
-
-# 4697: A service was installed in the system. / MITRE TTP T1543.003 - Create or Modify System ProcessWindows Service
-# 4662: ---NOT COLLECTED PER DEFAULT--- An operation was performed on an object (WMI, LSA…) - Not documented by Microsoft
-# 4698: A scheduled task was created. / MITRE TTP T1053.005 - Scheduled Task
-# 4699: A scheduled task was deleted. / MITRE TTP T1053.005 - Scheduled Task
-# 4700: A scheduled task was enabled. / MITRE TTP T1053.005 - Scheduled Task
-# 4701: A scheduled task was disabled. / MITRE TTP T1053.005 - Scheduled Task
-# 4702: A scheduled task was updated. / MITRE TTP T1053.005 - Scheduled Task
-# 4703: A user right was adjusted. / MITRE TTP T1134 - Access Token Manipulation
-# 4704: A user right was assigned. / MITRE TTP T1134 - Access Token Manipulation
-# 4705: A user right was removed. / MITRE TTP T1134 - Access Token Manipulation
-# 4706: A new trust was created to a domain. / MITRE TTP T1484.002 - Domain Policy Modification: Domain Trust Modification
-# 4707: A trust to a domain was removed. / MITRE TTP T1484.002 - Domain Policy Modification: Domain Trust Modification
-# 4713: Kerberos policy was changed. / MITRE TTP T1484 - Domain Policy Modification
-# 4715: The audit policy (SACL) on an object was changed.
-# 4716: Trusted domain information was modified. / MITRE TTP T1484.002 - Domain Policy Modification: Domain Trust Modification
-# 4717: System security access was granted to an account. / MITRE TTP T1134 - Access Token Manipulation
-# 4718: System security access was removed from an account. / MITRE TTP T1134 - Access Token Manipulation
-# 4719: System audit policy was changed. / MITRE TTP T1562.002 - Impair Defenses: Disable Windows Event Logging
-# 4720: A user account was created / MITRE TTP T1136 - Create account
-# 4722: A user account was enabled / MITRE TTP T1098 - Account manipulation
-# 4723: An attempt was made to change an account's password / MITRE TTP T1098 - Account manipulation
-# 4724: An attempt was made to reset an account's password / MITRE TTP T1098 - Account manipulation
-# 4725: A user account was disabled / MITRE TTP T1098 - Account manipulation
-# 4726: A user account was deleted
-# 4727: A security-enabled Global group was created
-# 4728: A member was added to a security-enabled Global group / MITRE TTP T1098 - Account manipulation
-# 4729: A member was removed from a security-enabled Global group / MITRE TTP T1098 - Account manipulation
-# 4730: A security-enabled Global group was deleted
-# 4731: A security-enabled Local group was created
-# 4732: A member was added to a security-enabled Local group / MITRE TTP T1098 - Account manipulation
-# 4733: A member was removed from a security-enabled Local group / MITRE TTP T1098 - Account manipulation
-# 4734: A security-enabled Local group was deleted
-# 4735: A security-enabled Local group was changed
-# 4737: A security-enabled Global group was changed
-# 4738: A user account was changed / MITRE TTP T1098 - Account manipulation
-# 4739: Domain Policy was changed. / MITRE TTP T1484 - Domain Policy Modification
-# 4740: A user account was locked out / MITRE TTP T1110 - Brutforce
-# 4741: A computer account was created / MITRE TTP T1136 - Create account
-# 4742: A computer account was changed / MITRE TTP T1098 - Account manipulation
-# 4743: A computer account was deleted / MITRE TTP T1098 - Account manipulation
-# 4744: A security-disabled (distribution) Local group was created
-# 4745: A security-disabled (distribution) Local group was changed
-# 4746: A member was added to a security-disabled (distribution) Local group
-# 4747: A member was removed to a security-disabled (distribution) Local group;
-# 4748: A security-disabled (distribution) Local group was deleted
-# 4749: A security-disabled (distribution) Global group was created
-# 4750: A security-disabled (distribution) Global group was changed
-# 4751: A member was added to a security-disabled (distribution) Global group
-# 4752: A member was removed to a security-disabled (distribution) Global group
-# 4753: A security-disabled (distribution) Global group was deleted
-# 4754: A security-enabled Universal group was created
-# 4755: A security-enabled Universal group was changed
-# 4756: A member was added to a security-enabled Universal group / MITRE TTP T1098 - Account manipulation
-# 4757: A member was removed from a security-enabled Universal group / MITRE TTP T1098 - Account manipulation
-# 4758: A security-enabled Universal group was deleted
-# 4759: A security-disabled (distribution) Universal group was created
-# 4760: A security-disabled (distribution) Universal group was changed
-# 4761: A member was added to a security-disabled (distribution) Universal group;
-# 4762: A member was removed to a security-disabled (distribution) Universal group
-# 4763: A security-disabled (distribution) Universal group was deleted
-# 4764: A group's type was changed
-# 4765: SID History was added to an account / MITRE TTP T1134.005 - Access Token Manipulation: SIDHistory Injection
-# 4766: An attempt to add SID History to an account failed / MITRE TTP T1134.005 - Access Token Manipulation: SIDHistory Injection
-# 4767: A user account was unlocked / MITRE TTP T1110 - Brutforce
-# 4768: A Kerberos authentication ticket (TGT) was requested / MITRE TTP T1110 - Brutforce
-# 4768: A Kerberos authentication ticket (TGT) was requested / MITRE TTP T1558 - Steal or Forge Kerberos Tickets
-# 4769: A Kerberos service ticket was required / MITRE TTP T1558 - Steal or Forge Kerberos Tickets
-# 4771: Kerberos preauthentication failed / MITRE TTP T1110 - Brutforce
-# 4772: A Kerberos authentication ticket request failed / MITRE TTP T1110 - Brutforce
-# 4773: A Kerberos service ticket request failed / MITRE TTP T1110 - Brutforce
-# 4776: The computer attempted to validate the credentials for an account / MITRE TTP T1110 - Brutforce
-# 4777: The domain controller failed to validate the credentials for an account / MITRE TTP T1110 - Brutforce
-# 4780: The ACL was set on accounts which are members of administrators groups / MITRE TTP T1098 - Account manipulation
-# 4781: The name of an account was changed / MITRE TTP T1098 - Account manipulation
-# 4782: The password hash of an account was accessed / MITRE TTP T1003 - OS credential dumping
-# 4794: An attempt was made to set the Directory Service Restore Mode administrator password / MITRE TTP T1098 - Account manipulation
-# 4797: An attempt was made to query the existence of a blank password for an account.
-# 4798: A user's local group membership was enumerated / MITRE TTP T1069.001 - Permission Groups Discovery: Local Groups
-# 4799: A security-enabled Local group membership was enumerated / MITRE TTP T1069.002 - Permission Groups Discovery: Domain Groups
-# 4817: Auditing settings on object were changed.
-# 4820: A Kerberos Ticket granting ticket (TGT) was denied because the device does not meet the access control restrictions. / MITRE TTP T1078.002 - Valid Accounts: Domain Accounts
-# 4821: A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions. / MITRE TTP T1078.002 - Valid Accounts: Domain Accounts
-# 4822: NTLM authentication failed because the account was a member of the Protected User group. / MITRE TTP T1078.002 - Valid Accounts: Domain Accounts
-# 4823: NTLM authentication failed because access control restrictions are required. / MITRE TTP T1078.002 - Valid Accounts: Domain Accounts
-# 4824: Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group. / MITRE TTP T1078.002 - Valid Accounts: Domain Accounts
-# 4825: A user was denied the access to Remote Desktop. / MITRE TTP T1021.001 - Remote Desktop Protocol
-# 4830: SID History was removed from an account / MITRE TTP T1134.005 - Access Token Manipulation: SIDHistory Injection
-# 4864: A namespace collision was detected.
-# 4865: A trusted forest information entry was added. / MITRE TTP T1484.002 - Domain Policy Modification: Domain Trust Modification
-# 4866: A trusted forest information entry was removed. / MITRE TTP T1484.002 - Domain Policy Modification: Domain Trust Modification
-# 4867: A trusted forest information entry was modified. / MITRE TTP T1484.002 - Domain Policy Modification: Domain Trust Modification
-# 4902: The Peruser audit policy table was created.
-# 4904: An attempt was made to register a security event source.
-# 4905: An attempt was made to unregister a security event source.
-# 4906: The CrashOnAuditFail value has changed. / MITRE TTP T1562.002 - Disable Windows Event Logging
-# 4907: Auditing settings on object were changed.
-# 4908: Special Groups Logon table modified.
-# 4912: Per User Audit Policy was changed.
-# 4928: An Active Directory replica source naming context was established / MITRE TTP T1207 - Rogue domain controler
-# 4929: An Active Directory replica source naming context was removed / MITRE TTP T1207 - Rogue domain controler
-# 4930: An Active Directory replica source naming context was modified / MITRE TTP T1207 - Rogue domain controler
-# 4931: An Active Directory replica destination naming context was modified / MITRE TTP T1207 - Rogue domain controler
-# 4934: Attributes of an Active Directory object were replicated
-# 4935: Replication failure begins
-# 4936: Replication failure ends
-# 4937: A lingering object was removed from a replica
-# 4964: Special groups have been assigned to a new logon / MITRE TTP T1078 - Valid accounts
-# 5136: A directory service object was modified / MITRE TTP T1222.001 - File and Directory Permissions Modification
-# 5137: A directory service object was created / MITRE TTP T1207 - Rogue domain controler
-# 5138: A directory service object was undeleted
-# 5139: A directory service object was moved
-# 5141: A directory service object was deleted
-# 5140: ---NOT COLLECTED PER DEFAULT, PREFER ID 5145--- A network share object was accessed / MITRE TTP T1021.002 - SMB Windows Admin Shares
-# 5142: A network share object was added / MITRE TTP T1021.002 - SMB Windows Admin Shares
-# 5143: A network share object was modified / MITRE TTP T1222.001 - File and Directory Permissions Modification
-# 5144: A network share object was deleted / MITRE TTP T1021.002 - SMB Windows Admin Shares
-# 5145: ---NOT COLLECTED PER DEFAULT, TOO NOISY--- A network share object was checked to see whether client can be granted desired access / MITRE TTP T1021.002 - SMB Windows Admin Shares
-# 5148: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. / MITRE TTP T1498 - Network denial of service
-# 5149: The DoS attack has subsided and normal processing is being resumed. / MITRE TTP T1498 - Network denial of service
-# 5168: SPN check for SMB/SMB2 failed / MITRE TTP T1187 - Forced Authentication
-# 5169: A directory service object was modified
-# 5170: A directory service object was modified during a background cleanup task
-# 5376: Credential Manager credentials were backed up / MITRE TTP T1555.004 - Credentials from Password Stores: Windows Credential Manager
-# 5377: Credential Manager credentials were restored from backup
-# 5378: The requested credentials delegation was disallowed by policy / MITRE TTP T1078 - Valid accounts
-# 5379: Credential Manager credentials were read / MITRE TTP T1555.004 - Credentials from Password Stores: Windows Credential Manager
-# 5381: Vault credentials were enumerated / MITRE TTP T1555.004 - Credentials from Password Stores: Windows Credential Manager
-# 5382: Vault credentials were read / MITRE TTP T1555.004 - Credentials from Password Stores: Windows Credential Manager
-
-# Active Directory Certificate Services (ADCS / PKI)
-# 4868: The certificate manager denied a pending certificate request.
-# 4869: Certificate Services received a resubmitted certificate request.
-# 4870: Certificate Services revoked a certificate.
-# 4871: Certificate Services received a request to publish the certificate revocation list (CRL).
-# 4872: Certificate Services published the certificate revocation list (CRL).
-# 4873: A certificate request extension changed.
-# 4874: One or more certificate request attributes changed.
-# 4875: Certificate Services received a request to shut down.
-# 4876: Certificate Services backup started.
-# 4877: Certificate Services backup completed.
-# 4878: Certificate Services restore started.
-# 4879: Certificate Services restore completed.
-# 4880: Certificate Services started.
-# 4881: Certificate Services stopped.
-# 4882: The security permissions for Certificate Services changed.
-# 4883: Certificate Services retrieved an archived key.
-# 4884: Certificate Services imported a certificate into its database.
-# 4885: The audit filter for Certificate Services changed.
-# 4886: Certificate Services received a certificate request.
-# 4887: Certificate Services approved a certificate request and issued a certificate.
-# 4888: Certificate Services denied a certificate request.
-# 4889: Certificate Services set the status of a certificate request to pending.
-# 4890: The certificate manager settings for Certificate Services changed.
-# 4891: A configuration entry changed in Certificate Services.
-# 4892: A property of Certificate Services changed.
-# 4893: Certificate Services archived a key.
-# 4894: Certificate Services imported and archived a key.
-# 4895: Certificate Services published the CA certificate to Active Directory Domain Services.
-# 4896: One or more rows have been deleted from the certificate database.
-# 4897: Role separation enabled:
-# 4898: Certificate Services loaded a template. / MITRE TTP T1649 - Steal or Forge Authentication Certificates
-# 4899: A Certificate Services template was updated. / MITRE TTP T1649 - Steal or Forge Authentication Certificates
-# 4900: Certificate Services template security was updated.
-# 6281: Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. / MITRE TTP T1036.001 Masquerading: Invalid Code Signature
-
-# 6410: Code integrity determined that a file does not meet the security requirements to load into a process. / MITRE TTP T1036.001 Masquerading: Invalid Code Signature
-
-# 6416: A new external device was recognised by the System / MITRE TTP T1091 - Replication Through Removable Media
-# 6419: A request was made too disable a device
-# 6420: A device was disabled
-# 6421: A request was made to enable a device
-# 6422: A device was enabled
-# 6423: The installation of this device is forbidden by system policy / MITRE TTP T1091 - Replication Through Removable Media
-# 6424: The installation of this device was allowed, after having previously been forbidden by policy
-
-
-# --------------------------------------------------
-# 72 - Online Certificate Status Protocol
-# --------------------------------------------------
-
-# Active Directory Certificate Services (ADCS / OCSP)
-# 5038: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. / MITRE TTP T1036.001 Masquerading: Invalid Code Signature
-
-# 5120: OCSP Responder Service Started.
-# 5121: OCSP Responder Service Stopped.
-# 5122: A Configuration entry changed in the OCSP Responder Service.
-# 5123: A configuration entry changed in the OCSP Responder Service.
-# 5124: A security setting was updated on OCSP Responder Service.
-# 5125: A request was submitted to OCSP Responder Service.
-# 5126: Signing Certificate was automatically updated by the OCSP Responder Service.
-# 5127: The OCSP Revocation Provider successfully updated the revocation information.
-
-
-# -----------------------------------------
-# 79 - Network Policy server (NPS)
-# -----------------------------------------
-
-# 6272: Network Policy Server granted access to a user
-# 6273: Network Policy Server denied access to a user
-# 6274: Network Policy Server discard the request for a user
-# 6275: Network Policy Server discard the accounting request for a user
-# 6276: Network Policy Server quarantined a user
-# 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy
-# 6278: Network Policy Server granted full access to a user because the host met the defined health policy
-# 6279: Network Policy Server locked the user account due to repeated failed authentication attempts
-# 6280: Network Policy Server unlocked the user account
-
-# ADFS
-# Not done yet. See also topic "75 - ADFS Server" at the bottom.
-# ADFS auditing requires several steps and advanced configuration. Note that some events are only logged depending on the log settings (basic or verbose). Check the links below for activation.
-# https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/enabling-ad-fs-security-auditing-and-shipping-event-logs-to/ba-p/3610464
-# https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging
-
-
-# ----------------------
-# System channel
-# ----------------------
-
-[WinEventLog://System]
-disabled = 0
-whitelist1 = SourceName=%(EventLog|Microsoft-Windows-Eventlog|Microsoft-Windows-Audit-CVE|Microsoft-Windows-DistributedCOM|Microsoft-Windows-GroupPolicy|Microsoft-Windows-Kernel-General|Microsoft-Windows-Kernel-PnP|Microsoft-Windows-Kernel-Power|Microsoft-Windows-Time-Service|Microsoft-Windows-WER-SystemErrorReporting|Microsoft-Windows-WindowsUpdateClient|Microsoft-Windows-Wininit|NETLOGON|Service Control Manager|User32|Kerberos-Key-Distribution-Center|Security-Kerberos|NPS|RemoteAccess|BugCheck|Microsoft-Windows-Resource-Exhaustion-Detector|FilterManager)%
-
-# Provider: [EventLog] - ID 6005: Event log service was started
-# Provider: [EventLog] - ID 6006: Event log service was stopped / MITRE TTP T1562.002 - Disable Windows Event Logging
-# Provider: [EventLog] - ID 6008: Previous system shutdown was not planned / MITRE TTP T1529 - System Shutdown/Reboot
-# Provider: [EventLog] - ID 6013: System uptime is [seconds]
-# Provider: [Microsoft-Windows-Eventlog] - ID 104: [Event log] log cleared / MITRE TTP T1070.001 - Indicator Removal on Host
-# Provider: [Microsoft-Windows-Audit-CVE] - ID 1: Possible detection for [CVE] / MITRE TTP Threat/vulnerabilityalert - "
-# Provider: [Microsoft-Windows-DistributedCOM] - ID *: DCOM info / MITRE TTP T1021.003 - Remote Services: Distributed Component Object Model
-# Provider: [Microsoft-Windows-GroupPolicy] - ID *: Group policies application / MITRE TTP T1484.001 - Domain Policy Modification: Group Policy Modification
-# Provider: [Microsoft-Windows-Kernel-General] - ID The operating system started at system time [time]
-# Provider: [Microsoft-Windows-Kernel-General] - ID 13: The operating system is shutting down at system time [time] / MITRE TTP T1529 - System Shutdown/Reboot
-# Provider: [Microsoft-Windows-Kernel-PnP] - ID 219: Failed to load driver [driver]
-# Provider: [Microsoft-Windows-Kernel-Power] - ID 41: The system has rebooted without cleaning shutting down first / MITRE TTP T1529 - System Shutdown/Reboot
-# Provider: [Microsoft-Windows-Kernel-Power] - ID 109: The kernel power manager has initiated a shutdown transition / MITRE TTP T1529 - System Shutdown/Reboot
-# Provider: [Microsoft-Windows-Time-Service] - ID *: Time change / MITRE TTP T1070.006 - Timestomp
-# Provider: [Microsoft-Windows-WER-SystemErrorReporting] - ID 1001: BSOD / MITRE TTP T1499.004 - Endpoint DoS: Application or System Exploitation
-# Provider: [Microsoft-Windows-WindowsUpdateClient] - ID 19: Installation successful: [package] / MITRE TTP T0843 - Program install
-# Provider: [Microsoft-Windows-Wininit] - ID 11: Custom dynamic link libraries are being loaded for every application / MITRE TTP T1546.010 - AppInit DLLs
-# Provider: [Microsoft-Windows-Wininit] - ID 12: LSA started as a protected process / MITRE TTP M1025 - Privileged Process Integrity
-# Provider: [Netlogon] - ID 5805: A machine account failed to authenticate / MITRE TTP T1078 - Valid accounts
-# Provider: [Netlogon] - ID 5827: The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. / MITRE TTP T1078 - Valid accounts
-# Provider: [Netlogon] - ID 5828: The Netlogon service denied a vulnerable Netlogon secure channel connection using a trust account. / MITRE TTP T1078 - Valid accounts
-# Provider: [Netlogon] - ID 5829: The Netlogon service allowed a vulnerable Netlogon secure channel connection. / MITRE TTP T1078 - Valid accounts
-# Provider: [Netlogon] - ID 5830: The Netlogon service allowed a vulnerable Netlogon secure channel connection because the machine account is allowed in the "Domain controller / MITRE TTP T1078 - Valid accounts
-# Provider: [Netlogon] - ID 5831: The Netlogon service allowed a vulnerable Netlogon secure channel connection because the trust account is allowed in the "Domain controller / MITRE TTP T1078 - Valid accounts
-# Provider: [Service Control Manager] - ID *: Service installation, change, disabled or crash / MITRE TTP T1499.004 - Endpoint DoS: Application or System Exploitation
-# Provider: [Service Control Manager] - ID 7045: Service installation / MITRE TTP T1543.003 - Create or Modify System Process: Windows Service
-# Provider: [Service Control Manager] - ID 7036: Service started success
-# Provider: [Service Control Manager] - ID 7040: Service configuration change
-# Provider: [User32] - ID 1074: [process] has initiated the restart of [host] on behalf of [user] for the following [reason] / MITRE TTP T1529 - System Shutdown/Reboot
-# Provider: [User32] - ID 1076: Reason supplied by [user] for the last unexpected shutdown is: [reason] / MITRE TTP T1529 - System Shutdown/Reboot
-# Provider: [Kerberos-Key-Distribution-Center] - ID 39: User certificate valid but could not be mapped to a user in a secure way
-# Provider: [Kerberos-Security] - ID 21: During Kerberos Network Ticket Logon, the service ticket for Account from Domain had the following actions done to it by DC .
-# Provider: [Kerberos-Security] - ID 22: During Kerberos Network Ticket Logon, the service ticket for Account from Domain was denied by DC due to the reasons below.
-# Provider: [Kerberos-Security] - ID 23: During Kerberos Network Ticket Logon, the service ticket for Account from Domain could not be forwarded to a Domain Controller to service the request.
-# Provider: [BugCheck] - ID 1001: The computer has rebooted from a bugcheck. The bugcheck was [path]. A dump was saved in: C:\Windows\MEMORY.DMP.
-# Provider: [Microsoft-Windows-Resource-Exhaustion-Detector] - ID 2004: Windows successfully diagnosed a low virtual memory condition. The following programs consumed the most virtual memory: [programs]
-# Provider: [FilterManager] - ID 1: File System Filter 'WdFilter' (Version X) unloaded successfully. / MITRE TTP T1562.001 - Impair Defenses: Disable or Modify Tools
-# Provider: [FilterManager] - ID 6: File System Filter 'WdFilter' (Version X) has successfully loaded and registered with Filter Manager. / MITRE TTP T1562.001 - Impair Defenses: Disable or Modify Tools
-
-
-# ----------------------
-# Application channel
-# ----------------------
-
-[WinEventLog://Application]
-disabled = 0
-whitelist1 = SourceName=%Search-ProfileNotify% EventCode=%^1$%
-whitelist2 = SourceName=%ESENT% EventCode=%^(216|325|326|327|637)$%
-whitelist3 = SourceName=%(Application Error|Application Hang|Windows Error Reporting|Docker|MsiInstaller)%
-whitelist4 = SourceName=%Windows Server Update Services% EventCode=%(10022|12072)%
-
-# ID 1: Search Service for [user] removed in response to user profile deletion / MITRE TTP T1070.004 - Indicator Removal on Host: File Deletion
-# ID 216: A database location change was detected from [path.ntds.dit] to [path]
-# ID 325: The database engine created a new database / IFM / MITRE TTP T1003.033 - OS Credential Dumping: NTDS
-# ID 326: The database engine attached a new database / IFM / MITRE TTP T1003.033 - OS Credential Dumping: NTDS
-# ID 327: The database engine detached a database / IFM / MITRE TTP T1003.033 - OS Credential Dumping: NTDS
-# ID 637: New flush map file will be created to enable persisted lost flush detection
-# ID 10022: The last catalog synchronization attempt was unsuccessful
-# ID 12072: The WSUS content directory is not accessible.
-# ID 11707: The [product] installation completed successfully. / MITRE TTP T1218.007 - System Binary Proxy Execution: Msiexec
-# ID 11728: Product […] - Configuration completed successfully / MITRE TTP T1218.007 - System Binary Proxy Execution: Msiexec
-# Provider: [Application Error] - ID 1000 / MITRE TTP T1499.004 - Endpoint DoS: Application or System Exploitation
-# Provider: [Application Hang] - ID 1002 / MITRE TTP T1499.004 - Endpoint DoS: Application or System Exploitation
-# Provider: [Windows Error Reporting] - ID 1001: BSOD / MITRE TTP T1499.004 - Endpoint DoS: Application or System Exploitation
-# Provider: [Docker]
-
-
-# ------------------
-# 74 - SQL Server
-# ------------------
-
-whitelist5 = SourceName=%MSSQL\$.*% EventCode=%^(15268|15281|15457|17199|17200|17201|17202|17810|18401|18451|18453|18454|18455|18456|18456|18461|18462|18463|18464|18465|18466|18467|18468|18470|18471|18486|18487|18488|26022|28046|28047|28048|33002|33090|33205|49904)$%
-# ID 15268: Authentication mode is [WINDOWS|MIXED]
-# ID 15281: SQL Server blocked access to procedure ‘procedure’ of component ‘component’ because this component is turned off as part of the security configuration for this server. / MITRE TTP T1505.001 - Server Software Component: SQL Stored Procedures
-# ID 15457: Configuration option changed / MITRE TTP T1505.001 - Server Software Component
-# ID 17199: DAC is disabled / MITRE TTP T1505.001 - Server Software Component
-# ID 17200: DAC settings changed / MITRE TTP T1505.001 - Server Software Component
-# ID 17201: DAC mode enabled to listen on / MITRE TTP T1505.001 - Server Software Component
-# ID 17202: DAC connection established / MITRE TTP T1505.001 - Server Software Component
-# ID 17810: DAC max connections reached / MITRE TTP T1505.001 - Server Software Component
-# ID 18401: Failed login (server is in script upgrade) / MITRE TTP T1110 - Brutforce
-# ID 18451: Failed login (only admin can connect at this time) / MITRE TTP T1110 - Brutforce
-# ID 18456: Failed login (Windows auth only) / MITRE TTP T1110 - Brutforce
-# ID 18456: Failed login (Windows auth only) / MITRE TTP T1110 - Brutforce
-# ID 18461: Failed login (single user mode activated) / MITRE TTP T1110 - Brutforce
-# ID 18462: Failed login (psw is too recent to change) / MITRE TTP T1110 - Brutforce
-# ID 18463: Failed login (psw cannot be used at this time) / MITRE TTP T1110 - Brutforce
-# ID 18464: Failed login (psw requirements: too short) / MITRE TTP T1110 - Brutforce
-# ID 18465: Failed login (psw requirements: too long) / MITRE TTP T1110 - Brutforce
-# ID 18466: Failed login (psw requirements: is not complex) / MITRE TTP T1110 - Brutforce
-# ID 18467: Failed login (psw requirements: filter DLL) / MITRE TTP T1110 - Brutforce
-# ID 18468: Failed login (error duing password validation) / MITRE TTP T1110 - Brutforce
-# ID 18470: Failed login (account disabled) / MITRE TTP T1110 - Brutforce
-# ID 18471: Failed login (user not having permission to change psw) / MITRE TTP T1110 - Brutforce
-# ID 18486: Failed login (user locked out) / MITRE TTP T1110 - Brutforce
-# ID 18487: Failed login (psw expired) / MITRE TTP T1110 - Brutforce
-# ID 18488: Failed login (psw must be changed) / MITRE TTP T1110 - Brutforce
-# ID 26022: Server is listening on [ 'any' :port.
-# ID 28047: Failed login (no more information) / MITRE TTP T1110 - Brutforce
-# ID 28048: Failed login (no more information) / MITRE TTP T1110 - Brutforce
-# ID 18453: Success login with Windows authentication / MITRE TTP T1078 - Valid accounts
-# ID 18454: Success login with SQL Server authentication / MITRE TTP T1079 - Valid accounts
-# ID 18455: Success login (no more information) / MITRE TTP T1080 - Valid accounts
-# ID 18456: Failed login (Windows auth only) / MITRE TTP T1110 - Brutforce
-# ID 28046: Success login / MITRE TTP T1081 - Valid accounts
-# ID 33205: SQL Server transactions / MITRE TTP T1505 - Server Software Component
-# ID 33002: Access to %ls %ls is blocked because the signature is not valid.
-# ID 33090: Attempting to load library 'xxxx.dll' into memory. / MITRE TTP T1574.002 - Hijack Execution Flow: DLL Side-Loading
-# ID 49904: Service account is [account]
-
-
-# ------------------
-# 40 - PowerShell
-# ------------------
-
-# PowerShell classic (not collected, too noisy)
-[WinEventLog://Windows PowerShell]
-disabled = 1
-whitelist = 600, 800
-# ID 600 / MITRE TTP T1059.001 - Command and Scripting Interpreter: PowerShell
-# ID 800 / MITRE TTP T1059.001 - Command and Scripting Interpreter: PowerShell
-
-# PowerShell modern
-[WinEventLog://Microsoft-Windows-PowerShell/Operational]
-disabled = 0
-whitelist = 4103, 4104
-# ID 4103: Module logging / MITRE TTP T1059.001 - Command and Scripting Interpreter: PowerShell
-# ID 4104: Script block / MITRE TTP T1059.001 - Command and Scripting Interpreter: PowerShell
-
-# PowerShell Core (v6 or higher)
-[WinEventLog://PowerShellCore/Operational]
-disabled = 0
-whitelist = 4103, 4104
-# ID 4103: Module logging / MITRE TTP T1059.001 - Command and Scripting Interpreter: PowerShell
-# ID 4104: Script block / MITRE TTP T1059.001 - Command and Scripting Interpreter: PowerShell
-
-
-# -----------------------
-# 62 - DNS Server
-# -----------------------
-
-[WinEventLog://DNS Server]
-disabled = 0
-whitelist = 150,770,6004
-# ID 150: DNS Server could not load or initialize the plug-in DLL / MITRE TTP T1574.002 - Hijack Execution Flow: DLL Side Loading
-# ID 770: DNS Server plugin DLL has been loaded / MITRE TTP T1574.002 - Hijack Execution Flow: DLL Side Loading
-# ID 6004: The DNS server received a zone transfer request from %1 for a non-existent or non-authoritative zone %2. / MITRE TTP T1071.004 - Application Layer Protocol: DNS
-
-[WinEventLog://Microsoft-Windows-DNSServer/Audit]
-disabled = 0
-whitelist = 512, 513, 514, 515, 516, 517, 518, 522, 523, 537, 540, 541, 542, 543, 548, 549, 550, 551, 555, 556, 557, 565, 573, 574, 575, 576, 577, 578, 579, 580, 581, 582
-# 512 - Zone operations : The zone test was created with settings: Type=Primary; Lookup=Forward; ReplicationScope=Domain; ZoneFile=NULL.
-# 513 - Zone operations : The zone %1 was deleted.
-# 514 - Zone operations : The zone demo.lan was updated. The AllowUpdate setting has been set to Nonsecure and secure.
-# 515 - Zone operations : A resource record of type %1, name %2, TTL %3 and RDATA %5 was created in scope %7 of zone %6.
-# 516 - Zone operations : A resource record of type %1, name %2 and RDATA %5 was deleted from scope %7 of zone %6.
-# 517 - Zone operations : All resource records of type %1, name %2 were deleted from scope %4 of zone %3.
-# 518 - Zone operations : All resource records at Node name %1 were deleted from scope %3 of zone %2.
-# 522 - Zone operations : The scope %1 was created in zone %2.
-# 523 - Zone operations : The scope %1 was deleted in zone %2.
-# 537 - Configuration : The forwarder list on scope %2 has been reset to %1.
-# 540 - Configuration : The root hints have been modified.
-# 541 - Configuration : The setting %1 on scope %2 has been set to %3.
-# 542 - Configuration : The scope %1 of DNS server was created.
-# 543 - Configuration : The scope %1 of DNS server was deleted.
-# 548 - Server operations : A request to restart the DNS server service has been received. -# 549 - Server operations : The debug logs have been cleared from %1 on DNS server. -# 550 - Server operations : The in-memory contents of all the zones on DNS server have been flushed to their respective files. -# 551 - Server operations : All the statistical data for the DNS server has been cleared. -# 555 - Server operations : The DNS server has been prepared for demotion by removing references to it from all zones stored in the Active Directory. -# 556 - Server operations : The information about the root hints on the DNS server has been written back to the persistent storage. -# 557 - Server operations : The addresses on which DNS server will listen has been changed to %1. -# 565 - Zone operations : The content of the zone %1 has been written to the disk and the notification has been sent to all the notify servers. -# 573 - Zone operations : A delegation for %1 in the scope %2 of zone %3 with the name server %4 has been added. -# 574 - Policy operations : The client subnet record with name %1 value %2 has been added to the client subnet map. -# 575 - Policy operations : The client subnet record with name %1 has been deleted from the client subnet map. -# 576 - Policy operations : The client subnet record with name %1 has been updated from the client subnet map. The new client subnets that it refers to are %2. -# 577 - Policy operations : A server level policy %6 for %1 has been created on server %2 with following properties: ProcessingOrder:%3; Criteria:%4; Action:%5. -# 578 - Policy operations : A zone level policy %8 for %1 has been created on zone %6 on server %2 with following properties: ProcessingOrder:%3; Criteria:%4; Action:%5; Scopes:%7. -# 579 - Policy operations : A forwarding policy %6 has been created on server %2 with following properties: ProcessingOrder:%3; Criteria:%4; Action:%5; Scope:%1. 
-# 580 - Policy operations : The server level policy %1 has been deleted from server %2. -# 581 - Policy operations : The zone level policy %1 has been deleted from zone %3 on server %2. -# 582 - Policy operations : The forwarding policy %1 has been deleted from server %2. - - -# --------------------------- -# 71 - Exchange Server -# --------------------------- - -[WinEventLog://MSExchange Management] -disabled = 0 -whitelist = 1, 6 -# ID 1: Success command operation / MITRE TTP T1505.002 - Server Software Component: Transport Agent -# ID 6: Failed command operation / MITRE TTP T1505.002 - Server Software Component: Transport Agent - - -# -------------------------- -# 60 - DC authentication -# -------------------------- - -[WinEventLog://Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController] -disabled = 0 -whitelist = 101,105,106,305,306 -# !!! EVENT LOG FILE DISABLED PER DEFAULT !!! -# ID 101: An NTLM sign-in failure occurs because the authentication policy is configured. / MITRE TTP T1078 - Valid accounts -# ID 105: A Kerberos restriction failure occurs because the authentication from a particular device was not permitted. / MITRE TTP T1078 - Valid accounts -# ID 106: A Kerberos restriction failure occurs because the user or device was not allowed to authenticate to the server. / MITRE TTP T1078 - Valid accounts -# ID 305: Potential Kerberos restriction failure might occur because the authentication from a particular device was not permitted. / MITRE TTP T1078 - Valid accounts -# ID 306: A Kerberos restriction failure might occur because the user or device was not allowed to authenticate to the server. / MITRE TTP T1078 - Valid accounts - -[WinEventLog://Microsoft-Windows-Authentication/ProtectedUser-Client] -disabled = 0 -whitelist = 104,304 -# !!! EVENT LOG FILE DISABLED PER DEFAULT !!! -# ID 104: The security package on the client does not contain the credentials. 
-# ID 304: The security package does not store the Protected User's credentials. - -[WinEventLog://Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController] -disabled = 0 -whitelist = 100,104 -# !!! EVENT LOG FILE DISABLED PER DEFAULT !!! -# ID 100: An NTLM sign-in failure occurs for an account that is in the Protected Users security group. / MITRE TTP T1110 - Brutforce -# ID 104: DES or RC4 encryption types are used for Kerberos authentication and a sign-in failure occurs for a user in the Protected User security group. / MITRE TTP T1558 - Steal or Forge Kerberos Tickets - -[WinEventLog://Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController] -disabled = 0 -whitelist = 303 -# !!! EVENT LOG FILE DISABLED PER DEFAULT !!! -# ID 303: A Kerberos ticket-granting-ticket (TGT) was successfully issued for a member of the Protected User group. / MITRE TTP N/A - - -[WinEventLog://Directory Service] -disabled = 0 -whitelist = 1138,1174,1644,2946,2947 -# ID 1138: LDAP debug: Function ldap_search entered (requires manual registry activation) / MITRE TTP T1087.002 - Account Discovery: Domain Account -# ID 1174: LDAP debug: Wrong password (requires manual registry activation) / MITRE TTP T1110.001 - Brute Force: Password Guessing -# ID 1644: LDAP debug: A client issued a search operation with the following options (requires manual registry activation) -# ID 2946: Call successfully fetched the password of a gMSA account / MITRE TTP T1003 - OS Credential Dumping -# ID 2947: Call failed fetched the password of a gMSA account / MITRE TTP T1003 - OS Credential Dumping - -[WinEventLog://Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational] -disabled = 0 -whitelist = 302 -# ID 302: KDC uses the below KDC certificate for smart card or certificate authentication -# !!! EVENT LOG FILE DISABLED PER DEFAULT !!! 
- - -# -------------------------- -# 50 - Authentication -# -------------------------- - -[WinEventLog://Microsoft-Windows-NTLM/Operational] -disabled = 1 -whitelist1 = 8001,8002,8003,8004 -# ID 8001: NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked. / MITRE TTP T1078 - Valid accounts -# ID 8002: NTLM traffic that would be blocked / MITRE TTP T1078 - Valid accounts -# ID 8003: NTLM server blocked in the domain audit: Audit NTLM authentication in this domain / MITRE TTP T1078 - Valid accounts -# ID 8004: Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller. / MITRE TTP T1078 - Valid accounts - -[WinEventLog://Microsoft-Windows-LSA/Operational] -disabled = 1 - - -# ------------------------------- -# 11.1 - Remote management: RDP -# ------------------------------- - -[WinEventLog://Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational] -disabled = 0 -whitelist = 104,131,140,168,169 -# ID 104: Client timezone is [1] hour from UTC / MITRE TTP T1021.001 - Remote services: RDP -# ID 131: The server accepted a new UDP/TCP connection from client [IP]:PORT / MITRE TTP T1021.001 - Remote services: RDP -# ID 140: Connection failed; bad username or password / MITRE TTP T1021.001 - Remote services: RDP -# ID 168: The resolution requested by the client: Monitor 1: [X x Y] / MITRE TTP T1021.001 - Remote services: RDP -# ID 169: The client operating system type is (1, 3) > Server [SERVER] / MITRE TTP T1021.001 - Remote services: RDP - -[WinEventLog://Microsoft-Windows-TerminalServices-LocalSessionManager/Operational] -disabled = 0 -whitelist = 21,23,24,25,40 -# ID 21: Session logon succeeded / MITRE TTP T1021.001 - Remote services: RDP -# ID 23: Session logoff succeeded -# ID 24: Session has been disconnected -# ID 25: Session reconnection succeeded / MITRE TTP T1021.001 - Remote services: RDP -# ID 40: Session X has been disconnected, reason code XX - 
-[WinEventLog://Microsoft-Windows-TerminalServices-RDPClient/Operational] -disabled = 0 -whitelist = 1024,1029 -# ID 1024: RDP ClientActiveX is trying to connect to the server [SERVERX] / MITRE TTP T1021.001 - Remote services: RDP -# ID 1029: Base64(SHA1(UserName)) / MITRE TTP T1021.001 - Remote services: RDP - -[WinEventLog://Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational] -disabled = 0 -whitelist = 1149,20503,20504,20508 -# ID 1149: User authentication succeeded / MITRE TTP T1021.001 - Remote services: RDP -# ID 20503: Shadow View Session Started / MITRE TTP T1021.001 - Remote services: RDP -# ID 20504: Shadow View Session Stopped / MITRE TTP T1021.001 - Remote services: RDP -# ID 20508: Shadow View permission granted / MITRE TTP T1021.001 - Remote services: RDP - -[WinEventLog://Microsoft-Windows-TerminalServices-Gateway/Operational] -disabled = 0 -# ID 114: Session Reconnection: Indicates that a user has reconnected to a previous session. -# ID 230: Policy Evaluation Failure: Logs when a user fails to meet the RD Gateway policy requirements (e.g., NAP compliance failures). -# ID 301: Connection Attempt: This event logs an initial connection attempt. It can be useful for tracking users trying to connect to the gateway. -# ID 302: Authentication Failure: Indicates a failed authentication attempt to the RD Gateway. This event is important for identifying unsuccessful login attempts. -# ID 312: Successful Connection: This event is logged when a user successfully connects through the RD Gateway. It includes user details, target system, and connection timestamp. 
- - -# ------------------------------------ -# 11.2 - Remote management: SSH/WinRM -# ------------------------------------ - -[WinEventLog://Microsoft-Windows-WinRM/Operational] -disabled = 0 -whitelist = 91,169 -# ID 91: WinRM session creation / MITRE TTP T1021.006 - Remote Services: WinRM -# ID 169: User [user]: got authenticated using [auth] / MITRE TTP T1021.006 - Remote Services: WinRM - -[WinEventLog://OpenSSH/Operational] -disabled = 0 -whitelist = 4 -# ID 4: sshd: [message] / MITRE TTP T1021.004 - Remote services: SSH - - -# ------------------ -# 32 - Printer -# ------------------ - -[WinEventLog://Microsoft-Windows-PrintService/Admin] -disabled = 0 -whitelist = 354,808,823 -# ID 354: Initialize printer X with driver [DLL] / MITRE TTP T1547.012 - Print Processors -# ID 808: Initialize printer X with driver [DLL] / MITRE TTP T1547.012 - Print Processors -# ID 823: Changing default printer / MITRE TTP T1547.012 - Print Processors - -[WinEventLog://Microsoft-Windows-PrintService/Operational] -disabled = 0 -whitelist = 307,848,849 -# !!! EVENT LOG FILE DISABLED PER DEFAULT !!! 
-# ID 307: Printer job (requires GPO config to show job name) -# ID 848: Printer share created / MITRE TTP T1210 - Exploitation of Remote Services -# ID 849: Printer share canceled - - -# ---------------------------- -# 21 - Software & updates -# ---------------------------- - -[WinEventLog://Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant] -disabled = 0 -whitelist = 17 -# ID 17: Program Compatibility Assistant execution / MITRE TTP T1202 - Indirect Command Execution - -[WinEventLog://Microsoft-Windows-Application-Experience/Program-Inventory] -disabled = 0 -whitelist = 903,904,907,908 -# ID 903: Program installed on the system / MITRE TTP T0843 - Program install -# ID 904: Program installed on the system / MITRE TTP T0843 - Program install -# ID 907: Program removed from the system -# ID 908: Program removed from the system - -[WinEventLog://Microsoft-Windows-Application-Experience/Program-Telemetry] -disabled = 0 -whitelist = 500 -# ID 500: Compatibility fix applied to [path.exe] / MITRE TTP T1546.011 - Event Triggered Execution: Application Shimming - -[WinEventLog://Microsoft-Windows-Shell-Core/AppDefaults] -disabled = 0 -whitelist = 62443 -# ID 62443: Default application changes / MITRE TTP T1546.001 - Event Triggered Execution: Change Default File Association - -[WinEventLog://Microsoft-Windows-Shell-Core/Operational] -disabled = 0 -whitelist = 9707, 9708, 28115 -# ID 9707: Detects the start of the execution of a process from both the “Software\Microsoft\Windows\CurrentVersion\Run” and “Software\Microsoft\Windows\CurrentVersion\RunOnce” registry keys with the full command line. -# ID 9708: Detects when the aforementioned process finishes execution with the corresponding PID (Useful when the process is still running on the system). -# ID 28115: Triggered when a shortcut is added to the “App Resolver Cache”. Indicates when an application is installed. - -[WinEventLog://OAlerts] -disabled = 0 -whitelist = 300 -# ID 300: Provides info. 
about opened files, brutforce, DDE attacks - -[WinEventLog://Microsoft-Windows-WindowsUpdateClient/Operational] -disabled = 0 -whitelist = 41 -# ID 41: An update was downloaded: - -[WinEventLog://Setup] -disabled = 0 -whitelist1 = SourceName=%Microsoft-Windows-Servicing% EventCode=%^(2|4|7|8|9|10|13|14)$% -# ID 2: Package [KBx] was successfully changed to the Installed state. / MITRE TTP T0843 - Program install -# ID 4: A reboot is necessary before package [KBx] can be changed to the Installed state. / MITRE TTP T0843 - Program install -# ID 7: Initiating changes to turn on update [feature/update] of [package] / MITRE TTP T0843 - Program install -# ID 8: Initiating changes to turn off update [feature/update] of [package] / MITRE TTP T1562.001 - Impair Defenses: Disable or Modify Tools -# ID 9: Selectable update [update] of package [package] was successfully turned on. / MITRE TTP T0843 - Program install -# ID 10: Selectable update [module/feature] was successfully turned off. / MITRE TTP T1562.001 - Impair Defenses: Disable or Modify Tools -# ID 13: A reboot is necessary before the selectable update[update] of package [feature] can be turned on. / MITRE TTP T0843 - Program install -# ID 14: A reboot is necessary before the selectable update[update] of package [feature] can be turned off. / MITRE TTP T1562.001 - Impair Defenses: Disable or Modify Tools - -[WinEventLog://Microsoft-Windows-AppModel-Runtime/Admin] -disabled = 0 -whitelist1 = 201 -# ID 201: Process creation [ID] for [application] of [package]. 
Finish package activation / MITRE TTP T1218.007 - System Binary Proxy Execution: Msiexec - -[WinEventLog://Microsoft-Windows-AppXDeploymentServer/Operational] -disabled = 0 -whitelist1 = 400, 401, 441, 442, 453, 454, 478, 854 -# ID 400: [Operation] on [volume] for [package] from [source] finished / MITRE TTP T1218.009 - System Binary Proxy Execution: Msiexec -# ID 401: [Operation] on [volume] for [package] from [source] failed with [error] / MITRE TTP T1218.010 - System Binary Proxy Execution: Msiexec -# ID 441: Package deployement blocked by policy / MITRE TTP T1218.011 - System Binary Proxy Execution: Msiexec -# ID 442: Package deployement blocked by policy / MITRE TTP T1218.012 - System Binary Proxy Execution: Msiexec -# ID 453: Package deployement blocked by policy / MITRE TTP T1218.013 - System Binary Proxy Execution: Msiexec -# ID 454: Package deployement blocked by policy / MITRE TTP T1218.014 - System Binary Proxy Execution: Msiexec -# ID 478: Deployement registration on [volume] with [package] finished / MITRE TTP T1218.007 - System Binary Proxy Execution: Msiexec -# ID 854: Added URL to process: [x-windowsupdate://] / [file path] ... / MITRE TTP T1218.007 - System Binary Proxy Execution: Msiexec - -[WinEventLog://Microsoft-Windows-AppXDeployment/Operational] -disabled = 0 -whitelist1 = 327 -# ID 327: The following [packages] will be installed. The following ones will be deleted [package] / MITRE TTP T1218.007 - System Binary Proxy Execution: Msiexec - -[WinEventLog://Key Management Service] -disabled = 1 - -# ------------------------ -# 31 - System security -# ------------------------ - -[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL] -disabled = 0 -whitelist = 8002,8003,8004 -# ID 8002: [path] was allowed to run / MITRE TTP M1038 - Execution Prevention -# ID 8003: [path] was prevented from running / MITRE TTP M1038 - Execution Prevention -# ID 8004: [path] was not allowed to run. 
/ MITRE TTP M1038 - Execution Prevention - -[WinEventLog://Microsoft-Windows-AppLocker/MSI and Script] -disabled = 0 -whitelist = 8005,8006,8007 -# ID 8005: [path] was allowed to run / MITRE TTP M1038 - Execution Prevention -# ID 8006: [path] was prevented from running / MITRE TTP M1038 - Execution Prevention -# ID 8007: [path] was not allowed to run. / MITRE TTP M1038 - Execution Prevention - -[WinEventLog://Microsoft-Windows-CAPI2/Operational] -disabled = 0 -whitelist = 11,30,70,81 -# !!! EVENT LOG FILE DISABLED PER DEFAULT !!! -# ID 11: Certificate build chain / MITRE TTP T1553.004 - Subvert Trust Controls: Install Root Certificate -# ID 30: Verify certificate chain policy / MITRE TTP T1553.004 - Subvert Trust Controls: Install Root Certificate -# ID 70: Acquire certificate private key / MITRE TTP T1552.004 - Unsecured Credentials-Private Keys -# ID 81: Verify certificate trust / MITRE TTP T1553.004 - Subvert Trust Controls: Install Root Certificate - -[WinEventLog://Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational] -disabled = 0 -whitelist = 1001,1006,1007 -# ID 1001: A certificate has been updated -# ID 1006: A new certificate has been installed. / MITRE TTP T1553.004 - Subvert Trust Controls: Install Root Certificate -# ID 1007: A certificate has been exported / MITRE TTP T1552.004 - Unsecured Credentials-Private Keys - -[WinEventLog://Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational] -disabled = 0 -whitelist = 1001,1006,1007 -# ID 1001: A certificate has been updated -# ID 1006: A new certificate has been installed. 
/ MITRE TTP T1553.004 - Subvert Trust Controls: Install Root Certificate -# ID 1007: A certificate has been exported / MITRE TTP T1552.004 - Unsecured Credentials-Private Keys - -[WinEventLog://Microsoft-Windows-CodeIntegrity/Operational] -disabled = 0 -whitelist = 3001,3002,3003,3004,3033,3063,3065,3066,3077 -# ID 3001: Unsigned drivers loaded on the system / MITRE TTP T1036.001 - Masquerading: Invalid Code Signature -# ID 3002: Code Integrity is unable to verify the image integrity of the [FILE] because the set of per-page image hashes could not be found / MITRE TTP T1036.001 - Masquerading: Invalid Code Signature -# ID 3003: Unable to verify the image integrity of the [file] because the set of per-page image hashes could not be found on the system. The image is allowed to load because kernel mode debugger is attached / MITRE TTP T1036.001 - Masquerading: Invalid Code Signature -# ID 3004: Windows is unable to verify the image integrity of the [file] because file hash could not be found on the system. 
/ MITRE TTP T1036.001 - Masquerading: Invalid Code Signature -# ID 3033: Code Integrity determined that [process] attempted to load [FILE] that did not meet the signing level requirements / MITRE TTP T1036.001 - Masquerading: Invalid Code Signature -# ID 3063: Code Integrity determined that [process] attempted to load [FILE] that did not meet the signing level requirements / MITRE TTP T1036.001 - Masquerading: Invalid Code Signature -# ID 3065: Code Integrity determined that [process] attempted to load [FILE] that did not meet the signing level requirements / MITRE TTP T1036.001 - Masquerading: Invalid Code Signature -# ID 3066: Code Integrity determined that [process] attempted to load [FILE] that did not meet the signing level requirements / MITRE TTP T1036.001 - Masquerading: Invalid Code Signature -# ID 3077: Code Integrity determined that [process] attempted to load [FILE] that did not meet the signing level requirements / MITRE TTP T1036.001 - Masquerading: Invalid Code Signature - -[WinEventLog://Microsoft-Windows-Windows Defender/Operational] -disabled = 0 -whitelist = 1013,1014,1116,1117,1118,1119,1121,1122,3002,3007,5000,5001,5004,5007,5008 -# ID 1013: Malware history deletion / MITRE TTP T1070.003 - Indicator Removal on Host: Clear Command History -# ID 1014: Malware history deletion failure / MITRE TTP T1070.003 - Indicator Removal on Host: Clear Command History -# ID 1116: Threat detected (no action taken yet) -# ID 1117: Threat detected (action taken with success) -# ID 1118: Threat detected (action taken failed) -# ID 1119: Threat detected (action taken critically failed) -# ID 1121: Defender Exploit Guard has blocked an operation that is not allowed in your IT / MITRE TTP T1055 - Process injection -# ID 1122: Defender Exploit Guard audited an operation that is not allowed in your IT / MITRE TTP T1055 - Process injection -# ID 3002: Real time protection has encountered an error and failed / MITRE TTP T1562.001 - Impair Defenses: Disable or Modify 
Tools -# ID 3007: Real time protection recovered -# ID 5000: Real time protection enabled -# ID 5001: Real time protection disabled / MITRE TTP T1562.001 - Impair Defenses: Disable or Modify Tools -# ID 5004: Real time protection feature configured -# ID 5007: Configuration changed (reports exclusions) / MITRE TTP T1562.001 - Impair Defenses: Disable or Modify Tools -# ID 5008: Malware engine failure / MITRE TTP T1562.001 - Impair Defenses: Disable or Modify Tools - -[WinEventLog://Microsoft-Windows-BitLocker/BitLocker Management] -disabled = 0 -whitelist = 768, 775, 793, 796, 817, 840, -# ID 768: BitLocker encryption was started for volume C: using XTS-AES 128 algorithm. / MITRE TTP T1486 - Data Encrypted for Impact -# ID 775: A BitLocker key protector was created. -# ID 793: BitLocker resealed boot settings to the TPM for volume C: -# ID 796: BitLocker Drive Encryption is using software-based encryption to protect volume C:. / MITRE TTP T1486 - Data Encrypted for Impact -# ID 817: BitLocker successfully sealed a key to the TPM. -# ID 840: A trusted WIM file has been added for volume C: - -[WinEventLog://Microsoft-Windows-Security-Mitigations/KernelMode] -disabled = 0 -whitelist = 3,10,12 -# ID 3: Process [PROCESS] would have been blocked from creating a child process [CHILD PROCESS] with command line [COMMAND]. / MITRE TTP T1553.003 - Subvert Trust Controls: Code Signing -# ID 10: Process [PROCESS] was blocked from making system calls to [DRIVER]. / MITRE TTP T1553.002 - Subvert Trust Controls: Code Signing -# ID 12: [process] was blocked from loading non Microsoft binary [DLL] / MITRE TTP T1553.002 - Subvert Trust Controls: Code Signing - -[WinEventLog://Microsoft-Windows-Security-Mitigations/UserMode] -disabled = 0 -# Everything - -[WinEventLog://Microsoft-Windows-Crypto-NCrypt/Operational] -disabled = 1 -# !!! EVENT LOG FILE DISABLED PER DEFAULT !!! 
- -[WinEventLog://Microsoft-Windows-LAPS/Operational] -disabled = 0 -# 10005: LAPS policy processing failed with the error code below. Error code: 80070032 -# 10031: LAPS blocked an external request that tried to modify the password of the current managed account. -# 10043: LAPS failed to reset the password for the currently managed account. The password is considered expired due to an authentication event. LAPS will continue retrying the password reset operation until it succeeds. - - -# --------------------------------- -# 32-Image and external device -# --------------------------------- - -[WinEventLog://Microsoft-Windows-Kernel-PnP/Configuration] -disabled = 0 -whitelist = 400,401,410 -# ID 400: Device [path] was configured / MITRE TTP T1091 - Replication Through Removable Media -# ID 401: Device [path] failed to be configured / MITRE TTP T1091 - Replication Through Removable Media -# ID 410: Device [path] was initiated / MITRE TTP T1091 - Replication Through Removable Media - -[WinEventLog://Microsoft-Windows-DriverFrameworks-UserMode/Operational] -disabled = 0 -whitelist = 1003,1008 -# !!! EVENT LOG FILE DISABLED PER DEFAULT !!! 
-# ID 1003: USB media connected / MITRE TTP T1091 - Replication Through Removable Media -# ID 1008: USB media disconnected / MITRE TTP T1091 - Replication Through Removable Media - -[WinEventLog://Microsoft-Windows-VHDMP-Operational] -disabled = 0 -whitelist = 1,2,12 -# ID 1: ISO/VHD file online / MITRE TTP T1553.055 - Subvert Trust Controls: Mark-of-the-Web Bypass -# ID 2: ISO/VHD file mounted / MITRE TTP T1553.055 - Subvert Trust Controls: Mark-of-the-Web Bypass -# ID 12: Handle for virtual disk [*.iso] created successfully / MITRE TTP T1553.055 - Subvert Trust Controls: Mark-of-the-Web Bypass - -[WinEventLog://Microsoft-Windows-Partition/Diagnostic] -disabled = 0 -whitelist = 1006 -# ID 1006: Disk/device informations / MITRE TTP T1091 - Replication Through Removable Media - - -# ---------------------------- -# 10.1 - Network (generic) -# ---------------------------- - -[WinEventLog://Microsoft-Windows-Windows Firewall With Advanced Security/Firewall] -disabled = 0 -whitelist = 2002,2003,2004,2005,2006 -# ID 2002: Settings changed in profile X / MITRE TTP T1562.004 - Impair Defenses: Disable or Modify System Firewall -# ID 2003: Settings changed in profile X / MITRE TTP T1562.004 - Impair Defenses: Disable or Modify System Firewall -# ID 2004: Rule created / MITRE TTP T1562.004 - Impair Defenses: Disable or Modify System Firewall -# ID 2005: Rule modified / MITRE TTP T1562.004 - Impair Defenses: Disable or Modify System Firewall -# ID 2006: Rule deleted / MITRE TTP T1562.004 - Impair Defenses: Disable or Modify System Firewall - -[WinEventLog://Microsoft-Windows-WinINet-Config/ProxyConfigChanged] -disabled = 0 -whitelist = 5600 -# ID 5600: Proxy configuration obtained [Proxy URL] / MITRE TTP T1090 - Proxy - -[WinEventLog://Microsoft-Windows-Winsock-WS2HELP/Operational] -disabled = 0 -whitelist = 1,2,3,4 -# ID 1: Protocol entry added to Winsock catalog / MITRE TTP T1106 - Native API -# ID 2: Protocol entry removed from Winsock catalog / MITRE TTP T1106 - Native 
API
-# ID 3: Protocol entry disabled from Winsock catalog / MITRE TTP T1106 - Native API
-# ID 4: Winsock catalog was reseted / MITRE TTP T1106 - Native API
-
-[WinEventLog://Microsoft-Windows-Wired-AutoConfig/Operational]
-disabled = 0
-whitelist = 15510
-# ID 15510: A network adapter was added to the system / MITRE TTP T1200 - Hardware additions
-
-[WinEventLog://Microsoft-Windows-Bits-Client/Operational]
-disabled = 0
-whitelist = 3,4,59,60
-# ID 3: BITS created a task / MITRE TTP T119 - BITS job
-# ID 4: BITS transfer completed / MITRE TTP T119 - BITS job
-# ID 59: BITS transfer job started with URL [URL] / MITRE TTP T119 - BITS job
-# ID 60: BITS transfer job stopped with URL [URL] / MITRE TTP T119 - BITS job
-
-[WinEventLog://Microsoft-Windows-NetworkProfile/Operational]
-disabled = 0
-whitelist = 10000
-# ID 10000: Network connected to domain [domain]
-
-
-# ----------------------------
-# 10.2 - Network (SMB)
-# ----------------------------
-
-[WinEventLog://Microsoft-Windows-SMBServer/Operational]
-disabled = 1
-whitelist = 1001
-# ID 1001: Client attempt to use SMBv1 / MITRE TTP T1562.010 - Impair Defenses: Downgrade Attack
-# Prefer ID 3000, but requires manual activation via PowerShell
-
-[WinEventLog://Microsoft-Windows-SMBServer/Audit]
-disabled = 1
-whitelist = 3000
-# ID 3000: Client attempt to use SMBv1 (PowerShell command) / MITRE TTP T1562.010 - Impair Defenses: Downgrade Attack
-# Requires manual activation via PowerShell: https://woshub.com/how-to-disable-smb-1-0-in-windows-10-server-2016/
-
-[WinEventLog://Microsoft-Windows-SMBClient/Security]
-disabled = 0
-whitelist = 31010,31017,31018,32000
-# ID 31010: A process has requested access to an object, but has not been granted those access rights. / MITRE TTP T1078 - Valid Accounts
-# ID 31017: Rejected an insecure guest logon. / MITRE TTP T1078.001 - Valid Accounts: Default Accounts
-# ID 31018: This event indicates that an administrator has enabled insecure guest. The AllowInsecureGuestAuth registry value is not configured with default settings. / MITRE TTP T1562.010 - Impair Defenses: Downgrade Attack
-# ID 32000: SMB1 negotiate response received from a remote device when SMB1 cannot be negotiated by the local computer. / MITRE TTP T1562.010 - Impair Defenses: Downgrade Attack
-
-[WinEventLog://Microsoft-Windows-SMBClient/Operational]
-disabled = 1
-whitelist = 30622, 30624
-# ID 30622: Unknown description or description not found
-# ID 30624: Unknown description or description not found
-
-[WinEventLog://Microsoft-Windows-SmbClient/Connectivity]
-disabled = 0
-whitelist = 30803
-# ID 30803: Failed to establish a network connection / MITRE TTP T1021.002 - SMB/Windows Admin Shares (CVE-2023-23397)
-
-
-# -----------------------
-# 100 - SYSMON
-# -----------------------
-
-[WinEventLog://Microsoft-Windows-Sysmon/Operational]
-disabled = 0
-
-
-# -------------------------
-# 22 - Task & Service
-# -------------------------
-
-[WinEventLog://Microsoft-Windows-TaskScheduler/Operational]
-disabled = 0
-whitelist = 106, 110, 141
-# ID 106: Task creation (lacking of info) / MITRE TTP T1053.005 - Schedule task
-# ID 110: Task execution / MITRE TTP T1053.005 - Schedule task
-# ID 141: Task deletion
-
-
-# -------------------------
-# 20 - System activity
-# -------------------------
-
-[WinEventLog://Microsoft-Windows-WMI-Activity/Operational]
-disabled = 0
-whitelist = 5861
-# ID 5860: ---- NOT COLLECTED ---- Registration of Temporary Event Consumer / MITRE TTP T1546.003 - Event Triggered Execution: WMI Event Subscription
-# ID 5861: Registration of Permanent Event Consumer / MITRE TTP T1546.003 - Event Triggered Execution: WMI Event Subscription
-
-[WinEventLog://Microsoft-Windows-Forwarding/Operational]
-disabled = 0
-# Channel is feeded only if event forwarding is in place
-
-[WinEventLog://Microsoft-Windows-EventCollector/Operational]
-disabled = 0
-# Channel is feeded only if the server is acting as an event collector
-
-[WinEventLog://Microsoft-Windows-GroupPolicy/Operational]
-disabled = 1
-
-
-# -----------------------
-# 70 - IIS webserver
-# -----------------------
-
-[WinEventLog://Microsoft-IIS-Configuration/Operational]
-# !!! EVENT LOG FILE DISABLED PER DEFAULT !!!
-disabled = 0
-whitelist = 29, 50
-# ID 29: Changes to [xxx] have successfully been committed (module) / MITRE TTP T1505.004 - Server Software Component: IIS Components
-# ID 50: Changes to [xxx] have successfully been committed (Webconfig) / MITRE TTP T1505.004 - Server Software Component: IIS Components
-
-
-[WinEventLog://Microsoft-IIS-Configuration/Administrative]
-disabled = 0
-# !!! EVENT LOG FILE DISABLED PER DEFAULT !!!
-
-
-# -----------------------
-# 75 - ADFS Server
-# -----------------------
-
-[WinEventLog://AD FS/Admin]
-disabled = 1
-
-[WinEventLog://DRS/Admin]
-disabled = 1
-
-
-# -----------------------
-# 76 - DHCP Server
-# -----------------------
-
-[WinEventLog://DhcpAdminEvents]
-disabled = 0
-# Visible as Microsoft-Windows-DHCP Server Events/Admin in Event logs
-
-[WinEventLog://Microsoft-Windows-Dhcp-Server/Operational]
-disabled = 0
-
-[WinEventLog://Microsoft-Windows-DhcpNap/Operational]
-disabled = 1
-
-# -----------------------
-# 77 - Microsoft Advanced Threat Analytics (ATA) - Replace by Defender for Identity / MDI
-# -----------------------
-
-[WinEventLog://Microsoft ATA]
-disabled = 0
-
-
-# -------------------------------------------------------------------------------
-# 78-Remote Access Services (RAS) / Direct Access / Always On VPN (AOVPN)
-# -------------------------------------------------------------------------------
-
-[WinEventLog://Microsoft-Windows-Base-Filtering-Engine-Connections/Operational]
-disabled = 0
-# !!! EVENT LOG FILE DISABLED PER DEFAULT !!!
-whitelist = 2000
-# ID 2000: New connection (source and destination IP, start/end time), no user information
-# ID 2001: New connection (source and destination IP, start/end time, bytes transfered), no user information
-# ID 2002: Machine session flow
-
-[WinEventLog://Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational]
-disabled = 1
-# !!! EVENT LOG FILE DISABLED PER DEFAULT !!!
-
-[WinEventLog://Microsoft-Windows-Iphlpsvc/Operational]
-disabled = 0
-whitelist = 1
-# ID 1: IPHTTPS Connection established
-# ID 6: IPHTTPS Connection disassociated - excluded
-
-[WinEventLog://Microsoft-Windows-WinNat/Oper]
-disabled = 0
-whitelist = 3
-# !!! EVENT LOG FILE DISABLED PER DEFAULT !!!
-# 'Oper' is really truncated on the channel name
-# ID 3: Internal resource accessed
-# ID 4: Resource connection closed - excluded
-
-
-# -------------------------------------
-# 80 - Virtualization / Containers
-# -------------------------------------
-
-[WinEventLog://Microsoft-Windows-Containers-Wcifs/Operational]
-disabled = 1
-
-[WinEventLog://Microsoft-Windows-Containers-Wnifs/Operational]
-disabled = 1
-
-[WinEventLog://Microsoft-Windows-Hyper-V-VMMS-Admin]
-disabled = 0
-whitelist = 13002, 18303, 18304, 13003, 20927
-# ID 13002: Created VM (Successfully Created) / MITRE TTP T1497 - Virtualization/Sandbox Evasion
-# ID 13003: Deleted VM / MITRE TTP T1485 - Data destruction
-# ID 18303: Exporting VM
-# ID 18304: Created VM (Creation started) / MITRE TTP T1497 - Virtualization/Sandbox Evasion
-# ID 20927: Moved VM’s Storage Location
-
-[WinEventLog://Microsoft-Windows-Hyper-V-Worker-Admin]
-disabled = 0
-whitelist = 12148, 18500, 18510, 18596, 18516, 18518, 18502, 18512, 18514, 18504, 18508
-# ID 12148: Started VM
-# ID 18500: Started VM
-# ID 18510: Saved VM
-# ID 18596: Restoring VM
-# ID 18516: Pause VM
-# ID 18518: Resume VM
-# ID 18502: Turn Off VM / MITRE TTP T1529 - System Shutdown/Reboot
-# ID 18512: Reset VM (Using Hyper-V Manager)
-# ID 18514: Reset VM (Using Guest Operating System)
-# ID 18504: Shut Down VM (Using The Shutdown Integration Component) / MITRE TTP T1529 - System Shutdown/Reboot
-# ID 18508: Shut Down VM (Using Guest Operating System) / MITRE TTP T1529 - System Shutdown/Reboot
-
-
-# -------------------------------------
-# 80 - Forwarded events
-# -------------------------------------
-
-[WinEventLog://ForwardedEvents]
-disabled = 0
\ No newline at end of file