Access Control Policy |
- Enter an associated value
|
Action |
Select from the following pre-defined values:
- Add Attribute
- Add Object
- Delete Attribute
- Delete Object
- Modify Attribute
- Move Object
- Other Actions
- Rename Object
|
Activity |
- Enter an associated value
|
Activity Category |
- Active Directory Federation Services - Server Farm
- Active Directory Federation Services - Claims Provider Trusts
- Active Directory Federation Services - Authentication Methods
- Active Directory Federation Services - Relying Party Trusts
- Active Directory Federation Services - Endpoints
- AD Query
- Alert Plan
- Alert Rule
- Anonymous Cloud Activity
- Anonymous Web Site Activity
- Audit Configuration
- Authentication Activity
- Authentication Services Monitoring
- Azure Active Directory
- Azure Active Directory - Administrative Units
- Azure Active Directory - Application
- Azure Active Directory - B2B
- Azure Active Directory - Directory
- Azure Active Directory - Group
- Azure Active Directory - Policy
- Azure Active Directory - Resource
- Azure Active Directory - Risk Event
- Azure Active Directory - Role
- Azure Active Directory - Sign-in
- Azure Active Directory - User
- Category
- Change Auditor Internal Auditing
- Computer Monitoring
- Configuration Monitoring
- Connection Object
- Custom AD Object Monitoring
- Custom ADAM Object Monitoring
- Custom Computer Monitoring
- Custom File System Monitoring
- Custom Group Monitoring
- Custom Registry Monitoring
- Custom User Monitoring
- Defender
- Detected Anomaly
- Detected Anomaly Item
- Detected TTP
- Detected TTP Item
- DNS Service
- DNS Zone
- Domain Configuration
- Domain Controller Authentication
- Dynamic Access Control
- EMC
- Exchange ActiveSync Monitoring
- Exchange Administrative Group
- Exchange Distribution List
- Exchange Mailbox Monitoring
- Exchange Organization
- Exchange Permission Tracking
- Exchange Security Group
- Exchange User
- Fault Tolerance
- File System Access Denied
- File System Configuration Change
- File System Content Change
- File System Content Access
- File System Security Change
- FluidFS
- Forest Configuration
- FRS Service
- Full Text Event
- Group Policy Item
- Group Policy Object
- Group Monitoring
- Hygiene
- Hygiene Item
- IP Security
- Link Configuration
- Local Group Monitoring
- Local User Monitoring
- Logon Session
- NetApp
- NETLOGON Service
- None
- Notification Template
- NTDS Service
- Office 365 Exchange Online Administration
- Office 365 SharePoint Online
- Office 365 OneDrive for Business
- Office 365 Exchange Online Mailbox
- OU
- Replication Transport
- Schema Configuration
- Search
- Security Change Detail
- Session Event
- Service Monitoring
- SharePoint Document
- SharePoint Document Library
- SharePoint Farm
- SharePoint Folder
- SharePoint List
- SharePoint List Item
- SharePoint Permission
- SharePoint Security Group
- SharePoint Site
- SharePoint Site Collection
- Site Configuration
- Site Link Bridge Configuration
- Site Link Configuration
- Skype for Business Administration
- Skype for Business Configuration
- SQL Broker Event
- SQL CLR Event
- SQL Cursors Event
- SQL Data Level
- SQL Database Event
- SQL Deprecation Event
- SQL Errors and Warnings Event
- SQL Full Text Event
- Scan Event
- SQL Locks Event
- SQL Objects Event
- SQL OLEDB Event
- SQL Performance Event
- SQL Progress Report Event
- SQL Query Notifications Event
- SQL Scan Event
- SQL Security Audit Event
- SQL Server Event
- SQL Session Event
- SQL Stored Procedures Event
- SQL Transaction Event
- SQL TSQL Event
- SQL User-Configurable Event
- Subnets
- System Events
- SYSVOL
- Threat Detection - Alert
- Threat Detection - Risky User
- TO
- TO Item
- Transactions Event
- User Cloud Activity
- User Web Site Activity
- VMware Account
- VMware Alarm
- VMware Authorization
- VMware Cluster
- VMware Custom Field
- VMware Datacenter
- VMware Datastore
- VMware DVPortgroup
- VMware Dvs
- VMware Generic
- VMware Host
- VMware License
- VMware Profile
- VMware Resource Pool
- VMware Scheduled Task
- VMware Session
- VMware Task
- VMware Template Upgrade
- VMware Upgrade
- VMware Virtual Machine |
Activity Id |
- Enter an associated value
|
Activity Time |
|
Actor Id |
- Enter an associated value
|
Actor Name |
- Enter an associated value
|
Actor Object Id |
- Enter an associated value
|
Actor PUID |
- Enter an associated value
|
Actor Service Principle Name |
- Enter an associated value
|
Actor User Principal Name |
- Enter an associated value
|
AD Authorization Port |
- Enter an associated value
|
AD Kerberos |
- Enter an associated value
|
AD Security Change Applies To |
- Enter an associated value
|
AD Security Change Condition |
- Enter an associated value
|
AD Security Change Permission |
- Enter an associated value
|
AD Security Change Type |
- Enter an associated value
|
AD Simple Bind |
- Enter an associated value
|
AD SSL/TLS |
- Enter an associated value
|
Additional Details |
- Enter an associated value
|
Additional Info |
- Enter an associated value
|
Add-on Guid |
- Enter an associated value
|
Add-on Name |
- Enter an associated value
|
Add-on Type |
Select from the following pre-defined values:
|
Affected Items |
- Enter an associated value
|
Agent Domain Fully Qualified Domain Name |
- Enter an associated value
|
Agent Forest Name |
- Enter an associated value
|
Agent Fully Qualified Domain Name |
- Enter an associated value
|
Agent Id |
- Enter an associated value
|
Agent OS Version |
- Enter an associated value
|
Agent Site Name |
- Enter an associated value
|
Alert Recipient |
- Enter an associated value
|
Alert Recipients |
- Enter an associated value
|
Alert Rule Name |
- Enter an associated value
|
Alert Rule Type |
Select from the following pre-defined values:
- Shared Alert Rule
- Private Alert Rule
|
Application Id |
- Enter an associated value
|
Application Name |
- Enter an associated value
|
Attribute Name |
- Enter an associated value
|
Atypical Location |
Select from the following pre-defined values:
|
Audit Item |
- Enter an associated value
|
Audit Source |
- Enter an associated value
|
Authentication Method |
- Enter an associated value
|
Authentication Protocol |
Select from the following pre-defined values:
|
Authentication Protocol Version |
Select from the following pre-defined values:
|
Auto Update From Federation Metadata |
Select from the following pre-defined values:
|
Azure AD Activity Operation Type |
- Enter an associated value
|
Azure AD Activity Type |
- Enter an associated value
|
Azure AD Category |
- Enter an associated value
|
Azure AD Result Description |
- Enter an associated value
|
Browser Authentication URL |
- Enter an associated value
|
Category Name |
- Enter an associated value
|
Category Type |
Select from the following pre-defined values:
- Shared Category
- Private Category
|
Channel Name |
- Enter an associated value
|
Channel Guid |
- Enter an associated value
|
Channel Type |
Select from the following pre-defined values:
|
Change Auditor Event Class ID |
- Enter an associated value
|
Change Auditor Event Class Name |
- Enter an associated value
|
Change Auditor Facility ID |
- Enter an associated value
|
Change Auditor Facility Name |
- Enter an associated value
|
City |
- Enter an associated value
|
Claims Provider Trust Name |
- Enter an associated value
|
Client Info String |
- Enter an associated value
|
Client IP Address |
- Enter an associated value
|
Client Machine Name |
- Enter an associated value
|
Client Process Name |
- Enter an associated value
|
Client Version |
- Enter an associated value
|
Cmdlet Name |
- Enter an associated value
|
Comment |
- Enter an associated value
|
Correlated Activity |
Select from the following pre-defined values:
|
Coordinator Id |
- Enter an associated value
|
Correlation Id |
- Enter an associated value
|
Country |
- Enter an associated value
|
Creator |
- Enter an associated value
|
Cross-Mailbox Operations |
- Enter an associated value
|
Custom Event |
- Enter an associated value
|
Destination File Extension |
- Enter an associated value
|
Destination FileName |
- Enter an associated value
|
Destination Folder |
- Enter an associated value
|
Destination MailboxId Id |
- Enter an associated value
|
Destination MailboxId Owner Master Account Sid |
- Enter an associated value
|
Destination MailboxId Owner Sid |
- Enter an associated value
|
Destination MailboxId Owner UPN |
- Enter an associated value
|
Destination relative URL |
- Enter an associated value
|
Detection Timing |
Select from the following pre-defined values:
- Near Realtime
- Not Defined
- Offline
- Realtime
|
Device Information |
- Enter an associated value
|
Distribution Group Name |
- Enter an associated value
|
Domain Name |
- Enter an associated value
|
Enabled |
Select from the following pre-defined values:
|
Error Code |
- Enter an associated value
|
Event Data |
- Enter an associated value
|
Event Id |
- Enter an associated value
|
Event Source |
- Enter an associated value
|
Event Source Application |
- Enter an associated value
|
Event Version |
- Enter an associated value
|
External Access |
- Enter an associated value
|
Failure Reason |
- Enter an associated value
|
File System Attribute |
|
File System Category |
|
File System Logon Id |
|
File System Object Type |
|
File System Security Change Applies To |
|
File System Security Change Condition |
|
File System Security Change Permission |
|
File System Security Change Type |
|
File System Shadow Copy |
|
File System Share Name |
|
File System SID |
|
First Discovered |
|
Folder |
- Enter an associated value
|
Folder Path |
|
Has file system security change condition |
Select from the following pre-defined values:
|
Has no from value |
Select from the following pre-defined values:
|
Identifiers |
- Enter an associated value
|
Indicator |
|
Initiator User Mail |
- Enter an associated value
|
Initiator User Name |
- Enter an associated value
|
Initiator User SID |
- Enter an associated value
|
Installation Id |
- Enter an associated value
|
Installation Name |
- Enter an associated value
|
Internal Correlation Id |
- Enter an associated value
|
Is Initial Scan |
Select from the following pre-defined values:
|
Is Linked Group Policy Change |
Select from the following pre-defined values:
|
Item type |
- Enter an associated value
|
Kerberos Ticket Lifetime (Hours) |
- Enter an associated value
|
Latest Activity Time |
- Enter the required time frame
|
Latest Event Time Detected |
- Enter the required time frame
|
Logon Begin Type |
Select from the following pre-defined values:
- Additional logon
- Concurrent user disconnected
- Existing logon
- Lock
- Logoff
- Logon
- None
- Remote logoff
- Remote logon
- Screensaver turned off
- Screensaver turned on
- Shutdown
- Unlock
|
Logon Duration |
- Enter an associated value
|
Logon End |
|
Logon End Type |
Select from the following pre-defined values:
- Additional logon
- Concurrent user disconnected
- Existing logon
- Lock
- Logoff
- Logon
- None
- Remote logoff
- Remote logon
- Screensaver turned off
- Screensaver turned on
- Shutdown
- Unlock
|
Logon Session End |
|
Logon Session Start |
|
Logon Start |
|
Logon Type (Exchange Online) |
Select from the following pre-defined values:
- Admin
- Best Access
- Delegated
- Delegated Admin
- Owner
- System Service
- Transport
- Unknown
|
Logon Type (Windows) |
Select from the following pre-defined values:
- None
- Remote Interactive
- Domain Authentication
- User Session
- Interactive
- Network
- All
|
Logon User Display Name |
- Enter an associated value
|
Logon User Sid |
- Enter an associated value
|
Machine Domain Info |
- Enter an associated value
|
Machine Id |
- Enter an associated value
|
Mailbox Guid |
- Enter an associated value
|
Mailbox Name |
- Enter an associated value
|
Mailbox Owner Master Account Sid |
- Enter an associated value
|
Mailbox Owner Sid |
- Enter an associated value
|
Mailbox Owner UPN |
- Enter an associated value
|
Malware Name |
- Enter an associated value
|
Max Behavior Level |
- Enter an associated value
|
MFA Authentication Detail |
- Enter an associated value
|
MFA Authentication Method |
- Enter an associated value
|
MFA Required |
Select from the following pre-defined values:
|
MFA Result |
- Enter an associated value
|
Modified Object |
- Enter an associated value
|
Modified Properties |
- Enter an associated value
|
Monitor Federation Metadata |
Select from the following pre-defined values:
|
Notification Template Name |
- Enter an associated value
|
Notification Template Type |
Select from the following pre-defined values:
- Shared Notification Template
- Private Notification Template
|
NTLM Impersonation Level |
Select from the following pre-defined values:
- Default
- Anonymous
- Identify
- Impersonate
- Delegate
|
NTLM Key Length |
- Enter an associated value
|
Object Id |
- Enter an associated value
|
Office365 Organization Id |
- Enter an associated value
|
Organization Name |
- Enter an associated value
|
Origin AD Site Name |
- Enter an associated value
|
Origin IP Address |
- Enter an associated value
|
Origin IPv4 Address |
- Enter an associated value
|
Origin IPv6 Address |
- Enter an associated value
|
Origin Name |
- Enter an associated value
|
Originating Server |
- Enter an associated value
|
Parameters |
- Enter an associated value
|
Parent Event Id |
- Enter an associated value
|
Policy Setting |
- Access Credential Manager as a trusted caller
- Access This Computer From The Network
- Account Lockout Duration
- Account Lockout Threshold
- Account Logon: Audit Credential Validation
- Account Logon: Audit Kerberos Authentication Service
- Account Logon: Audit Kerberos Service Ticket Operations
- Account Logon: Audit Other Account Logon Events
- Account Management: Audit Application Group Management
- Account Management: Audit Computer Account Management
- Account Management: Audit Distribution Group Management
- Account Management: Audit Other Account Management Events
- Account Management: Audit Security Group Management
- Account Management: Audit User Account Management
- Accounts: Administrator Account Status
- Accounts: Guest Account Status
- Accounts: Limit Local Account Use Of Blank Passwords To Console Logon Only
- Accounts: Rename Administrator Account
- Accounts: Rename Guest Account
- Act As Part Of The Operating System
- Add Workstations To Domain
- Adjust Memory Quotas For A Process
- Allow Log On Locally
- Allow Log On Through Terminal Services
- Application Data Folder options
- Application Data Folder target path
- Audit Account Logon Events
- Audit Account Management
- Audit Directory Service Access
- Audit Logon Events
- Audit Object Access
- Audit Policy Change
- Audit Privilege Use
- Audit Process Tracking
- Audit System Events
- Audit: Audit The Access Of Global System Objects
- Audit: Audit The Use Of Backup And Restore Privilege
- Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
- Audit: Shut Down System Immediately If Unable To Log Security Audits
- Authenticode Settings Enable Trusted Publisher Lockdown option
- Autoenrollment Settings
- Automatic Browser Configuration Auto-config URL
- Automatic Browser Configuration Automatic Configuration option
- Automatic Browser Configuration Automatic Configuration Time
- Automatic Browser Configuration Automatic detection option
- Automatic Browser Configuration Auto-proxy URL
- Automatic Certificate Request Settings
- Back Up Files And Directories
- Basic User Hash Rule
- Basic User Zone Rule
- BitLocker Drive Encryption
- Browser Title
- Bypass Traverse Checking
- Central Access Policy
- Change The System Time
- Change the time zone
- Computer Configuration Administrative Template
- Computer Preference Setting
- Connection Settings Delete Existing Option
- Connection Settings Import Option
- Contacts Folder target path
- Content Ratings option
- Create A Pagefile
- Create A Token Object
- Create Global Objects
- Create Permanent Shared Objects
- Create symbolic links
- Custom Large Static Logo
- Custom Small Animated Logo
- Custom Small Static Logo
- Debug Programs
- Default Security Level
- Delete Existing Channels option
- Delete Existing Favorites option
- Deny Access To This Computer From The Network
- Deny Log On As A Batch Job
- Deny Log On As A Service
- Deny Log On Locally
- Deny Log On Through Terminal Services / Remote Desktop Services
- Designated File Types
- Desktop Folder options
- Desktop Folder target path
- Detailed Tracking: Audit DPAPI Activity
- Detailed Tracking: Audit Process Creation
- Detailed Tracking: Audit Process Termination
- Detailed Tracking: Audit RPC Events
- Devices: Allow Undock Without Having To Logon
- Devices: Allowed To Format And Eject Removable Media
- Devices: Prevent Users From Installing Printer Drivers
- Devices: Restrict CD-ROM Access To Locally Logged-On User Only
- Devices: Restrict Floppy Access To Locally Logged-On User Only
- Devices: Unsigned Driver Installation Behavior
- Disallowed Certificate Rule
- Disallowed Hash Rule
- Disallowed Path Rule
- Disallowed Zone Rule
- Domain Controller: Allow Server Operators To Schedule
- Domain Controller: LDAP Server Signing Requirements
- Domain Controller: Refuse Machine Account Password C
- Domain Member: Digitally Encrypt Or Sign Secure Channel Data (Always)
- Domain Member: Digitally Encrypt Secure Channel Data (When Possible)
- Domain Member: Digitally Sign Secure Channel Data (When Possible)
- Domain Member: Disable Machine Account Password Changes
- Domain Member: Maximum Machine Account Password Age
- Domain Member: Require Strong (Windows 2000 Or Later) Session Key
- Downloads Folder options
- Downloads Folder target path
- DS Access: Audit Detailed Directory Service Replication
- DS Access: Audit Directory Service Access
- DS Access: Audit Directory Service Changes
- DS Access: Audit Directory Service Replication
- Enable Computer And User Accounts To Be Trusted For Delegation
- Encrypting File System
- Enforce Password History
- Enforce User Logon Restrictions
- Enforcement Files
- Enforcement Users
- Enterprise Trust
- Favorites List
- Favorites options
- Favorites target path
- File or Folder
- Force Shutdown From A Remote System
- Generate Security Audits
- Global Object Access Auditing: File system
- Global Object Access Auditing: Registry
- Group Policy Container Access
- Group policy disable computer configuration flag
- Group policy disable user configuration flag
- Group policy WMI Filter
- Impersonate A Client After Authentication
- Important URLs Home Page URL
- Important URLs Online Support URL
- Important URLs Search Bar URL
- Increase a process working set
- Increase Scheduling Priority
- Interactive Logon: Display user information when the session is locked
- Interactive Logon: Do Not Display Last User Name
- Interactive Logon: Do Not Require CTRL+ALT+DEL
- Interactive Logon: Message Text For Users Attempting To Log On
- Interactive Logon: Message Title For Users Attempting To Log On
- Interactive Logon: Number Of Previous Logons To Cache (In Case Domain Controller Is Not Available)
- Interactive Logon: Prompt User To Change Password Before Expiration
- Interactive Logon: Require Domain Controller Authentication To Unlock Workstation
- Interactive Logon: Require Smart Card
- Interactive Logon: Smart Card Removal Behavior
- Intermediate Certificate Authorities
- IP Security Policy
- Links Folder options
- Links Folder target path
- Links List
- Load And Unload Device Drivers
- Lock Pages In Memory
- Log On As A Batch Job
- Log On As A Service
- Logon/Logoff: Audit Account Lockout
- Logon/Logoff: Audit IPsec Extended Mode
- Logon/Logoff: Audit Logon
- Logon/Logoff: Audit Network Policy Server
- Logon/Logoff: Audit Other Logon/Logoff Events
- Logon/Logoff: Audit Special Logon
- Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
- Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
- Manage Auditing And Security Log
- Maximum Application Log Size
- Maximum Lifetime For Service Ticket
- Maximum Lifetime for User Ticket
- Maximum Lifetime For User Ticket Renewal
- Maximum Password Age
- Maximum Security Log Size
- Maximum System Log Size
- Maximum Tolerance for Computer Clock Synchronization
- Microsoft Network Client: Digitally Sign Communications (Always)
- Microsoft Network Client: Digitally Sign Communications (If Server Agrees)
- Microsoft Network Client: Send Unencrypted Password To Connect To Third-Party SMB Servers
- Microsoft Network Server: Amount Of Idle Time Required Before Suspending Session
- Microsoft Network Server: Digitally Sign Communication (Always)
- Microsoft Network Server: Digitally Sign Communications (If Client Agrees)
- Microsoft Network Server: Disconnect Clients When Logon Hours Expire
- Microsoft network server: Server SPN target name validation level
- Minimum Password Age
- Minimum Password Length
- Modify Firmware Environment
- Music Folder options
- Music Folder target path
- My Documents Folder options
- My Documents Folder Redirection: My Pictures Options
- My Documents Folder target path
- NAP Client Health Registration Settings: CSP
- NAP Client Health Registration Settings: CSP Key Length
- NAP Client Health Registration Settings: Hash Algorithm
- NAP Client Health Registration Settings: Require server verification
- NAP Client Health Registration Settings: Trusted server group
- NAP Client Health Registration Settings: Trusted server URL
- NAP Enforcement Clients: DHCP Quarantine Enforcement Client
- NAP Enforcement Clients: IPsec Relying Party
- NAP Enforcement Clients: RD Gateway Quarantine Enforcement Client
- NAP Enforcement Clients: Remote access enforcement client for Windows XP and Windows Vista
- NAP Enforcement Clients: Wireless EAPOL enforcement client for Windows XP
- NAP User Interface Settings: Description changed
- NAP User Interface Settings: Image File changed
- NAP User Interface Settings: Image File Name changed
- NAP User Interface Settings: Title changed
- Network Access: Allow Anonymous SID/Name Translation
- Network Access: Do Not Allow Anonymous Enumeration Of SAM Accounts
- Network Access: Do Not Allow Anonymous Enumeration Of SAM Accounts And Shares
- Network Access: Do Not Allow Storage Of Credentials Or .NET Passports For Network Authentication
- Network Access: Let Everyone Permissions Apply To Anonymous Users
- Network Access: Named Pipes That Can Be Accessed Anonymously
- Network Access: Remotely Accessible Registry Paths
- Network Access: Remotely Accessible Registry Paths And Sub-Paths
- Network Access: Restrict Anonymous Access To Named Pipes and Shares
- Network Access: Shares That Can Be Accessed Anonymously
- Network Access: Sharing And Security Model For Local Accounts
- Network Security: Allow Local System to use computer identity for NTLM
- Network security: Allow LocalSystem NULL session fallback
- Network security: Allow PKU2U authentication requests to this computer to use online identities
- Network security: Configure encryption types allowed for Kerberos
- Network Security: Do Not Store LAN Manager Hash Value On Next Password Change
- Network Security: Force Logoff When Logon Hours Expire
- Network Security: LAN Manager Authentication Level
- Network Security: LDAP Client Signing Requirements
- Network Security: Minimum Session Security For NTLM SSP Based (Including Secure RPC) Clients
- Network Security: Minimum Session Security For NTLM SSP Based (Including Secure RPC) Servers
- Network security: Restrict NTLM: NTLM authentication in this domain
- Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
- Network security: Restrict NTLM: Add server exceptions in this domain
- Network security: Restrict NTLM: Audit Incoming NTLM Traffic
- Network security: Restrict NTLM: Audit NTLM authentication in this domain
- Network security: Restrict NTLM: Incoming NTLM traffic
- Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
- NLM: Location type
- NLM: Location type permissions
- NLM: Network icon permissions
- NLM: Network name
- NLM: Network name permissions
- Object Access: Audit Application Generated
- Object Access: Audit Certification Services
- Object Access: Audit File Share
- Object Access: Audit File System
- Object Access: Audit Filtering Platform Connection
- Object Access: Audit Filtering Platform Packet Drop
- Object Access: Audit Handle Manipulation
- Object Access: Audit Kernel Object
- Object Access: Audit Other Object Access Events
- Object Access: Audit Registry
- Object Access: Audit SAM
- Object Access: Detailed File Share
- Password Must Meet Complexity Requirements
- Perform Volume Maintenance Tasks
- Pictures Folder options
- Pictures Folder target path
- Place Favorites At Top Of List option
- Policy Change: Audit Authentication Policy Change
- Policy Change: Audit Authorization Policy Change
- Policy Change: Audit Filtering Platform Policy Change
- Policy Change: Audit MPSSVC Rule-Level Policy Change
- Policy Change: Audit Other Policy Change Events
- Policy Change: Audit Policy Change
- Prevent Local Guests Group From Accessing Application Log
- Prevent Local Guests Group From Accessing Security Log
- Prevent Local Guests Group From Accessing System Log
- Privilege Use: Audit Non Sensitive Privilege Use
- Privilege Use: Audit Other Privilege Use Events
- Privilege Use: Audit Sensitive Privilege Use
- Profile System Performance
- Program Settings option
- Proxy Settings Exceptions
- Proxy Settings FTP Proxy
- Proxy Settings Gopher Proxy
- Proxy Settings HTTP Proxy
- Proxy Settings Secure Proxy
- Proxy Settings Socks Proxy
- QoS Policy: Application Name
- QoS Policy: DSCP Value
- QoS Policy: Local IP
- QoS Policy: Local IP Prefix Length
- QoS Policy: Local Port
- QoS Policy: Protocol
- QoS Policy: Remote IP
- QoS Policy: Remote IP Prefix Length
- QoS Policy: Remote Port
- QoS Policy: Throttle Rate
- QoS Policy: URL
- QoS Policy: URL Recursive
- QoS Policy: Version
- Recovery Console: Allow Automatic Administrative Logon
- Recovery Console: Allow Floppy Copy And Access To All Drives And All Folders
- Registry key
- Remove Computer From Docking Station
- Replace A Process Level Token
- Reset Account Lockout Counter After Change
- Restore Files And Directories
- Restricted Group
- Restricted Group Member
- Restricted Group Membership
- Retain Application Log
- Retain Security Log
- Retain System Log
- Retention Method For Application Log
- Retention Method For Security Log
- Retention Method For System Log
- Saved Games Folder target path
- Script setting
- Searches Folder options
- Searches Folder target path
- Secure System Partition (For RISC Platforms Only)
- Security Zones and Privacy option
- Shut Down The Computer When The Security Audit Log Is Full
- Shut Down The System
- Shutdown: Allow System To Be Shut Down Without Having To Log On
- Shutdown: Clear Virtual Memory Pagefile
- Software Installation Policy
- Start Menu Folder options
- Start Menu Folder target path
- Starter GPO
- Starter GPO Computer setting
- Starter GPO User setting
- Store Passwords Using Reversible Encryption
- Synchronize Directory Service Data
- System Cryptography: Force Strong Key Protection For User Keys Stored On The Computer policy
- System Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing, and Signing policy
- System Objects: Default Owner For Objects Created By Members Of The Administrators Group policy
- System Objects: Require Case Insensitivity For Non-Windows Subsystems policy
- System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) policy
- System Services Policy Service
- System Services Policy Service Startup Mode
- System Settings: Optional Subsystems
- System Settings: Use Certificate Rules On Windows Executables For Software Restriction Policies
- System: Audit IPsec Driver
- System: Audit Other System Events
- System: Audit Security State Change
- System: Audit Security System Extension
- System: Audit System Integrity
- Take Ownership Of Files Or Other Objects
- Toolbar background Bitmap
- Toolbar Buttons
- Trusted People
- Trusted Publishers
- Trusted Root Certification Authority
- Unrestricted Certificate Rule
- Unrestricted Hash Rule
- Unrestricted Path Rule
- Unrestricted Zone Rule
- Unsigned Non-Driver Installation Behavior
- User Account Control: Admin Approval Mode for the Built-in Administrator account
- User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
- User Account Control: Behavior of the elevation prompt for standard users
- User Account Control: Detect application installations and prompt for elevation
- User Account Control: Only elevate executables that are signed and validated
- User Account Control: Only elevate UIAccess applications that are installed in secure locations
- User Account Control: Run all administrators in Admin Approval Mode
- User Account Control: Switch to the secure desktop when prompting for elevation
- User Account Control: Virtualize file and registry write failures to per-user locations
- User Administrative Template setting
- User Agent String
- User Credential Roaming
- User Credential Roaming Options
- User Group Policy Preference
- User Software Restriction Basic User Hash Rule
- User Software Restriction Basic User Path Rule
- User Software Restriction Basic User Zone Rule
- User Software Restriction Designated File Types
- User Software Restriction Disallowed Certificate Rule
- User Software Restriction Disallowed Hash Rule
- User Software Restriction Disallowed Path Rule
- User Software Restriction Disallowed Zone Rule
- User Software Restriction Enforcement Files
- User Software Restriction Enforcement Users
- User Software Restriction Policies Default Security Level
- User Software Restriction Trusted Publishers
- User Software Restriction Unrestricted Certificate Rule
- User Software Restriction Unrestricted Hash Rule
- User Software Restriction Unrestricted Path Rule
- User Software Restriction Unrestricted Zone Rule
- Videos Folder options
- Videos target path
- Wireless Network Policy |
Policy Setting Category |
- Account Lockout Policy
- Additional Rules
- Administrative Templates: Policy definitions
- Audit Policies
- Audit Policy
- Central Access Policy
- Change Auditor Protection
- Event Log
- File System
- Folder Redirection
- GPO Status
- Internet Explorer Maintenance
- IP Security Policies on Active Directory
- Kerberos Policy
- NAP Client Configuration
- Network List Manager Policies
- Password Policy
- Policy-Based QoS
- Preferences
- Public Key Policies
- Registry
- Restricted Groups
- Scripts (Logon/Logoff)
- Scripts (Startup/Shutdown)
- Security Levels
- Security Options
- Software Installation
- Software Restriction Policies
- Software Settings
- Starter GPO
- System Services
- User Rights Assignment
- Wireless Network Policies
- WMI Filtering |
Policy Setting List Item |
- Enter an associated value
|
Policy Setting Location |
- Enter an associated value
|
Previous City |
- Enter an associated value
|
Previous Country |
- Enter an associated value
|
Previous IP |
- Enter an associated value
|
Previous Sign-in Time |
|
Previous State |
- Enter an associated value
|
Previous User Agent |
- Enter an associated value
|
Property Name |
- Enter an associated value
|
Property Before Value |
- Enter an associated value
|
Property After Value |
- Enter an associated value
|
Record Type |
- Enter an associated value
|
Relying Party Resource |
- Enter an associated value
|
Relying Party Trust Name |
- Enter an associated value
|
Relying Party Type |
- Enter an associated value
|
Request Id |
- Enter an associated value
|
Result Status |
- Enter an associated value
|
Risk Activity |
Select from the following pre-defined values:
|
Risk Correlation Id |
- Enter an associated value
|
Risk Detail |
Select from the following pre-defined values:
|
Risk Detected Time |
|
Risk Event Details |
- Enter an associated value
|
Risk Event Id |
- Enter an associated value
|
Risk Event Status |
Select from the following pre-defined values:
- Active
- Closed (MFA Auto-Closed)
- Closed (Multiple Reasons)
- Closed (marked as false positive)
- Closed (resolved)
- Closed (ignored)
- Login Blocked
- Remediated
|
Risk Event Time |
|
Risk Event Type |
Select from the following pre-defined values:
- Anonymous IP Risk Event
- Impossible Travel Risk Event
- Leaked Credentials Risk Event
- Malware Risk Event
- Suspicious IP Risk Event
- Unfamiliar Location Risk Event
|
Risk Level |
Select from the following pre-defined values:
- Hidden
- High
- Low
- Medium
- None
|
Risk Source |
- Enter an associated value
|
Risk State |
Select from the following pre-defined values:
- At Risk
- Confirmed Compromised
- Confirmed Safe
- Dismissed
- None
- Remediated
|
Risk Type |
Select from the following pre-defined values:
|
Schema Id |
- Enter an associated value
|
Search Name |
- Enter an associated value
|
Search Type |
Select from the following pre-defined values:
- Shared Search
- Private Search
|
Send as User Mailbox Guid |
- Enter an associated value
|
Send as User SMTP |
- Enter an associated value
|
Send on behalf of User Mailbox Guid |
- Enter an associated value
|
Send on behalf of User SMTP |
- Enter an associated value
|
Server Farm Name |
- Enter an associated value
|
Server Farm Node Name |
- Enter an associated value
|
Server Farm Node Type |
Select from the following pre-defined values:
- Primary computer
- Secondary computer
|
Service |
Select from the following pre-defined values:
|
Severity |
Select from the following pre-defined values:
|
Sharing Target |
- Enter an associated value
|
Sharing Target Type |
- Enter an associated value
|
Sharing Type |
- Enter an associated value
|
Site |
- Enter an associated value
|
Site Url |
- Enter an associated value
|
Source File Extension |
- Enter an associated value
|
Source File Name |
- Enter an associated value
|
Source Folders |
- Enter an associated value
|
Source Name |
- Enter an associated value
|
Source relative Url |
- Enter an associated value
|
State |
- Enter an associated value
|
Status |
Select from the following pre-defined values:
|
Status Reason (Change Auditor) |
Select from the following pre-defined values:
- Failed
- Protected
- Succeeded
|
Subject |
- Enter an associated value
|
Subject Name |
- Enter an associated value
|
Subject Object Id |
- Enter an associated value
|
Subject PUID |
- Enter an associated value
|
Subject Resource Type |
- Enter an associated value
|
Subject Service Principle Name |
- Enter an associated value
|
Subject Type |
- Enter an associated value
|
Subject User Principle Name |
- Enter an associated value
|
Subscription Expiry Date |
- Enter an associated value
|
Subscription Name |
- Enter an associated value
|
Subscription Type |
- Enter an associated value
|
Tab Type |
- Enter an associated value
|
Target |
- Enter an associated value
|
Target AD Forest Name |
- Enter an associated value
|
Target Additional Details |
- Enter an associated value
|
Target Canonical Name |
- Enter an associated value
|
Target Computer Name |
- Enter an associated value
|
Target Distinguished Name |
- Enter an associated value
|
Target Domain Name |
- Enter an associated value
|
Target IP Address |
- Enter an associated value
|
Target is Domain Controller |
Select from the following pre-defined values:
|
Target is Global Catalog |
Select from the following pre-defined values:
|
Target is Exchange Server |
Select from the following pre-defined values:
|
Target is Tier Zero |
Select from the following pre-defined values:
|
Target Managed By |
- Enter an associated value
|
Target Name |
- Enter an associated value
|
Target Object Class |
- Enter an associated value
|
Target Object Id |
- Enter an associated value
|
Target Organizational Unit CN |
- Enter an associated value
|
Target Parent Object Id |
- Enter an associated value
|
Target Policy Item |
- Enter an associated value
|
Target Policy Section |
- Enter an associated value
|
Target PUID |
- Enter an associated value
|
Target Resource Type |
- Enter an associated value
|
Target SAM Account Name |
- Enter an associated value
|
Target Service Principle Name |
- Enter an associated value
|
Target Site Name |
- Enter an associated value
|
Target Type |
- Enter an associated value
|
Target User Mail |
- Enter an associated value
|
Target User Principle Name |
- Enter an associated value
|
Team Guid |
- Enter an associated value
|
Team Name |
- Enter an associated value
|
Teams Property Name |
Select from the following pre-defined values:
- Allow Box in Files tab
- Accepted channel SMTP domains list
- Allow DropBox in Files tab
- Allow Egnyte in Files tab
- Allow Guest access in Teams
- Allow Google Drive in Files tab
- Allow Resource Account Send Messages
- Allow Share File in Files tab
- Allow Skype for Business Interop
- Allow TBot Proactive Messaging
- Allow users to send emails to channels
- Guests allow IP video
- Guests screen sharing mode
- Guests allow Meet Now
- Guests allow editing of sent messages
- Guests allow Deletion of sent messages
- Guests allow chat
- Guests allow Giphys in conversations
- Guests Giphy content rating
- Guests allow memes in conversations
- Guests use Stickers in conversations
- Guests allow immersive reader
- Guests allow private calls
- Meeting room device content pin
- Members can add additional tags
- Resource Account Content Access
- Show organization tab in chats
- Suggested default tags
- Suggested feeds appear in user's activity feed
- Trending feeds appear in user's activity feed
- Tagging permission mode
- Team owners can override who can apply tags
- Use Exchange address book policy
|
Teams Role Type |
Select from the following pre-defined values:
|
Tenant Id |
- Enter an associated value
|
Tenant Name |
- Enter an associated value
|
Tier Zero Source |
|
Tier Zero Status |
Select from the following pre-defined values:
- Certified
- Not Tier Zero
- Uncertified
|
Time Detected |
|
Time Indexed |
|
Time Received |
|
Token Issuer |
Select from the following pre-defined values:
- AD Federation Services
- Azure AD
|
Url |
- Enter an associated value
|
Url Path |
- Enter an associated value
|
User (Actor) |
- Enter an associated value
|
User Agent |
- Enter an associated value
|
User Display Name |
- Enter an associated value
|
User DN |
- Enter an associated value
|
User Down-level Logon Name |
- Enter an associated value
|
User Id |
- Enter an associated value
|
User is Administrator |
Select from the following pre-defined values:
|
User is Tier Zero |
Select from the following pre-defined values:
|
User Key |
- Enter an associated value
|
User Mail |
- Enter an associated value
|
User Organizational Unit |
- Enter an associated value
|
User Session Detail |
Select from the following pre-defined values:
- Computer lock/unlock
- Computer restart/shutdown
- Incorrectly finished
- Screensaver
- Started before session monitoring service
- Terminal services connection
- User logon/logoff
- User switch
|
User Shared With |
- Enter an associated value
|
User SID |
- Enter an associated value
|
User Type |
- Enter an associated value
|