Alert Significance

This playbook provides detailed information on the cybersecurity significance of alerts you may see through the DefenseStorm Console. These alerts are taken from the Trigger Library (Alerts > Library) and are based on TRAC security expertise.

The following is a list of the Alert categories described in this playbook:

Bro IDS, Cisco ASA, DVM, FortiGate, Location, Microsoft Windows, Network, Palo Alto Networks

Account Lockouts Microsoft Windows

Query: event_id:4740 OR category:"account lockout"

Details: A user account was locked

TRAC Analysis: A user account locking alone is not an indication of an attack, but it is normally the first step of gaining access before an attack can begin. If you see failed logins or account lockouts at a rate higher than a user can generate (hundreds in an hour) or outside of normal business hours, contact the bank POC or the user whose account was locked and have them verify that they locked their account. If they did not lock their account or attempt to log in at that time, recommend running antivirus on the machine to check for malware.


Administrator Failed Login (Bad Password or Unknown Username) Microsoft Windows

Query: event_id:(4625) AND "Status: 0xc000006d Sub Status: 0xc0000064" AND "Account Name: administrator"

Details: An administrator failed to authenticate (failed login, bad password, unknown username.)

TRAC Analysis: A single failed login for an administrator is not alone an indication of an attack, but repeated failed login attempts (for example 1 per hour over several days, or 100 over an hour) should be investigated. Typically a "noisy hacker" will use a tool that attempts over 100 passwords per minute; however, a hacker who is attempting to hide their trail might attempt a lower rate so it doesn't draw as much attention. These should be monitored, and if more than 5 to 10 appear in a week, recommend following up with the bank POC and ensuring this is not a maintenance issue with a password that has expired. If the bank POC cannot identify what caused the failed logins, recommend running antivirus on the machine to check for malware. If none is found, the host should be monitored by the bank POC to find out if on-site personnel are attempting to access an account they don't have privileges to.
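As an added example (not DefenseStorm's or TRAC's own code), the following Python applies the thresholds from the two entries above to constructed 4740 and 4625 records: hundreds of lockouts or failures for one account in an hour, activity outside business hours, and the low-and-slow administrator pattern of 5 or more failures in a week. The business-hours window of 08:00-18:00 Monday to Friday, the account names, hosts and timestamps are all assumptions made for the example.

```python
"""Triage of Windows account-lockout (4740) and failed-logon (4625) events using the
rate and timing thresholds described in the playbook. Added example, not DefenseStorm code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption (not from the playbook): business hours are 08:00-18:00, Monday to Friday.
BUSINESS_START_HOUR = 8
BUSINESS_END_HOUR = 18

# Status / Sub Status pair from the playbook's administrator failed-login query.
ADMIN_FAIL_STATUS = ("0xc000006d", "0xc0000064")


def _event(when, event_id, account, host, status=None, sub_status=None):
    """Minimal record with the fields the playbook queries on."""
    return {"time": when, "event_id": event_id, "account": account,
            "host": host, "status": status, "sub_status": sub_status}


# Constructed sample events, not real customer data.
SAMPLE_EVENTS = (
    # low-and-slow: one bad administrator logon at 03:15 on six consecutive days (Mon 4th to Sat 9th)
    [_event(datetime(2019, 3, day, 3, 15), 4625, "administrator", "FS01", *ADMIN_FAIL_STATUS)
     for day in range(4, 10)]
    # noisy: 120 lockouts of one account within twenty minutes on a Monday afternoon
    + [_event(datetime(2019, 3, 11, 14, 0) + timedelta(seconds=10 * i), 4740, "jsmith", "DC01")
       for i in range(120)]
    # benign: a single lockout during business hours
    + [_event(datetime(2019, 3, 11, 9, 30), 4740, "mjones", "DC01")]
    # one more administrator failure, late on Monday evening
    + [_event(datetime(2019, 3, 11, 22, 45), 4625, "administrator", "FS01", *ADMIN_FAIL_STATUS)]
)


def outside_business_hours(when):
    """True on weekends or outside the assumed 08:00-18:00 window."""
    return when.weekday() >= 5 or not (BUSINESS_START_HOUR <= when.hour < BUSINESS_END_HOUR)


def max_count_in_window(times, window):
    """Largest number of timestamps that fall inside any single window of the given length."""
    times = sorted(times)
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:   # slide the left edge until the window fits
            left += 1
        best = max(best, right - left + 1)
    return best


def is_admin_failure(ev):
    """Matches the playbook's administrator failed-login query."""
    return (ev["event_id"] == 4625 and ev["account"].lower() == "administrator"
            and (ev["status"], ev["sub_status"]) == ADMIN_FAIL_STATUS)


def triage(events, hourly_threshold=100, weekly_admin_threshold=5):
    """Apply the playbook's three checks and return the accounts each one flags.

    rate:         lockouts/failed logons at a rate no user generates (hourly_threshold in one hour)
    after_hours:  lockouts/failed logons outside business hours
    low_and_slow: administrator failures reaching weekly_admin_threshold in any seven-day window
    """
    by_account = defaultdict(list)
    for ev in events:
        if ev["event_id"] in (4740, 4625):
            by_account[ev["account"]].append(ev)

    findings = {"rate": {}, "after_hours": {}, "low_and_slow": {}}
    for account, evs in by_account.items():
        times = [ev["time"] for ev in evs]
        hourly = max_count_in_window(times, timedelta(hours=1))
        if hourly >= hourly_threshold:
            findings["rate"][account] = hourly
        after_hours = sum(outside_business_hours(t) for t in times)
        if after_hours:
            findings["after_hours"][account] = after_hours
        admin_times = [ev["time"] for ev in evs if is_admin_failure(ev)]
        if admin_times:
            weekly = max_count_in_window(admin_times, timedelta(days=7))
            if weekly >= weekly_admin_threshold:
                findings["low_and_slow"][account] = weekly
    return findings


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_EVENTS).items():
        for account, count in hits.items():
            print(f"{rule:13s} {account:15s} {count}")
```

Each flagged account is then handled as the playbook describes: confirm with the bank POC or the user, and run antivirus on the host if the activity cannot be explained.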


Alert on Anonymous Logins Microsoft Windows

Query:  user_name:("anonymous logon")

Details: An anonymous logon has been completed to the server. If you want to disable this, see the article on restricting anonymous access linked under Source below.

TRAC Analysis: TRAC typically recommends disabling anonymous logons for auditing purposes. Anonymous logon events in your Security log look more dangerous than they really are. By default, the information you can access when you connect anonymously is extremely limited: basically, you can access only a list of shared folders and usernames. (I know; that gives an intruder a list of targets, but there are lots of other ways to get usernames.)

You can completely disable anonymous logins (aka null sessions), but doing so might affect accessibility by users in trusting domains. Before changing policies throughout your domain, I suggest testing them on a limited number of systems.

Source: http://windowsitpro.com/systems-management/disabling-logging-anonymous-logon-events


An Attempt Was Made To Access An Object Microsoft Windows

Query:  (event_id:4663) app_name:("microsoft-windows-security-auditing")

Details: An attempt was made to access an object.

TRAC Analysis: Alone, an attempt to access a shared object represents no security risk and should be considered normal activity. However, combined with other alerts, such as a failed login followed by a successful login outside of business hours, it could represent a host that has been compromised and an attacker who is now attempting to escalate privileges. Note that events 4656 and 4658 will not appear unless the subcategory "Handle Manipulation" is enabled along with the target subcategory. Microsoft explains that this was done to make it more difficult to enable these noisy events. They feel that event 4663 is better.

Source: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663


A Network Share Object Was Accessed Microsoft Windows

Query:  (event_id:5140) app_name:("microsoft-windows-security-auditing")

Details: A network share object was accessed.

TRAC Analysis: Similar to "An Attempt Was Made To Access An Object", this alone does not represent an indication of an attack and is normal activity; however, combined with other alerts it should be investigated closely. An attacker may attempt to gain access to a host, then escalate their privileges or see what they can access inside the network.


A New Process Has Been Created Microsoft Windows

Query: (event_id:4688) app_name:("microsoft-windows-security-auditing")

Details: New process creation.

TRAC Analysis: This is normal activity. However, if this activity is seen outside of business hours, or if you see processes being created or changed in temp folders, it should be investigated fully to ensure the process created is valid.
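As an added example (not DefenseStorm's or TRAC's own code), this Python reviews constructed 4688 records for the two conditions named above: an image path under a temp folder, and creation outside business hours. The temp folder locations, the 08:00-18:00 Monday to Friday business hours and the sample accounts and paths are assumptions; paths are matched component-wise as prefixes so that a folder such as "C:\Temporary Files" is not mistaken for a temp folder.

```python
"""Flag 4688 process-creation events whose image lives in a temp folder or that occur
outside business hours. Added example, not DefenseStorm code."""
from datetime import datetime
from pathlib import PureWindowsPath

# Assumed temp locations (not from the playbook). "*" stands for any one path component
# (the user name). Each folder is matched as a path prefix, never as a substring.
TEMP_FOLDERS = (
    PureWindowsPath(r"C:\Windows\Temp"),
    PureWindowsPath(r"C:\Users\*\AppData\Local\Temp"),
)

BUSINESS_START_HOUR = 8   # assumption: 08:00-18:00, Monday to Friday
BUSINESS_END_HOUR = 18


def outside_business_hours(when):
    """True on weekends or outside the assumed business-hours window."""
    return when.weekday() >= 5 or not (BUSINESS_START_HOUR <= when.hour < BUSINESS_END_HOUR)


def in_temp_folder(image_path):
    """True when image_path sits below one of TEMP_FOLDERS (case-insensitive, component-wise)."""
    parts = [p.lower() for p in PureWindowsPath(image_path).parts]
    for folder in TEMP_FOLDERS:
        fparts = [p.lower() for p in folder.parts]
        # the image must be strictly below the folder, and every folder component must match
        if len(parts) > len(fparts) and all(f == "*" or f == p for f, p in zip(fparts, parts)):
            return True
    return False


# Constructed sample 4688 records, not real customer data.
SAMPLE_4688 = [
    {"time": datetime(2019, 3, 11, 10, 5), "account": "mjones",
     "new_process_name": r"C:\Windows\System32\notepad.exe"},
    {"time": datetime(2019, 3, 11, 10, 6), "account": "mjones",
     "new_process_name": r"C:\Users\mjones\AppData\Local\Temp\update_7f3a.exe"},
    {"time": datetime(2019, 3, 10, 2, 14), "account": "svc_backup",      # Sunday, 02:14
     "new_process_name": r"C:\Windows\Temp\tmp1.exe"},
    {"time": datetime(2019, 3, 11, 23, 0), "account": "jsmith",
     "new_process_name": r"C:\Program Files\Backup\backup.exe"},
    {"time": datetime(2019, 3, 11, 11, 0), "account": "jsmith",
     "new_process_name": r"C:\Temporary Files\tool.exe"},                 # not a temp folder
]


def review_process_creation(events):
    """Return (reason, account, image) for each 4688 event the playbook says to investigate."""
    flagged = []
    for ev in events:
        reasons = []
        if in_temp_folder(ev["new_process_name"]):
            reasons.append("temp_folder")
        if outside_business_hours(ev["time"]):
            reasons.append("after_hours")
        if reasons:
            flagged.append(("+".join(reasons), ev["account"], ev["new_process_name"]))
    return flagged


if __name__ == "__main__":
    for reason, account, image in review_process_creation(SAMPLE_4688):
        print(f"{reason:25s} {account:12s} {image}")
```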


Application Error Microsoft Windows

Query: ((event_id:1000)) app_name:(application_error)

Details: Application reported an error.

TRAC Analysis: It is common to see application error or crash messages. A spike in this activity most likely represents a configuration error following a recent system change, but it should be investigated to verify.


AppLocker Block Microsoft Windows

Query: event_id:(8003 OR 8004) AND severity:(high OR medium) AND app_name:microsoft-Windows-applocker

Details: For 8003, <File name> was allowed to run but would have been prevented from running if the AppLocker policy were enforced. For 8004, <File name> was not allowed to run because the Enforce rules enforcement mode was enabled.

TRAC Analysis: Depending on whether or not an AppLocker policy was enforced, a file may or may not be allowed to run.


A Service Was Changed From Auto Start to Demand Start Microsoft Windows

Query: (event_id:7040) app_name:(service_control_manager)

Details: Service start change from auto to demand start.

TRAC Analysis: Normal activity, but it should be monitored; a spike in this activity combined with other alerts, such as successful logins outside of normal times, could indicate an issue.


Audit Log Cleared Microsoft Windows

Query: event_id:1102

Details: The audit log was cleared.

TRAC Analysis: Normal activity, but it should be monitored; a spike in this activity combined with other alerts, such as successful logins outside of normal times, could indicate an issue.


Audit Policy Changed on Object Microsoft Windows

Query: event_id:4715

Details: The audit policy (SACL) on an object was changed.

TRAC Analysis: Normal activity, but it should be monitored; a spike in this activity combined with other alerts, such as successful logins outside of normal times, could indicate an issue.


Backup Of Protection Master Key Microsoft Windows

Query: event_id:4692 AND "Backup"

Details: Backup of data protection master key was attempted.

TRAC Analysis: Normal activity, but it should be monitored; a spike in this activity combined with other alerts, such as successful logins outside of normal times, could indicate an issue.


Blue Screen of Death Microsoft Windows

Query: (event_id:1001) app_name:("microsoft-windows-wer-systemerrorreporting")

Details: Windows crash with blue screen of death.

TRAC Analysis: It is normal to see two or three of these in a month; however, a larger number, such as 3 in a 24 hour period, could indicate malware on the network. Hosts should be reviewed individually and compared against each other for other threat alerts.


Boot Start Or System Start Driver(s) Did Not Load Microsoft Windows

Query: (event_id:(7026)) app_name:(service_control_manager)

Details: Boot Start or System Start driver(s) did not load.

TRAC Analysis: This alert should be considered normal; however, a spike in activity could indicate a configuration error or that malware has made it onto a host and altered it. This activity should be reviewed, and if a host spikes it should be scanned for malware.


Bro FTP Bro IDS

Query: app_name:(bro_ftp)

Details: Bro is a network analysis framework that is included with the Security Onion software and has many protocol analyzers. One of these protocol analyzers is the ability to monitor FTP traffic.

TRAC Analysis: A Bro FTP trigger is associated with an insecure file transfer protocol (FTP), and may indicate data exfiltration. SHA1 and MD5 hash values are also contained in the data as well as name and path.


Bro RADIUS Bro IDS

Query: app_name:(bro_radius)

Details: Bro is a network analysis framework that is included with the Security Onion software and has many protocol analyzers. One of these protocol analyzers is the ability to monitor RADIUS traffic.

TRAC Analysis: A Bro RADIUS trigger is associated with the Remote Authentication Dial-In User Service (RADIUS), a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect to and use a network service.


Bro SSH Bro IDS

Query: app_name:(bro_ssh)

Details: Bro is a network analysis framework that is included with the Security Onion software and has many protocol analyzers. One of these protocol analyzers is the ability to monitor SSH traffic.

TRAC Analysis: A Bro SSH trigger is associated with Secure Shell (SSH) which is a secure way to transfer data over the Internet. This is useful to detect and monitor SSH network connections.


Bro Tunnels Bro IDS

Query: app_name:(bro_tunnels)

Details: Bro is a network analysis framework that is included with the Security Onion software and has many protocol analyzers. One of these protocol analyzers is the ability to monitor tunnel traffic.

TRAC Analysis: A Bro Tunnel trigger is associated with any connection that occurs over a tunnel (such as Teredo, AYIYA, or IP-in-IP). This is useful to detect and monitor tunneled network connections.


Cisco ASA AAA Login Cisco ASA

Query: (syslog_level:6) category:("user authentication" OR "vpn client" OR "command interface")

Details: Cisco recommends enabling AAA (Authentication, Authorization, and Accounting) authentication on the firewall in order to increase the security of the device. AAA ensures that only authorized users have access to the management of the firewall.

TRAC Analysis: A Cisco ASA AAA Login trigger indicates a login by a VPN user, a firewall session, or an administrator. It is useful and important to detect and monitor this type of network activity.


Cisco ASA CLI Activity Cisco ASA

Query: app_name:("cisco Cisco ASA") category:("command interface")

Details: Cisco CLI (Command Line Interface) is the primary method to manage, and monitor Cisco firewalls.

TRAC Analysis: A Cisco ASA CLI Activity trigger is associated with command-line interface activity. It is useful and important to detect and monitor CLI activity.


Cisco ASA Duplicate TCP Syns Cisco ASA

Query: (syslog_level:4 AND "Duplicate TCP") app_name:("cisco Cisco ASA")

Details: Cisco message to show when the firewall detects duplicate TCP syns on the network.

TRAC Analysis: Notification that a duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number than the SYN that opened the embryonic connection. This could indicate that SYNs are being spoofed.


Cisco ASA Failed To Locate Egress Interface Cisco ASA

Query: syslog_level:6 AND "Failed to locate egress"

Details: Cisco error message to show when the firewall fails to locate the egress interface.

TRAC Analysis: A Cisco ASA failed to locate egress interface trigger is a notification that ASA failed to locate egress interface. This is usually indicative of a network problem that needs to be escalated to the POC for resolution if the error messages are continuous.


Cisco ASA Failed to Locate Next Hop Cisco ASA

Query: syslog_level:6 AND "Failed to locate next hop"

Details: Cisco ASA error message when the firewall is unable to locate the next hop on the network.

TRAC Analysis: A Cisco ASA failed to locate next hop trigger is a notification that due to a misconfiguration ASA failed to locate next hop. This is usually indicative of a network problem that needs to be escalated to the POC (point of contact) for resolution if the error messages are continuous.


Cisco ASA Firewall Changes Cisco ASA

Query: (write OR "111010" OR "101008" -teardown) app_name:"cisco asa"

Details: Cisco ASA message when the firewall detects any firewall change on the device.

TRAC Analysis: A Cisco ASA firewall changes trigger is a notification that configuration changes have been made by a user. It's important to track firewall changes with proper change controls on a network in order to detect any unauthorized firewall changes.


Cisco ASA Invalid Transport Cisco ASA

Query: syslog_level:4 AND "invalid transport"

Details: Cisco ASA error message when the firewall detects an invalid transport, in which the source or the destination protocol port number is equal to 0.

TRAC Analysis: A Cisco ASA invalid transport trigger is a notification that there is an invalid transport port number. If this error message occurs on the internal network it could be indicative of a network problem; if it is coming from an external source it could be a sign of a DDoS attack.


Cisco ASA Monitor Denied Packets for DDoS Cisco ASA

Query: (deny) app_name:("Cisco ASA")

Details: Cisco ASA message that occurs anytime a deny event is logged on the firewall.

TRAC Analysis: A Cisco ASA monitor denied packets for DDoS trigger is a notification that the firewall denied packets to prevent a potential DDoS attack. This may or may not indicate a DDoS attack.


Cisco ASA NAT Reverse Path Failure Cisco ASA

Query: (syslog_level:5 AND "NAT reverse path failure") app_name:("cisco Cisco ASA")

Details: Cisco ASA message that occurs when the NAT rules don't match, usually seen with site-to-site VPNs.

TRAC Analysis: A Cisco ASA NAT (Network Address Translation) reverse path failure is a notification that NAT rules don't match in both directions across interfaces. This indicates a networking problem that needs to be corrected by a network engineer.


Cisco ASA Received ARP Request Collision Cisco ASA

Query: (syslog_level:4 AND "Received ARP") app_name:("cisco Cisco ASA")

Details: Cisco ASA warning message that occurs when two devices on the network obtain the same IP address with the same MAC address.

TRAC Analysis: A Cisco ASA received ARP request collision trigger is a notification that there is a duplicate IP address in the network. This indicates a networking problem that needs to be corrected by a network engineer, but it can also be a security attack in which a device is trying to flood the network.



Cisco ASA Sshd Fatal System Error Cisco ASA

Query: syslog_level:2 AND "fatal"

Details: Cisco ASA message that occurs when SSHd fails to authenticate a user over the SSH protocol. This could be caused by wrong or missing encryption keys, or an incorrect passphrase.

TRAC Analysis: A Cisco ASA Sshd fatal system error trigger is a notification that SSHd failed to authenticate a user. If a network receives multiple such messages, this could indicate a security attack or problem and needs to be further investigated by the on-site network engineer.


Cisco ASA System Memory >85% Cisco ASA

Query: syslog_level:2 AND "System Memory"

Details: Cisco ASA message that occurs when the firewall is low on free memory, which could cause packet drops and networking problems.

TRAC Analysis: A Cisco ASA System Memory >85% trigger is a notification that the system is low on free memory. This could indicate a sustained network attack that is consuming system memory, or a physical problem with the device.


Cisco Call Manager Failure Network

Query: syslog_level:2 AND "%UC_CALLMANAGER-2-CallManagerFailure"

Details: Notification that an internal failure occurred in the Cisco CallManager service. The service should restart in an attempt to clear the failure.

TRAC Analysis: The Cisco Call Manager service should be restarted.


Cisco Call Manager Gateway Failure Message Network

Query: syslog_level:2 AND "%UC_CALLMANAGER-2-MGCPGatewayLostComm:"

Details: Notification that some failure occurred in the Cisco CallManager system.

TRAC Analysis: Errors are occurring in the Call Manager Gateway - review logs for additional details surrounding failure.


Cisco DHCP Activity Network

Query:  syslog_level:6 AND DHCP

Details: Notification of Dynamic Host Configuration Protocol (DHCP) client activities.

TRAC Analysis: Alert based on DHCP activity, as traditionally machines are configured with static IPs. Review the log for the source IP and reconfigure.


Cisco DNS Drops Network

Query: syslog_level:4 AND "dropped UDP DNS"

Details: Notification that a DNS packet has been dropped.

TRAC Analysis: A dropped DNS packet by itself is not an issue. A dropped packet becomes an issue when it belongs to a connection that you want to make, but your firewall keeps dropping the connection. Another good use for this alert is to monitor who is attempting to access sites that you know to be malicious.


Cisco Environmental Monitor Alerts Network

Query: envmon

Details: Notification that an environmental monitor threshold has been exceeded.

TRAC Analysis: Review log details to ascertain what triggered the alert (e.g. CPU temperature, fan speed, etc.).


Cisco Ethernet Duplex Mismatch Error Network

Query: duplex mismatch

Details: Notification that two connected devices are operating in different duplex modes.

TRAC Analysis: Reconfigure the duplex settings to match, and/or set both ends to auto-duplex.


Cisco FAN Alert Network

Query: "%FAN-*"

Details: Notification of a potential fan failure.

TRAC Analysis: Full diagnostics are highly recommended to prevent a hardware failure.


Cisco Unified Messaging Fail Network

Query: CDRFileDeliveryFailureContinues

Details: Notification of a Unified Messaging Service failure.

TRAC Analysis: Review the service logs; depending on the logs, the issue could be anything from an incorrect password to certificates.


Cisco VLAN Mismatch Network

Query: vlan mismatch

Details: Notification of a VLAN mismatch between two connected devices.

TRAC Analysis: Recommend reviewing and troubleshooting the VLAN configuration on the router.


Command Prompt and Batch File Execution Microsoft Windows

Query: (cmd.exe) AND (*.bat)

Details: DOS command shell and batch file processing.

TRAC Analysis: Normal activity, but it should be monitored; a spike in this activity combined with other alerts, such as successful logins outside of normal times, could indicate an issue.


Detected An Invalid Image Hash Of A File Microsoft Windows

Query: (event_id:5038) app_name:("microsoft-windows-security-auditing")

Details: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

TRAC Analysis: An invalid hash indicates corruption of the image intended to be used.


Detected An Invalid Page Hash Of An Image File Microsoft Windows

Query: (event_id:6281) app_name:("microsoft-windows-security-auditing")

Details: Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

TRAC Analysis: An invalid page hash indicates corruption of the image intended to be used. The file's hash should be checked on a site such as VirusTotal to verify that it is harmless.


Detected Malware Microsoft Windows

Query: event_id:(1006) AND event_type:WARNING

Details: The antimalware engine found malware or other potentially unwanted software (Windows Defender Event).

TRAC Analysis: This alert needs to be reviewed, and the hash of the file involved should be checked on a site such as VirusTotal to verify whether it is harmless.


DVM Disk Almost Full DVM

Query: app_name:PVM_STATS root_partition:("90%" OR "91%" OR "92%" OR "93%" OR "94%" OR "95%" OR "96%" OR "97%" OR "98%" OR "99%" OR "100%")

Details: The DefenseStorm Virtual Machine (DVM), as of version 1.0.7, sends 1 minute heartbeats to the Web Console and those heartbeats contain information to be monitored.

TRAC Analysis: The DefenseStorm Virtual Machine has a disk near capacity, which can cause the DVM to fail if not addressed in a timely manner. This usually resolves automatically on the nightly reboot, but if not it might need to be escalated to the Engineering Team.


DVM Disk Queue Large DVM

Query: app_name:PVM_STATS disk_queue_count:>1000

Details: The DefenseStorm Virtual Machine (DVM), as of version 1.0.7, sends 1 minute heartbeats to the Web Console and those heartbeats contain information to be monitored.

TRAC Analysis: The DefenseStorm Virtual Machine has a disk queue issue, which occurs when a large number of DVM events are failing to send to SQS and 1000+ events have been stored on the disk. The cause could be an overloaded DVM, too many hosts on one DVM, or a problem with the ingestion service.


DVM Disk Queue Malfunctioning DVM

Query: app_name:PVM_STATS -pdiskqueue:UP

Details: The DefenseStorm Virtual Machine (DVM), as of version 1.0.7, sends 1 minute heartbeats to the Web Console and those heartbeats contain information to be monitored. This alert triggers when the DVM's disk queue service (pDiskQueue) is either not running or not able to process events.

TRAC Analysis: The DefenseStorm Virtual Machine has a disk queue issue. This may be resolved by restarting the pDiskQueue service and restarting the DVM. This error becomes critical when both the syslog-ng service and the pDiskQueue service aren't running.


DVM Dropped Events DVM

Query: app_name:PVM_STATS dropped_events:>0

Details: The DefenseStorm Virtual Machine (DVM), as of version 1.0.7, sends 1 minute heartbeats to the Web Console and those heartbeats contain information to be monitored. This alert occurs when the number of events reaches a certain threshold.

TRAC Analysis: The DefenseStorm Virtual Machine (DVM) keeps a running total count since the syslog-ng service was started. This count doesn't reset during normal operation, and it may be necessary for Engineering to manually adjust this count on a per-customer basis as needed.


DVM Error DVM

Query: app_name:PVM_STATS severity:high

Details: The DefenseStorm Virtual Machine (DVM), as of version 1.0.7, sends 1 minute heartbeats to the Web Console and those heartbeats contain information to be monitored.

TRAC Analysis: Generic DefenseStorm Virtual Machine error message. These types of events will need to be investigated by Engineering with the customer to find the root cause if the error messages persist over time.


DVM No Stats DVM

Query: app_name:PVM_STATS

Details: The DefenseStorm Virtual Machine (DVM), as of version 1.0.7, sends 1 minute heartbeats to the Web Console and those heartbeats contain information to be monitored. This alert indicates that no heartbeat messages from the DVM have been received in the specified timeframe.

TRAC Analysis: The DefenseStorm Virtual Machine has stopped log processing. If the error message persists, TRAC recommends following the general DVM guide on Connect for basic network and SQS troubleshooting steps. In some cases, Engineering will need to engage with the customer to further troubleshoot the problem and find the root cause.


DVM Reboot Required DVM

Query: app_name:PVM_STATS reboot_required:true

Details: The DefenseStorm Virtual Machine (DVM), as of version 1.0.7, sends 1 minute heartbeats to the Web Console and those heartbeats contain information to be monitored. This alert is triggered when the DVM has downloaded automatic security updates and requires a reboot in order to apply them.

TRAC Analysis: The DefenseStorm Virtual Machine reports that a reboot is required. If the customer has enabled automatic reboot for DVM updates and specified a timeframe, then this alert should clear once that time has passed. If the customer has disabled automatic reboot for updates, then the alert will continue to fire until the customer has manually rebooted the DVM.


DVM Syslog-NG Malfunctioning DVM

Query: app_name:PVM_STATS -syslog_ng:UP

Details: The DefenseStorm Virtual Machine (DVM), as of version 1.0.7, sends 1 minute heartbeats to the Web Console and those heartbeats contain information to be monitored. This alert triggers when the syslog-ng service is down on the DVM.  

TRAC Analysis: The DefenseStorm Virtual Machine has a syslog-ng issue. syslog-ng is the primary event ingestion service, which pushes log data from customer hosts into the DefenseStorm SQS queue.


Encrypted Recovery Policy Changed Microsoft Windows

Query:  (event_id:4714) app_name:("microsoft-windows-security-auditing")

Details: Encrypted data recovery policy was changed.

TRAC Analysis: Normal activity, but it should be monitored; a spike in this activity combined with other alerts, such as successful logins outside of normal times, could indicate an issue.


Enhanced Mitigation Experience Toolkit Microsoft Windows

Query:  app_name:(emet) event_id:(52)

Details: EMET crash.

TRAC Analysis: EMET notifies users when a mitigation event occurs (via an application in the Taskbar Notification Area, aka the System Tray), and events are recorded in the Application log of Event Viewer. You can also use the icon to open EMET.

Source: https://support.microsoft.com/en-us/kb/2458544


Failed Kernel Driver Loading Microsoft Windows

Query:  (event_id:2119) app_name:("microsoft-windows-kernel-pnp")

Details: Kernel driver failed during loading

TRAC Analysis: A Plug and Play device driver failed to load. This is normal, but if a spike occurs, review the host that spiked to ensure it was maintenance related. If other attack indicators are found, recommend removing the host from the network and running an antivirus check on the machine.


FortiGate Administrator Activity FortiGate

Query: app_name:(fortigate) subtype:(system) AND "Administrator"

Details: This is the default notification for administrator activity on a Fortinet firewall.

TRAC Analysis: A FortiGate Administrator Activity trigger is notification of administrator activity. This is important to detect and monitor who is making changes on the firewall.


FortiGate Category Hacking FortiGate

Query: ( "type=utm" AND (cat=3 catdesc="Hacking")) app_name:(fortigate)

Details: The Fortinet firewall includes FortiGuard URL which provides web filtering protection. It includes many web content categories and classifications.

TRAC Analysis: A FortiGate Category Hacking trigger indicates that a user/system accessed a web page or domain that was rated as hacking, which may contain tools, processes, and procedures related to hacking.


FortiGate Category Malicious Websites (Blocked) FortiGate

Query:  ("type=utm" AND (cat=26) ) app_name:(fortigate)

Details: The Fortinet firewall includes FortiGuard URL which provides web filtering protection. It includes many web content categories and classifications.

TRAC Analysis: A FortiGate Category Malicious Websites blocked trigger indicates that a user/system accessed a web page or domain that was classified as a malicious website and was blocked by the firewall. Malicious web pages can be used to harvest information from client computers or to download malicious files containing a virus or trojan.


FortiGate Category Phishing FortiGate

Query: "type=utm" AND (cat=61 catdesc="Phishing")

Details: The Fortinet firewall includes FortiGuard URL which provides web filtering protection. It includes many web content categories and classifications.

TRAC Analysis: A FortiGate Category Phishing trigger indicates that a user accessed a web page or domain that is commonly found in reported phishing related emails.  


FortiGate Category Proxy Avoidance FortiGate

Query: "type=utm" AND (cat=59 catdesc="Proxy Avoidance")

Details: The Fortinet firewall includes FortiGuard URL which provides web filtering protection. It includes many web content categories and classifications.

TRAC Analysis: A FortiGate Category Proxy Avoidance trigger indicates that a user/system accessed a web page or domain that has information or tools on bypassing firewall controls and policy via anonymous proxy servers.


FortiGate Category Spam URLs FortiGate

Query: "type=utm" AND (cat=86 catdesc="Spam URLs")

Details: The Fortinet firewall includes FortiGuard URL which provides web filtering protection. It includes many web content categories and classifications.

TRAC Analysis: A FortiGate Category Spam URLs trigger indicates that a user accessed a web page or domain that is commonly found in spam related emails.


FortiGate Configuration Backup FortiGate

Query: app_name:(fortigate) subtype:(system) AND "backed up the configuration"

Details: This is the notification when a user performs a configuration backup on the Fortinet firewall.

TRAC Analysis: A FortiGate Configuration Backup trigger is a notification that the system backed up the configuration. This is important to monitor and detect who is making a backup of the firewall configuration.


FortiGate IPSEC VPN Errors FortiGate

Query: "type=event" "subtype=vpn*" AND "error"

Details: This is the notification when an IPSEC VPN error occurs on the network.

TRAC Analysis: A FortiGate IPSEC VPN Error trigger is a notification of errors generated during Phase 1 or Phase 2 of a VPN. It is important to detect and monitor VPN errors on a network; this could reveal unauthorized remote access on the firewall or configuration problems on the network.


FortiGate IPS Signature Detected FortiGate

Query: "Type: utm;" AND " Subtype: ips"

Details: FortiGate firewalls offer an Intrusion Prevention System (IPS) to actively monitor and block external network-based attacks and threats. The IPS is signature based and is tuned often by Fortinet.

TRAC Analysis: A FortiGate IPS Signature Detected trigger is a notification that the intrusion prevention system (IPS) has detected a known signature.


FortiGate Phish Detection FortiGate

Query: (("Phishing")) category:(phishing) app_name:(fortigate)

Details: This is a notification when phishing is detected on the firewall.

TRAC Analysis: A FortiGate Phish Detection trigger is a notification that phishing activity was detected.


FortiGate Proxy Avoidance FortiGate

Query: app_name:(fortigate) category:("proxy avoidance")

Details: This is a notification when proxy avoidance is detected on the firewall.

TRAC Analysis: A FortiGate Proxy Avoidance trigger is a notification of proxy avoidance, possibly to bypass browsing restrictions.


FortiGate URLs Blocked By Policy FortiGate

Query: (("URL was blocked because it is in the URL filter list")) app_name:(fortigate)

Details: The Fortinet firewall includes FortiGuard URL which provides web filtering protection. It includes many web content categories and classifications.

TRAC Analysis: A FortiGate URLs Blocked by Policy trigger indicates that a user accessed a web page or domain that was blocked by a policy set by the firewall administrator.


FortiGate VPN Critical Events FortiGate

Query: "type=event" "subtype=vpn level=critical"

Details: This is a notification when a critical VPN event is logged from the firewall.

TRAC Analysis: A FortiGate VPN Critical Events trigger is a notification of critical VPN errors. It is important to detect and monitor VPN errors on a network; this could reveal unauthorized remote access on the firewall or configuration problems on the network.


FortiGate VPN Error Events FortiGate

Query: "type=event" "subtype=vpn level=error"

Details: This is a notification when VPN error events are logged from the firewall.

TRAC Analysis: A FortiGate VPN Error Events trigger is a notification that a VPN error occurred. It is important to detect and monitor VPN errors on a network; this could reveal unauthorized remote access on the firewall or configuration problems on the network.


FTP Traffic Network

Query: service_port:"21" AND NOT praesidio_skip_ad:true

Details: Monitor FTP traffic

TRAC Analysis: Both the source and the destination of the traffic should be verified to ensure no data exfiltration is occurring.


Group Policy Application Failed Due to Connectivity Microsoft Windows

Query: (event_id:1129) app_name:("microsoft-windows-grouppolicy")

Details: This may be a transient condition. A success message will be generated once the machine connects to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, contact your administrator.

TRAC Analysis: The processing of Group Policy failed because of lack of network connectivity to a domain controller.


Group Policy Error Microsoft Windows

Query: (event_id:1125) app_name:("microsoft-windows-grouppolicy")

Details: The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.

TRAC Analysis: The Group Policy service detected an internal error during Group Policy processing.


Host Shutdown Or Restart Microsoft Windows

Query: (event_id:1074) app_name:(user32)

Details: System restart/reboot due to user or software input.

TRAC Analysis: Normal activity, but it should be monitored: a spike in this activity, combined with other alerts such as successful logins outside of normal hours, could indicate an issue.


Internet Explorer Add-On Application Microsoft Windows

Query: event_id:(1 OR 2) AND app_name:application-addon-event-provider

Details: Add-on applications in Internet Explorer

TRAC Analysis: While add-ons can make your browsing experience better by giving you access to great web content, some add-ons can pose security, privacy, or performance risks. Make sure any add-ons you install are from a trusted source.

Note: plug-ins should be approved on an as-needed basis. They can open back-door vulnerabilities into your network and should not be left for end users to add without an approval process.


Login Failed Bad Password or Username Unknown Palo Alto Networks

Query: event_id:(4625) AND "Status: 0xc000006d Sub Status: 0xc0000064"

Details: This trigger leverages the same Event ID as “Failed Login” but is specific to these types of failures:

bad username or authentication information.

user name does not exist.

TRAC Analysis: Monitored for unauthorized access or indicator of a potential breach. Also, useful for determining network hygiene issues.


Monitor the number of errors Network

Query: error

Details: Detecting errors like dropped packets or retransmissions on the network level is relatively easy. Figuring out if those errors affect the performance and connectivity of your services is however another matter.

TRAC Analysis: Monitoring for anomalous activity.


New Application Installation Palo Alto Networks

Query: event_id: (903 OR 904)

Details: The Software Protection service has stopped.

These are events associated with SPPSVC service startup (event id 900) and shutdown (event id 903). The service is designed to shut down when nobody is using it. An application may call SL API, which will cause the service to wake up.

Here is some additional information that may help to investigate anomalies in the SPPSVC wakeup-shutdown pattern (note that starting up because some other app calls the SL API is not an anomaly).

First of all, before the service shuts down, it updates a Windows Task Scheduler task under Microsoft/Windows/SoftwareProtectionPlatform. This task is scheduled to wake up SPPSVC approximately <renewal interval> minutes after a successful SPPSVC renewal (typically seven days later). You may want to look at this entry to verify that the next wake up time is consistent with your KMS renewal interval. Pay attention to the “Next Run Time” and “Last Run Time” fields. (This task schedule entry is hidden, so you need to enable viewing hidden tasks from the View menu in the Task Scheduler).

Secondly, another potential reason for SPPSVC to keep waking up is another service: SPPUINOTIFY. This normally (when the system is in the licensed state) should run during KMS renewal and should shut itself down after the renewal has succeeded.

If both of the above are right (that is, the task scheduler task is scheduled outside of 2 hours and the sppuinotify service is stopped), then there can only be an external reason for SPPSVC to wake up.

TRAC Analysis: Monitored for unauthorized applications being permitted on the network. Also useful for performing software auditing on a network, i.e. patching.


No Data Network

Query: *

Details: No events received from customer.

TRAC Analysis: nxlog services may need restarting, or the DVM may need restarting or further troubleshooting.


Palo Alto Anonymizer Palo Alto Networks

Query: subtype:proxy-avoidance-and-anonymizers -drop

Details: TOR or other anonymizer traffic

TRAC Analysis: Investigation into the traffic is highly recommended, as traffic is going out via proxy avoidance and exiting at a random node elsewhere in the world.


Palo Alto DNS Botnet Signature Palo Alto Networks

Query: threat_type:("dns botnet signatures")

Details: Notification of DNS Botnet Signatures

TRAC Analysis: Investigation and triage of the source of the traffic is recommended, as DNS traffic associated with known botnet domains has been detected.


Palo Alto Drop Events Palo Alto Networks

Query: app_name:"palo alto networks firewall" category:drop

Details: Notification of dropped events.

TRAC Analysis: The Palo Alto is dropping traffic. This is most commonly seen with ACLs.


Palo Alto End Events Palo Alto Networks

Query: app_name:"palo alto networks firewall" category:end

Details: Notification on end events

TRAC Analysis: End event logging is used for troubleshooting connectivity and applications, from threats to session time-outs.


Palo Alto Failed To Update Palo Alto Networks

Query: (failed to check) app_name:"palo alto networks firewall" category:(general)

Details: Notification of failed-update events.

TRAC Analysis: The firewall failed to update definitions and/or firmware.


Palo Alto Firewall Login/Logout Audit Palo Alto Networks

Query: ("logged in" OR "logged out") app_name:("palo alto networks firewall") category:(general)

Details: Notification of the login and logout audit

TRAC Analysis: This alert is generated whenever a user has logged into, or out of, the Palo Alto firewall.


Palo Alto HA Down Palo Alto Networks

Query: (down) app_name:"palo alto networks firewall" category:(ha)

Details: Notification of HA down events

TRAC Analysis: High Availability pairing is down.


Palo Alto HA Events Palo Alto Networks

Query: system(ha) app_name:"palo alto networks firewall"

Details: Notification of HA events

TRAC Analysis: Alert is generated when the primary firewall has failed over to the secondary.


Palo Alto License Expiring Palo Alto Networks

Query: (license expire) app_name:"palo alto networks firewall"

Details: Notification of license expiring

TRAC Analysis: Alert that licensing on the firewall has expired. Advise renewing the licensing so there is no gap in firewall coverage (e.g. web filtering).


Palo Alto Networks Terminal Server Failed to Connect Palo Alto Networks

Query: connection error app_name:"palo alto networks firewall"

Details: Notification of when terminal server fails to connect.

TRAC Analysis: There are connectivity issues between the Palo Alto firewall and the terminal server agent. Recommend reviewing the TSA configuration.


Palo Alto Spyware Detected Palo Alto Networks

Query: app_name:"palo alto networks firewall" category:(spyware)

Details: Notification when spyware is detected on the network

TRAC Analysis: Spyware has been detected on the network per the definitions on the firewall. Recommend AV scanning of source IP if internal.


Palo Alto SQL Injection Detected Palo Alto Networks

Query: app_name:"palo alto networks firewall" and message:HTTP SQL Injection Attempt

Details: Notification when SQL Injection is detected on the network


Palo Alto Suspicious DNS Query Palo Alto Networks

Query: Suspicious DNS Query app_name:"palo alto networks firewall"

Details: Notification when a suspicious DNS query is detected on the network.

TRAC Analysis: A suspicious DNS query has occurred. Review logs to vet that the traffic was not malicious.


Palo Alto Userid Events Palo Alto Networks

Query: app_name:"palo alto networks firewall" category:userid

Details: Notification when userid events occur on the network

TRAC Analysis: Review log to see what policy violation triggered the event.


Palo Alto Virus Detected Palo Alto Networks

Query: app_name:"palo alto networks firewall" category:(virus) -deny

Details: Notification when a virus is detected on the network

TRAC Analysis: The firewall has detected a virus on the network. Triage and remediation are highly advised.


Palo Alto Vulnerability Detected Palo Alto Networks

Query: app_name:"palo alto networks firewall" category:vulnerability

Details: Notification when a vulnerability is detected on the network.

TRAC Analysis: The firewall has detected vulnerabilities. Recommend investigating and patching the vulnerability or, if patching is not possible, applying methods to minimize the risk.


RDP Traffic Network

Query: service_port:"3389" AND NOT praesidio_skip_ad:true

Details: Monitor Remote Desktop Protocol traffic

TRAC Analysis: Verify the source of the IP traffic (e.g. internal/VPN). If the source IP is external and not recognized, check the NAT ruleset on the firewall for open source NATs, and proceed to lock/disable the NAT.


RSH/Rlogin Traffic Network

Query: service_port:"514" AND NOT praesidio_skip_ad:true

Details: Monitor Remote sync and remote login traffic.

TRAC Analysis: Investigate the source of the traffic, as Rlogin is a deprecated remote login procedure that has security flaws and was replaced by SSH.


Security Enabled Global Group Changed Microsoft Windows

Query: (event_id:4737) app_name:("microsoft-windows-security-auditing")

Details: In Active Directory Users and Computers "Security Enabled" groups are simply referred to as Security groups. AD has 2 types of groups: Security and Distribution. Distribution (security disabled) groups are for distribution lists in Exchange and cannot be assigned permissions or rights. Security (security enabled) groups can be used for permissions, rights and as distribution lists. This event indicates a security-enabled global group was changed. Global means the group can be granted access in any trusting domain but may only have members from its own domain.

TRAC Analysis: This event is only logged on domain controllers. The event possibly indicates unauthorized changes in permissions or rights.


Security Enabled Global Group Created Microsoft Windows

Query: (event_id:4727) app_name:("microsoft-windows-security-auditing")

Details: In Active Directory Users and Computers "Security Enabled" groups are simply referred to as Security groups. AD has 2 types of groups: Security and Distribution. Distribution (security disabled) groups are for distribution lists in Exchange and cannot be assigned permissions or rights. Security (security enabled) groups can be used for permissions, rights and as distribution lists. This event indicates a security-enabled global group was created. Global means the group can be granted access in any trusting domain but may only have members from its own domain.


TRAC Analysis: This event is only logged on domain controllers. The event possibly indicates an unauthorized group with permissions or rights.


Security Enabled Local Group Changed Microsoft Windows

Query: (event_id:4735) app_name:("microsoft-windows-security-auditing")

Details: In Active Directory Users and Computers "Security Enabled" groups are simply referred to as Security groups. AD has 2 types of groups: Security and Distribution. Distribution (security disabled) groups are for distribution lists in Exchange and cannot be assigned permissions or rights. Security (security enabled) groups can be used for permissions, rights and as distribution lists. This event indicates a security-enabled local group was changed. All groups are security groups in the computer's SAM. Local SAM groups can be granted access to objects on the local computer only but may have members from the local SAM and any trusted domain.

TRAC Analysis: A security-enabled local group was changed, possibly indicating unauthorized changes in permissions or rights. This event is logged on domain controllers for Active Directory domain local groups and on member computers for local SAM groups. You can determine whether the group is a domain or SAM group by comparing Group Domain: to the Computer: name. If they match, you have a SAM group; if they differ, you have a domain group.


Security Onion Offline Bro IDS

Query: bro*

Details: Bro is a network analysis framework that is included with the Security Onion software.

TRAC Analysis: A Security Onion Offline trigger is associated with anytime the Security Onion software is offline or not logging. It's important to restart and restore the Security Onion hardware and services in order to provide additional security logs and visibility into the network.  


Service Terminated Unexpectedly Microsoft Windows

Query: (event_id:7034) app_name:(service_control_manager)

Details: Service Control Manager (SCM) stops services and driver services. It also reports when services terminate unexpectedly or fail to restart after it takes corrective action. This can also be generated when a service is terminated by the user via "Task Manager".

TRAC Analysis: The message reads “The service terminated unexpectedly. It has done this "n" time(s)”. Anomalous levels of service terminations indicates possible malicious activity.


Service Was Installed Microsoft Windows

Query: (event_id:7045) app_name:(service_control_manager)

Details: A service was installed in the system.

TRAC Analysis: Unauthorized service installation indicates possible malicious activity.


SMTP Traffic Network

Query: service_port:"25" AND NOT praesidio_skip_ad:true

Details: Monitor Simple Mail Transfer Protocol traffic.

TRAC Analysis: This traffic is commonly associated with email traffic.


Source/Destination China Location

Query: geo_dest.country:china OR geo_src.country:china

Details: Detection of network traffic whose source or destination is China, which is usually malicious.

TRAC Analysis: A Source/Destination China trigger could be associated with malicious traffic on the network. Some advertisers leverage servers in China for advertising, but for the most part the traffic is malicious.


Source/Destination Russia Location

Query: geo_dest.country:russia OR geo_src.country:russia

Details: Detection of network traffic whose source or destination is Russia, which is usually malicious.

TRAC Analysis: A Source/Destination Russia trigger could be associated with malicious traffic on the network. Some advertisers leverage servers in Russia for advertising, but for the most part the traffic is malicious.


Source/Destination Iran Location

Query: geo_dest.country:iran OR geo_src.country:iran

Details: Detection of network traffic whose source or destination is Iran, which is usually malicious.

TRAC Analysis: A Source/Destination Iran trigger could be associated with malicious traffic on the network.


Source/Destination Ukraine Location

Query: geo_dest.country:ukraine OR geo_src.country:ukraine

Details: Detection of network traffic whose source or destination is Ukraine, which is usually malicious.

TRAC Analysis: A Source/Destination Ukraine trigger could be associated with malicious traffic on the network.


Source/Destination Brazil Location

Query: geo_dest.country:brazil OR geo_src.country:brazil

Details: Detection of network traffic whose source or destination is Brazil, which is usually malicious.

TRAC Analysis: A Source/Destination Brazil trigger could be associated with malicious traffic on the network.


Source/Destination North Korea Location

Query: geo_dest.country:(north korea) OR geo_src.country:(north korea)

Details: Detection of network traffic whose source or destination is North Korea, which is usually malicious.

TRAC Analysis: A Source/Destination North Korea trigger could be associated with malicious traffic on the network.


Source/Destination Romania Location

Query: geo_dest.country:(romania) OR geo_src.country:(romania)

Details: Detection of network traffic whose source or destination is Romania, which is usually malicious.

TRAC Analysis: A Source/Destination Romania trigger could be associated with malicious traffic on the network.


SSH Access By Admin Network

Query: (SSH access by user admin)

Details: Notification of SSH by admin account

TRAC Analysis: Verify the source of the traffic, and confirm the login history with the user who holds the admin credentials.


SSH Traffic Network

Query: service_port:"22" AND NOT praesidio_skip_ad:true

Details: Monitor Secure Shell traffic.

TRAC Analysis: Review logs and source of traffic to ensure SSH traffic is expected.


Sysmon CreateRemoteThread Detected Microsoft Windows

Query: (event_id:8) app_name:("microsoft-windows-sysmon")

Details: The CreateRemoteThread event detects when a process creates a thread in another process. This technique is used by malware to inject code and hide in other processes. The event indicates the source and target process. It gives information on the code that will be run in the new thread: StartAddress, StartModule and StartFunction.

TRAC Analysis: This event is used to track the activity of malicious processes.


Sysmon RawAccessRead Detected Microsoft Windows

Query: (event_id:9) app_name:("microsoft-windows-sysmon")

Details: The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools. The event indicates the source process and target device.

TRAC Analysis: This event is used to track the activity of malicious processes.


Sysmon Driver Loaded Microsoft Windows

Query: (event_id:6) app_name:("microsoft-windows-sysmon")

Details: The driver loaded event provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information. The signature is created asynchronously for performance reasons and indicates if the file was removed after loading.

TRAC Analysis: This event should be configured carefully, as monitoring all image load events will generate a large number of events.


Sysmon Error Microsoft Windows

Query: (event_id:255) app_name:("microsoft-windows-sysmon")

Details: This event is generated when an error occurred within Sysmon. Errors can happen if the system is under heavy load and certain tasks could not be performed, or if a bug exists in the Sysmon service.

TRAC Analysis: The driver loaded event provides information about a driver being loaded on the system. The configured hashes are provided as well as a signature.


Sysmon File Creation Time Changed Microsoft Windows

Query: (event_id:2) app_name:("microsoft-windows-sysmon")

Details: The change file creation time event is registered when a file creation time is explicitly modified by a process. This event helps track the real creation time of a file. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.

TRAC Analysis: Many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.


Sysmon Image Loaded Microsoft Windows

Query: (event_id:7) app_name:("microsoft-windows-sysmon")

Details: The image loaded event logs when a module is loaded in a specific process. This event is disabled by default and needs to be configured with the -l option. It indicates the process in which the module is loaded, hashes and signature information. The signature is created asynchronously for performance reasons and indicates if the file was removed after loading.

TRAC Analysis: This event should be configured carefully as it generates a significant number of events.


Sysmon Network Connection Detected Microsoft Windows

Query: (event_id:3) app_name:("microsoft-windows-sysmon")

Details: The network connection event logs TCP/UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGUID fields.

TRAC Analysis: The event also contains the source and destination host names, IP addresses, port numbers and IPv6 status.


Sysmon Process Creation Microsoft Windows

Query: (event_id:1) app_name:("microsoft-windows-sysmon")

Details: The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier. The hash is a full hash of the file with the algorithms in the HashType field.

TRAC Analysis: This event is used to track the activity of malicious processes.


Sysmon Process Terminated Microsoft Windows

Query: (event_id:5) app_name:("microsoft-windows-sysmon")

Details: The process terminate event reports when a process terminates. It provides the UtcTime, ProcessGuid and ProcessId of the process.

TRAC Analysis: This event is used to track the activity of malicious processes.


Sysmon Service State Changed Microsoft Windows

Query: (event_id:4) app_name:("microsoft-windows-sysmon")

Details: The service state change event reports the state of the Sysmon service (started or stopped).

TRAC Analysis: This event is used to track the activity of malicious processes.
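The Sysmon entries above describe events that are only useful once they are joined together: process creation (event 1) supplies the image and command line, and the ProcessGuid in the network connection (event 3), CreateRemoteThread (event 8) and terminate (event 5) events points back to it. The following is an added example, not code from the playbook or from Sysmon, that performs that join over a handful of constructed Sysmon-style records and enriches each CreateRemoteThread event with the source process's command line, parent, prior connections and target image. The "user-writable path" heuristic and the sample records are assumptions made for the example.

```python
from collections import defaultdict

# Constructed Sysmon-style records (not real telemetry), keeping only the fields
# the correlation needs. Event IDs follow the playbook: 1 process create,
# 3 network connection, 5 process terminate, 8 CreateRemoteThread.
SAMPLE_EVENTS = [
    {"event_id": 1, "UtcTime": "2024-01-01 09:00:00", "ProcessGuid": "{guid-A}", "ProcessId": 4120,
     "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe"},
    {"event_id": 1, "UtcTime": "2024-01-01 09:05:00", "ProcessGuid": "{guid-B}", "ProcessId": 5211,
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "CommandLine": "update.exe /silent",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"event_id": 3, "UtcTime": "2024-01-01 09:05:02", "ProcessGuid": "{guid-B}", "ProcessId": 5211,
     "DestinationIp": "198.51.100.44", "DestinationPort": 443},
    {"event_id": 8, "UtcTime": "2024-01-01 09:05:03", "SourceProcessGuid": "{guid-B}", "SourceProcessId": 5211,
     "TargetProcessGuid": "{guid-A}", "TargetProcessId": 4120,
     "TargetImage": "C:\\Windows\\explorer.exe", "StartAddress": "0x00007FF8A1B20000", "StartFunction": ""},
    {"event_id": 5, "UtcTime": "2024-01-01 09:05:04", "ProcessGuid": "{guid-B}", "ProcessId": 5211},
]

# Assumed triage heuristic: an image under a user-writable profile path deserves a closer look.
USER_WRITABLE_MARKERS = ("\\AppData\\", "\\Users\\Public\\", "\\Temp\\")


def build_process_table(events):
    """ProcessGuid -> process creation record (event 1); the GUID is unique across the domain."""
    return {e["ProcessGuid"]: e for e in events if e["event_id"] == 1}


def process_timeline(events):
    """Per-process activity (connections, injections, termination), ordered by UtcTime."""
    timeline = defaultdict(list)
    for e in events:
        if e["event_id"] == 3:
            timeline[e["ProcessGuid"]].append(
                (e["UtcTime"], f"connect {e['DestinationIp']}:{e['DestinationPort']}"))
        elif e["event_id"] == 8:
            timeline[e["SourceProcessGuid"]].append(
                (e["UtcTime"], f"remote thread into {e['TargetImage']}"))
        elif e["event_id"] == 5:
            timeline[e["ProcessGuid"]].append((e["UtcTime"], "terminated"))
    return {guid: sorted(items) for guid, items in timeline.items()}


def remote_thread_findings(events):
    """Enrich each CreateRemoteThread event with what its source and target GUIDs point at."""
    procs = build_process_table(events)
    timeline = process_timeline(events)
    findings = []
    for e in events:
        if e["event_id"] != 8:
            continue
        src = procs.get(e["SourceProcessGuid"], {})
        tgt = procs.get(e["TargetProcessGuid"], {})
        src_image = src.get("Image", "<unknown>")
        findings.append({
            "time": e["UtcTime"],
            "source_image": src_image,
            "source_cmdline": src.get("CommandLine", "<unknown>"),
            "source_parent": src.get("ParentImage", "<unknown>"),
            "target_image": tgt.get("Image", e.get("TargetImage", "<unknown>")),
            "start_address": e.get("StartAddress", ""),
            "source_from_user_path": any(m.lower() in src_image.lower() for m in USER_WRITABLE_MARKERS),
            "source_connections": [d for _, d in timeline.get(e["SourceProcessGuid"], [])
                                   if d.startswith("connect")],
        })
    return findings


if __name__ == "__main__":
    for finding in remote_thread_findings(SAMPLE_EVENTS):
        print(finding)
```

Because the process creation record is keyed by ProcessGuid rather than ProcessId, the enrichment still works when a PID has been reused; the terminate event (5) in the timeline shows that the injecting process exited one second after the thread was created, which is the kind of context a bare event 8 alert does not give.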


Telnet Traffic Network

Query: service_port:"23" AND NOT praesidio_skip_ad:true

Details: Monitor Telnet traffic

TRAC Analysis: Telnet is an outdated protocol and virtually deprecated. Investigation into telnet traffic is advised.
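The port-based triggers (FTP, SSH, Telnet, SMTP, RSH/Rlogin and RDP Traffic) all share the `service_port:"NN" AND NOT praesidio_skip_ad:true` shape, and the TRAC analyses differ mainly in what to do with the source: investigate deprecated cleartext protocols outright, and for RDP check whether the source is internal/VPN or an unrecognized external address. The Source/Destination <country> triggers add a geolocation match on either side of the flow. The following added example, which is not part of the playbook or the DefenseStorm product, applies those rules to constructed flow records; the internal and VPN address ranges, the documentation-range sample addresses and the verdict wording are assumptions.

```python
import ipaddress

# Ports watched by the playbook's "<Protocol> Traffic" triggers (service_port:"NN").
PORT_TRIGGERS = {
    21: "FTP Traffic", 22: "SSH Traffic", 23: "Telnet Traffic",
    25: "SMTP Traffic", 514: "RSH/Rlogin Traffic", 3389: "RDP Traffic",
}
# Protocols the playbook says to investigate outright (cleartext or deprecated).
LEGACY_PORTS = {21, 23, 514}
# Countries that have a Source/Destination <country> trigger in the playbook.
WATCHED_COUNTRIES = {"china", "russia", "iran", "ukraine", "brazil", "north korea", "romania"}
# Hypothetical address plan: RFC 1918 space as internal, with a VPN pool carved out of it.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VPN_NETS = [ipaddress.ip_network("10.250.0.0/16")]


def classify_source(ip):
    """Return 'vpn', 'internal' or 'external' for a source address (VPN pool checked first)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in VPN_NETS):
        return "vpn"
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def evaluate_flow(flow):
    """Apply the port and geolocation triggers to one flow record.

    Returns a list of (trigger name, verdict) pairs. A true praesidio_skip_ad
    flag suppresses the port triggers, mirroring 'AND NOT praesidio_skip_ad:true'.
    """
    findings = []
    port = int(flow.get("service_port", 0))
    if port in PORT_TRIGGERS and not flow.get("praesidio_skip_ad", False):
        origin = classify_source(flow["src_ip"])
        if port in LEGACY_PORTS:
            verdict = f"investigate: deprecated or cleartext protocol, {origin} source"
        elif port == 3389 and origin == "external":
            verdict = "investigate: external RDP source, review firewall NAT rules"
        else:
            verdict = f"review: {origin} source"
        findings.append((PORT_TRIGGERS[port], verdict))
    # geo_dest.country:X OR geo_src.country:X fires once per country, whichever side matched.
    matched = {flow.get(k, "").lower() for k in ("geo_src.country", "geo_dest.country")}
    for country in sorted(matched & WATCHED_COUNTRIES):
        findings.append((f"Source/Destination {country.title()}", "review: geolocation watch list"))
    return findings


# Constructed flow records (documentation-range addresses, not real traffic).
SAMPLE_FLOWS = [
    {"src_ip": "203.0.113.7", "dest_ip": "10.1.2.3", "service_port": "3389", "geo_src.country": "Romania"},
    {"src_ip": "10.250.4.9", "dest_ip": "10.1.2.3", "service_port": "3389"},
    {"src_ip": "10.1.5.5", "dest_ip": "10.1.9.9", "service_port": "23"},
    {"src_ip": "10.1.5.5", "dest_ip": "198.51.100.20", "service_port": "21", "praesidio_skip_ad": True},
    {"src_ip": "10.1.5.5", "dest_ip": "198.51.100.21", "service_port": "443", "geo_dest.country": "China"},
]


def triage(flows=SAMPLE_FLOWS):
    """Evaluate every flow; the result list is parallel to `flows`."""
    return [evaluate_flow(f) for f in flows]


if __name__ == "__main__":
    for flow, findings in zip(SAMPLE_FLOWS, triage()):
        print(f"{flow['src_ip']} -> {flow['dest_ip']}:{flow['service_port']}", findings)
```

The first sample flow shows why the two trigger families are worth evaluating together: an RDP session from an unrecognized external address is already the case the RDP analysis singles out, and the Romania geolocation match on the same flow raises its priority further.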


The Windows Filtering Platform Permitted A Connection Microsoft Windows

Query: (event_id:5156) app_name:("microsoft-windows-security-auditing")

Details: The Windows filtering platform permitted a connection.

TRAC Analysis: Event ID 5156 should occur if the Success or Failure audit was enabled for Filtering Platform Connection in the Advanced Audit Policy Configuration setting, which is available from Windows 2008 R2 and later versions.


Updated Packages Installed Microsoft Windows

Query: (event_id:2) app_name:("microsoft-windows-servicing")

Details: Windows installed package updates.

TRAC Analysis: The Windows Installer package is an .msi file that contains explicit instructions about installing and removing specific applications.


User Account Changes Microsoft Windows

Query: event_id:4725 OR event_id:4722 OR event_id:4723 OR event_id:4724 OR event_id:4726 OR event_id:4767

Details: Account created, disabled, enabled, deleted, unlocked, password change attempt, password reset attempt.

TRAC Analysis: Account changes are monitored for unusual and/or malicious activity.


User Account Created Microsoft Windows

Query: (event_id:4720) app_name:("microsoft-windows-security-auditing")

Details: An account was created.

TRAC Analysis: Account changes are monitored for unusual and/or malicious activity.


User Account Was Deleted Microsoft Windows

Query: (event_id:4726) app_name:("microsoft-windows-security-auditing")

Details: A user account was deleted.

TRAC Analysis: Auditing for unauthorized account changes.


User Account Disabled Microsoft Windows

Query: (event_id:4725) app_name:("microsoft-windows-security-auditing")

Details: A user account was disabled.

TRAC Analysis: Account changes are monitored for unusual and/or malicious activity.


User Account Enabled Microsoft Windows

Query: (event_id:4722) app_name:("microsoft-windows-security-auditing")

Details: A user account was enabled. This is logged alongside the account creation event when an account is created, and when an account is enabled after being disabled.

TRAC Analysis: Monitoring for false accounts and elevation of unauthorized privileges.


User Account Unlocked Microsoft Windows

Query: (event_id:4767) app_name:("microsoft-windows-security-auditing")

Details: A user account was unlocked.

TRAC Analysis: Account changes are monitored for unusual and/or malicious activity.


User Added to Security Enabled Local Group Microsoft Windows

Query: event_id: (4732) app_name:("microsoft-windows-security-auditing")

Details: This event generates every time a new member is added to a security-enabled (security) local group. This event generates on domain controllers, member servers, and workstations. For every added member you will get a separate 4732 event.

TRAC Analysis: Monitoring for false accounts and elevation of unauthorized privileges.


User Added to Security Enabled Universal Group Microsoft Windows

Query: (event_id: (4756)) app_name:("microsoft-windows-security-auditing")

Details: A member was added to a security-enabled universal group.

TRAC Analysis: Monitoring for false accounts and elevation of unauthorized privileges.
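The account and group triggers above (User Account Created/Enabled/Disabled/Deleted/Unlocked, User Added to Security Enabled Local/Universal Group, and the Security Enabled Group Changed entries earlier) are each monitored "for unusual and/or malicious activity", and the Security Enabled Local Group Changed analysis gives a concrete check: compare Group Domain: with Computer: to tell a local SAM group from a domain group. The following added example, which is not code from the playbook or from Microsoft, implements that check and a simple correlation over constructed Security-log records: an account that is created, added to a group and deleted within a short window is reported together with who did it. The field names, the sample events and the 24-hour window are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs used by the playbook's account and group triggers, with their playbook meaning.
EVENT_NAMES = {
    4720: "account created", 4722: "account enabled", 4723: "password change attempt",
    4724: "password reset attempt", 4725: "account disabled", 4726: "account deleted",
    4767: "account unlocked", 4727: "security-enabled global group created",
    4732: "member added to security-enabled local group",
    4735: "security-enabled local group changed",
    4737: "security-enabled global group changed",
    4756: "member added to security-enabled universal group",
}

# Constructed sample events (not real logs). For group events TargetUserName is the
# group name and MemberName the account added, following the Security log schema.
SAMPLE_EVENTS = [
    {"time": "2024-03-01 08:00:00", "event_id": 4720, "TargetUserName": "jdoe",
     "SubjectUserName": "helpdesk1", "Computer": "DC01.corp.example"},
    {"time": "2024-03-02 09:00:00", "event_id": 4720, "TargetUserName": "svc-tmp",
     "SubjectUserName": "admin7", "Computer": "DC01.corp.example"},
    {"time": "2024-03-02 09:01:00", "event_id": 4722, "TargetUserName": "svc-tmp",
     "SubjectUserName": "admin7", "Computer": "DC01.corp.example"},
    {"time": "2024-03-02 09:02:00", "event_id": 4732, "TargetUserName": "Administrators",
     "MemberName": "svc-tmp", "GroupDomain": "WS01", "SubjectUserName": "admin7",
     "Computer": "WS01.corp.example"},
    {"time": "2024-03-02 09:03:00", "event_id": 4735, "TargetUserName": "Remote Desktop Users",
     "GroupDomain": "CORP", "SubjectUserName": "admin7", "Computer": "DC01.corp.example"},
    {"time": "2024-03-02 11:30:00", "event_id": 4726, "TargetUserName": "svc-tmp",
     "SubjectUserName": "admin7", "Computer": "DC01.corp.example"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def describe(event):
    """One-line description in playbook terms, e.g. 'account created: svc-tmp'."""
    name = EVENT_NAMES.get(event["event_id"], f"event {event['event_id']}")
    return f"{name}: {event['TargetUserName']}"


def group_scope(event):
    """Playbook check for group events: Group Domain equal to the computer name means a
    local SAM group, anything else a domain group. Assumes Computer may be an FQDN and
    compares the short host name, case-insensitively."""
    host = event["Computer"].split(".")[0]
    return "sam" if event["GroupDomain"].lower() == host.lower() else "domain"


def short_lived_accounts(events, window=timedelta(hours=24)):
    """Accounts created and deleted within `window` (threshold is an assumption), with
    the groups they were added to in between. Each finding names the creating and
    deleting subjects so the bank POC can be asked about them."""
    created = {}
    joined = defaultdict(list)
    findings = []
    for e in sorted(events, key=lambda ev: parse_time(ev["time"])):
        eid = e["event_id"]
        if eid == 4720:
            created[e["TargetUserName"]] = e
        elif eid in (4732, 4756):
            joined[e["MemberName"]].append(e["TargetUserName"])
        elif eid == 4726:
            user = e["TargetUserName"]
            origin = created.get(user)
            if origin is None:
                continue
            lifetime = parse_time(e["time"]) - parse_time(origin["time"])
            if lifetime <= window:
                findings.append({
                    "user": user,
                    "created_by": origin["SubjectUserName"],
                    "deleted_by": e["SubjectUserName"],
                    "lifetime_hours": lifetime.total_seconds() / 3600,
                    "groups_joined": list(joined.get(user, [])),
                })
    return findings


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        scope = f" ({group_scope(event)} group)" if "GroupDomain" in event else ""
        print(event["time"], describe(event) + scope)
    print(short_lived_accounts(SAMPLE_EVENTS))
```

In the sample data, svc-tmp is created, enabled, added to the local Administrators group on WS01 and deleted two and a half hours later by the same subject; jdoe, created a day earlier and never deleted, produces no finding. The 4732 event resolves to a SAM group (Group Domain WS01 matches the host) while the 4735 event resolves to a domain group (CORP on DC01), which is exactly the distinction the playbook's comparison is meant to draw.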


Windows - Error Reporting Microsoft Windows

Query: (event_id: (1001)) app_name:(windows_error_reporting)

Details: The 1001 event is logged by the Windows Error Reporting infrastructure for all reports (for example, application crashes, hangs, and generic reports).

The event contains a summary of the report's signatures, Windows Error Reporting bucket information, and other fields that describe the state of the report. This event is logged in the Application event log. Event 1001 is logged at any time the report transitions state (that is, goes to the queue and comes out of the queue). Thus, it is possible to see multiple 1001 events for the same report.

TRAC Analysis: Monitored for routine application failures and possible indicators of compromise.