Configuration/Definitions/OSStartupShutdownCrash.json
{ "SearchDefinition": { "OSStartupShutdownCrash": { "Events": { "Fields": { "Computer": "Computer", "Date": "Date", "MachineName": "ObjectAffected", "NoNameB4":"EventLevel", "NoNameB5": "EventActionDetails", "EventAction": "EventAction", "NoNameB7":"EventSource", "ID": "Event ID", "RecordID": "Record ID", "GatheredFrom": "Gathered From", "GatheredLogName": "Gathered LogName" }, "Overwrite": { "EventAction#1": [ "Event ID", 12, "System Start" ], "EventAction#2": [ "Event ID", 13, "System Shutdown" ], "EventAction#3": [ "Event ID", 41, "System Dirty Reboot" ], "EventAction#4": [ "Event ID", 4608, "Windows is starting up" ], "EventAction#5": [ "Event ID", 4621, "Administrator recovered system from CrashOnAuditFail" ] }, "Ignore": {}, "Events": [ 12, 13, 41, 4608, 4621 ], "IgnoreWords": {}, "LogName": "System", "Enabled": true }, "Enabled": true } }, "LogName": "WEC5-Operating-System" }